IIS – How to restrict a web site access to some IP addresses

 A tutorial explaining how to use the IP Address and Domain Name Restrictions IIS feature to allow or deny access to web sites, folders, and/or files


In this post we’ll deal with one of the most undervalued and little-known features of Internet Information Services, better known as IIS, the web server shipped with most Windows client and server distributions, from Windows 95 to Windows 10 and Windows Server 2019: the IP and Domain Restrictions role service. It lets the system administrator allow or deny access to the web server, web sites, folders, or files through rules based on remote IP addresses or on domain names.

Installing

Luckily enough, installing the IP and Domain Restrictions role service feature is rather trivial:

· Open the Server Manager by selecting Start > Administrative Tools > Server Manager.
· On the next screen, select Role-based or feature-based, then select your server and click Next.
· Click the Add Role Services link to add the required role.
· From the Select Role Services screen, navigate to Web Server (IIS) > Web Server > Security.
· Check the IP and Domain Restrictions check box and click Next to continue.
· From the Confirm Installation Selections screen, click Install to add the IP and Domain Restrictions role service.

Configuring
After adding the IP and Domain Restrictions role service, a new icon will be added to the IIS Manager GUI: clicking it lets you configure IP and domain restrictions.

The configuration interface is quite straightforward and similar to all other IIS Manager services: you’ll be able to add Allow Entries and/or Deny Entries, thus allowing or blocking specific IP addresses, IP address ranges, IP masks and even domain names.

Needless to say, you’ll also be able to set a default behaviour for unspecified clients using the Edit Feature Settings link available in the right column.

Result

When a remote client that is not permitted access requests a resource and a deny rule is hit, the following errors will appear depending on the Deny Action Type rule specified through the Edit Feature Settings window:

403.6 – Forbidden: IP address of the client has been rejected
403.8 – DNS name of the client is rejected
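
The same installation and configuration steps can be scripted. The following PowerShell is an added example, not part of the original post: it installs the role service, denies unspecified clients, and adds two allow entries. It assumes Windows Server with IIS 8 or later and an elevated session; the site name and the addresses (RFC 5737 documentation ranges) are placeholders.

```powershell
# Added example: scripted equivalent of the GUI steps above.
# Assumptions: the site name and IP addresses are placeholders to replace.
$site    = 'Default Web Site'
$filter  = 'system.webServer/security/ipSecurity'
# The ipSecurity section is locked at server level by default, so the
# settings are written to applicationHost.config under a <location> tag
# for the site instead of the site's own web.config.
$apphost = 'MACHINE/WEBROOT/APPHOST'

# 1. Install the IP and Domain Restrictions role service.
Install-WindowsFeature -Name Web-IP-Security | Out-Null
Import-Module WebAdministration

# 2. Edit Feature Settings: deny clients that match no entry,
#    and answer denied requests with an HTTP 403 (Forbidden).
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter $filter -Name allowUnlisted -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter $filter -Name denyAction -Value 'Forbidden'

# 3. Allow Entries: one single address and one range (address + mask).
$allowEntries = @(
    @{ ipAddress = '192.0.2.10';  allowed = $true },
    @{ ipAddress = '203.0.113.0'; subnetMask = '255.255.255.0'; allowed = $true }
)

foreach ($entry in $allowEntries) {
    # Skip entries that already exist so the script can be re-run safely.
    $existing = Get-WebConfiguration -PSPath $apphost -Location $site `
        -Filter "$filter/add[@ipAddress='$($entry.ipAddress)']"
    if (-not $existing) {
        Add-WebConfigurationProperty -PSPath $apphost -Location $site `
            -Filter $filter -Name '.' -Value $entry
    }
}

# 4. Review the resulting rule set and the default behaviour.
Get-WebConfiguration -PSPath $apphost -Location $site -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
Get-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter $filter -Name allowUnlisted | Select-Object Value
```

Make sure the address you administer the server from is covered by an allow entry before setting allowUnlisted to false, otherwise your own requests to the site will be denied as well.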
