IIS Website Deployment Checklist: A Practical Guide for Windows System Administrators
IIS Website Deployment
Checklist: A Practical Guide for Windows System Administrators
Introduction
Deploying a website on
Microsoft Internet Information Services (IIS) involves more than copying
application files to a server. Incorrect application-pool settings, missing
permissions, firewall restrictions, or an incomplete SSL configuration can
cause errors such as HTTP 403, HTTP 404, HTTP 500.19, and HTTP
503.
This practical checklist
explains how to deploy an application securely on IIS and verify that it is
ready for production.
Prerequisites
Before deployment, confirm
that you have:
- A supported Windows Server version
- Administrator access to the server
- The application deployment package
- Required .NET or hosting runtime
- Database connection details
- DNS record information
- A valid SSL certificate
- A tested backup and rollback plan
Step 1: Install the
Required IIS Components
Open Server Manager → Add
Roles and Features, then install:
- Web Server (IIS)
- IIS Management Console
- Static Content
- Default Document
- HTTP Errors
- HTTP Logging
- Request Filtering
- Windows Authentication, if required
- ASP.NET and .NET Extensibility, if
required
- WebSocket Protocol, if required by the
application
Verify IIS installation by
opening:
http://localhost
The default IIS page should
appear.
Step 2: Install the
Correct Application Runtime
Confirm which runtime the
application requires.
Examples include:
- .NET Framework 4.8 or 4.8.1
- ASP.NET Core Hosting Bundle
- PHP
- Java Runtime Environment
- Microsoft Visual C++ Redistributable
For ASP.NET Core
applications, installing only the .NET runtime may not be enough. The server
generally requires the appropriate ASP.NET Core Hosting Bundle for IIS
integration.
Restart IIS after installing
the required components:
iisreset
Use this command during an
approved maintenance window because it restarts all IIS websites.
Step 3: Prepare the
Deployment Directory
Create a dedicated folder for
the application:
D:\Websites\CompanyPortal
Recommended practices:
- Avoid deploying directly under a user
profile.
- Keep application and log folders separate.
- Do not store passwords in scripts or text
files.
- Remove test files before production
deployment.
- Keep a copy of the previously working
release.
Example structure:
D:\Websites\CompanyPortal
├── Application
├── Logs
├── Backup
└── Certificates
Restrict access to the
certificate folder and avoid storing exported private keys unnecessarily.
Step 4: Create a Dedicated
Application Pool
Open IIS Manager →
Application Pools → Add Application Pool.
Configure:
- A descriptive application-pool name
- The correct .NET CLR version
- Integrated pipeline mode, unless the
application requires Classic
- 64-bit or 32-bit mode according to
application dependencies
- A dedicated service account when required
For ASP.NET Core applications
hosted with the IIS module, select:
No Managed Code
Avoid placing unrelated
production applications in the same application pool. Separate pools improve
security and prevent one application failure from affecting another.
Step 5: Configure Folder
Permissions
The application-pool identity
needs permission to read the application files.
Grant permission to:
IIS AppPool\CompanyPortalPool
Typical permissions are:
- Read and Execute for application files
- Modify for application-generated logs
- Modify for upload folders, when required
Do not grant Everyone:
Full Control. Give only the permissions required by the application.
Example command:
icacls
"D:\Websites\CompanyPortal\Application" /grant "IIS
AppPool\CompanyPortalPool:(OI)(CI)RX"
For a log directory that
requires write access:
icacls
"D:\Websites\CompanyPortal\Logs" /grant "IIS
AppPool\CompanyPortalPool:(OI)(CI)M"
Step 6: Create the Website
in IIS
In IIS Manager:
- Right-click Sites.
- Select Add Website.
- Enter the site name.
- Select the application pool.
- Enter the physical path.
- Configure the IP address, port, and
hostname.
- Start the website.
Example HTTP binding:
Type: http
Port: 80
Hostname: portal.example.com
Use a unique hostname when
several websites share the same server and IP address.
Step 7: Configure DNS
Create the appropriate DNS
record:
- Use an A record to map the hostname
to an IP address.
- Use a CNAME record to map an alias
to another hostname.
Test name resolution:
nslookup portal.example.com
The result should return the
correct server or load-balancer IP address.
If the site is internal,
create the record in the organization’s internal DNS zone. Public websites also
require the appropriate public DNS record.
Step 8: Install and Bind
the SSL Certificate
Import the certificate
through:
IIS Manager → Server
Certificates → Import
Then edit the website
bindings and add:
Type: https
Port: 443
Hostname: portal.example.com
SSL certificate:
portal.example.com
Enable Server Name
Indication (SNI) when multiple HTTPS websites share the same IP address.
Verify that:
- The certificate hostname matches the
website.
- The certificate has not expired.
- The complete certificate chain is trusted.
- The certificate includes a private key.
- HTTPS opens without browser warnings.
Step 9: Redirect HTTP to
HTTPS
After confirming that HTTPS
works, configure HTTP redirection.
A URL Rewrite example is:
<rule name="Redirect
to HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off"
ignoreCase="true" />
</conditions>
<action type="Redirect"
url="https://{HTTP_HOST}/{R:1}"
redirectType="Permanent" />
</rule>
Test the redirect carefully
before applying it in production. Incorrect rewrite rules can cause redirect
loops.
Step 10: Configure the
Windows Firewall
Allow only the ports required
by the application.
New-NetFirewallRule `
-DisplayName "IIS HTTPS" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 443 `
-Action Allow
Do not expose database ports
to the internet. Communication between the IIS server and database server
should be restricted to trusted network paths.
Step 11: Protect
Configuration and Connection Strings
Production configuration
commonly contains:
- Database server names
- Database credentials
- API keys
- SMTP settings
- External service URLs
Recommended controls include:
- Use a dedicated database account.
- Grant only the required database
privileges.
- Keep secrets outside the application
repository.
- Restrict access to configuration files.
- Use encrypted secret-management solutions
where available.
- Never use a database administrator account
as the application login.
Step 12: Enable Logging
IIS logging is available
under:
C:\inetpub\logs\LogFiles
Also configure a separate
application-log directory where supported.
Monitor:
- HTTP status codes
- Application exceptions
- Failed authentication
- Database connection failures
- Application-pool crashes
- Long-running requests
For detailed IIS errors,
review:
- IIS logs
- Windows Application event log
- Failed Request Tracing
- Application-specific logs
Avoid enabling detailed
errors for remote production users because they may expose sensitive technical
information.
Step 13: Perform
Production Validation
Test the application using a
normal user account, not only an administrator account.
Verify:
- Homepage accessibility
- Login and logout
- Role-based access
- Database connectivity
- File uploads and downloads
- Email notifications
- Reports and exports
- Session timeout
- HTTPS redirection
- Backup jobs
- Application logs
- Access from the required networks
Ask the application owner to
complete user acceptance testing before final sign-off.
Common IIS Errors and
Solutions
|
Error |
Likely Cause |
Recommended Check |
|
HTTP 403 |
Permission or
authentication issue |
Check NTFS rights, default
documents and authentication |
|
HTTP 404 |
File, route or handler
unavailable |
Verify deployment path, URL
and IIS features |
|
HTTP 500.19 |
Invalid configuration |
Review web.config and
installed IIS modules |
|
HTTP 500.30 |
ASP.NET Core failed to
start |
Review application and
Event Viewer logs |
|
HTTP 503 |
Application pool stopped |
Check pool identity,
crashes and Rapid-Fail Protection |
|
SSL warning |
Certificate problem |
Verify hostname, expiry
date and certificate chain |
|
Database login failed |
Connection or permission
issue |
Verify the connection
string, firewall and DB account |
Deployment Rollback Plan
Before releasing a new
version:
- Back up the current application files.
- Back up the database when schema changes
are involved.
- Export the IIS configuration.
- Record the current application-pool
settings.
- Document the rollback commands.
- Confirm who is authorized to approve
rollback.
If validation fails, restore
the last working release and investigate the problem outside the production
environment.
Final Production Checklist
- Application files backed up
- Database backup verified
- Correct runtime installed
- Dedicated application pool configured
- NTFS permissions validated
- DNS record resolving correctly
- SSL certificate installed and trusted
- HTTP redirected to HTTPS
- Firewall rules restricted
- Application logs enabled
- Database connectivity tested
- Authentication and authorization tested
- Monitoring configured
- Rollback procedure documented
- Application owner approval received
Conclusion
A successful IIS deployment
depends on preparation, security, validation, and documentation. Using a
dedicated application pool, applying minimum folder permissions, protecting
connection strings, enabling HTTPS, and maintaining a tested rollback plan will
significantly reduce deployment failures.
This checklist can be reused
for every UAT and production deployment to provide a consistent, secure, and
auditable release process.
Meta Description
Learn how to deploy a website
securely on Microsoft IIS with this practical checklist covering application
pools, permissions, DNS, SSL certificates, firewall rules, logging, testing,
troubleshooting, and rollback planning.
Tags
- IIS
- Windows Server
- Web Deployment
- SSL Certificate
- System Administration
Comments
Post a Comment