Adventures of a wannabe geek!

Ranting within

IIS Administration Application

One of the first things i had to do when i got to my new company was to build an application that would allow the remote restart of a web application. After much searching to find the correct thing i found the use of DirectoryEntry

In order to use it i had to import the name space:

using System.DirectoryServices;

This meant that i was able to access the correct part of AD in order to call the correct method that could tell me what the correct status of the app was and also to change the status to another state.

 

The first method i used was InvokeGet - this took an application pool path and then returned an int that was the state of that application pool. the app pool path was made up as follows:

var appPoolPath = String.Format(@"IIS://{0}/W3SVC/AppPools/{1}", 
                                 Environment.MachineName, 
                                 ConfigurationManager.AppSettings["applicationPoolName"]);

using this path we could then call a method as follows:

DirectoryEntry w3svc = new DirectoryEntry(appPoolPath);
var currentStatus = (int)w3svc.InvokeGet("AppPoolState");

the int returned could then be deciphered to get the current status. If the int was 2 then the app pool is “running”, if the int was “4” then the app pool was stopped. i only checked for those 2 states and made the default be state “unknown”.

 

this meant that as we have the current state then we could then decide was was available to do and what not to do. By using a different method and passing in the command name and app pool name could we then change is state.

var appPoolPath = String.Format(@"IIS://{0}/W3SVC/AppPools/{1}", 
                                 Environment.MachineName, 
                                 ConfigurationManager.AppSettings["applicationPoolName"]);
var command = "start";
DirectoryEntry w3svc = new DirectoryEntry(appPoolPath);
w3svc.Invoke(command, null);

We are passing in null as there are no parameters that i needed to go with this. But it can accept a [] of args if needed. We can call stop in exactly the same way.

 

So whats the point of this post ihear you ask?? Well there are certain conditions that you can run this application under. The main one is that the user that the application pool needs to run under needs to be a local machine administration in order to interact with AD. this of course will not be a good thing to do on a live webserver - so what are the alternatives?

 

Nada, nothing, zilch! This is needed and the only way you can stop attacks on the server is possibly to run this under basic IIS authentication within an IP range and a known user with a ridiculously difficult password. I only discovered all of this after i had actually written the little application and this idea has since been trashed!

 

So back to remoting into the webserver for IIS application pool crashes! c’est la vie!