How to Install and Configure IIS on Windows Server 2025
Internet Information Services (IIS) is Microsoft’s mature, high-performance web server built into Windows Server. On Windows Server 2025, IIS 10.0 ships with improved HTTP/3 support, enhanced security defaults, and tighter integration with the Windows Admin Center. Whether you are hosting internal web applications, public-facing sites, or REST APIs, IIS provides a robust platform backed by familiar Windows tooling. This guide walks you through a complete installation and initial configuration of IIS on Windows Server 2025, covering everything from the first PowerShell command to verifying your site in a browser.
Prerequisites
- Windows Server 2025 (Standard or Datacenter edition), fully patched
- A local administrator account or domain account with equivalent privileges
- PowerShell 5.1 or later (included by default)
- Outbound internet access or a local WSUS/SCCM source if you need to pull additional Windows features
- A static IP address assigned to the server (recommended for production)
Step 1: Install the Web Server Role with PowerShell
Open an elevated PowerShell session (Run as Administrator) and run the following command to install the IIS Web Server role along with its management tools:
# Install IIS with management console and common sub-features
Install-WindowsFeature -Name Web-Server -IncludeManagementTools -IncludeAllSubFeature
# Verify the installation
Get-WindowsFeature -Name Web-* | Where-Object { $_.InstallState -eq 'Installed' }
The -IncludeManagementTools flag installs the IIS Manager GUI (inetmgr) and the IIS PowerShell module. The -IncludeAllSubFeature switch installs sub-features such as static content, default document support, directory browsing, HTTP errors, HTTP logging, request filtering, and Windows authentication. For minimal installs, omit -IncludeAllSubFeature and selectively add features instead.
After the command completes, open IIS Manager from the Start menu or by running inetmgr from Run (Win+R). You should see the server node in the left-hand Connections pane.
Step 2: Understand the Default Web Site and Application Pools
IIS creates a Default Web Site automatically. It listens on port 80 for all IP addresses (*:80:) and serves content from %SystemDrive%inetpubwwwroot. Open IIS Manager, expand Sites, and click Default Web Site to review its bindings.
Every IIS site runs inside an Application Pool, which is an isolated worker process boundary. The default pool is named DefaultAppPool. Inspect and configure it via PowerShell:
Import-Module WebAdministration
# View current DefaultAppPool settings
Get-Item IIS:AppPoolsDefaultAppPool | Select-Object *
# Set .NET CLR version (use 'v4.0' for .NET Framework apps, or 'No Managed Code' for ASP.NET Core)
Set-ItemProperty IIS:AppPoolsDefaultAppPool -Name managedRuntimeVersion -Value 'v4.0'
# Set the managed pipeline mode to Integrated (recommended)
Set-ItemProperty IIS:AppPoolsDefaultAppPool -Name managedPipelineMode -Value 'Integrated'
# Confirm changes
Get-ItemProperty IIS:AppPoolsDefaultAppPool -Name managedRuntimeVersion, managedPipelineMode
Integrated pipeline mode allows ASP.NET modules to participate in the full HTTP pipeline, which enables features like URL-level authentication on all content types, not just .aspx files. Use Classic mode only for legacy applications that require it.
Step 3: Create a New Website
Rather than placing all content under the Default Web Site, it is best practice to create dedicated sites. First, prepare a folder for your site content and set permissions:
# Create the web root directory
New-Item -ItemType Directory -Path "C:inetpubmysite"
# Grant IIS_IUSRS read access (the built-in group for IIS worker process identities)
icacls "C:inetpubmysite" /grant "IIS_IUSRS:(OI)(CI)R" /T
# Place a test HTML file
Set-Content -Path "C:inetpubmysiteindex.html" -Value "My New IIS Site
"
Now create the site in IIS and configure its binding:
# Create the new site on port 8080 for testing
New-WebSite -Name "MySite" `
-PhysicalPath "C:inetpubmysite" `
-Port 8080 `
-IPAddress "*" `
-Force
# Create a dedicated application pool for this site
New-WebAppPool -Name "MySitePool"
Set-ItemProperty IIS:AppPoolsMySitePool -Name managedRuntimeVersion -Value 'v4.0'
# Assign the pool to the site
Set-ItemProperty IIS:SitesMySite -Name applicationPool -Value "MySitePool"
# Start the site
Start-WebSite -Name "MySite"
Step 4: Configure Bindings
A binding in IIS is the combination of protocol, IP address, port, and optional host header that tells IIS which incoming requests to route to a particular site. You can add multiple bindings to a single site:
# Add an additional binding on port 80 with a specific host header
New-WebBinding -Name "MySite" `
-Protocol "http" `
-Port 80 `
-IPAddress "*" `
-HostHeader "mysite.local"
# View all bindings for the site
Get-WebBinding -Name "MySite"
# Remove a binding if needed
Remove-WebBinding -Name "MySite" -Protocol "http" -Port 8080
Step 5: Set Document Root Permissions and Default Documents
Ensure the application pool identity can read your content. If you are using a custom service account instead of the built-in IIS AppPoolMySitePool virtual account, grant that account access:
# Grant the virtual app pool account read access
icacls "C:inetpubmysite" /grant "IIS AppPoolMySitePool:(OI)(CI)R"
# Configure the default document list for the site
Add-WebConfiguration system.webServer/defaultDocument/files `
-PSPath "IIS:SitesMySite" `
-Value @{value = 'index.html'}
# View current default documents
Get-WebConfiguration system.webServer/defaultDocument/files -PSPath "IIS:SitesMySite"
Step 6: Enable Key IIS Features
IIS 10.0 on Windows Server 2025 supports a rich set of optional features. Enable them individually with Install-WindowsFeature:
# ASP.NET 4.8 support
Install-WindowsFeature Web-Asp-Net45
# CGI support (required for PHP via FastCGI)
Install-WindowsFeature Web-CGI
# URL Authorization
Install-WindowsFeature Web-Url-Auth
# Windows Authentication
Install-WindowsFeature Web-Windows-Auth
# HTTP Compression (static and dynamic)
Install-WindowsFeature Web-Stat-Compression, Web-Dyn-Compression
# Verify all installed web features
Get-WindowsFeature -Name Web-* | Where-Object InstallState -eq Installed | Select-Object Name, DisplayName
Step 7: Apply Basic Security Settings
Out of the box, IIS 10.0 on Windows Server 2025 has sensible defaults, but there are several hardening steps to perform before exposing a site to the network:
# Disable directory browsing site-wide
Set-WebConfigurationProperty -Filter system.webServer/directoryBrowse `
-PSPath "IIS:" -Name enabled -Value $false
# Remove the Server header (reduces information disclosure)
Set-WebConfigurationProperty -Filter system.webServer/security/requestFiltering `
-PSPath "IIS:" -Name removeServerHeader -Value $true
# Restrict maximum request content length to 30 MB
Set-WebConfigurationProperty -Filter system.webServer/security/requestFiltering `
-PSPath "IIS:" -Name requestLimits.maxAllowedContentLength -Value 31457280
# Disable HTTP TRACE method
Add-WebConfigurationProperty -Filter system.webServer/security/requestFiltering/verbs `
-PSPath "IIS:" -Name . -Value @{verb='TRACE'; allowed='false'}
Step 8: Test Your Installation
Open a browser on the server (or another machine on the same network) and navigate to http://<server-ip>:8080 (or port 80 if you reconfigured the binding). You should see “My New IIS Site” rendered in the browser. Additionally, navigate to http://localhost to confirm the Default Web Site is still serving the IIS welcome page from C:inetpubwwwroot.
You can also use PowerShell to perform a quick connectivity test from the server itself:
Invoke-WebRequest -Uri "http://localhost:8080" -UseBasicParsing | Select-Object StatusCode, StatusDescription
A response of 200 OK confirms IIS is running and serving content correctly.
Conclusion
You have successfully installed IIS on Windows Server 2025, created a dedicated site with its own application pool, configured bindings, set filesystem permissions, and applied foundational security hardening. IIS provides a broad feature set that grows with your application’s needs — from simple static file hosting to complex .NET and PHP workloads. The next logical steps are to enable HTTPS by binding a TLS certificate to your site, set up additional virtual hosts using host headers, and explore IIS URL Rewrite for path-based routing. With IIS Manager and the WebAdministration PowerShell module at your disposal, managing all of this from the command line or automated pipelines is straightforward and scriptable.
