Using Powershell to Manage IP Restrictions on IIsWebVirtualDir

Cannot use Powershell to manage IP restrictions on IIsWebVirtualDir (virtual directories).

However, I have code for this in VBS, so hopefully this will be a simple question to get help :)

Code in VBS:

    Sub Add2IPRList(WebsiteADSI, strIP2Add, strIP2AddSubnet)
        Set WebRootObj = GetObject(WebsiteADSI) '"IIS://localhost/W3SVC/2/ROOT/TestVDIR"
        Set IPSecObj = WebRootObj.IPSecurity
        If (IPSecObj.GrantByDefault) Then
            IPList = IPSecObj.IPDeny
        Else
            IPList = IPSecObj.IPGrant
        End If
        ReDim Preserve IPList(UBound(IPList) + 1) 'resize local copy of IPList array to CurrentSize+1
        IPList(UBound(IPList)) = strIP2Add & "," & strIP2AddSubnet 'add the entry to the end of the array
        If (IPSecObj.GrantByDefault) Then
            IPSecObj.IPDeny = IPList
        Else
            IPSecObj.IPGrant = IPList
        End If
        WebRootObj.IPSecurity = IPSecObj
        WebRootObj.SetInfo 'apply the settings on the server.
        Set IPSecObj = Nothing
        Set WebRootObj = Nothing
    End Sub

Powershell Attempt 1: The object is returned, but has a strange type.

    PS C:\> $vdir=[adsi]"IIS://localhost/W3SVC/2/ROOT/TestVDIR";([adsi]$vdir).IPSecurity;
    System.__ComObject

Powershell Attempt 2: Object Not Returning

    PS C:\> $VDir = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebVirtualDir |where {($_.name).contains("TestVDIR")};$VDir.IPSecurity;
    PS C:\>

Does anyone know how to 1) deal with the System.__ComObject when using ADSI in Powershell or 2) have ideas how to work with the IPSecurity object in IIS6 through the WMI provider in Powershell?

Additionally:

I found a way to pull and modify the IIsIPSecuritySetting object associated with W3SVC/2/ROOT/TestVDIR using the following code.

    param([string]$computer, [string]$W3SVCPath, [string]$strIP2Add, [string]$strIP2AddSubnet)
    <# $W3SVCPath = "W3SVC/2/ROOT/TestVDir" #>
    $IPSecurity = Get-WmiObject -Authentication PacketPrivacy -class IIsIPSecuritySetting -computername $computer -namespace 'root\MicrosoftIISv2' | where {($_.name).equals("$W3SVCPath")};
    if($IPSecurity.GrantByDefault){$GD="Deny"}else{$GD="Grant"}
    if($IPSecurity.GrantByDefault){$IPList=$IPSecurity.IPDeny;}else{$IPList=$IPSecurity.IPGrant;};
    "IPSecurity.GrantByDefault=$GD($IPList)";
    $IPList=$IPList+"$strIP2Add, $strIP2AddSubnet";
    if($IPSecurity.GrantByDefault){$IPSecurity.IPDeny=$IPList;}else{$IPSecurity.IPGrant=$IPList;};
    if($IPSecurity.GrantByDefault){$IPList=$IPSecurity.IPDeny;}else{$IPList=$IPSecurity.IPGrant;};
    "($IPList)";

It seems I can’t find a way to return the object to the metabase so that it applies this change. In VBS, the IPSecurity object was always referenced directly in WebRootObj and, therefore, the .SetInfo() function was used. However, since we are going directly to the WMI object class and the links are set inside the object itself, I cannot find a function that will install it in the IIsIPSecuritySettings class.

Since I cannot find a reference to the IPSecurity property / object in WebRootObj when using "Powershell Attempt 2" above, which uses WMI, I'm not sure which direction to go next.

Any thoughts?

+2
1 answer

This can be tricky, but it is doable using System.DirectoryServices. I will give two examples: one sets the GrantByDefault value to true or false, and the other shows how to add IP addresses to the IPDeny or IPGrant.

1. Set the value of GrantByDefault

    $iisObject = new-object System.DirectoryServices.DirectoryEntry("IIS://localhost/W3SVC/2/ROOT/TestVDIR")
    $ipSec = $iisObject.Properties["IPSecurity"].Value

    # Flags for setting a property through reflection
    $bindingFlags = [Reflection.BindingFlags] "Public, Instance, SetProperty"

    # We need to pass values as one element object arrays
    [Object[]] $grantByDefault = @()
    $grantByDefault += , $false            # <<< We're setting it to false

    $ipSec.GetType().InvokeMember("GrantByDefault", $bindingFlags, $null, $ipSec, $grantByDefault);

    $iisObject.Properties["IPSecurity"].Value = $ipSec
    $iisObject.CommitChanges()

2. Add an IP Address to the IPDeny or IPGrant

    $iisObject = new-object System.DirectoryServices.DirectoryEntry("IIS://localhost/W3SVC/2/ROOT/TestVDIR")
    $ipSec = $iisObject.Properties["IPSecurity"].Value

    $bindingFlags = [Reflection.BindingFlags] "Public, Instance, GetProperty"
    $isGrantByDefault = $ipSec.GetType().InvokeMember("GrantByDefault", $bindingFlags, $null, $ipSec, $null);

    # to set an iplist we need to get it first
    if($isGrantByDefault)
    {
        $ipList = $ipSec.GetType().InvokeMember("IPDeny", $bindingFlags, $null, $ipSec, $null);
    }
    else
    {
        $ipList = $ipSec.GetType().InvokeMember("IPGrant", $bindingFlags, $null, $ipSec, $null);
    }

    # Add a single computer to the list:
    $ipList = $ipList + "10.0.0.1, 255.255.255.255"

    # This is important, we need to pass an object array of one element containing our ipList array
    [Object[]] $ipArray = @()
    $ipArray += , $ipList

    # Now update
    $bindingFlags = [Reflection.BindingFlags] "Public, Instance, SetProperty"
    if($isGrantByDefault)
    {
        $ipList = $ipSec.GetType().InvokeMember("IPDeny", $bindingFlags, $null, $ipSec, $ipArray);
    }
    else
    {
        $ipList = $ipSec.GetType().InvokeMember("IPGrant", $bindingFlags, $null, $ipSec, $ipArray);
    }

    $iisObject.Properties["IPSecurity"].Value = $ipSec
    $iisObject.CommitChanges()

This has been tested with PowerShell 2.0 in Windows 2003.

Hopefully not too late to save your day.

+5
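
An added example, not part of the original answer: the second snippet above appends to IPDeny or IPGrant depending on GrantByDefault, so the same entry either blocks or allows an address depending on the directory's mode. This wrapper reuses the answer's InvokeMember calls, validates the address and mask, refuses to write when the resulting effect does not match the stated intent, and skips duplicates; the function name `Add-IisIpRestriction` and its `-Intent` parameter are hypothetical.

```powershell
# Added example; Add-IisIpRestriction and -Intent are hypothetical names, not an IIS API.
function Add-IisIpRestriction {
    param(
        [Parameter(Mandatory=$true)][string]$AdsiPath,  # e.g. "IIS://localhost/W3SVC/2/ROOT/TestVDIR"
        [Parameter(Mandatory=$true)][string]$IP,
        [string]$Mask = "255.255.255.255",
        [Parameter(Mandatory=$true)][ValidateSet("Allow","Deny")][string]$Intent
    )
    # Reject anything that is not a dotted-quad IPv4 value before it reaches the metabase.
    $parsed = $null
    foreach ($value in $IP, $Mask) {
        if ($value -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or
            -not [System.Net.IPAddress]::TryParse($value, [ref]$parsed)) {
            throw "Not a valid IPv4 address or mask: '$value'"
        }
    }

    $get   = [Reflection.BindingFlags] "Public, Instance, GetProperty"
    $set   = [Reflection.BindingFlags] "Public, Instance, SetProperty"
    $entry = New-Object System.DirectoryServices.DirectoryEntry($AdsiPath)
    $ipSec = $entry.Properties["IPSecurity"].Value
    $type  = $ipSec.GetType()

    # GrantByDefault = true  -> listed addresses are denied  (IPDeny)
    # GrantByDefault = false -> listed addresses are allowed (IPGrant)
    $grantByDefault = $type.InvokeMember("GrantByDefault", $get, $null, $ipSec, $null)
    if ($grantByDefault) { $listName = "IPDeny";  $effect = "Deny" }
    else                 { $listName = "IPGrant"; $effect = "Allow" }
    if ($effect -ne $Intent) {
        throw "GrantByDefault is $grantByDefault, so this entry would $effect $IP but -Intent is $Intent; nothing changed."
    }

    # Read the current list, dropping null/empty items, and compare ignoring whitespace.
    $current = @($type.InvokeMember($listName, $get, $null, $ipSec, $null) | Where-Object { $_ })
    $normalized = @($current | ForEach-Object { $_ -replace '\s', '' })
    if ($normalized -contains "$IP,$Mask") { return "$listName already contains $IP, $Mask" }

    # Same calling convention as the answer: a one-element object array wrapping the list.
    $newList = $current + "$IP, $Mask"
    [Object[]] $arg = @()
    $arg += , $newList
    [void] $type.InvokeMember($listName, $set, $null, $ipSec, $arg)
    $entry.Properties["IPSecurity"].Value = $ipSec
    $entry.CommitChanges()
    "$listName now has $($newList.Count) entries"
}
```

Called as `Add-IisIpRestriction -AdsiPath "IIS://localhost/W3SVC/2/ROOT/TestVDIR" -IP 10.0.0.1 -Intent Deny`, it throws without committing if the directory is in deny-by-default mode, where the entry would be an allow rule.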

Source: https://habr.com/ru/post/986508/