Recipe 12.7. Configuring IP Address and Domain Name Restrictions

Problem

You want to restrict access to content on your web server by IP address or domain name.

Solution

Using a graphical user interface

To restrict access to all sites on your server, do the following:

To restrict access to a particular web site, do the following:

To restrict access to a particular virtual directory, do the following:

To restrict access to a particular file:
Using VBScript

    ' This code configures IP and domain restrictions for a web site.
    ' ------ SCRIPT CONFIGURATION ------
    strComputer = "<ServerName>"   ' e.g., web01.rallencorp.com
    strSiteID   = "<SiteID>"       ' e.g., 1
    ' ------ END CONFIGURATION ---------

    ' Bind to the web site node in the metabase and fetch its IPSecurity object.
    ' Restrictions are not set on the site directly; they are set on this object
    ' and then written back.
    set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/" & strSiteID)
    set objIPRestrict = objWebSite.Get("IPSecurity")

    ' IPDeny takes single addresses or "<Network>,<Mask>" subnet entries.
    objIPRestrict.IPDeny = Array("10.1.2.0,255.255.255.0", "192.168.179.34")
    objIPRestrict.DomainDeny = Array("unrulydomain.biz")

    ' Write the modified object back and commit it to the metabase.
    objWebSite.IPSecurity = objIPRestrict
    objWebSite.SetInfo
    WScript.Echo "Successfully set IP and domain restrictions for web site: " & _
                 objWebSite.ServerComment

    ' Read the values back from the metabase to confirm the change was committed.
    WScript.Echo ""
    WScript.Echo "IP Deny:"
    arrDeny = objWebSite.Get("IPSecurity").IPDeny
    for i = 0 to Ubound(arrDeny)
        WScript.Echo arrDeny(i)
    next
    arrDeny = objWebSite.Get("IPSecurity").DomainDeny
    WScript.Echo ""
    WScript.Echo "Domain Deny:"
    for i = 0 to Ubound(arrDeny)
        WScript.Echo arrDeny(i)
    next

Discussion

When a user tries to access web content, IIS first checks whether an IP address or domain name restriction denies access to the client. If not, IIS then tries to authenticate the user with one of the methods described in the next recipe. If authentication succeeds, IIS checks the requested content's web permissions to determine what access level to grant. If the web permissions grant some level of access, IIS finally compares the user's account (if one was provided) against the content's NTFS permissions to determine the user's effective access. IP and domain restrictions are therefore the first gate, evaluated before any credentials are examined.

One good use of IP and domain restrictions is an IIS server on a corporate intranet. By allowing only the IP address ranges of subnets on your network, you can prevent external users on the Internet from reaching content on the server. Keep in mind that this is a coarse filter based on the client's source address, not authentication: a client that can spoof its address, or that sits behind a proxy or NAT inside an allowed range, is indistinguishable from a legitimate one.
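The intranet scenario just described needs the opposite of the recipe's script: instead of denying a few addresses and granting everything else, the site denies by default and grants only the listed subnets. The following script is an added example, not part of the original recipe; it uses the same ADSI IPSecurity object, but flips its GrantByDefault property and fills IPGrant. The server name, site ID and the two subnets are placeholders you must replace, and the read-back check at the end is the author's own verification step, written the same way the recipe's script reads its deny lists back.

```vbscript
' Added example (not from the original recipe): allow-list intranet subnets
' on a web site and deny every other source address.
' ------ SCRIPT CONFIGURATION ------
strComputer = "<ServerName>"    ' e.g., web01.rallencorp.com (assumption)
strSiteID   = "<SiteID>"        ' e.g., 1 (assumption)
' Subnets to allow, in "<Network>,<Mask>" form. Values are placeholders.
arrAllowed  = Array("10.1.0.0,255.255.0.0", "192.168.10.0,255.255.255.0")
' ------ END CONFIGURATION ---------

' Bind to the site and fetch its IPSecurity object, as in the recipe.
set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/" & strSiteID)
set objIPRestrict = objWebSite.Get("IPSecurity")

' GrantByDefault = False switches the model: everything is denied unless it
' matches IPGrant or DomainGrant. With the default of True (the recipe's
' case) only the deny lists matter and the grant lists are ignored.
objIPRestrict.GrantByDefault = False
objIPRestrict.IPGrant = arrAllowed

' Clear the other lists so no stale entry from an earlier configuration
' survives. Leaving DomainGrant empty also avoids the reverse DNS lookup
' that a domain-name entry would force on every request.
objIPRestrict.IPDeny = Array()
objIPRestrict.DomainGrant = Array()
objIPRestrict.DomainDeny = Array()

' Write the object back and commit it to the metabase.
objWebSite.IPSecurity = objIPRestrict
objWebSite.SetInfo

' Verify what was actually committed. If GrantByDefault is still True the
' allow list is not in effect and the site is open to everyone, so fail loudly.
set objCheck = objWebSite.Get("IPSecurity")
if objCheck.GrantByDefault <> False then
    WScript.Echo "ERROR: GrantByDefault is still True; allow list is NOT enforced"
    WScript.Quit 1
end if
if Ubound(objCheck.IPGrant) < 0 then
    WScript.Echo "ERROR: deny-by-default with an empty IPGrant blocks every client"
    WScript.Quit 1
end if

WScript.Echo "Web site " & objWebSite.ServerComment & " now denies by default."
WScript.Echo "IP Grant:"
for each strEntry in objCheck.IPGrant
    WScript.Echo "  " & strEntry
next
```

Run it with cscript so the output goes to the console, and run it before you cut the site over: the second check exists because a deny-by-default site with an empty grant list locks out every client, including the administrator testing it. The same script bound to an IIsWebVirtualDir path instead of the site scopes the allow list to that directory.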
If you have a public-facing web server, you can also use this feature to block specific IP addresses or domain names once an attack has been detected. In most cases, though, your perimeter firewall is the main place to configure these kinds of settings, not IIS: a filter in IIS still lets the connection reach the server and costs it a request before the block is applied. Avoid domain name blocking in particular, because it forces a reverse DNS lookup for each request, which negatively affects IIS performance and makes request handling depend on an external DNS answer.

Using VBScript

Setting IP and domain restrictions via ADSI is convoluted and deserves explanation. First, you call GetObject with a reference to a web site or virtual directory in the usual way. If you specify a web site, the restrictions apply across the entire site (and, because the metabase property is inheritable, to child virtual directories that do not override it), whereas referencing a virtual directory enforces them only on that directory. Next is a call to Get to obtain a reference to the IPSecurity object. Instead of setting properties directly on the web site or virtual directory, you modify this IPSecurity object. Two properties of note are IPDeny and DomainDeny. Set each by passing in an array of values: for IPDeny an array of IP addresses, and for DomainDeny an array of domain names. With IPDeny, you can restrict a whole subnet by using the format "<Network>,<Mask>", as the code shows. The object also carries IPGrant, DomainGrant and GrantByDefault; with GrantByDefault left at its default of True, only the deny lists are consulted, which is the behavior the script relies on. After setting the lists, you assign the modified object back to the IPSecurity property of the site or directory, then call SetInfo to commit the change; until SetInfo runs, nothing has been written to the metabase.

After the call to SetInfo, the script reads the current values of IPDeny and DomainDeny back from the metabase. This serves as a check that what was set was committed as expected, and it is worth keeping in any script that changes access control, since a silently failed SetInfo leaves the site exactly as open as it was before.

See Also

Recipe 12.6