How to Install and Configure IIS on Windows Server 2022

Internet Information Services (IIS) is Microsoft’s web server platform included with Windows Server 2022. It supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP protocols and integrates deeply with the Windows ecosystem. This guide walks through a complete IIS installation and configuration from a clean Windows Server 2022 system, covering everything from initial feature installation to security hardening.

Installing IIS Using PowerShell

The fastest and most repeatable way to install IIS on Windows Server 2022 is through PowerShell using the Install-WindowsFeature cmdlet. Open an elevated PowerShell session and run the following command to install IIS along with its management tools and common features:

Install-WindowsFeature -Name Web-Server -IncludeManagementTools -IncludeAllSubFeature

This installs the base IIS server, IIS Management Console, and all sub-features including static content, default document, directory browsing, HTTP errors, HTTP logging, request filtering, static compression, and more. To verify the installation succeeded and see exactly what was installed:

Get-WindowsFeature -Name Web-* | Where-Object { $_.InstallState -eq 'Installed' } | Format-Table Name, DisplayName

If you need a more granular installation — for example, only specific features — you can install individual components. Here is an example installing just the core server with CGI and ISAPI support (required for PHP and other CGI applications):

Install-WindowsFeature -Name Web-Server, Web-CGI, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Mgmt-Console, Web-Mgmt-Tools

Opening IIS Manager

Once installed, launch the IIS Manager (inetmgr) from the Run dialog or PowerShell:

Start-Process inetmgr

Alternatively, find it under Start Menu → Windows Administrative Tools → Internet Information Services (IIS) Manager. The IIS Manager provides a graphical interface to manage sites, application pools, bindings, authentication, SSL certificates, handlers, modules, logging, and nearly every other configuration aspect of IIS.

Understanding the Default Website

After installation, IIS creates a Default Web Site automatically. It listens on port 80 on all IP addresses and serves content from C:\inetpub\wwwroot. You can verify this is running with:

Get-WebSite -Name "Default Web Site"

The output shows the physical path, bindings, state, and application pool. To confirm the server is responding, open a browser and navigate to http://localhost. You should see the default IIS welcome page. The default document order (the files IIS looks for when no filename is specified) can be checked and modified:

Get-WebConfiguration -Filter "system.webServer/defaultDocument/files/*" -PSPath "IIS:\Sites\Default Web Site"

Creating a New Website with New-WebSite

To host your own content, create a new website rather than using the Default Web Site. First, create the directory for your content:

New-Item -Path "C:\inetpub\mysite" -ItemType Directory
New-Item -Path "C:\inetpub\mysite\index.html" -ItemType File -Value "My Site"

Now create the IIS website using New-WebSite:

New-WebSite -Name "MySite" -PhysicalPath "C:\inetpub\mysite" -Port 8080 -HostHeader "mysite.local"

This creates a site named MySite, bound to port 8080 with the host header mysite.local. The site is started automatically. To start or stop it explicitly:

Start-WebSite -Name "MySite"
Stop-WebSite -Name "MySite"

Application Pools

Every IIS website runs inside an application pool (AppPool), which is an isolated worker process (w3wp.exe) that handles requests. Isolating sites into separate application pools prevents one site’s failure from affecting others. Create a dedicated application pool for your site:

New-WebAppPool -Name "MySitePool"
Set-ItemProperty -Path "IIS:\AppPools\MySitePool" -Name "managedRuntimeVersion" -Value "v4.0"
Set-ItemProperty -Path "IIS:\AppPools\MySitePool" -Name "enable32BitAppOnWin64" -Value $false

Assign the application pool to your site:

Set-ItemProperty -Path "IIS:\Sites\MySite" -Name applicationPool -Value "MySitePool"

To configure the application pool identity (the account worker processes run under), use the built-in ApplicationPoolIdentity (recommended) or a specific service account:

# Use ApplicationPoolIdentity (default, most secure)
Set-ItemProperty -Path "IIS:\AppPools\MySitePool" -Name processModel.identityType -Value "ApplicationPoolIdentity"

# Or use a specific domain account
$cred = Get-Credential
Set-ItemProperty -Path "IIS:\AppPools\MySitePool" -Name processModel.identityType -Value "SpecificUser"
Set-ItemProperty -Path "IIS:\AppPools\MySitePool" -Name processModel.userName -Value $cred.UserName
Set-ItemProperty -Path "IIS:\AppPools\MySitePool" -Name processModel.password -Value $cred.GetNetworkCredential().Password

Configuring Bindings with New-WebBinding

Bindings define how IIS listens for incoming requests — which protocol, IP address, port, and host header. Use New-WebBinding to add additional bindings to an existing site:

# Add an HTTP binding on port 80 with a host header
New-WebBinding -Name "MySite" -Protocol "http" -Port 80 -HostHeader "www.mysite.local" -IPAddress "*"

# Add another binding on port 8081 without a host header restriction
New-WebBinding -Name "MySite" -Protocol "http" -Port 8081 -IPAddress "*"

List all current bindings for a site:

Get-WebBinding -Name "MySite"

Remove a specific binding:

Remove-WebBinding -Name "MySite" -Protocol "http" -Port 8081 -HostHeader "" -IPAddress "*"

IIS Directory Structure

The default IIS directory layout under C:\inetpub is:

C:\inetpub
  wwwroot         # Default Web Site content root
  logs            # IIS log files (by default W3C extended format)
    LogFiles
      W3SVC1      # Logs for site ID 1 (Default Web Site)
  temp            # Temporary compressed files and ASP.NET cache
    appPools      # Per-app-pool temp directories
  ftproot         # Default FTP site root (if FTP installed)
  mailroot        # SMTP root (if SMTP installed)

The IIS_IUSRS group is the built-in group for IIS worker process identities. When using ApplicationPoolIdentity, the virtual account IIS AppPool\YourPoolName is used. Always grant this account read access to your content directory:

icacls "C:\inetpub\mysite" /grant "IIS AppPool\MySitePool:(OI)(CI)RX"
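
To check that the application pool isolation and the read-only content ACL described above are in place, the following added example (not part of the original guide) reports, for each site, which pool it uses, the pool identity, whether the pool is shared, and whether the pool's virtual account holds a write ACE on the content root. The function name Get-AppPoolIsolationReport is hypothetical, and only each site's root application is inspected.

```powershell
# Added example (not from the original guide): read-only isolation audit.
Import-Module WebAdministration

function Get-AppPoolIsolationReport {
    $writeData = [System.Security.AccessControl.FileSystemRights]::WriteData
    $sites = @(Get-Website)

    foreach ($pool in Get-ChildItem 'IIS:\AppPools') {
        $identity  = $pool.processModel.identityType
        $poolSites = @($sites | Where-Object { $_.applicationPool -eq $pool.Name })

        foreach ($site in $poolSites) {
            # physicalPath may contain %SystemDrive% and similar variables
            $path    = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
            $account = "IIS AppPool\$($pool.Name)"

            # Allow ACEs (explicit or inherited) that let the pool's virtual account write
            $writeAces = @((Get-Acl -LiteralPath $path).Access | Where-Object {
                $_.IdentityReference.Value -eq $account -and
                $_.AccessControlType -eq 'Allow' -and
                ([int]($_.FileSystemRights -band $writeData) -ne 0)
            })

            [pscustomobject]@{
                Site         = $site.Name
                Pool         = $pool.Name
                Identity     = $identity
                SharedPool   = $poolSites.Count -gt 1
                PoolCanWrite = $writeAces.Count -gt 0
                # Flag anything that departs from one pool per site,
                # ApplicationPoolIdentity, and read/execute-only content access
                Review       = ($poolSites.Count -gt 1) -or
                               ($identity -ne 'ApplicationPoolIdentity') -or
                               ($writeAces.Count -gt 0)
            }
        }
    }
}

Get-AppPoolIsolationReport | Sort-Object Review -Descending | Format-Table -AutoSize
```

Write access granted through a group such as IIS_IUSRS or Users is not detected by this check; inspect the full icacls output for those.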

Configuring Logging Settings

IIS logging is enabled by default and writes W3C extended log format files to C:\inetpub\logs\LogFiles. Configure the log directory, format, and fields via PowerShell:

# Set log file directory for a site
Set-WebConfigurationProperty -Filter "system.applicationHost/sites/site[@name='MySite']/logFile" -Name "directory" -Value "D:\Logs\MySite"

# Enable logging if disabled
Set-WebConfigurationProperty -Filter "system.applicationHost/sites/site[@name='MySite']/logFile" -Name "enabled" -Value $true

# Set log period (daily, weekly, monthly, hourly, maxSize)
Set-WebConfigurationProperty -Filter "system.applicationHost/sites/site[@name='MySite']/logFile" -Name "period" -Value "Daily"

# Select the logged W3C fields, including time-taken
# (X-Forwarded-For is not a logExtFileFlags value; it has to be added as a custom log field)
Set-WebConfigurationProperty -Filter "system.applicationHost/sites/site[@name='MySite']/logFile" -Name "logExtFileFlags" -Value "Date,Time,ClientIP,UserName,ServerIP,Method,UriStem,UriQuery,HttpStatus,Win32Status,BytesSent,BytesRecv,TimeTaken"

Authentication Modes

IIS supports several authentication methods. Anonymous Authentication is enabled by default and allows any user to access content without credentials. Windows Authentication uses Kerberos or NTLM and is appropriate for intranet applications. Basic Authentication sends credentials base64-encoded, which is an encoding and not encryption (use only over HTTPS). Configure authentication via PowerShell:

# Check current authentication state
Get-WebConfiguration -Filter "system.webServer/security/authentication/anonymousAuthentication" -PSPath "IIS:\Sites\MySite"

# Disable anonymous authentication
# (the authentication sections are locked at the server level by default, so the
# setting is written to applicationHost.config with -Location, not to the site's web.config)
Set-WebConfigurationProperty -Filter "system.webServer/security/authentication/anonymousAuthentication" -PSPath "IIS:\" -Location "MySite" -Name "enabled" -Value $false

# Enable Windows Authentication
Set-WebConfigurationProperty -Filter "system.webServer/security/authentication/windowsAuthentication" -PSPath "IIS:\" -Location "MySite" -Name "enabled" -Value $true

IIS Feature Delegation

IIS uses a hierarchical configuration system where site and application-level web.config files can override server-level settings — but only if the server allows it through feature delegation. By default, many settings are locked at the server level. Unlock a specific section for site-level override:

# Allow sites to override the defaultDocument section
Set-WebConfiguration -Filter "system.webServer/defaultDocument" -Metadata "overrideMode" -Value "Allow" -PSPath "IIS:\"

# Lock a section so sites cannot override it
Set-WebConfiguration -Filter "system.webServer/security/requestFiltering" -Metadata "overrideMode" -Value "Deny" -PSPath "IIS:\"

Basic IIS Security Hardening

After installation, apply these security hardening steps. First, remove the Server header from HTTP responses to avoid leaking version information. Edit C:\Windows\System32\inetsrv\config\applicationHost.config or use PowerShell:

# Remove Server header (removeServerHeader is a built-in requestFiltering attribute
# in IIS 10 on Windows Server 2019 and later; URL Rewrite is not required)
Set-WebConfigurationProperty -Filter "system.webServer/security/requestFiltering" -PSPath "IIS:\" -Name "removeServerHeader" -Value $true

Enable request filtering to limit request sizes and block dangerous extensions:

# Limit maximum URL length to 4096 bytes
Set-WebConfigurationProperty -Filter "system.webServer/security/requestFiltering/requestLimits" -PSPath "IIS:\" -Name "maxUrl" -Value 4096

# Limit maximum query string to 2048 bytes
Set-WebConfigurationProperty -Filter "system.webServer/security/requestFiltering/requestLimits" -PSPath "IIS:\" -Name "maxQueryString" -Value 2048

# Deny access to .config files (Add fails with a duplicate-entry error if the rule already exists)
Add-WebConfigurationProperty -Filter "system.webServer/security/requestFiltering/fileExtensions" -PSPath "IIS:\" -Name "." -Value @{fileExtension=".config"; allowed="False"}

Disable WebDAV if not needed (it is a common attack vector):

Disable-WindowsOptionalFeature -Online -FeatureName "IIS-WebDAV"
# Or via Server Manager:
Uninstall-WindowsFeature -Name Web-DAV-Publishing

Add security headers to all responses by configuring custom headers at the server level in applicationHost.config or via web.config:

Add-WebConfigurationProperty -Filter "system.webServer/httpProtocol/customHeaders" -PSPath "IIS:\" -Name "." -Value @{name="X-Content-Type-Options"; value="nosniff"}
Add-WebConfigurationProperty -Filter "system.webServer/httpProtocol/customHeaders" -PSPath "IIS:\" -Name "." -Value @{name="X-Frame-Options"; value="SAMEORIGIN"}
Add-WebConfigurationProperty -Filter "system.webServer/httpProtocol/customHeaders" -PSPath "IIS:\" -Name "." -Value @{name="Referrer-Policy"; value="strict-origin-when-cross-origin"}
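
Because these settings are applied one command at a time, it is worth confirming afterwards that every one of them is in effect at the server level. The following read-only audit is an added example, not part of the original guide; the function names Get-IisAttr, New-Check and Test-IisHardening are hypothetical, and the expected values are the ones used in this section.

```powershell
# Added example (not from the original guide): verify the hardening steps above.
Import-Module WebAdministration

function Get-IisAttr([string]$Filter, [string]$Name) {
    $r = Get-WebConfigurationProperty -Filter $Filter -PSPath 'IIS:\' -Name $Name
    # The cmdlet returns either an attribute object with .Value or the raw value
    if ($null -ne $r -and $r.PSObject.Properties['Value']) { $r.Value } else { $r }
}

function New-Check($Name, $Expected, $Actual, [bool]$Pass) {
    [pscustomobject]@{ Check = $Name; Expected = $Expected; Actual = $Actual; Pass = $Pass }
}

function Test-IisHardening {
    $rf = 'system.webServer/security/requestFiltering'

    $v = Get-IisAttr $rf 'removeServerHeader'
    New-Check 'Server header removed' $true $v ($v -eq $true)

    $v = Get-IisAttr "$rf/requestLimits" 'maxUrl'
    New-Check 'maxUrl' '1..4096' $v ($v -gt 0 -and $v -le 4096)

    $v = Get-IisAttr "$rf/requestLimits" 'maxQueryString'
    New-Check 'maxQueryString' '1..2048' $v ($v -gt 0 -and $v -le 2048)

    # A missing rule is a failure: unlisted extensions are not denied by this check
    $ext = Get-WebConfiguration -PSPath 'IIS:\' -Filter "$rf/fileExtensions/add[@fileExtension='.config']"
    New-Check '.config requests denied' $false $ext.allowed ($null -ne $ext -and -not $ext.allowed)

    $dav = Get-WindowsFeature -Name Web-DAV-Publishing
    New-Check 'WebDAV not installed' $false $dav.Installed (-not $dav.Installed)

    $headers = [ordered]@{
        'X-Content-Type-Options' = 'nosniff'
        'X-Frame-Options'        = 'SAMEORIGIN'
        'Referrer-Policy'        = 'strict-origin-when-cross-origin'
    }
    foreach ($h in $headers.GetEnumerator()) {
        $e = Get-WebConfiguration -PSPath 'IIS:\' -Filter "system.webServer/httpProtocol/customHeaders/add[@name='$($h.Key)']"
        New-Check "Header $($h.Key)" $h.Value $e.value ($e.value -eq $h.Value)
    }
}

Test-IisHardening | Format-Table -AutoSize
```

The audit reads the server-level configuration only; a site whose web.config overrides a delegated section can still differ from what is reported here.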

IIS on Windows Server 2022 is a mature, highly configurable web platform. Proper installation, isolation via application pools, careful binding configuration, appropriate authentication modes, and security hardening from day one give you a solid foundation for hosting production web applications.