Ideally you already maintain a hardened snapshot and just have to clone it when you need new servers deployed. If you have to build a clean image for your future VMs, it’s usually easier to start from an existing VM you’ve configured, because it already has everything you need installed. But it might also have other stuff installed that you don’t necessarily want on every new VM, so here’s a way I quickly set up a new server image:
1. Install a clean version of Windows on a new VM.
2. Set up your networking stack, then run Windows Update and install all available updates.
3. Export the installed roles from your existing server (https://www.ntweekly.com/2017/04/17/export-installed-roles-and-features-on-windows-server-2016-and-2012/), then import them on the new VM:
   Import-Csv C:\Temp\Roles.csv | ForEach-Object { Install-WindowsFeature -Name $_.Name }
4. Import your encryption certificates into the new server.
5. Install Web Platform Installer.
6. Using Web Platform Installer, install any components you might need, e.g. WebDeploy 3.6 and URL Rewrite are some I find very useful.
7. Set up Windows or IIS for SSL Perfect Forward Secrecy and TLS 1.2. Depending on your audience, you might want to keep only TLS 1.2, or support TLS 1.1. Here’s the script I use: https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12
Now whenever you need a new web server, you can just clone this VM, assign it a new IP, join it to your domain and you’re ready to go. Remember to keep your base image up-to-date with any changes you make to your production environment.
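A pre-clone audit for an image built with the steps above, as an added example that is not part of the original post: it diffs the installed features against Roles.csv, reads the SCHANNEL protocol switches, and flags imported certificates. The TLS policy table, the LocalMachine\My certificate store and the 30-day expiry window are assumptions to adjust; run it as a script from an elevated prompt.

```powershell
# Added example: audit the base image before cloning it.
# Assumptions: Roles.csv has a Name column; the TLS policy below is illustrative.
$rolesCsv = 'C:\Temp\Roles.csv'
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# $true = must be enabled, $false = must be disabled. Flip TLS 1.1 if your audience needs it.
$tlsPolicy = [ordered]@{
    'SSL 2.0' = $false; 'SSL 3.0' = $false; 'TLS 1.0' = $false
    'TLS 1.1' = $false; 'TLS 1.2' = $true
}

# 1. Roles and features: diff the exported list against what is installed here.
$wanted    = @((Import-Csv $rolesCsv).Name)
$installed = @((Get-WindowsFeature | Where-Object Installed).Name)
$featureDiff = Compare-Object -ReferenceObject $wanted -DifferenceObject $installed |
    Select-Object @{n='Feature'; e={$_.InputObject}},
                  @{n='Problem'; e={ if ($_.SideIndicator -eq '<=') {'missing on image'} else {'not in Roles.csv'} }}

# 2. SCHANNEL: read the server-side protocol switches.
#    A value that is not set explicitly is reported as a failure, so the image
#    never depends on OS defaults that differ between Windows versions.
$tlsReport = foreach ($proto in $tlsPolicy.Keys) {
    $value = Get-ItemProperty -Path "$schannel\$proto\Server" -Name Enabled -ErrorAction SilentlyContinue
    $state = if ($null -eq $value) { 'not set' } elseif ($value.Enabled -ne 0) { 'enabled' } else { 'disabled' }
    $expected = if ($tlsPolicy[$proto]) { 'enabled' } else { 'disabled' }
    [pscustomobject]@{ Protocol = $proto; State = $state; Expected = $expected; Ok = ($state -eq $expected) }
}

# 3. Certificates (store location is an assumption): flag certs with no
#    private key or expiring within 30 days.
$certReport = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    -not $_.HasPrivateKey -or $_.NotAfter -lt (Get-Date).AddDays(30)
} | Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter

$featureDiff | Format-Table -AutoSize
$tlsReport   | Format-Table -AutoSize
$certReport  | Format-Table -AutoSize

# Non-zero exit lets a build pipeline refuse to snapshot a drifted image.
if ($featureDiff -or ($tlsReport | Where-Object { -not $_.Ok }) -or $certReport) { exit 1 }
```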