Use the iis_app InSpec audit resource to test the state of IIS on Windows Server 2012 (and later).


An iis_app resource block declares details about the named site:

describe iis_app('application_path', 'site_name') do
  it { should exist }
  it { should have_application_pool('application_pool') }
  it { should have_protocols('protocol') }
  it { should have_site_name('site') }
  it { should have_physical_path('physical_path') }
  it { should have_path('application_path') }


  • 'application_path' is the path to the application, such as '/myapp'
  • 'site_name' is the name of the site, such as 'Default Web Site'
  • ('application_pool') is the name of the application pool in which the site’s root application is run, such as 'DefaultAppPool'
  • ('protocols') is a binding for the site, such as 'http'. A site may have multiple bindings; therefore, use a have_protocol matcher for each site protocol to be tested
  • ('physical_path') is the physical path to the application, such as‘C:\inetpub\wwwroot\myapp’`

For example:

describe iis_app('/myapp', 'Default Web Site') do
  it { should exist }
  it { should have_application_pool('MyAppPool') }
  it { should have_protocols('http') }
  it { should have_site_name('Default Web Site') }
  it { should have_physical_path('C:\\inetpub\\wwwroot\\myapp') }
  it { should have_path('\\My Application') }


application_pool, path, physical_path, protocols, site_name

Resource Examples

The following examples show how to use this InSpec audit resource.

Test a default IIS web application

describe iis_app('Default Web Site') do
  it { should exist }
  it { should be_running }
  it { should have_app_pool('DefaultAppPool') }
  it { should have_binding('http *:80:') }
  it { should have_path('%SystemDrive%\\inetpub\\wwwroot') }

Test if IIS service is running

describe service('W3SVC') do
  it { should be_installed }
  it { should be_running }


For a full list of available matchers, please visit our matchers page.


The exist matcher tests if the site exists:

it { should exist }


The have_application_pool matcher tests if the named application pool exists for the web application:

it { should have_application_pool('DefaultAppPool') }


The have_protocol matcher tests if the specified protocol exists for the web application:

it { should have_protocol('http') }


it { should have_protocol('https') }

A web application may have multiple bindings; use a have_protocol matcher for each unique web application binding to be tested.

Protocol Attributes

The have_protocol matcher can also test attributes that are defined for a web application enabledProtocols.

it { should have_protocol('http') }

For example, testing a site that doesn’t have https enabled:

it { should_not have_protocol('https') }
it { should have_protocol('http') }

Testing a web application with https enabled and http enabled:

it { should have_protocol('https') }
it { should have_protocol('http') }


The have_physical_path matcher tests if the named path is defined for the web application:

it { should have_physical_path('C:\\inetpub\\wwwroot') }