IP Address and Domain Restrictions in IIS 8


In this article, I will cover how to configure Dynamic IP Restrictions.

Introduction

IP Address and Domain Restrictions is one of the useful built-in features of IIS 8. Configuring it allows a website administrator to selectively permit or deny access to the web server, websites, folders, or files, which makes the server more secure. Limits can be set based on particular IP address(es) or on the frequency of requests from a particular IP over a period of time. By default, all clients requesting the website are permitted access unless specifically denied.

Background

This feature was available in previous versions of IIS, where you could block one IP address or a range of IP addresses. The disadvantage was that you first had to identify who was performing suspicious activity on your website, using tools like Log Parser to inspect the site logs, and only then could you block that IP or range with Deny rules. Most professional attackers use a variety of IPs from proxy servers, so by the time you have blocked a handful, a new range could be starting up.

Installing IP Address and Domain Restrictions in IIS 8

This feature is not installed by default. You need to install it from the Turn Windows features on or off window.

To do so, follow these steps:
1. Open the Control Panel.
2. Click on Programs.
3. Under Programs and Features, click on Turn Windows features on or off.
4. Install the required features.

Configuring IP Address and Domain Restrictions in IIS Manager

#1. Open the IIS Manager (press WIN+R, enter inetmgr in the dialog, and click OK; alternatively, search for IIS Manager from the Start screen).
#2. Click on the IP Address and Domain Restrictions feature in the feature pane under the IIS section.

#3. Once you have opened this feature, you will see a window like the image below.

#4. Action pane elements are used for defining the rules that allow or deny particular IP address(es). Let's have a deeper look at each of these elements.

Edit Feature Settings:

  • This action specifies the default access for clients that are not matched by any Allow or Deny rule.
  • Clicking this action opens the window shown in the image below.

  • Select Allow in the Access for unspecified clients dropdown if you want to allow all clients by default; otherwise select Deny.
  • If you want to configure rules based on the client's DNS name, check the Enable Domain Name Restrictions checkbox. If this checkbox is checked when you click OK to save the settings, a warning (image below) states that performing DNS lookups is a potentially expensive operation. Click Yes to enable DNS lookup restrictions.

  • If you want the restrictions to apply to requests that come through a proxy server, check the Enable Proxy Mode checkbox.
  • Choose the Default Deny Action Type, the response sent to clients whose requests are denied. It can be Unauthorized (401), Forbidden (403), Not Found (404), or Abort the request.
  • Once you have selected your options, click OK to save the settings.

Add Allow/Deny Entry:

  • These two actions are used for defining a rule that allows or blocks a particular IP address or range of IP addresses.
  • Clicking either action opens a window like the one in the image below.
  • To create a rule for a specific IP address, select Specific IP Address and enter the client IP address in the text box provided.
  • To create a rule for a range of IP addresses, select IP address range and enter the subnet and subnet mask in the text boxes provided. For example, to permit access to all IP addresses in the range from 192.168.8.0 to 192.168.8.8, enter the subnet as 192.168.8.0 and the subnet mask as 255.0.0.0.
  • If you have enabled Domain Name Restrictions in the feature settings, you will be able to set restrictions based on DNS names; otherwise this option is not available. To create a rule for a client domain name, select Domain name and enter the DNS name.
  • After entering the details, click OK to add the rule.
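
Before saving a range entry it is worth checking what the subnet/mask pair actually matches, since the dialog takes a mask rather than a first and last address. The following is an added example (not code from the article or from IIS) that expands an entry to its real range and works out the entries needed to cover a given range exactly; the function names are my own, and the entry from the text above (192.168.8.0 with mask 255.0.0.0, intended for 192.168.8.0 to 192.168.8.8) is used as the input.

```python
"""Check what an IIS 'IP address range' entry (subnet + subnet mask) really matches."""
import ipaddress


def rule_range(subnet: str, mask: str) -> tuple:
    """Expand a subnet/mask pair to (first address, last address, address count).
    strict=False allows host bits to be set in 'subnet', as the IIS dialog does."""
    net = ipaddress.ip_network(f"{subnet}/{mask}", strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def matches_only(subnet: str, mask: str, first: str, last: str) -> bool:
    """True if the entry admits every host from first to last and nothing outside it."""
    net = ipaddress.ip_network(f"{subnet}/{mask}", strict=False)
    return (net.network_address == ipaddress.ip_address(first)
            and net.broadcast_address == ipaddress.ip_address(last))


def entries_for_range(first: str, last: str) -> list:
    """The (subnet, mask) entries that together cover exactly first..last.
    More than one entry comes back when the range is not a single CIDR block."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [(str(b.network_address), str(b.netmask)) for b in blocks]


if __name__ == "__main__":
    # The entry from the text above: subnet 192.168.8.0 with mask 255.0.0.0,
    # intended for the hosts 192.168.8.0 to 192.168.8.8.
    print(rule_range("192.168.8.0", "255.0.0.0"))
    print(matches_only("192.168.8.0", "255.0.0.0", "192.168.8.0", "192.168.8.8"))
    print(entries_for_range("192.168.8.0", "192.168.8.8"))
```

A mask of 255.0.0.0 keeps only the first octet, so that entry admits every 192.x.x.x address; the hosts .0 to .8 alone need the two entries (192.168.8.0 / 255.255.255.248 and 192.168.8.8 / 255.255.255.255) that the last call returns.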
Edit Dynamic Restriction Settings:
  • This feature is new in IIS 8.
  • This action allows IIS to dynamically determine whether to block certain clients, based on the number of concurrent requests or the number of requests over a period of time.
  • Configuring this feature helps protect your website from automated attacks such as dictionary attacks.
  • Clicking this action opens the window shown in the image below.
  • To restrict clients based on the number of concurrent requests, check the Deny IP Address based on the number of concurrent requests checkbox and enter the maximum number of concurrent requests in the text box provided.
  • To restrict clients based on the number of requests over a period of time, check the corresponding checkbox and enter the maximum number of requests and the time period in the text boxes provided.
  • Check the Enable Logging Only Mode checkbox if you want IIS to only log the requests it would have rejected, without rejecting them.
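
Logging Only Mode is most useful when you can see which clients a request-rate rule would have denied before turning it on. The following is an added example (not code from the article or from IIS) that replays constructed IIS W3C log lines through a sliding-window request-rate rule; the log lines, the rule values (3 requests per 2000 ms) and the function names are all my own, and the window logic approximates the rule's intent from second-resolution logs rather than reproducing IIS's internal algorithm.

```python
"""Replay constructed IIS W3C log lines through a request-rate rule to see which
clients Dynamic IP Restrictions would deny (what Logging Only Mode lets you observe)."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the default IIS W3C log format (not from a real server).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2013-05-01 10:00:00 10.0.0.5 POST /login.aspx - 80 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2013-05-01 10:00:00 10.0.0.5 POST /login.aspx - 80 - 203.0.113.7 Mozilla/5.0 - 200 0 0 12
2013-05-01 10:00:00 10.0.0.5 GET /index.html - 80 - 198.51.100.2 Mozilla/5.0 - 200 0 0 3
2013-05-01 10:00:01 10.0.0.5 POST /login.aspx - 80 - 203.0.113.7 Mozilla/5.0 - 200 0 0 11
2013-05-01 10:00:01 10.0.0.5 POST /login.aspx - 80 - 203.0.113.7 Mozilla/5.0 - 200 0 0 14
2013-05-01 10:00:03 10.0.0.5 GET /about.html - 80 - 198.51.100.2 Mozilla/5.0 - 200 0 0 2
2013-05-01 10:00:05 10.0.0.5 POST /login.aspx - 80 - 203.0.113.7 Mozilla/5.0 - 200 0 0 10
"""


def parse_w3c(text):
    """Yield (timestamp, client_ip, uri) per request; the #Fields header names the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            yield ts, row["c-ip"], row["cs-uri-stem"]


def rate_rule_hits(text, max_requests, interval_ms):
    """Return {client_ip: number of requests that exceeded the rule}.
    Per client, keep a sliding window of interval_ms; a request counts as denied
    when it pushes the window above max_requests. Approximation of the rule's
    intent, not IIS's internal logic (IIS logs only have one-second resolution)."""
    windows = defaultdict(deque)
    hits = defaultdict(int)
    for ts, ip, _ in parse_w3c(text):
        w = windows[ip]
        w.append(ts)
        # Drop requests that fell out of the window; ts itself always stays.
        while (ts - w[0]).total_seconds() * 1000 >= interval_ms:
            w.popleft()
        if len(w) > max_requests:
            hits[ip] += 1
    return dict(hits)


if __name__ == "__main__":
    # Constructed rule values: at most 3 requests per 2000 ms from one client.
    print(rate_rule_hits(SAMPLE_LOG, max_requests=3, interval_ms=2000))
```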
View Ordered List:
  • This action is used for changing the rule priority.
  • Clicking this action shows the rules in their order of evaluation, together with a different set of actions, as in the image below.

  • Rules nearer the top of the list have higher priority.
  • Use the Move Up and Move Down actions to change the priority of the rules.
  • Once you are done changing the order of the rules, click View Unordered List to return to the screen that lets you add and remove rules.

Remove:
  • This action removes rules that are no longer required.
  • To make this action available, click on a rule in the feature pane; then click Remove to delete it.
  • Clicking Remove shows a warning like the image below. Click Yes to remove the rule.

#5. Feature pane elements give information about the rules that apply to the current website or virtual application.

Mode:
  • Displays the type of rule. Its value is either Allow or Deny, indicating whether the rule allows or denies access to content.
Requester:
  • Displays the specific IP address, range of IP addresses, or domain name defined in the Add Allow/Deny Restriction Rule dialog.
Entry Type:
  • Displays whether the item is local or inherited. Local items are added at the current application level; inherited items come from a parent application level.
