A question was asked: why does Microsoft still force customers to install the webroot on the system partition (i.e. C:\inetpub) when all of the security-related documentation advises against doing this?
I casually grinned, then openly smiled and said, "just because. Kidding!" It is a very legitimate question, and my response was fairly lengthy, but it went something like this:
Starting with Windows 2000, IIS has been installed through the Windows optional-component installer (SysOcMgr). The technical reason the GUI cannot let you pick the webroot location is that SysOcMgr has no concept of a "custom action". Think back to anything you have ever done in Add/Remove Programs: Windows never prompts you to enter information. The only action you take is to tick a check box, and then all the magic occurs. The one time it does stop and ask is when the Windows source files are no longer available, and that is an error condition, not a custom action.
The advice exists for a reason. With the content on its own volume, a path-traversal bug in the server or in an application cannot walk from the webroot into %SystemRoot%, and the NTFS permissions on the data volume can be managed independently of those on the OS volume. There is a simple way around the installer's limitation, but many assume the tax is too large to pay. The Microsoft answer to getting a non-system-partition webroot is to automate IIS's installation. That often scares customers, because they do not want to go down the full automation path. Note, though, that you do not have to do an unattended OS install to get this; you can automate just the installation of IIS, and that part is easy.
1). Create a file called Unattend.txt and open it with Notepad
2). Paste the following into that file:
3). The next step is to open a command-prompt (Start – Run – CMD) and type the following:
SysOcMgr.exe /i:sysoc.inf /u:$PathToUnattendFileCreatedInStep2$
This installs IIS according to your parameters, with no prompts at all. The file above, unattend.txt, installs and enables the following:
Enables ASP and FrontPage Server Extensions (FPSE)
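Here is an added, end-to-end version of the three steps above as a single batch file. It is not the unattend.txt from the original post (that file's contents are not reproduced on this page) and not a Microsoft sample. The component names, the D:\Inetpub\wwwroot location, the temporary file name and the adsutil.vbs check at the end are my assumptions for a Windows Server 2003 box that has a D: data volume and can still reach its Windows source files.

```batch
@echo off
REM Added example, not the answer file from the original post.
REM Assumptions: Windows Server 2003, a D: data volume, Windows source files reachable.
setlocal
set UNATTEND=%SystemDrive%\iis-unattend.txt
set WEBROOT=D:\Inetpub\wwwroot

REM 1) Write the answer file. [Components] picks the IIS subcomponents;
REM    [InternetServer] carries the one setting the Add/Remove Programs UI
REM    never asks for: where the webroot goes.
> %UNATTEND%  echo [Components]
>>%UNATTEND%  echo iis_common = ON
>>%UNATTEND%  echo iis_inetmgr = ON
>>%UNATTEND%  echo iis_www = ON
>>%UNATTEND%  echo iis_asp = ON
>>%UNATTEND%  echo fp_extensions = ON
>>%UNATTEND%  echo [InternetServer]
>>%UNATTEND%  echo PathWWWRoot = %WEBROOT%

REM 2) Hand the file to the optional-component installer. No UI, no prompts.
sysocmgr /i:%windir%\inf\sysoc.inf /u:%UNATTEND%
if errorlevel 1 (
    echo sysocmgr failed, error %errorlevel%
    exit /b 1
)

REM 3) Check: the Default Web Site (site id 1) must now point at the data volume,
REM    not at %SystemDrive%\inetpub\wwwroot.
cscript //nologo %windir%\system32\inetsrv\adsutil.vbs GET W3SVC/1/ROOT/Path | find /i "%WEBROOT%" >nul
if errorlevel 1 (
    echo Default Web Site home directory is NOT %WEBROOT% - check the answer file
    exit /b 1
)
echo IIS installed with webroot at %WEBROOT%

del %UNATTEND%
endlocal
```

PathWWWRoot under [InternetServer] is the whole point: the answer file is the only place the installer will accept it. The same two sections are valid in the winnt.sif answer file, which is how the webroot location is carried into a fully unattended OS install. FPSE is switched on here only because the post's file enables it; on a box that does not host FrontPage-authored content, leave fp_extensions off to keep the attack surface down.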
The key is to understand that you do not have to automate the entire OS installation to do this; it can be done after the OS is already up. You can also cover all your bases and build a fully automated installation of the OS and IIS together. That is entirely an option. The main thing that changes is that you then have a couple of choices:
1). Install from a CD
2). Install from a Shared UNC Location
In my case, I chose to install from a CD. This was done by creating a winnt.sif file and placing it on a floppy drive. The Winnt.sif had the following information:
Repartition = Yes
The only execution I have to do now is the following:
Winnt32.exe /unattend:AnswerFile /s:InstallSource
REM Make Dir Structure for Website
md c:\websites\mysite
REM CREATE ADDITIONAL WEBSITES (iisweb.vbs: that directory becomes the home of "My Site", bound to port 81)
iisweb /create c:\websites\mysite "My Site" /b 81
REM ADD ADDITIONAL VIRTUAL DIRECTORIES
iisvdir /create "My Site" Upload c:\ftpsites
REM MODIFY THE AUTHENTICATION FOR ONE OF THE NEWLY CREATED VDIR'S
REM 858812021 is the site identifier IIS generated for "My Site" on this box;
REM look yours up with "iisweb /query" before using these metabase paths.
REM adsutil.vbs lives in %SystemRoot%\system32\inetsrv, so call it by full path.
CSCRIPT /NOLOGO %SystemRoot%\system32\inetsrv\ADSUTIL.VBS SET W3SVC/858812021/ROOT/Upload/AUTHNTLM 0
CSCRIPT /NOLOGO %SystemRoot%\system32\inetsrv\ADSUTIL.VBS SET W3SVC/858812021/ROOT/Upload/AUTHBasic 1
This script creates the directory for my new site, creates the website with that directory as its home and binds it to port 81, adds a virtual directory, and then sets that virtual directory's authentication to Basic with NTLM turned off. One caveat on that last step: Basic authentication sends the username and password in a trivially decoded form on every request, so a directory configured this way should also be set to require SSL (the AccessSSL property on the same metabase path) before anything other than test traffic reaches it.
This is just a sample, and there are far more powerful things you can do, but in the end, with the push of a power button you can truly walk away and come back to a fully functional web server.
The time spent up front is worth thousands of hours saved in the future (or spent doing better things!). For a complete and more in-depth discussion of this, view the webcast I did on this topic, in which I used these scripts: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032280620&EventCategory=5&culture=en-US&CountryCode=US.
P.S. Thanks to the person who asked the question and got me thinking about this for my blog!