Showing posts with label IIS. Show all posts

Thursday 2 January 2014

IIS setting for SharePoint 2013

Some checks and reminders for IIS - This is a work in progress!

1.> Change the IIS log location for existing websites. If you want to change it, this needs to be done on each WFE in your farm.
PS Script to Change the IIS log directory for existing web sites.
2.> Disable IIS recycling
3.> Ensure app pool accounts have low levels of network permissions.
4.> Certificates used by IIS: when do they expire?
5.> Application Initialisation for IIS8 or warm-up scripts to stop the long delays after an IISRESET/app pool recycle.

   **************
CPU over utilisation


   ********************

Verify when certificates are going to expire:

Import-Module WebAdministration
# Warning threshold in days; change this once it's working
$DaysToExpiration = 365
$expirationDate = (Get-Date).AddDays($DaysToExpiration)
# Second threshold: five years from today, to match the message below
$expirationDate5yrs = (Get-Date).AddYears(5)
# Each SSL binding records the certificate store and thumbprint it uses
$bindings = Get-ChildItem IIS:\SslBindings
foreach ($binding in $bindings)
{
 $store = $binding.Store.ToString()
 Write-Host " Cert Store:" $store
 Write-Host " Cert Port:" $binding.Port.ToString()
 Write-Host " Cert Thumbprint:" $binding.Thumbprint
  # Lists every certificate in the store the binding points at,
  # not only the one whose thumbprint matches the binding
  $certs = Get-ChildItem "Cert:\LocalMachine\$store"
  foreach ($cert in $certs) {

   if ($expirationDate -gt $cert.NotAfter) {
    Write-Host " Expiring soon" -BackgroundColor red
   }
   elseif ($expirationDate5yrs -gt $cert.NotAfter) {
    Write-Host " Expiring in 5 years" -BackgroundColor Yellow
   }
   elseif ($expirationDate -le $cert.NotAfter) {
    Write-Host " Expiring more than a year away" -BackgroundColor green
   }
   Write-Host " - Body subject: " $cert.Subject
   Write-Host " - Body thumbprint: " $cert.Thumbprint
   Write-Host " - Body friendly name: " $cert.FriendlyName
   Write-Host " - Body Expiry: " $cert.NotAfter
  }
     Write-Host ""
}

 *********************
 Check the service accounts do not have too many permissions:
The script below retrieves the app pool password to show the client the potential issue.

Import-Module WebAdministration
foreach ($pool in Get-ChildItem IIS:\AppPools\)
{
$iispath = "IIS:\AppPools\" + $pool.name
# Password stored for a custom app pool account; empty for built-in identities
$pswd = $pool.processModel.password
$state = (Get-WebAppPoolState -Name $pool.name).Value
$color = "White"
$forecolor = "Black"
if ($pswd.Length -gt 0)  {$color = "red"} # verify the domain accounts don't have excessive privileges
if ($state -eq "Stopped")  {$forecolor = "blue"} # why are there stopped IIS app pools?
Write-Host "Name:" $pool.name " | Version:" (Get-ItemProperty $iispath managedRuntimeVersion).Value `
" | Username:" $pool.processModel.userName " | Pswd:" $pswd `
" | State:" $state -BackgroundColor $color -ForegroundColor $forecolor
}

 Tip: Advise the client to change the Windows service account used to run the SP timer job.  Check ramifications.
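
A reporting variant of the app pool check above that never prints the stored password, added here as an example (it is not from the original post). It assumes the local group has its English name "Administrators" and resolves direct members only; the Findings column and its wording are illustrative.

```powershell
# Added example: audit app pool identities without reading the password back.
Import-Module WebAdministration

# Direct members of the local Administrators group as DOMAIN\name or COMPUTER\name.
# Assumptions: English group name; nested (domain group) membership is not resolved;
# accounts configured in UPN form (user@domain) will not match.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$localAdmins = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    $parts = ($path -replace '^WinNT://', '') -split '/'
    if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] } else { $parts[-1] }
}

$report = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $pm       = $pool.processModel
    $findings = @()

    # LocalSystem gives code in every site of the pool full control of the server.
    if ($pm.identityType -eq 'LocalSystem') { $findings += 'runs as LocalSystem' }

    if ($pm.identityType -eq 'SpecificUser') {
        # A custom account stores its credential in the IIS configuration,
        # which is what the script on this page reads back.
        $findings += 'custom account with stored credential'
        if ($localAdmins -contains $pm.userName) {
            $findings += 'account is a local administrator'
        }
    }
    if ($pool.state -eq 'Stopped') { $findings += 'pool is stopped' }

    [pscustomobject]@{
        Name     = $pool.Name
        Identity = $pm.identityType
        UserName = $pm.userName
        State    = $pool.state
        Findings = $findings -join '; '
    }
}

$report | Sort-Object Name | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session on each WFE; the output contains account names but no secrets.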


**********************************

Monday 15 November 2010

Changing service account passwords - The Service is unavailable

Problem: Browsers return the following error "Service Unavailable  Http Error 503.  The Service is unavailable." on all SharePoint websites including central admin.
Initial Hypothesis: I changed my password yesterday causing the app pools to fail when logging in.  The domain account used on my development machine required a password change.  Starting the machine causes all the IIS web sites to display the error message "Service Unavailable".  I run various services and application pools using my domain account.  The services can no longer log on.  Application pools cannot be started after the reboot/iisreset.
Resolution:  Change the log on details for the application pools used by IIS that run using the domain account whose password was reset.  Also start the Windows services that run using the Windows domain account.

Ensure the SharePoint services are running