An Overview Of IIS 7.5 Feature - IP & Domain Restrictions

This feature allows or denies access to a website based on an IPv4 address, a range of addresses, or a domain name.

Let’s open IIS 7.5 Manager and check whether the IP Address & Domain Restrictions module is present under the IIS section.

If it is not there, we can install it by going to “Turn Windows features on or off” in Control Panel, expanding Internet Information Services, World Wide Web Services, Security, and then selecting IP Security.

Let’s select “Default Web Site”, double-click on IP Address & Domain Restrictions and understand its settings:

Here, we can add Allow or Deny entries based on an IP address or a domain name.

Let’s add a Deny rule that blocks access to Default Web Site from the IP address 127.0.0.1 by clicking on “Add Deny Entry”.

If we now try to browse the website at http://127.0.0.1, we get an access denied message.

We can also specify a range of IPv4 addresses, together with a subnet mask, to allow or deny access to Default Web Site. For example, such a rule can deny access to the complete 160.251.0.0 network.

We can enable Domain Restrictions by going to “Edit Feature Settings” and clicking on “Enable domain name restrictions”.

This setting may affect server performance because each request then requires a reverse DNS lookup.

Now we can add an Allow or Deny rule based on a domain name as well.

Rules are applied from top to bottom, in the order they appear in the list. We can use “Edit Feature Settings” to set whether clients that match no rule (unspecified clients) are allowed or denied by default.

Instead of IIS Manager, we can use appcmd.exe to configure it with the following command:

appcmd.exe set config "Default Web Site" -section:system.webServer/security/ipSecurity /+"[ipAddress='127.0.0.1',allowed='False']" /commit:apphost

Be sure to use the /commit:apphost option so that the change is committed to the correct location section in the IIS configuration file (ApplicationHost.config).
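
Because rules are applied from top to bottom, a rule can be silently overridden by an earlier one. The Python sketch below is an added example, not part of the original article: it reads an ipSecurity section like the one appcmd writes and reports rules that can never take effect. It assumes the first matching rule decides, uses constructed sample values, and the function names load, is_allowed and audit are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed <ipSecurity> section. The 255.255.0.0 mask, 160.251.5.10 and
# example.com are assumptions for this example, not values from the article.
SAMPLE = """
<ipSecurity allowUnlisted="true" enableReverseDns="false">
  <add ipAddress="127.0.0.1" allowed="false" />
  <add ipAddress="160.251.0.0" subnetMask="255.255.0.0" allowed="false" />
  <add ipAddress="160.251.5.10" allowed="true" />
  <add domainName="example.com" allowed="false" />
</ipSecurity>
"""

def _flag(elem, name, default):
    return elem.get(name, default).lower() == "true"

def load(xml_text):
    """Return (allow_unlisted, reverse_dns, ip_rules, domain_rules)."""
    sec = ET.fromstring(xml_text)
    ip_rules, domain_rules = [], []
    for add in sec.findall("add"):
        allowed = _flag(add, "allowed", "false")
        if add.get("ipAddress"):
            mask = add.get("subnetMask", "255.255.255.255")  # one host if omitted
            net = ipaddress.ip_network(f"{add.get('ipAddress')}/{mask}", strict=False)
            ip_rules.append((net, allowed))
        else:
            domain_rules.append((add.get("domainName"), allowed))
    return (_flag(sec, "allowUnlisted", "true"),
            _flag(sec, "enableReverseDns", "false"), ip_rules, domain_rules)

def is_allowed(client_ip, xml_text=SAMPLE):
    """First matching IP rule decides, else the default for unspecified clients."""
    allow_unlisted, _, ip_rules, _ = load(xml_text)
    ip = ipaddress.ip_address(client_ip)
    return next((a for net, a in ip_rules if ip in net), allow_unlisted)

def audit(xml_text=SAMPLE):
    """Report rules that never take effect under top-to-bottom evaluation."""
    _, reverse_dns, ip_rules, domain_rules = load(xml_text)
    findings = []
    for i, (net, _) in enumerate(ip_rules):
        hit = next((e for e, _ in ip_rules[:i] if net.subnet_of(e)), None)
        if hit is not None:
            findings.append(f"{net} is shadowed by earlier rule {hit}")
    if domain_rules and not reverse_dns:
        findings.append("domain rules present but reverse DNS lookup is disabled")
    return findings
```

Domain rules are only reported, not evaluated, since matching them would need a live reverse DNS lookup.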

It is a good practice to list all Deny rules first, followed by Allow rules. This feature remains the same in IIS 8 and 8.5, and the above settings still apply.

I am ending things here on IP & Domain Restrictions. I hope this article will be helpful for all.
