Overview

This extension contains a release task that will apply security on your deployed web app (IIS) through the use of msdeploy.

Prerequisites

This extension supports Azure DevOps Server 2019 and Azure Devops Online. This extension in the end is execute only on a windows machine with IIS on it. This extension requires the pre install of MS Deploy V3. If you install it without changing anything the default install location is C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe If msdeploy is not there this extension won't work.

Basic Knowledge

This whole process is based on the following microsoft article where we will send setacl command to the IIS website in order to apply 1 or more securing actions after the application is deployed.

https://docs.microsoft.com/en-us/iis/develop/windows-web-application-gallery/package-an-application-for-the-windows-web-application-gallery

Out of the box once reinstalling a web application by 'IIS web app deploy' all previously set security on files and or subfolders is removed and reverted back to default security applied on the root directory of the web application.

This extension will apply custom security after installing your application should you have the need to do so.

How to use

After installing the extension, you can add 1 task named 'IIS web app Secure' to a new or existing release definition.

It is important that this task is added to a deployment group since this has to execute on the machine where it is deployed

Once you've added the 'IIS web app secure' you should have the following:

Depending on your release process you might have to repeat that for each stage of the release process that you want to have that executed.

You might also create a task group that regroups multiple actions and is used inside multiple staging groups.

Once you've added the task to your Release pipeline you need to configure your individual task.

Inside your task configuration you have 4 parameters to configure. Those 4 parameters are transmitted to msdeploy.

Parameters:

• Destination
• Choose Resource Type
• UserName
• Access to grant

Destination to Secure

This is the location of where you want to apply the security. This can be a parameter that is filled in a task group later or this can be the name of the site. ex:

• $(DeployIISSiteName)\log
• www.mysite.org
• www.mysite.org\data.

As long as msdeploy accepts it and the structure exists on the web server the security will be applied.

Choose Resource Type

Here you need to choose wheither you want to secure a file or directory.

User Name

The User to grant the security. ex:

• apppoolidentityuser.
• anonymousAuthenticationUser.

Access to grand:

The righte to give to the user. ex:

• Read
• Write
• Modify
• FullControl

Complex scenarios

Should multiple users require different access, then just add a second task with the new access to apply.

Target

The goal of this add-in is to automate custom security upon deploy in an automated way.

Version History

Version 1.0 Initial Version