IIS - How to restrict a web site access to some IP addresses

Brief tutorial explaining how to use the IP Address and Domain Name Restrictions IIS feature to allow or deny access to web sites, folders, and/or files


In this post we'll deal with one of the most undervalued and semi-unknown features of Internet Information Services, better known as IIS, the web server shipped with most Windows client and server distributions - from Windows 95 to Windows 10 and Windows Server 2019: the IP and Domain Restrictions role service, which lets the system administrator allow or deny access to the web server, web sites, folders, or files through rules based on remote IP addresses or on the domain name.

This feature was added in IIS 7.0, shipped with Windows Vista and Windows Server 2008, and has been available ever since... even if most administrators don't know it exists. The reason for that is simple: it's not included in the default Windows Server installation, the one you get when you click "OK" various times without actually looking at the screen. Even if you choose to install IIS, the IP and Domain Restrictions option won't be enabled by default: you'll have to install it manually using the Server Manager by following the steps described below.

Installing

Luckily enough, installing the IP and Domain Restrictions role service feature is rather trivial:

  • Open the Server Manager by selecting Start > Administrative Tools > Server Manager.
  • On the next screen, select Role-based or feature-based, then select your server and click Next.
  • Click the Add Role Services link to add the required role.
  • From the Select Role Services screen, navigate to Web Server (IIS) > Web Server > Security.
  • Check the IP and Domain Restrictions check box and click Next to continue.
  • From the Confirm Installation Selections screen, click Install to add the IP and Domain Restrictions role service.


Configuring

After adding the IP and Domain Restrictions role service, a new icon will be added to the IIS Manager GUI: by clicking on that icon, you'll be able to configure IP and domain restrictions.

The configuration interface is quite straightforward, and similar to all other IIS Manager services: you'll be able to add Allow Entries and/or Deny Entries, thus allowing or blocking specific IP addresses, IP address ranges, IP masks and even domain names.

Needless to say, you'll also be able to set a default behaviour for unspecified clients using the Edit Feature Settings link available in the right column.

IMPORTANT: it's worth noting that configuring Allow or Deny restrictions using a domain name requires a reverse DNS lookup every time a request arrives at the server: performing these kinds of rDNS lookups is a rather expensive task that can have a serious impact on your IIS server performance.

Also, keep in mind that, if your website is behind a reverse proxy, you might not be able to see the caller's IP address unless the reverse proxy is properly configured to pass it along. If that's the case, you'll just have to check the Enable Proxy Mode option: when checked, it tells IIS to block not only requests from a client IP that is seen by IIS, but also requests from IP addresses that are received in the x-forwarded-for HTTP header. This header enables you to identify the originating IP address of a client that connects through an HTTP proxy or load balancer: this is referred to as proxy mode.
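The installation and configuration steps above can also be scripted. The following PowerShell is an added example, not part of the original post: the site name and the IP addresses are placeholders, and it assumes Windows Server with the ServerManager and WebAdministration modules and an elevated prompt.

```powershell
# Added example: scripted equivalent of the Server Manager / IIS Manager steps.
# Assumptions: the site name and the 203.0.113.0/24 and 198.51.100.25 addresses
# are placeholders (documentation ranges); run from an elevated prompt.
Import-Module ServerManager
Import-Module WebAdministration

$site   = 'Default Web Site'
$filter = 'system.webServer/security/ipSecurity'
# Writing to a <location> tag in applicationHost.config avoids having to
# unlock the ipSecurity section for use in the site's web.config.
$target = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $site }

# 1. Install the IP and Domain Restrictions role service if it is missing.
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}

# 2. Edit Feature Settings: deny unspecified clients, answer with 403,
#    and honour x-forwarded-for (denyAction/enableProxyMode need IIS 8.0+).
Set-WebConfigurationProperty @target -Filter $filter -Name allowUnlisted   -Value $false
Set-WebConfigurationProperty @target -Filter $filter -Name denyAction      -Value 'Forbidden'
Set-WebConfigurationProperty @target -Filter $filter -Name enableProxyMode -Value $true

# 3. Allow Entries: one subnet and one single host. Skip addresses that are
#    already listed so the script can be re-run without a duplicate error.
$allow = @(
    @{ ipAddress = '203.0.113.0';   subnetMask = '255.255.255.0';   allowed = $true },
    @{ ipAddress = '198.51.100.25'; subnetMask = '255.255.255.255'; allowed = $true }
)
$existing = @(Get-WebConfiguration @target -Filter "$filter/add" |
    ForEach-Object { $_.ipAddress })
foreach ($entry in $allow) {
    if ($existing -notcontains $entry.ipAddress) {
        Add-WebConfigurationProperty @target -Filter $filter -Name '.' -Value $entry
    }
}

# 4. Show the resulting rule set for review.
Get-WebConfiguration @target -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```

With proxy mode enabled, the x-forwarded-for value is only as trustworthy as the proxy that sets it, so make sure the reverse proxy overwrites any value supplied by the client.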

Result

When a remote client that is not permitted access requests a resource and a deny rule is hit, the following errors will appear depending on the Deny Action Type rule specified through the Edit Feature Settings window:

403.6 - Forbidden: IP address of the client has been rejected
403.8 - DNS name of the client is rejected

The HTTP error will also be recorded in the Internet Information Services (IIS) logs.
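To review those denials, the log entries can be filtered on the two sub-status codes listed above. This PowerShell function is an added example, not part of the original post; the log lines are a constructed sample, and the field layout is taken from the `#Fields:` header rather than assumed.

```powershell
# Constructed sample of an IIS W3C log (not real traffic).
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status sc-substatus
2024-01-15 09:12:01 GET /admin/ 192.0.2.44 curl/8.0 403 6
2024-01-15 09:12:03 GET /admin/login.aspx 192.0.2.44 curl/8.0 403 6
2024-01-15 09:12:07 GET /index.html 203.0.113.10 Mozilla/5.0 200 0
2024-01-15 09:13:40 GET /reports/ 198.51.100.77 Mozilla/5.0 403 8
2024-01-15 09:14:02 GET /secret.txt 203.0.113.10 Mozilla/5.0 403 14
'@ -split "`r?`n"

function Get-IpRestrictionDenial {
    param([string[]]$Line)
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # The header can change mid-file, so re-read it every time.
            $fields = ($l -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ($l -like '#*' -or [string]::IsNullOrWhiteSpace($l)) { continue }
        $values = $l.Trim() -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # truncated line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # 403.6 = client IP rejected, 403.8 = client DNS name rejected.
        if ($row['sc-status'] -eq '403' -and $row['sc-substatus'] -in '6', '8') {
            [pscustomobject]@{
                ClientIp  = $row['c-ip']
                Uri       = $row['cs-uri-stem']
                SubStatus = "403.$($row['sc-substatus'])"
            }
        }
    }
}

# Denials per client and reason, most frequent first.
Get-IpRestrictionDenial -Line $sample |
    Group-Object ClientIp, SubStatus |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

For a real log, pass `Get-Content` output for the site's log file as `-Line`; the function only works if `sc-substatus` is among the logged fields.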

Conclusion

That's it, at least for now: I definitely hope that this small tutorial guide will help many web administrators to selectively allow or block traffic on their web sites.

UPDATE: If you want to implement the IP Address and Domain Name Restrictions built-in feature directly from the configuration files, such as the (server-wide) applicationHost.config file and/or the (website-specific) web.config file, check out this post.

 

About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 he has also been a lead designer for many apps and games for Android, iOS and Windows Phone mobile devices for a number of Italian companies. Microsoft MVP for Development Technologies since 2018.
