JonnyG

Reputation: 759

Using Powershell to Manipulate IP Restrictions on IIsWebVirtualDir

Having trouble using Powershell to manipulate IP Restrictions on IIsWebVirtualDir (Virtual Directories).

However, I have the code to do this in VBS, so hopefully this will be a simple matter to get help with :)

Code in VBS:

 Sub Add2IPRList(WebsiteADSI, strIP2Add, strIP2AddSubnet)
    Set WebRootObj = GetObject(WebsiteADSI) '"IIS://localhost/W3SVC/2/ROOT/TestVDIR"
    set IPSecObj = WebRootObj.IPSecurity
    If(IPSecObj.GrantByDefault)then
        IPList = IPSecObj.IPDeny
    Else
        IPList = IPSecObj.IPGrant
    End If

    ReDim Preserve IPList (Ubound(IPList)+1)     'resize local copy of IPList array to CurrentSize+1
    IPList(Ubound(IPList))=strIP2Add&","&strIP2AddSubnet     'add the entry to the end of the array


    If(IPSecObj.GrantByDefault)then
        IPSecObj.IPDeny = IPList
    Else
        IPSecObj.IPGrant = IPList
    End If

    WebRootObj.IPSecurity = IPSecObj
    WebRootObj.SetInfo        'apply the settings on the server.
    set IPSecObj = Nothing
    set WebRootObj = Nothing    
End Sub

Attempt 1 in Powershell: The object returns, but is of a strange type.

PS C:\> $vdir=[adsi]"IIS://localhost/W3SVC/2/ROOT/TestVDIR";([adsi]$vdir).IPSecurity;
System.__ComObject

Attempt 2 in Powershell: The object doesn't return

PS C:\> $VDir = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebVirtualDir | where {($_.name).contains("TestVDIR")};$VDir.IPSecurity;
PS C:\> 

Anyone know how to either 1) deal with the System.__ComObject when using ADSI in Powershell or 2) have any idea how to work with the IPSecurity object in IIS6 via the WMI provider in Powershell?

Additionally:

I found a way to pull and modify the IIsIPSecuritySetting object associated with W3SVC/2/ROOT/TestVDIR by using the following code.

param([string]$computer, [string]$W3SVCPath, [string]$strIP2Add, [string]$strIP2AddSubnet)
<# $W3SVCPath = "W3SVC/2/ROOT/TestVDir" #>;
$IPSecurity = Get-WmiObject -Authentication PacketPrivacy -class IIsIPSecuritySetting -computername $computer -namespace 'root\MicrosoftIISv2' | where {($_.name).equals("$W3SVCPath")};
if($IPSecurity.GrantByDefault){$GD="Deny"}else{$GD="Grant"}
if($IPSecurity.GrantByDefault){$IPList=$IPSecurity.IPDeny;}else{$IPList=$IPSecurity.IPGrant;};
"IPSecurity.GrantByDefault=$GD($IPList)";
$IPList=$IPList+"$strIP2Add, $strIP2AddSubnet";
if($IPSecurity.GrantByDefault){$IPSecurity.IPDeny=$IPList;}else{$IPSecurity.IPGrant=$IPList;};
if($IPSecurity.GrantByDefault){$IPList=$IPSecurity.IPDeny;}else{$IPList=$IPSecurity.IPGrant;};
"($IPList)";

I can't seem to find a way to SET the object back to the metabase so it will apply the change. In VBS the IPSecurity object was always referenced directly within the WebRootObj and thus the .setInfo() function was used. However, as we're going for the WMI Object class directly, and the references are set within the object itself, I can't seem to find a function that will set it within the IIsIPSecuritySettings class.

Since I can't find a reference to the IPSecurity property/object within the WebRootObj when using "Attempt 2 in Powershell" above, which uses WMI, I'm not sure which direction to move in next.

Any thoughts?

Upvotes: 3

Views: 3859

Answers (1)

Kev

Reputation: 119816

This can be tricky but is doable using System.DirectoryServices. I'll give you two examples, one to set the value of GrantByDefault to true or false, the other to show you how to add IP addresses to the IPDeny or IPGrant list.

1. Set GrantByDefault value

$iisObject = new-object System.DirectoryServices.DirectoryEntry("IIS://localhost/W3SVC/2/ROOT/TestVDIR")
$ipSec = $iisObject.Properties["IPSecurity"].Value

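# We need to pass values as one element object arrays
[Object[]] $grantByDefault = @()
$grantByDefault += , $false            # <<< We're setting it to false

# InvokeMember needs binding flags that select a property setter
$bindingFlags = [Reflection.BindingFlags] "Public, Instance, SetProperty"
$ipSec.GetType().InvokeMember("GrantByDefault", $bindingFlags, $null, $ipSec, $grantByDefault);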

$iisObject.Properties["IPSecurity"].Value = $ipSec
$iisObject.CommitChanges()

2. Add an IP address to the IPDeny or IPGrant lists

$iisObject = new-object System.DirectoryServices.DirectoryEntry("IIS://localhost/W3SVC/2/ROOT/TestVDIR")
$ipSec = $iisObject.Properties["IPSecurity"].Value
$bindingFlags = [Reflection.BindingFlags] "Public, Instance, GetProperty"
$isGrantByDefault = $ipSec.GetType().InvokeMember("GrantByDefault", $bindingFlags, $null, $ipSec, $null);

# to set an iplist we need to get it first
if($isGrantByDefault)
{
    $ipList = $ipSec.GetType().InvokeMember("IPDeny", $bindingFlags, $null, $ipSec, $null);
}
else
{
    $ipList = $ipSec.GetType().InvokeMember("IPGrant", $bindingFlags, $null, $ipSec, $null);
}

# Add a single computer to the list:
$ipList = $ipList + "10.0.0.1, 255.255.255.255"

# This is important, we need to pass an object array of one element containing our ipList array
[Object[]] $ipArray = @()
$ipArray += , $ipList

# Now update
$bindingFlags = [Reflection.BindingFlags] "Public, Instance, SetProperty"
if($isGrantByDefault)
{
    $ipList = $ipSec.GetType().InvokeMember("IPDeny", $bindingFlags, $null, $ipSec, $ipArray);
}
else
{
    $ipList = $ipSec.GetType().InvokeMember("IPGrant", $bindingFlags, $null, $ipSec, $ipArray);
}

$iisObject.Properties["IPSecurity"].Value = $ipSec
$iisObject.CommitChanges()

This was tested with PowerShell 2.0 on Windows 2003.

Hopefully not too late to save your day.

Upvotes: 5
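
An input check that can sit in front of the append step in the answer above (added example, not part of the original answer or of IIS; the function names ConvertTo-IPv4Long and Add-IPSecurityEntry are hypothetical and the sample list is constructed). It validates the address and mask, refuses a mask that is not a contiguous run of 1 bits, and skips entries already on the list, so re-running the script does not fill IPDeny/IPGrant with duplicates.

```powershell
# Added example: pure helpers, no IIS access needed. The "ip, mask" entry
# format is the one used in the answer above.
function ConvertTo-IPv4Long([string]$Text) {
    # Require dotted-quad form; a looser parser would accept "10" as 0.0.0.10.
    if (-not ($Text -match '^\s*(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\s*$')) {
        throw "Not a dotted-quad IPv4 value: '$Text'"
    }
    [long]$value = 0
    foreach ($i in 1..4) {
        $octet = [int]$Matches[$i]
        if ($octet -gt 255) { throw "Octet out of range in '$Text'" }
        $value = $value * 256 + $octet
    }
    return $value
}

function Add-IPSecurityEntry {
    param([object[]]$List, [string]$Address, [string]$Mask)

    $null = ConvertTo-IPv4Long $Address          # throws on a malformed address
    $maskBits = [Convert]::ToString((ConvertTo-IPv4Long $Mask), 2).PadLeft(32, '0')
    # Helper policy (assumption): the mask must be 1 bits followed by 0 bits,
    # with at least one 1 bit, so 0.0.0.0 and masks like 255.0.255.0 are refused.
    if ($maskBits -notmatch '^1+0*$') { throw "Refusing subnet mask '$Mask'" }

    $current = @($List | Where-Object { $_ })    # tolerate $null or an empty list
    $entry   = '{0}, {1}' -f $Address.Trim(), $Mask.Trim()

    # Compare with whitespace stripped so "a,b" and "a, b" count as the same entry.
    $seen = @($current | ForEach-Object { $_ -replace '\s', '' })
    if ($seen -contains ($entry -replace '\s', '')) { return ,$current }
    return ,($current + $entry)
}

# Constructed sample standing in for the array read from IPDeny or IPGrant.
$sample  = @('192.168.10.0, 255.255.255.0')
$updated = Add-IPSecurityEntry -List $sample  -Address '10.0.0.1' -Mask '255.255.255.255'
$updated = Add-IPSecurityEntry -List $updated -Address '10.0.0.1' -Mask '255.255.255.255'
$updated                                         # second call adds nothing

# A swapped or malformed mask is rejected before anything is written.
try { Add-IPSecurityEntry -List $updated -Address '10.0.0.2' -Mask '255.0.255.0' }
catch { "Rejected: $($_.Exception.Message)" }
```

In the answer's second script the helper would replace the line that appends "10.0.0.1, 255.255.255.255" to $ipList; the rest of the get, set and CommitChanges sequence stays the same.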
