IIS Website Deployment Checklist: A Practical Guide for Windows System Administrators

 

IIS Website Deployment Checklist: A Practical Guide for Windows System Administrators

Introduction

Deploying a website on Microsoft Internet Information Services (IIS) involves more than copying application files to a server. Incorrect application-pool settings, missing permissions, firewall restrictions, or an incomplete SSL configuration can cause errors such as HTTP 403, HTTP 404, HTTP 500.19, and HTTP 503.

This practical checklist explains how to deploy an application securely on IIS and verify that it is ready for production.


Prerequisites

Before deployment, confirm that you have:

  • A supported Windows Server version
  • Administrator access to the server
  • The application deployment package
  • Required .NET or hosting runtime
  • Database connection details
  • DNS record information
  • A valid SSL certificate
  • A tested backup and rollback plan

Step 1: Install the Required IIS Components

Open Server Manager → Add Roles and Features, then install:

  • Web Server (IIS)
  • IIS Management Console
  • Static Content
  • Default Document
  • HTTP Errors
  • HTTP Logging
  • Request Filtering
  • Windows Authentication, if required
  • ASP.NET and .NET Extensibility, if required
  • WebSocket Protocol, if required by the application

Verify IIS installation by opening:

http://localhost

The default IIS page should appear.


Step 2: Install the Correct Application Runtime

Confirm which runtime the application requires.

Examples include:

  • .NET Framework 4.8 or 4.8.1
  • ASP.NET Core Hosting Bundle
  • PHP
  • Java Runtime Environment
  • Microsoft Visual C++ Redistributable

For ASP.NET Core applications, installing only the .NET runtime may not be enough. The server generally requires the appropriate ASP.NET Core Hosting Bundle for IIS integration.

Restart IIS after installing the required components:

iisreset

Use this command during an approved maintenance window because it restarts all IIS websites.


Step 3: Prepare the Deployment Directory

Create a dedicated folder for the application:

D:\Websites\CompanyPortal

Recommended practices:

  • Avoid deploying directly under a user profile.
  • Keep application and log folders separate.
  • Do not store passwords in scripts or text files.
  • Remove test files before production deployment.
  • Keep a copy of the previously working release.

Example structure:

D:\Websites\CompanyPortal

├── Application

├── Logs

├── Backup

└── Certificates

Restrict access to the certificate folder and avoid storing exported private keys unnecessarily.


Step 4: Create a Dedicated Application Pool

Open IIS Manager → Application Pools → Add Application Pool.

Configure:

  • A descriptive application-pool name
  • The correct .NET CLR version
  • Integrated pipeline mode, unless the application requires Classic
  • 64-bit or 32-bit mode according to application dependencies
  • A dedicated service account when required

For ASP.NET Core applications hosted with the IIS module, select:

No Managed Code

Avoid placing unrelated production applications in the same application pool. Separate pools improve security and prevent one application failure from affecting another.


Step 5: Configure Folder Permissions

The application-pool identity needs permission to read the application files.

Grant permission to:

IIS AppPool\CompanyPortalPool

Typical permissions are:

  • Read and Execute for application files
  • Modify for application-generated logs
  • Modify for upload folders, when required

Do not grant Everyone: Full Control. Give only the permissions required by the application.

Example command:

icacls "D:\Websites\CompanyPortal\Application" /grant "IIS AppPool\CompanyPortalPool:(OI)(CI)RX"

For a log directory that requires write access:

icacls "D:\Websites\CompanyPortal\Logs" /grant "IIS AppPool\CompanyPortalPool:(OI)(CI)M"


Step 6: Create the Website in IIS

In IIS Manager:

  1. Right-click Sites.
  2. Select Add Website.
  3. Enter the site name.
  4. Select the application pool.
  5. Enter the physical path.
  6. Configure the IP address, port, and hostname.
  7. Start the website.

Example HTTP binding:

Type: http

Port: 80

Hostname: portal.example.com

Use a unique hostname when several websites share the same server and IP address.


Step 7: Configure DNS

Create the appropriate DNS record:

  • Use an A record to map the hostname to an IP address.
  • Use a CNAME record to map an alias to another hostname.

Test name resolution:

nslookup portal.example.com

The result should return the correct server or load-balancer IP address.

If the site is internal, create the record in the organization’s internal DNS zone. Public websites also require the appropriate public DNS record.


Step 8: Install and Bind the SSL Certificate

Import the certificate through:

IIS Manager → Server Certificates → Import

Then edit the website bindings and add:

Type: https

Port: 443

Hostname: portal.example.com

SSL certificate: portal.example.com

Enable Server Name Indication (SNI) when multiple HTTPS websites share the same IP address.

Verify that:

  • The certificate hostname matches the website.
  • The certificate has not expired.
  • The complete certificate chain is trusted.
  • The certificate includes a private key.
  • HTTPS opens without browser warnings.

Step 9: Redirect HTTP to HTTPS

After confirming that HTTPS works, configure HTTP redirection.

A URL Rewrite example is:

<rule name="Redirect to HTTPS" stopProcessing="true">

  <match url="(.*)" />

  <conditions>

    <add input="{HTTPS}" pattern="off" ignoreCase="true" />

  </conditions>

  <action type="Redirect"

          url="https://{HTTP_HOST}/{R:1}"

          redirectType="Permanent" />

</rule>

Test the redirect carefully before applying it in production. Incorrect rewrite rules can cause redirect loops.


Step 10: Configure the Windows Firewall

Allow only the ports required by the application.

New-NetFirewallRule `

  -DisplayName "IIS HTTPS" `

  -Direction Inbound `

  -Protocol TCP `

  -LocalPort 443 `

  -Action Allow

Do not expose database ports to the internet. Communication between the IIS server and database server should be restricted to trusted network paths.


Step 11: Protect Configuration and Connection Strings

Production configuration commonly contains:

  • Database server names
  • Database credentials
  • API keys
  • SMTP settings
  • External service URLs

Recommended controls include:

  • Use a dedicated database account.
  • Grant only the required database privileges.
  • Keep secrets outside the application repository.
  • Restrict access to configuration files.
  • Use encrypted secret-management solutions where available.
  • Never use a database administrator account as the application login.

Step 12: Enable Logging

IIS logging is available under:

C:\inetpub\logs\LogFiles

Also configure a separate application-log directory where supported.

Monitor:

  • HTTP status codes
  • Application exceptions
  • Failed authentication
  • Database connection failures
  • Application-pool crashes
  • Long-running requests

For detailed IIS errors, review:

  • IIS logs
  • Windows Application event log
  • Failed Request Tracing
  • Application-specific logs

Avoid enabling detailed errors for remote production users because they may expose sensitive technical information.


Step 13: Perform Production Validation

Test the application using a normal user account, not only an administrator account.

Verify:

  • Homepage accessibility
  • Login and logout
  • Role-based access
  • Database connectivity
  • File uploads and downloads
  • Email notifications
  • Reports and exports
  • Session timeout
  • HTTPS redirection
  • Backup jobs
  • Application logs
  • Access from the required networks

Ask the application owner to complete user acceptance testing before final sign-off.


Common IIS Errors and Solutions

Error

Likely Cause

Recommended Check

HTTP 403

Permission or authentication issue

Check NTFS rights, default documents and authentication

HTTP 404

File, route or handler unavailable

Verify deployment path, URL and IIS features

HTTP 500.19

Invalid configuration

Review web.config and installed IIS modules

HTTP 500.30

ASP.NET Core failed to start

Review application and Event Viewer logs

HTTP 503

Application pool stopped

Check pool identity, crashes and Rapid-Fail Protection

SSL warning

Certificate problem

Verify hostname, expiry date and certificate chain

Database login failed

Connection or permission issue

Verify the connection string, firewall and DB account


Deployment Rollback Plan

Before releasing a new version:

  1. Back up the current application files.
  2. Back up the database when schema changes are involved.
  3. Export the IIS configuration.
  4. Record the current application-pool settings.
  5. Document the rollback commands.
  6. Confirm who is authorized to approve rollback.

If validation fails, restore the last working release and investigate the problem outside the production environment.


Final Production Checklist

  • Application files backed up
  • Database backup verified
  • Correct runtime installed
  • Dedicated application pool configured
  • NTFS permissions validated
  • DNS record resolving correctly
  • SSL certificate installed and trusted
  • HTTP redirected to HTTPS
  • Firewall rules restricted
  • Application logs enabled
  • Database connectivity tested
  • Authentication and authorization tested
  • Monitoring configured
  • Rollback procedure documented
  • Application owner approval received

Conclusion

A successful IIS deployment depends on preparation, security, validation, and documentation. Using a dedicated application pool, applying minimum folder permissions, protecting connection strings, enabling HTTPS, and maintaining a tested rollback plan will significantly reduce deployment failures.

This checklist can be reused for every UAT and production deployment to provide a consistent, secure, and auditable release process.


Meta Description

Learn how to deploy a website securely on Microsoft IIS with this practical checklist covering application pools, permissions, DNS, SSL certificates, firewall rules, logging, testing, troubleshooting, and rollback planning.

Tags

  • IIS
  • Windows Server
  • Web Deployment
  • SSL Certificate
  • System Administration

 

Comments

Popular posts from this blog

IIS Installation and Application configuration windows swerver

IIS Self Signed

Here’s a step-by-step guide on configuring WDS on Windows Server