Example configuration of IIS for "bootstrapping" PowerShell scripts via a curl | iex style. Because, port 80/443 all the things?
This is intended for HTTPS INTRANET sites as running code.
Yes, iex can be considered harmful, and CSS tomfoolery exists to exploit the behavior. Nonetheless, this is how Chocolatey, PsGet, and even Homebrew bootstrap themselves. In any case, one should always approach code with caution (i.e. curl first without the iex).
Normal
(new-object net.webclient).DownloadString('https://site.contoso.local/bootstrap-thing.ps1')|iex
NTLM
$wc=new-object net.webclient;$wc.UseDefaultCredentials=$true;$wc.DownloadString('https://site.contoso.local/windowsAuth/bootstrap-thang.ps1')|iex
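The "curl first without the iex" advice above, as an added example that is not part of the original repository: the script is downloaded as bytes, hashed, and handed to iex only when it matches a SHA-256 value pinned after review. The function name Invoke-VerifiedBootstrap, the placeholder hash, the review file name and the UTF-8 encoding are assumptions; the URL is the sample from the NTLM one-liner.

```powershell
# Added example (hypothetical helper, not from the original repo).
function Invoke-VerifiedBootstrap {
    param(
        [Parameter(Mandatory)] [uri]    $Url,
        [Parameter(Mandatory)] [string] $ExpectedSha256   # hash of the copy you reviewed
    )
    if ($Url.Scheme -ne 'https') { throw "Refusing non-HTTPS URL: $Url" }

    $wc = New-Object Net.WebClient
    $wc.UseDefaultCredentials = $true    # Windows auth, as in the NTLM one-liner
    try {
        # Fetch raw bytes so the hash covers exactly what the server sent.
        $bytes = $wc.DownloadData($Url)
    } finally { $wc.Dispose() }

    $sha = [Security.Cryptography.SHA256]::Create()
    try {
        $actual = -join ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
    } finally { $sha.Dispose() }

    if ($actual -ne $ExpectedSha256) {   # -ne is case-insensitive for strings
        # Keep the unexpected content for inspection instead of running it.
        $review = Join-Path $env:TEMP 'bootstrap-review.ps1.txt'
        [IO.File]::WriteAllBytes($review, $bytes)
        throw "Hash mismatch (got $actual). Saved to $review; nothing was executed."
    }

    # Assumption: the script is UTF-8; drop a leading BOM before evaluation.
    $script = [Text.Encoding]::UTF8.GetString($bytes).TrimStart([char]0xFEFF)
    Invoke-Expression $script
}

# Placeholder hash: replace with the SHA-256 of the script version you reviewed.
Invoke-VerifiedBootstrap `
    -Url 'https://site.contoso.local/windowsAuth/bootstrap-thang.ps1' `
    -ExpectedSha256 '<SHA256-OF-REVIEWED-SCRIPT>'
```

With the placeholder left in place the call always stops at the mismatch branch, which leaves the downloaded script on disk for a first read before anything runs.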
- Use .\setup-urlAuthorization-WindowsAuth.ps1 to
  - Install URL Authorization feature (Web-Url-Auth)
  - Configure authenticatedUserOverride in your appHostConfig -- otherwise you have to grant authenticating users NTFS permissions (see link)
- In your site's top web.config, ensure you add MIME maps for at least .ps1 -- if not for .7z, etc.
You can use .\enable-windowsAuthOnSitePath.ps1 to set up your appHostConfig for your site path as such:
- Disable Anonymous authentication
- Enable Windows authentication
- Clear existing Windows Auth Providers
- Add NTLM provider
However, how you set up that portion (even via the GUI) is up to you.
An example of setting up restrictions via URL authorization rules against AD is in site\windowsAuth\web.config