--- title: About the iis_site Resource --- # iis_site Use the `iis_site` InSpec audit resource to test the state of IIS on Windows Server 2012 (and later). ## Syntax An `iis_site` resource block declares details about the named site: describe iis_site('site_name') do it { should exist } it { should be_running } it { should have_app_pool('app_pool_name') } it { should have_binding('binding_details') } it { should have_path('path_to_site') } end where * `'site_name'` is the name of the site, such as `'Default Web Site'` * `('app_pool_name')` is the name of the application pool in which the site's root application is run, such as `'DefaultAppPool'` * `('binding_details')` is a binding for the site, such as `'net.pipe *'`. A site may have multiple bindings; therefore, use a `have_binding` matcher for each site binding to be tested * `('path_to_site')` is the path to the site, such as `'C:\\inetpub\\wwwroot'` For example: describe iis_site('Default Web Site') do it { should exist } it { should be_running } it { should have_app_pool('DefaultAppPool') } it { should have_binding('https :443:www.contoso.com sslFlags=0') } it { should have_binding('net.pipe *') } it { should have_path('C:\\inetpub\\wwwroot') } end ## Matchers This InSpec audit resource has the following matchers: ### be <%= partial "/shared/matcher_be" %> ### be_running The `be_running` matcher tests if the site is running: it { should be_running } ### cmp <%= partial "/shared/matcher_cmp" %> ### eq <%= partial "/shared/matcher_eq" %> ### exist The `exist` matcher tests if the site exists: it { should exist } ### have\_app\_pool The `have_app_pool` matcher tests if the named application pool exists for the site: it { should have_app_pool('DefaultAppPool') } For example, testing if a site's application pool inherits the settings of the parent application pool: it { should have_app_pool('/') } ### have_binding The `have_binding` matcher tests if the specified binding exists for the site: it { should have_binding('http :80:*') } or: it { should have_binding('net.pipe *') } A site may have multiple bindings; use a `have_binding` matcher for each unique site binding to be tested. ##### Binding Attributes The `have_binding` matcher can also test attributes that are defined for a site binding. For example, the `sslFlags` attribute defines if SSL is enabled, and (when enabled) what level of SSL is applied to the site. Testing a site with SSL disabled: it { should have_binding('https :443:www.contoso.com sslFlags=0') } Testing a site with SSL enabled: it { should have_binding('https :443:www.contoso.com sslFlags=Ssl') } Testing a site with certificate mapping authentication enabled: it { should have_binding('https :443:www.contoso.com sslFlags=SslMapCert') } Testing a site with 128-bit SSL enabled: it { should have_binding('https :443:www.contoso.com sslFlags=Ssl128') } ### have_path The `have_path` matcher tests if the named path is defined for the site: it { should have_path('C:\\inetpub\\wwwroot') } ### include <%= partial "/shared/matcher_include" %> ### match <%= partial "/shared/matcher_match" %> ## Examples The following examples show how to use this InSpec audit resource. ### Test a default IIS site describe iis_site('Default Web Site') do it { should exist } it { should be_running } it { should have_app_pool('DefaultAppPool') } it { should have_binding('http *:80:') } it { should have_path('%SystemDrive%\\inetpub\\wwwroot\\') } end ### Test if IIS service is running describe service('W3SVC') do it { should be_installed } it { should be_running } end