Windows Server 2025 ships with updated IIS 10.0 modules that integrate more tightly with Active Directory for Kerberos and NTLM authentication. Administrators who continue to rely on the IIS Manager GUI introduce inconsistencies that are difficult to audit at scale.

PowerShell cmdlets from the WebAdministration module allow repeatable, version-controlled configuration of application pools, sites, and authentication settings. The following sections demonstrate practical patterns used in production hosting environments.

# Prerequisites

  • Windows Server 2025 with IIS role installed
  • Active Directory domain joined server
  • PowerShell 7.5 or later
  • WebAdministration module imported

# Create an Application Pool

```powershell
# The IIS: provider drive used below is only exposed in Windows PowerShell (5.1).
# Under PowerShell 7 the module is loaded through the Windows PowerShell compatibility
# layer, which does not surface provider drives, so run this block in Windows PowerShell.
Import-Module WebAdministration

# Create the pool; -Force overwrites an existing pool with the same name.
New-WebAppPool -Name "AspNetCorePool" -Force

# An empty managedRuntimeVersion means "No Managed Code": ASP.NET Core is hosted by
# the ASP.NET Core Module, not by the .NET Framework CLR.
Set-ItemProperty IIS:\AppPools\AspNetCorePool -Name managedRuntimeVersion -Value ""

# AlwaysRunning starts the worker process with IIS instead of on the first request.
Set-ItemProperty IIS:\AppPools\AspNetCorePool -Name startMode -Value "AlwaysRunning"
```

# Bind Site to Active Directory Authentication

Enable Windows authentication and disable anonymous access at the site level. The commands below also configure the application pool identity to use a domain service account.

```powershell
# Paths that contain spaces must be quoted; unquoted, "Default Web Site" is split into
# three arguments and the cmdlet fails.
$site = 'IIS:\Sites\Default Web Site'
$auth = '/system.webServer/security/authentication'

Set-WebConfigurationProperty -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true  -PSPath $site
Set-WebConfigurationProperty -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false -PSPath $site

# A SpecificUser identity also needs the account password (processModel.password);
# prompt for it at run time rather than embedding it in a script that lives in Git.
$cred = Get-Credential -UserName "DOMAIN\svc_iis_app" -Message "Application pool identity"
Set-ItemProperty IIS:\AppPools\AspNetCorePool -Name processModel.identityType -Value SpecificUser
Set-ItemProperty IIS:\AppPools\AspNetCorePool -Name processModel.userName -Value $cred.UserName
Set-ItemProperty IIS:\AppPools\AspNetCorePool -Name processModel.password -Value $cred.GetNetworkCredential().Password
```
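As an added example (not code from the original article), the script below reads the same settings back for every site on the host so that the authentication state can be verified instead of assumed: Windows and anonymous authentication, Basic authentication (which would send domain credentials in the clear), the provider order that decides whether Kerberos (Negotiate) is offered before NTLM, Extended Protection, and the identity type of the pool serving the site. It assumes an elevated Windows PowerShell session on the IIS host; the function name `Get-SiteAuthState` is invented for this example.

```powershell
# Added audit example; not part of the original article.
Import-Module WebAdministration

$authBase = '/system.webServer/security/authentication'

function Get-SiteAuthState {
    param([Parameter(Mandatory)][string]$SiteName)

    $psPath = "IIS:\Sites\$SiteName"

    # Get-WebConfigurationProperty returns a ConfigurationAttribute; .Value holds the setting.
    $windowsEnabled   = (Get-WebConfigurationProperty -Filter "$authBase/windowsAuthentication"   -Name enabled -PSPath $psPath).Value
    $anonymousEnabled = (Get-WebConfigurationProperty -Filter "$authBase/anonymousAuthentication" -Name enabled -PSPath $psPath).Value
    $basicEnabled     = (Get-WebConfigurationProperty -Filter "$authBase/basicAuthentication"     -Name enabled -PSPath $psPath).Value

    # Provider order: Negotiate first means Kerberos is tried before falling back to NTLM.
    $providers = (Get-WebConfigurationProperty -Filter "$authBase/windowsAuthentication/providers" -Name Collection -PSPath $psPath).value

    # Extended Protection (channel binding) setting: None, Allow or Require.
    $tokenChecking = (Get-WebConfigurationProperty -Filter "$authBase/windowsAuthentication/extendedProtection" -Name tokenChecking -PSPath $psPath).Value

    # Identity type of the application pool that serves this site.
    $poolName = (Get-Item $psPath).applicationPool
    $identity = (Get-Item "IIS:\AppPools\$poolName").processModel.identityType

    [pscustomobject]@{
        Site           = $SiteName
        WindowsAuth    = [bool]$windowsEnabled
        AnonymousAuth  = [bool]$anonymousEnabled
        BasicAuth      = [bool]$basicEnabled
        Providers      = ($providers -join ', ')
        ExtendedProt   = "$tokenChecking"
        PoolIdentity   = "$poolName ($identity)"
        # Compliant with the section above: Windows auth on, anonymous and Basic off.
        Compliant      = ([bool]$windowsEnabled -and -not [bool]$anonymousEnabled -and -not [bool]$basicEnabled)
    }
}

# Report every site; non-compliant sites are listed first so they stand out in a scheduled run.
Get-Website |
    ForEach-Object { Get-SiteAuthState -SiteName $_.Name } |
    Sort-Object Compliant |
    Format-Table -AutoSize
```

Run it after the configuration script and again on a schedule; a site that drifts back to anonymous access (for example after a restore from an older backup) shows up as `Compliant = False` and can be fed into the same pull-request workflow that deployed the change.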

# Security Hardening Recommendations

  • Require TLS 1.3 and disable legacy protocols via PowerShell
  • Limit application pool permissions to the minimum required NTFS rights
  • Enable failed request tracing only for designated troubleshooting pools
  • Schedule weekly configuration export to a secure repository
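The following script, added here as an example and not taken from the original article, implements three of the items above: Schannel protocol settings, NTFS rights for the pool identity, and a weekly export of the IIS configuration. It assumes an elevated Windows PowerShell session on the IIS host and that `DOMAIN\svc_iis_app` from the previous section is the pool identity; `Set-SchannelProtocol`, the site root `D:\Sites\AspNetCoreApp`, the repository checkout `D:\ConfigRepo\iis`, and the script path `C:\Scripts\Export-IisConfig.ps1` are placeholders for this example. TLS 1.2 is left enabled because many clients still cannot negotiate 1.3; disable it with the same function only once client support has been confirmed.

```powershell
# Added hardening example; not part of the original article. Placeholders are marked.
Import-Module WebAdministration

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Schannel honours both values: Enabled=0 switches the protocol off,
        # DisabledByDefault=1 keeps it from being offered unless explicitly requested.
        New-ItemProperty -Path $key -Name Enabled           -PropertyType DWord -Value ([int]$Enabled)        -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# 1. Legacy protocols off, TLS 1.2 and 1.3 on. Schannel reads these keys at boot, so reboot to apply.
'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' | ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enabled $false }
'TLS 1.2', 'TLS 1.3'                       | ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enabled $true }

# 2. Minimum NTFS rights: read/execute on the content tree, modify only on the log folder.
#    /grant:r replaces any existing explicit grant for the account instead of adding to it.
$siteRoot     = 'D:\Sites\AspNetCoreApp'   # placeholder content path
$poolIdentity = 'DOMAIN\svc_iis_app'        # pool identity from the section above
icacls $siteRoot /grant:r "${poolIdentity}:(OI)(CI)RX" /T | Out-Null
icacls (Join-Path $siteRoot 'logs') /grant:r "${poolIdentity}:(OI)(CI)M" /T | Out-Null

# 3. Configuration export. Backup-WebConfiguration snapshots applicationHost.config and the
#    other inetsrv\config files into %SystemRoot%\System32\inetsrv\backup\<name>;
#    that folder is then copied into a checkout of the configuration repository.
$backupName = 'weekly-' + (Get-Date -Format 'yyyyMMdd')
Backup-WebConfiguration -Name $backupName | Out-Null
$backupDir = Join-Path $env:SystemRoot "System32\inetsrv\backup\$backupName"
Copy-Item -Path $backupDir -Destination 'D:\ConfigRepo\iis\' -Recurse -Force   # placeholder repo path

# Register step 3 as a weekly task so the export happens without an operator.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -File C:\Scripts\Export-IisConfig.ps1'  # placeholder script
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At '02:00'
Register-ScheduledTask -TaskName 'IIS-Config-Export' -Action $action -Trigger $trigger -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
```

The exported backup contains the `processModel.password` value in encrypted form (IIS encrypts it with the machine's configuration keys), so the repository it is committed to still needs the same access controls as the host itself.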

Run these scripts from a privileged endpoint and store them in a Git repository with branch protection. Review changes through pull requests before deployment to production servers.