Using PowerShell to manipulate IP restrictions on an IIsWebVirtualDir

Jon*_*nyG 2 powershell iis-6 powershell-2.0

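I am having trouble using PowerShell to manipulate the IP restrictions on an IIsWebVirtualDir (virtual directory).

However, I have the code to do this in VBS, so hopefully this will be a simple matter to get help with :)

The code in VBS: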

 Sub Add2IPRList(WebsiteADSI, strIP2Add, strIP2AddSubnet)
    Set WebRootObj = GetObject(WebsiteADSI) '"IIS://localhost/W3SVC/2/ROOT/TestVDIR"
    set IPSecObj = WebRootObj.IPSecurity
    If(IPSecObj.GrantByDefault)then
        IPList = IPSecObj.IPDeny
    Else
        IPList = IPSecObj.IPGrant
    End If

    ReDim Preserve IPList (Ubound(IPList)+1)     'resize local copy of IPList array to CurrentSize+1
    IPList(Ubound(IPList))=strIP2Add&","&strIP2AddSubnet     'add the entry to the end of the array


    If(IPSecObj.GrantByDefault)then
        IPSecObj.IPDeny = IPList
    Else
        IPSecObj.IPGrant = IPList
    End If

    WebRootObj.IPSecurity = IPSecObj
    WebRootObj.SetInfo        'apply the settings on the server.
    set IPSecObj = Nothing
    set WebRootObj = Nothing    
End Sub

Attempt 1 in PowerShell: the object is returned, but it is of a strange type.

PS C:\> $vdir=[adsi]"IIS://localhost/W3SVC/2/ROOT/TestVDIR";([adsi]$vdir).IPSecurity;
System.__ComObject

Attempt 2 in PowerShell: the object is not returned.

PS C:\> $VDir = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebVirtualDir | where {($_.name).contains("TestVDIR")};$VDir.IPSecurity;
PS C:\> 

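Does anyone know how to 1) deal with System.__ComObject when using ADSI in PowerShell, or 2) work with the IPSecurity object in IIS6 via the WMI provider in PowerShell?

Additionally:

I found a way to pull and modify the IIsIPSecuritySetting object associated with W3SVC/2/ROOT/TestVDIR using the following code.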

param([string]$computer, [string]$W3SVCPath, [string]$strIP2Add, [string]$strIP2AddSubnet)
<# $W3SVCPath = "W3SVC/2/ROOT/TestVDir" #>;
$IPSecurity = Get-WmiObject -Authentication PacketPrivacy -class IIsIPSecuritySetting -computername $computer -namespace 'root\MicrosoftIISv2' | where {($_.name).equals("$W3SVCPath")};
if($IPSecurity.GrantByDefault){$GD="Deny"}else{$GD="Grant"}
if($IPSecurity.GrantByDefault){$IPList=$IPSecurity.IPDeny;}else{$IPList=$IPSecurity.IPGrant;};
"IPSecurity.GrantByDefault=$GD($IPList)";
$IPList=$IPList+"$strIP2Add, $strIP2AddSubnet";
if($IPSecurity.GrantByDefault){$IPSecurity.IPDeny=$IPList;}else{$IPSecurity.IPGrant=$IPList;};
if($IPSecurity.GrantByDefault){$IPList=$IPSecurity.IPDeny;}else{$IPList=$IPSecurity.IPGrant;};
"($IPList)";

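I can't seem to find a way to set the object back into the metabase so that it will apply the changes. In VBS the IPSecurity object was always referenced directly within the WebRootObj, so the .SetInfo() function was used. However, since we are working directly with the WMI object class, and the references are set within the object itself, I can't seem to find a function that will set it within the IIsIPSecuritySettings class.

Since I cannot find a reference to the IPSecurity property/object within the WebRootObj when using "Attempt 2 in PowerShell" above (using WMI), I'm not sure which direction to move in next.

Any thoughts?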

Kev*_*Kev 5

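This can be tricky, but it is doable using System.DirectoryServices. I'll give two examples: one that sets the value of GrantByDefault to true or false, and another that shows you how to add IP addresses to the IPDeny or IPGrant list.

1. Set the GrantByDefault value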

$iisObject = new-object System.DirectoryServices.DirectoryEntry("IIS://localhost/W3SVC/2/ROOT/TestVDIR")
$ipSec = $iisObject.Properties["IPSecurity"].Value

# We need to pass values as one element object arrays
[Object[]] $grantByDefault = @()
$grantByDefault += , $false            # <<< We're setting it to false

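# $bindingFlags must be defined before the call; SetProperty is needed to write the COM property
$bindingFlags = [Reflection.BindingFlags] "Public, Instance, SetProperty"
$ipSec.GetType().InvokeMember("GrantByDefault", $bindingFlags, $null, $ipSec, $grantByDefault);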

$iisObject.Properties["IPSecurity"].Value = $ipSec
$iisObject.CommitChanges()

2. Add an IP address to the IPDeny or IPGrant list

$iisObject = new-object System.DirectoryServices.DirectoryEntry("IIS://localhost/W3SVC/2/ROOT/TestVDIR")
$ipSec = $iisObject.Properties["IPSecurity"].Value
$bindingFlags = [Reflection.BindingFlags] "Public, Instance, GetProperty"
$isGrantByDefault = $ipSec.GetType().InvokeMember("GrantByDefault", $bindingFlags, $null, $ipSec, $null);

# to set an iplist we need to get it first
if($isGrantByDefault)
{
    $ipList = $ipSec.GetType().InvokeMember("IPDeny", $bindingFlags, $null, $ipSec, $null);
}
else
{
    $ipList = $ipSec.GetType().InvokeMember("IPGrant", $bindingFlags, $null, $ipSec, $null);
}

# Add a single computer to the list:
$ipList = $ipList + "10.0.0.1, 255.255.255.255"

# This is important, we need to pass an object array of one element containing our ipList array
[Object[]] $ipArray = @()
$ipArray += , $ipList

# Now update
$bindingFlags = [Reflection.BindingFlags] "Public, Instance, SetProperty"
if($isGrantByDefault)
{
    $ipList = $ipSec.GetType().InvokeMember("IPDeny", $bindingFlags, $null, $ipSec, $ipArray);
}
else
{
    $ipList = $ipSec.GetType().InvokeMember("IPGrant", $bindingFlags, $null, $ipSec, $ipArray);
}

$iisObject.Properties["IPSecurity"].Value = $ipSec
$iisObject.CommitChanges()

This was tested with PowerShell 2.0 on Windows 2003.

Hopefully it's not too late to save your day.
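
The second example above, wrapped as a re-runnable function, as an added example that is not part of the original answer: it validates the address and mask and skips entries that are already listed before committing to the metabase. The function names Test-DottedQuad, Merge-IpEntry and Add-IisIpRestriction are hypothetical; the ADSI and reflection calls are the ones the answer uses.

```powershell
# Added example, not from the original answer; function names are hypothetical.
function Test-DottedQuad([string]$text) {
    # IPAddress.TryParse alone accepts short forms such as "1", so require four octets first
    if ($text -notmatch '^(\d{1,3}\.){3}\d{1,3}$') { return $false }
    $parsed = $null
    return [System.Net.IPAddress]::TryParse($text, [ref]$parsed)
}

function Merge-IpEntry([Object[]]$list, [string]$ip, [string]$mask) {
    # Pure list logic: validate, then append only if the entry is not already present
    if (-not (Test-DottedQuad $ip))   { throw "Invalid IP address: $ip" }
    if (-not (Test-DottedQuad $mask)) { throw "Invalid subnet mask: $mask" }
    $key = "$ip,$mask"
    foreach ($item in $list) {
        if (($item -replace '\s', '') -eq $key) { return ,$list }   # already listed
    }
    return ,(@($list) + "$ip, $mask")    # stays Object[], like $ipList in the answer
}

function Add-IisIpRestriction([string]$adsiPath, [string]$ip, [string]$mask) {
    $get = [Reflection.BindingFlags] "Public, Instance, GetProperty"
    $set = [Reflection.BindingFlags] "Public, Instance, SetProperty"
    $iisObject = New-Object System.DirectoryServices.DirectoryEntry($adsiPath)
    $ipSec = $iisObject.Properties["IPSecurity"].Value
    $type  = $ipSec.GetType()

    # As in the VBS original: with GrantByDefault set, the list to edit is IPDeny
    $name = "IPGrant"
    if ($type.InvokeMember("GrantByDefault", $get, $null, $ipSec, $null)) { $name = "IPDeny" }

    # Where-Object drops a null result so an empty list has Count 0
    $current = @($type.InvokeMember($name, $get, $null, $ipSec, $null) | Where-Object { $_ })
    $updated = Merge-IpEntry $current $ip $mask
    if ($updated.Count -eq $current.Count) { return $false }   # nothing to write

    # InvokeMember takes its arguments as a one-element object array holding the list
    [Object[]] $argArray = @()
    $argArray += , $updated
    [void]$type.InvokeMember($name, $set, $null, $ipSec, $argArray)
    $iisObject.Properties["IPSecurity"].Value = $ipSec
    $iisObject.CommitChanges()
    return $true
}

# Constructed sample input for the list logic; this part runs without IIS
$sample = @("10.0.0.1, 255.255.255.255")
(Merge-IpEntry $sample "10.0.0.1" "255.255.255.255").Count   # duplicate entry
(Merge-IpEntry $sample "10.0.0.2" "255.255.255.255").Count   # new entry
# On an IIS 6 host: Add-IisIpRestriction "IIS://localhost/W3SVC/2/ROOT/TestVDIR" "10.0.0.2" "255.255.255.255"
```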