Recipe 12.7. Configuring IP Address and Domain Name Restrictions

Problem

You want to restrict access to content on your web server by IP address or domain name.

Solution

Using a graphical user interface

To restrict access to all sites on your server, do the following:

  1. Open Internet Information Services (IIS) Manager.

  2. In the left pane, right-click on the Web Sites node and select Properties.

  3. Select the Directory Security tab and click Edit under IP address and domain name restrictions.

  4. Select either Granted access or Denied access depending on whether you want to define a rule to allow or deny access to your server.

  5. Click Add and specify either a single IP address, an entire subnet of addresses, or a DNS domain name depending on how you want to restrict access to your server. Click OK.

  6. If the Inheritance Overrides dialog box appears, click Select All and click OK (repeat if this box appears again).

To restrict access to a particular web site, do the following:

  1. Open Internet Information Services (IIS) Manager.

  2. In the left pane, expand the Web Sites node, right-click on your web site, and select Properties.

  3. Select the Directory Security tab and click Edit under IP address and domain name restrictions. Follow the same directions as described previously.

To restrict access to a particular virtual directory, do the following:

  1. Open Internet Information Services (IIS) Manager.

  2. In the left pane, expand the Web Sites node, right-click on a particular virtual directory within your web site and select Properties.

  3. Select the Directory Security tab and click Edit under IP address and domain name restrictions. Follow the same directions as described previously.

To restrict access to a particular file:

  1. Open Internet Information Services (IIS) Manager.

  2. In the left pane, expand the Web Sites node, right-click on a particular file within a virtual directory or site, and select Properties.

  3. Select the File Security tab and click Edit under IP address and domain name restrictions. Follow the same directions as described previously.

Using VBScript

' This code configures IP and domain restrictions for a web site.
' ------ SCRIPT CONFIGURATION ------
strComputer = "<ServerName>"  'e.g., web01.rallencorp.com
strSiteID = "<SiteID>"        'e.g., 1
' ------ END CONFIGURATION ---------
' Bind to the web site through the IIS ADSI provider.
set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/" & strSiteID)
' Restrictions live on a separate IPSecurity object, not on the site itself.
set objIPRestrict = objWebSite.Get("IPSecurity")
' IPDeny entries are single addresses or "<Network>,<Mask>" pairs.
objIPRestrict.IPDeny = Array("10.1.2.0,255.255.255.0","192.168.179.34")
objIPRestrict.DomainDeny = Array("unrulydomain.biz")
' Write the modified object back and commit it to the metabase.
objWebSite.IPSecurity = objIPRestrict
objWebSite.SetInfo
WScript.Echo "Successfully set IP and domain restrictions for web site: " & _
             objWebSite.ServerComment
' Read the values back to confirm the change was committed.
WScript.Echo ""
WScript.Echo "IP Deny:"
arrDeny = objWebSite.Get("IPSecurity").IPDeny
for i = 0 to Ubound(arrDeny)
    WScript.Echo arrDeny(i)
next
arrDeny = objWebSite.Get("IPSecurity").DomainDeny
WScript.Echo ""
WScript.Echo "Domain Deny:"
for i = 0 to Ubound(arrDeny)
    WScript.Echo arrDeny(i)
next

Discussion

When a user tries to access web content, IIS first checks to see whether there is any IP address or domain name restriction that denies access to the user. If not, IIS then tries to authenticate the user with any of the methods described in the next recipe. If authentication is successful, IIS checks to see what the requested content's web permissions are to determine what access level to grant the user. If the web permissions grant the user some level of access to the requested content, IIS compares the user's account (if provided) with the content's NTFS permissions to determine the user's final level of access.

One good use of IP and domain restrictions is when you're running IIS on a corporate intranet. By allowing only IP addresses for subnets on your network, you can prevent external users on the Internet from accessing content on your IIS computer (unless they spoof their address, of course). If you have a public-facing web server, you can also use this feature to block attacks from specific IP addresses or domain names when an attack has been detected. In most cases though, your perimeter firewall is the main place you should consider configuring these kinds of settings, not IIS. Avoid using domain name blocking as it requires costly reverse DNS lookups for each user request, which will negatively affect IIS performance.

Using VBScript

Setting IP and domain restrictions via ADSI is convoluted and deserves explanation. First, you have to call GetObject with a reference to a web site or virtual directory in the usual way. If you specify a web site, the IP and domain restrictions will apply across the entire web site, whereas referencing a virtual directory will enforce the restrictions only on that directory. Next is a call to get a reference to the IPSecurity object. Instead of setting properties directly on the web site or virtual directory, you have to modify this IPSecurity object. Two property methods of note include IPDeny and DomainDeny. Set them by passing in an array of values. For IPDeny you need an array of IP addresses, and for DomainDeny you need an array of domain names. With IPDeny, you can restrict a whole subnet by specifying a value in the format of "<Network>,<Mask>", which I included in the code.

After that, you have to set the IPSecurity property method to the value of the IPSecurity object we've been working with. Now, you just need to call SetInfo to commit the change.

After the call to SetInfo, I illustrate how to view the current values of IPDeny and DomainDeny. This serves as a check to make sure what I set previously was committed as expected.
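To make the semantics of those IPDeny and DomainDeny entries concrete, here is an added Python model of the check IIS performs before authentication (example code, not from the book and not IIS's own implementation). It assumes the sample lists from the script above, a constructed reverse-DNS table so it runs offline, and that a client with no PTR record simply fails to match any domain rule.

```python
import ipaddress
import socket

# Constructed sample lists mirroring what the recipe's VBScript sets:
# an IPDeny entry is either a single host or "<Network>,<Mask>".
IP_DENY = ["10.1.2.0,255.255.255.0", "192.168.179.34"]
DOMAIN_DENY = ["unrulydomain.biz"]

# Constructed stand-in for reverse DNS so the example runs offline.
FAKE_PTR = {"203.0.113.7": "host7.unrulydomain.biz",
            "203.0.113.8": "host8.example.net"}


def fake_reverse_lookup(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]


def parse_ip_entry(entry: str) -> ipaddress.IPv4Network:
    """'192.168.179.34' -> /32 host; '10.1.2.0,255.255.255.0' -> 10.1.2.0/24."""
    if "," in entry:
        network, mask = (p.strip() for p in entry.split(",", 1))
        return ipaddress.IPv4Network(f"{network}/{mask}", strict=True)
    return ipaddress.IPv4Network(f"{entry.strip()}/32")


def domain_matches(client_fqdn: str, denied: str) -> bool:
    """A domain entry covers the domain itself and every host beneath it."""
    client, denied = client_fqdn.lower().rstrip("."), denied.lower().rstrip(".")
    return client == denied or client.endswith("." + denied)


def is_denied(client_ip: str, ip_deny=IP_DENY, domain_deny=DOMAIN_DENY,
              resolve=lambda ip: socket.gethostbyaddr(ip)[0]) -> bool:
    """Model of the first check IIS makes on a request: a matching IP or
    domain deny entry rejects the client before authentication runs.
    Only the domain rules cost a reverse DNS lookup per request."""
    addr = ipaddress.IPv4Address(client_ip)
    if any(addr in parse_ip_entry(entry) for entry in ip_deny):
        return True
    if not domain_deny:
        return False
    try:
        fqdn = resolve(client_ip)
    except OSError:
        return False  # Assumption: no PTR record means no domain rule matches.
    return any(domain_matches(fqdn, d) for d in domain_deny)


if __name__ == "__main__":
    for ip in ("10.1.2.77", "10.1.3.1", "192.168.179.34", "203.0.113.7"):
        print(ip, "denied" if is_denied(ip, resolve=fake_reverse_lookup) else "allowed")
```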

See Also

Recipe 12.6



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen
