Merge pull request #53983 from MicrosoftDocs/NEW-internet-information-services-websites-applications

New internet information services websites applications module

Author: Stacyrch140

learn-pr/advocates/configure-manage-website-application/1-website-application-virtual-directory.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.devrel.website-application-virtual-directory.website-application-virtual-directory
+title: Websites, applications, and virtual directories
+metadata:
+  title: Websites, Applications, and Virtual Directories
+  description: Understand the concepts of websites, applications, and virtual directories in Internet Information Services (IIS) on Windows Server, and learn how to create and configure them to host web content effectively.
+  ms.date: 03/26/2026
+  author: Orin-Thomas
+  ms.author: orthomas
+  ms.topic: unit
+durationInMinutes: 11
+content: |
+  [!include[](includes/1-website-application-virtual-directory.md)]

learn-pr/advocates/configure-manage-website-application/2-application-pool-worker-process.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.devrel.website-application-virtual-directory.application-pool-worker-process
+title: Application pools and worker process
+metadata:
+  title: Application Pools and Worker Process
+  description: Learn about application pools and worker processes in Internet Information Services (IIS) on Windows Server, including how to create and manage application pools to provide process isolation for web applications, and how to monitor and troubleshoot worker processes for optimal performance and reliability.
+  ms.date: 03/26/2026
+  author: Orin-Thomas
+  ms.author: orthomas
+  ms.topic: unit
+durationInMinutes: 14
+content: |
+  [!include[](includes/2-application-pool-worker-process.md)]

learn-pr/advocates/configure-manage-website-application/3-binding-host-header.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.devrel.website-application-virtual-directory.binding-host-header
+title: Bindings and host headers
+metadata:
+  title: Bindings and Host Headers
+  description: Learn about site bindings and host headers in Internet Information Services (IIS) on Windows Server, including how to configure site bindings to host multiple websites on a single server using host headers and Server Name Indication (SNI) for HTTPS sites, and how to manage and troubleshoot common binding issues for optimal website accessibility and performance.
+  ms.date: 03/26/2026
+  author: Orin-Thomas
+  ms.author: orthomas
+  ms.topic: unit
+durationInMinutes: 11
+content: |
+  [!include[](includes/3-binding-host-header.md)]

learn-pr/advocates/configure-manage-website-application/4-advanced-site-configuration.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.devrel.website-application-virtual-directory.advanced-site-configuration
+title: Advanced site configuration
+metadata:
+  title: Advanced Site Configuration
+  description: Learn about advanced site configuration options in Internet Information Services (IIS) on Windows Server, including how to configure custom error pages, MIME types, compression, and request filtering to optimize website performance, security, and user experience.
+  ms.date: 03/26/2026
+  author: Orin-Thomas
+  ms.author: orthomas
+  ms.topic: unit
+durationInMinutes: 12
+content: |
+  [!include[](includes/4-advanced-site-configuration.md)]

learn-pr/advocates/configure-manage-website-application/5-knowledge-check.yml

@@ -0,0 +1,69 @@
+### YamlMime:ModuleUnit
+uid: learn.devrel.website-application-virtual-directory.knowledge-check
+title: Knowledge check
+metadata:
+  title: Knowledge Check
+  description: Check your knowledge
+  ms.date: 03/26/2026
+  author: Orin-Thomas
+  ms.author: orthomas
+  ms.topic: unit
+durationInMinutes: 7
+quiz:
+  questions:
+  - content: "You have an IIS server with one IP address and need to host three different HTTP websites that must all use TCP port 80. What is the recommended way to ensure IIS sends each request to the correct website?"
+    choices:
+    - content: "Assign a separate IP address to each site."
+      isCorrect: false
+      explanation: "This works, but it's an older/scarcer-resource approach and not the recommended standard when host names are available. IIS can already distinguish sites using bindings without requiring extra IPs."
+    - content: "Configure each site to listen on a unique port (80, 8080, 8081)."
+      isCorrect: false
+      explanation: "Using different ports can differentiate sites, but it's typically a dev/test or niche scenario because it forces nonstandard ports in URLs and client access. It's not the usual production recommendation when name-based hosting is possible."
+    - content: "Use host headers (host names) to differentiate the sites."
+      isCorrect: true
+      explanation: "IIS routes requests using the binding tuple: IP address + port + host name (Host header). With one IP and port 80, the host name is the differentiator, making host headers the standard production approach (with DNS pointing hostnames to the server)."
+    - content: "Install a separate instance of IIS for each site."
+      isCorrect: false
+      explanation: "IIS is designed to host multiple sites within one instance using bindings; installing multiple IIS instances is unnecessary and doesn't address request routing the way bindings do."
+  - content: "You need to host two HTTPS websites on the same IIS server using the same IP address and TCP port 443, and each site must use a different SSL/TLS certificate. Which IIS capability enables this?"
+    choices:
+    - content: "URL Rewrite."
+      isCorrect: false
+      explanation: "URL Rewrite applies after the request is received and processed at the HTTP layer; it doesn't help IIS choose the correct certificate during the TLS handshake."
+    - content: "IP and Domain Restrictions."
+      isCorrect: false
+      explanation: "This feature controls who may access a site (by client IP/domain). It doesn't control certificate selection or enable multiple certs on the same IP:443."
+    - content: "Server Name Indication (SNI)."
+      isCorrect: true
+      explanation: "SNI is a TLS extension that includes the hostname during SSL/TLS negotiation, allowing IIS to select the right certificate even when multiple sites share the same IP and port 443."
+    - content: "HTTP/2."
+      isCorrect: false
+      explanation: "HTTP/2 is a transport/application protocol enhancement; it doesn't enable multiple certificates on a single IP:443. Certificate selection happens earlier, during TLS negotiation."
+  - content: "A user gets HTTP 404.3 when requesting a .webp image from your IIS website, even though the file exists in the correct folder. What is the most likely cause and fix?"
+    choices:
+    - content: "The application pool is stopped; start the application pool."
+      isCorrect: false
+      explanation: "A stopped app pool is more associated with application availability issues (often 503). Here, the clue is 404.3, which indicates IIS refuses to serve the file due to extension handling/MIME mapping, not that the worker process is down."
+    - content: "The .webp extension isn't registered as a MIME type; add image/webp for .webp."
+      isCorrect: true
+      explanation: "IIS won't serve certain static file types unless they're mapped under staticContent / MIME types. Adding a MIME map for .webp to image/webp resolves the 404.3 extension configuration issue."
+    - content: "The file has incorrect NTFS permissions; grant read access to the app pool identity."
+      isCorrect: false
+      explanation: "Bad NTFS permissions commonly produce 401/403-style access problems. With 404.3, IIS is indicating an extension/MIME mapping configuration issue rather than a filesystem authorization issue."
+    - content: "Directory browsing is disabled; enable directory browsing."
+      isCorrect: false
+      explanation: "Directory browsing affects listing folder contents when no default document is present. It doesn't fix serving a specific static file when IIS is refusing the file type due to missing MIME mapping."
+  - content: "You want IIS to block clients from downloading any .bak files from your website (to avoid accidental exposure of backups). Which IIS feature should you configure?"
+    choices:
+    - content: "Authentication."
+      isCorrect: false
+      explanation: "Authentication controls how users prove identity (Windows/Basic/etc.). It doesn't specifically block a file type from being requested at all."
+    - content: "URL Rewrite."
+      isCorrect: false
+      explanation: "URL Rewrite can redirect/transform URLs, but the built-in security mechanism intended to deny by extension is Request Filtering, which runs early and is purpose-built for this."
+    - content: "Request Filtering."
+      isCorrect: true
+      explanation: "Request Filtering can deny specific file extensions (like .bak). When blocked by file extension, IIS logs/returns the 404.7 substatus for file name extension denied, which is exactly the protective behavior you want."
+    - content: "Authorization Rules."
+      isCorrect: false
+      explanation: "Authorization determines who is allowed to access content (users/roles), not whether a file extension is categorically blocked. Extension-level denial is handled by Request Filtering."

learn-pr/advocates/configure-manage-website-application/6-summary.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.devrel.website-application-virtual-directory.summary
+title: Summary
+metadata:
+  title: Summary
+  description: Module summary
+  ms.date: 03/26/2026
+  author: Orin-Thomas
+  ms.author: orthomas
+  ms.topic: unit
+durationInMinutes: 1
+content: |
+  [!include[](includes/6-summary.md)]

learn-pr/advocates/configure-manage-website-application/includes/1-website-application-virtual-directory.md

@@ -0,0 +1,134 @@
+IIS organizes web content through a hierarchy of sites, applications, and virtual directories. In this unit, you learn to understand and create new websites, configure web applications within those sites, and set up virtual directories using both the IIS Manager graphical interface and PowerShell.
+
+## The IIS content hierarchy
+
+IIS structures web content in a three-tier hierarchy:
+
+- **Website (Site):** The top-level container. Each site has at least one binding (IP address, port, and optional host name) that identifies incoming requests. A site maps to a physical root directory on disk.
+- **Web Application:** A child container within a site. Applications have their own application pool assignment and can have separate configuration settings from the parent site. Use applications when you need isolated configuration, a different .NET runtime, or a dedicated worker process identity for a portion of a site.
+- **Virtual Directory:** A pointer from a URL path to a physical directory on disk (which may be on a different volume or UNC path). Virtual directories don't have their own application pool and inherit the parent application's settings.
+
+> [!NOTE]
+> This hierarchy is stored in the central IIS configuration file, ApplicationHost.config, located at %windir%\system32\inetsrv\config\.
+
+The following table lists the differences between IIS Web Applications and IIS Virtual Directories.
+
+| **Feature** | **Web application** | **Virtual directory** |
+|---|---|---|
+| **Has own application pool** | Yes | No (inherits parent app's pool) |
+| **Isolated configuration** | Yes | No |
+| **Separate .NET runtime** | Yes | No |
+| **Physical path** | Local or UNC | Local or UNC |
+| **Typical use** | Separate component with own identity/runtime | Alias for supplementary content directory |
+
+## Creating a new website
+
+To add a new site in IIS manager:
+
+1. Open IIS Manager.
+1. In the Connections pane on the left, expand the server node, then right-click Sites.
+1. Select Add Website.
+1. In the Add Website dialog, fill in the following fields:
+   - Site name: Enter a descriptive name, for example Contoso.
+   - Application pool: IIS creates a new pool with the same name as the site by default. Accept this or select Select to assign an existing pool.
+   - Physical path: Enter `C:\inetpub\contoso` or browse to the directory.
+   - Binding type: Select http.
+   - IP address: Select All Unassigned unless restricting the site to a specific IP address.
+   - Port: Enter 80 (or another port if 80 is already in use and you're hosting multiple sites on the same IP address but differentiating based on port).
+   - Host name: Enter the FQDN for this site, for example www.contoso.com. Host names are required when multiple sites share port 80 or 443 on the same IP address. The sites are differentiated by IIS using the HTTP host header value in each incoming request.
+
+   ![Screenshot showing the Add Website dialog box.](../media/add-website.png)
+
+1. Leave Start Website immediately checked unless you want to configure the site before it begins serving requests.
+1. Select OK.
+
+You can create a site with the `New-Website` cmdlet, which will be installed with the web server role management tools. For example, to create a site named Contoso with the path `D:\contoso` on port 80 that uses the fully qualified domain name www.contoso.com and has a new application pool named Contoso, run the command:
+
+```powershell
+New-Website -Name "Contoso" `
+            -PhysicalPath "D:\contoso" `
+            -Port 80 `
+            -HostHeader "www.contoso.com" `
+            -ApplicationPool "Contoso"
+```
+
+You can verify website creation with the `Get-Website` command. For example, to verify the contoso website was created, run the following command:
+
+```powershell
+Get-Website -Name "Contoso"
+```
+
+## NTFS permissions for web content
+
+When creating a website, configure the directory that hosts the content directory and ensure appropriate NTFS permissions are set. Remember that NTFS permissions are often inherited. Best practice is to use a separate volume for website content rather than storing it on the system volume. Using a separate volume for the website allows you to separate the content from operating system files, it also makes it simpler to back up and restore. You might repartition free space on your existing volume to implement this configuration.
+
+The worker process runs under the application pool identity. For example, a pool named Contoso runs as `IIS AppPool\Contoso`. Application pool identities are:
+
+- Local only
+- Noninteractive
+- Automatically managed
+- Not usable for logon
+
+You should grant the application pool identity `Read and Execute` access to the content folder:
+
+```powershell
+$acl = Get-Acl "D:\contoso"
+$permission = "IIS AppPool\Contoso", "ReadAndExecute",
+              "ContainerInherit,ObjectInherit", "None", "Allow"
+$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
+$acl.SetAccessRule($accessRule)
+Set-Acl "D:\contoso" $acl
+```
+
+Granting permissions directly to that identity ensures:
+
+- Only that specific app can access the files
+- Other application pools on the same server can't read or execute the content
+- You avoid using broad identities like Everyone, Users, or IIS_IUSRS
+
+Granting `Read and Execute` adheres to the principle of least privilege as IIS only needs read access to serve static content and load assemblies, and execute is required for binaries such as ASP.NET and native modules. You shouldn't assign the Write privilege as this will limit attacks such as:
+
+- Web shell uploads
+- Defacement attacks
+- Runtime modification of binaries or config files
+
+## Creating web applications
+
+To add a Web Application within a Site
+
+1. In the Connections pane, expand Sites, then select the Contoso site.
+1. Right-click the site and select Add Application.
+1. In the Add Application dialog, configure:
+   - Alias: The URL path segment, for example demoapp (accessible at www.contoso.com/demoapp).
+   - Application pool: Select or create a dedicated pool.
+   - Physical path: Enter the path to the application's files, for example d:\demoapp.
+1. Select OK.
+
+![Screenshot showing the Add Application dialog box.](../media/add-application.png)
+
+You can accomplish this with the following PowerShell command:
+
+```powershell
+New-WebApplication -Name "api" `
+                   -Site "Contoso" `
+                   -PhysicalPath "C:\inetpub\contoso-api" `
+                   -ApplicationPool "Contoso-API"
+```
+
+## Adding a virtual directory within a site
+
+To add a virtual directory within a site using IIS Manager, perform the following steps:
+
+1. In the Connections pane, right-click the Contoso site (or an application within it) and select Add Virtual Directory.
+1. In the Add Virtual Directory dialog, configure:
+   - Alias: The URL segment, for example downloads.
+   - Physical path: Enter the directory path, for example D:\shared\downloads.
+1. Select OK.
+
+You can add a virtual directory using the PowerShell `New-WebVirtualDirectory` cmdlet. For example, to add a new virtual directory named `downloads` to the `Contoso` site, run the command:
+
+```powershell
+New-WebVirtualDirectory -Site "Contoso" `
+                        -Name "downloads" `
+                        -PhysicalPath "D:\shared\downloads"
+```