On a Windows Server 2008 R2 machine, a freshly installed FTP service does not accept external connection attempts, even if the FTP firewall rule is enabled.
This can be cured by issuing the following command:
netsh advfirewall set global StatefulFTP disable
Then restart the ftpsvc service.
Monday, April 14, 2014
Thursday, December 22, 2011
IIS IP binding
If IIS7 does not listen for incoming connections made to a particular IP address,
even if the binding is set up correctly, check the output of the following command:
netsh http show iplisten
The IP address must be in the list for the server to respond to requests on it.
To add an IP, type in the following command:
netsh http add iplisten x.x.x.x
It seems that the data is stored in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters
See http://support.microsoft.com/kb/954874 for more detail.
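The check described above can be scripted. The following PowerShell sketch is an added example, not part of the original post: it compares every http/https binding in IIS with the addresses reported by "netsh http show iplisten". It assumes an elevated prompt and that the WebAdministration module is installed; the function name Get-IpListenList is made up for this example.

```powershell
# Added example: report IIS bindings whose IP is missing from the HTTP.sys IP listen list.
Import-Module WebAdministration   # assumption: the IIS PowerShell module is available

function Get-IpListenList {
    # Returns the addresses printed by "netsh http show iplisten"; header lines are skipped.
    param([string[]]$NetshOutput = (netsh http show iplisten))
    foreach ($line in $NetshOutput) {
        $text = "$line".Trim()
        $parsed = $null
        if ($text -match '[.:]' -and [System.Net.IPAddress]::TryParse($text, [ref]$parsed)) {
            $parsed.ToString()
        }
    }
}

$listen = @(Get-IpListenList)
if ($listen.Count -eq 0) {
    # An empty list means HTTP.sys is not restricted to specific addresses.
    'IP listen list is empty: HTTP.sys accepts connections on every local address.'
} else {
    foreach ($b in Get-WebBinding) {
        if ('http', 'https' -notcontains $b.protocol) { continue }
        # bindingInformation has the form ip:port:hostname; IPv6 addresses are bracketed.
        $ip = ($b.bindingInformation -replace ':\d+:[^:]*$', '').Trim('[]')
        if (-not $ip -or $ip -eq '*') {
            $state = 'wildcard: answers only on the listed addresses'
        } elseif ($listen -contains ([System.Net.IPAddress]::Parse($ip)).ToString()) {
            $state = 'ok'
        } else {
            $state = "not listening: run  netsh http add iplisten $ip"
        }
        New-Object PSObject -Property @{ Binding = $b.bindingInformation; State = $state }
    }
}
```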
Tuesday, March 1, 2011
Excel needs the Desktop
To make Excel automation work from IIS:
Excel uses the "Desktop" folder for something.
Even though the IIS execution rights are personalized to a user specified in the application pool advanced settings, Excel still executes in the system environment, so we need to create the Desktop folder for it:
C:\Windows\System32\config\systemprofile\Desktop
Read more at:
http://social.msdn.microsoft.com/Forums/en-US/innovateonoffice/thread/b81a3c4e-62db-488b-af06-44421818ef91?prof=required
Also, give proper rights on the folder "C:\Windows\System32\config\systemprofile\" and on Excel's DCOM properties (go to "Administrative Tools/Component Services") to the user that executes Excel.
To run the DCOM config:
When Office has the same bitness as the OS:
DCOMCNFG.exe
When 32-bit Office runs on a 64-bit OS:
mmc comexp.msc /32
Note! Even if the caller is 32-bit and Excel is 64-bit, it should work fine, since the Excel object is called via DCOM.
Also! Excel needs a valid, accessible printer to produce documents.
Make sure the permissions on the default printer allow the IIS user to print on it.
Wednesday, December 22, 2010
IIS Authentication
By default, there are only three kinds of authentication in IIS7: Anonymous, ASP.NET and Forms. The good old (?) Basic/Digest/Windows Authentication are not available.
To enable them, go to the roles in "Server Manager" and choose "Add Role Services" in the context menu. Enable the desired Authentication features.
Monday, December 13, 2010
IIS7 in maximum application security mode
When an IIS7 application pool is set to use "ApplicationPoolIdentity", the system dynamically creates a user named "IIS AppPool\< application pool name >".
This user is not listed by the "Find" feature of the rights assignment dialog, but the name can be entered manually to set up the permissions (or use the icacls command, like ICACLS folder_name /grant "IIS AppPool\DefaultAppPool":F ). This user is also a member of the "IIS_IUSRS" group, so assigning the necessary permissions to the group gives the same rights to that user as well.
To send SMTP email using the CDOSYS object, it is not enough to give write rights on the "Mailroot\Pickup" folder; you also need to give read rights on the metabase's "IIS://LOCALHOST/SMTPSVC" and "IIS://LOCALHOST/SMTPSVC/1" so that CDO knows where the pickup folder is.
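The icacls example above grants F (full control). The following PowerShell sketch is an added example, not part of the original post: it grants the pool identity read/execute on the content folder and modify only on the one folder the application writes to, then lists the resulting entries and flags any full-control grant. The folder paths and the function name Grant-PoolAccess are hypothetical; "DefaultAppPool" is the pool name used in the post.

```powershell
# Added example: least-privilege NTFS rights for an application pool identity.
$poolName = 'DefaultAppPool'                  # pool name from the post's icacls example
$identity = "IIS AppPool\$poolName"
$siteRoot = 'C:\inetpub\wwwroot\app'          # hypothetical content folder
$writeDir = Join-Path $siteRoot 'App_Data'    # hypothetical folder the app must write to

function Grant-PoolAccess {
    param(
        [string]$Path,
        [string]$Identity,
        [ValidateSet('RX', 'M')][string]$Right   # RX = read and execute, M = modify
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }
    # (OI)(CI) makes the entry inherit to files and subfolders.
    & icacls.exe $Path /grant "${Identity}:(OI)(CI)$Right" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path (exit code $LASTEXITCODE)" }
}

Grant-PoolAccess -Path $siteRoot -Identity $identity -Right RX
Grant-PoolAccess -Path $writeDir -Identity $identity -Right M

# List what the pool identity and the IIS_IUSRS group now hold on both folders.
foreach ($p in $siteRoot, $writeDir) {
    foreach ($ace in (Get-Acl -LiteralPath $p).Access) {
        $who = $ace.IdentityReference.Value
        if ($who -ne $identity -and $who -notlike '*\IIS_IUSRS') { continue }
        $isFull = ($ace.FileSystemRights -band
                   [System.Security.AccessControl.FileSystemRights]::FullControl) -eq
                  [System.Security.AccessControl.FileSystemRights]::FullControl
        New-Object PSObject -Property @{
            Path        = $p
            Identity    = $who
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
            FullControl = $isFull                # True marks an entry worth reviewing
        }
    }
}
```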
Monday, July 19, 2010
IIS tricks
I wrote a VBScript to automate the IIS7 setup for use with an ISAPI extension.
It creates exactly the same XML node in the global config file as if I had added the handler
mapping manually via the UI. But if I add the mapping manually, the
server works as it should (it loads and calls the extension's DLL,
whether or not the requested file exists), whereas if I use the script
below, the server sends the file back to the client (if the file
exists) or returns a 404 (if the file does not exist).
' Registers an ISAPI extension as a handler mapping in applicationHost.config
Const TrgExt = "*.sxt"
Const waDll = "myISAPI.dll"

Dim adminManager
Set adminManager = CreateObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Call AddHandlierMapping( adminManager, "C:\app_folder" )

Function AddHandlierMapping( adminManager, path )
    On Error Resume Next
    Err.Clear
    Dim handlersSection, handlersSectionCollection, addElement, addProperties
    Set handlersSection = adminManager.GetAdminSection("system.webServer/handlers", "MACHINE/WEBROOT/APPHOST")
    Set handlersSectionCollection = handlersSection.Collection
    Set addElement = handlersSectionCollection.CreateNewElement("add")
    Set addProperties = addElement.Properties
    addProperties.Item("name").Value = "Tree"
    ' TrgExt already contains the wildcard, so it is used as the path as is
    addProperties.Item("path").Value = TrgExt
    addProperties.Item("verb").Value = "*"
    addProperties.Item("modules").Value = "IsapiModule"
    addProperties.Item("scriptProcessor").Value = path & "\" & waDll
    addProperties.Item("resourceType").Value = "Unspecified"
    addProperties.Item("preCondition").Value = "bitness32"
    ' No position given: the mapping is appended to the end of the handler list
    handlersSectionCollection.AddElement addElement
    adminManager.CommitChanges()
    ' Errors are suppressed above, so report a failed step explicitly
    If Err.Number <> 0 Then WScript.Echo "Handler mapping failed: " & Err.Description
End Function
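What's wrong? The answer is the order. IIS walks the handler list in order, so a mapping appended at the end sits behind the catch-all static file handler and is never reached.
AddElement() should be called with a second parameter, which is the position in the list:
Call handlersSectionCollection.AddElement( addElement, 0 )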
Thursday, June 3, 2010
windows sudo ersatz
To see whether a process is executed with elevated rights: open Process Explorer (as Administrator), find the process you need to check, then open the Security tab of its properties.
If the "BUILTIN\Administrators" record says "Deny", that means the process is standard;
if it says "Owner", then it's elevated.
IIS's pool process (w3wp.exe) is executed elevated, so no need to worry, but if the application pool is running as "LOCAL SERVICE", make sure that "LOCAL SERVICE" has rights to the resources the web application needs access to. Also, to give it more rights, check "Same as the application pool" in the web application settings.
Thursday, July 2, 2009
IIS redirection parameters
When you need a redirection from one URL to another,
IIS lets you keep the resource name and parameters,
as described in this article:
http://support.microsoft.com/kb/313074
The parameters are:
Variable | Description | Example |
$S | The $S variable passes the matched suffix of the requested URL. The matched suffix is the portion of the original URL that remains after the redirected URL is substituted. The server automatically performs this suffix substitution. The $S variable is used only in combination with other variables. | If /Scripts is redirected to /NewScripts and the original request is for /Scripts/Program.exe, the suffix is /Program.exe. |
$P | The $P variable passes the parameters in the original URL without the question mark that is used to specify the beginning of the query string. | If the original URL is /Scripts/MyScript.asp?number=1, the string "number=1" is mapped into the destination URL. |
$Q | The $Q variable passes the full query string (the question mark and the parameters) from the original URL. | If the original URL is /Scripts/MyScript.asp?number=1, the string "?number=1" is mapped into the destination URL. |
$V | The $V variable passes the requested URL, without the server name. | If the original URL is /Myserver/Scripts/MyScript.asp, the string "/Scripts/MyScript.asp" is mapped into the destination URL. |
$0 through $9 | The variables $0 through $9 pass the portion of the requested URL that matches the indicated wildcard. | |
! | Do not redirect. | Use this variable to prevent redirecting a folder or an individual file. |
Don't forget to make sure the "exact redirection" check box is on!