As shown in Figure 10.6, you can include or exclude specific sites based on IP address.
If your organization has requirements for "Chinese Walls" (mandated separation by regulatory agencies) between business units (as might be found between the Corporate Finance and Equities groups of an investment bank), you may want to prevent individual subnets or DNS domains from accessing specific resources on your intranet.
Although IP spoofing can compromise the effectiveness of such methods, implementing IP security can be an effective front-line defense against access from an unauthorized IP address.
In a more common scenario, IP address restrictions are often imposed to ensure that development sites utilizing anonymous access are accessed only by developers. By simply inserting the IP addresses of the developer workstations into the list of machines granted access, the developers can transfer data between their client and the server with little fear that anyone else has access.
IP security requires building an array of IP addresses (or DNS domains) and assigning it to one of the properties of the IPSecurity object listed in Table 10.2.
Property | Description
---|---
IPGrant | Array of IP addresses granted access, stored as a variant array of strings in the format "IPAddress, Subnet Mask"
IPDeny | Array of IP addresses denied access, stored as a variant array of strings in the format "IPAddress, Subnet Mask"
DomainGrant | Array of strings representing DNS domains granted access to resources
DomainDeny | Array of strings representing DNS domains denied access to resources
Armed with the basic knowledge of the operations of the IPSecurity interface, you can now examine the code used to query and set new IP address restrictions.
Warning
The use of DNS domains for restricting access is not recommended because of the costly reverse DNS lookup that must take place for each request. Be sure to examine the performance of the site both before and after implementing such a restriction to ensure that performance is still reasonably acceptable.
To find the current IP address and DNS domain restrictions effective for a particular site, use the following Visual Basic code:
```vb
' Requires a reference to the Active DS Type Library (IADs)
Dim Site As IADs
Dim ServerName As String
Dim SiteIndex As Long
Dim IPSecurity As Variant
Dim Entry As Variant

ServerName = "IIS_Server_Name"
SiteIndex = Site_Index_Value   ' numeric instance of the site

' Bind to the root of the FTP site (MSFTPSVC) and read its IPSecurity object
Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex & "/ROOT")
Set IPSecurity = Site.IPSecurity

If IPSecurity.GrantByDefault Then
    ' Deny-by-exception: only the IPDeny and DomainDeny lists are consulted
    Debug.Print "All addresses will be allowed, except as follows:"
    For Each Entry In IPSecurity.IPDeny
        ' A mask of 255.255.255.255 marks a single host; any other mask is a subnet
        If InStr(1, Entry, "255.255.255.255") Then
            Debug.Print vbTab & "Denied IP: " & vbTab & vbTab & Replace(Entry, ", 255.255.255.255", "")
        Else
            Debug.Print vbTab & "Denied Subnet: " & vbTab & Entry
        End If
    Next
    For Each Entry In IPSecurity.DomainDeny
        Debug.Print vbTab & "Denied Domain: " & vbTab & Entry
    Next
Else
    ' Grant-by-exception: only the IPGrant and DomainGrant lists are consulted
    Debug.Print "All addresses will be blocked, except as follows:"
    For Each Entry In IPSecurity.IPGrant
        If InStr(1, Entry, "255.255.255.255") Then
            Debug.Print vbTab & "Allowed IP: " & vbTab & vbTab & Replace(Entry, ", 255.255.255.255", "")
        Else
            Debug.Print vbTab & "Allowed Subnet: " & vbTab & Entry
        End If
    Next
    For Each Entry In IPSecurity.DomainGrant
        Debug.Print vbTab & "Allowed Domain: " & vbTab & Entry
    Next
End If
```
To create a new IP address or DNS domain restriction programmatically, use the following Visual Basic code:
```vb
' Requires a reference to the Active DS Type Library (IADs)
Dim Site As IADs
Dim ServerName As String
Dim SiteIndex As Long
Dim IPSecurity As Variant
Dim IPAddress As String
Dim IPSubnet As String
Dim Domain As String
Dim ActionType As String

ServerName = "IIS_Server_Name"
SiteIndex = Site_Index_Value   ' numeric instance of the site
IPAddress = "xxx.xxx.xxx.xxx"
IPSubnet = "xxx.xxx.xxx.xxx"
Domain = "DNS_Domain.Name"

' Leave exactly one ActionType assignment uncommented
ActionType = "GRANTIP"
'ActionType = "GRANTSUBNET"
'ActionType = "GRANTDOMAIN"
'ActionType = "DENYIP"
'ActionType = "DENYSUBNET"
'ActionType = "DENYDOMAIN"

' Bind once; every case below modifies the same IPSecurity object
Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex & "/ROOT")
Set IPSecurity = Site.IPSecurity

' Assigning Array(...) to a list property replaces the whole list;
' existing entries are not preserved.
Select Case ActionType
    Case "GRANTIP"
        IPSecurity.GrantByDefault = False
        IPSecurity.IPGrant = Array(IPAddress & ", 255.255.255.255")
    Case "GRANTSUBNET"
        IPSecurity.GrantByDefault = False
        IPSecurity.IPGrant = Array(IPAddress & ", " & IPSubnet)
    Case "GRANTDOMAIN"
        IPSecurity.GrantByDefault = False
        IPSecurity.DomainGrant = Array(Domain)
    Case "DENYIP"
        IPSecurity.GrantByDefault = True
        IPSecurity.IPDeny = Array(IPAddress & ", 255.255.255.255")
    Case "DENYSUBNET"
        IPSecurity.GrantByDefault = True
        IPSecurity.IPDeny = Array(IPAddress & ", " & IPSubnet)
    Case "DENYDOMAIN"
        IPSecurity.GrantByDefault = True
        IPSecurity.DomainDeny = Array(Domain)
End Select

' Write the modified object back and commit it to the metabase
Site.IPSecurity = IPSecurity
Site.SetInfo
```
Note
To set a new IP address restriction, simply uncomment the desired ActionType variable assignment and verify that all associated variables have been assigned.
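As an added example (not code from the book), the following Python models how the IPGrant/IPDeny entries of Table 10.2 are parsed and how the GrantByDefault rule that both scripts above rely on decides a request; the addresses are constructed for the developer-workstation scenario and the function names are my own.

```python
import ipaddress
from typing import Iterable, List


def parse_entry(entry: str) -> ipaddress.IPv4Network:
    """Parse one IPGrant/IPDeny entry, "IPAddress, Subnet Mask", into a network.
    A mask of 255.255.255.255 yields a /32, i.e. a single host."""
    addr, mask = (part.strip() for part in entry.split(","))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def is_allowed(client_ip: str, grant_by_default: bool,
               ip_grant: Iterable[str] = (), ip_deny: Iterable[str] = ()) -> bool:
    """Access decision as the query script reads it: with GrantByDefault set,
    only IPDeny is consulted; otherwise only IPGrant is."""
    client = ipaddress.IPv4Address(client_ip)
    if grant_by_default:
        return not any(client in parse_entry(e) for e in ip_deny)
    return any(client in parse_entry(e) for e in ip_grant)


def describe(grant_by_default: bool, ip_grant: Iterable[str] = (),
             ip_deny: Iterable[str] = ()) -> List[str]:
    """Report lines in the style of the VB query script, but classifying an
    entry as 'IP' or 'Subnet' by its parsed mask rather than by string matching."""
    if grant_by_default:
        lines = ["All addresses will be allowed, except as follows:"]
        entries, label = ip_deny, "Denied"
    else:
        lines = ["All addresses will be blocked, except as follows:"]
        entries, label = ip_grant, "Allowed"
    for e in entries:
        net = parse_entry(e)
        if net.prefixlen == 32:
            lines.append(f"\t{label} IP: {net.network_address}")
        else:
            lines.append(f"\t{label} Subnet: {net.with_netmask}")
    return lines


# Constructed sample: one developer workstation plus one developer subnet
# in the grant list (addresses are made up for the example).
DEV_GRANT = ["10.1.2.30, 255.255.255.255", "10.1.3.0, 255.255.255.0"]

if __name__ == "__main__":
    for line in describe(False, ip_grant=DEV_GRANT):
        print(line)
    for ip in ("10.1.2.30", "10.1.3.77", "10.1.2.31"):
        print(ip, "allowed" if is_allowed(ip, False, ip_grant=DEV_GRANT) else "blocked")
```

Note that the same list behaves oppositely under the two modes: with GrantByDefault off it is an allow list, with it on it is a block list, which is why the scripts above set GrantByDefault together with the list.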