Home / server / Questions / 502982
In Process
Brandon
Asked: 2013-04-27 10:17:17 +0800 CST

How to block a login page except to certain IP's?

  • 772

In an IIS7 web application (ASP.NET) where we don't have control over source code, anyone visiting that application from the internet is presented with the login page.

To comply with security audits, the login page (a specific URL) must be locked down to internal IP network ranges only. In other words, internet users should be able to do everything except get to this login page.

It's easy to block/allow an entire site, but how can security for a specific page or URL be accomplished within IIS configuration?

windows-server-2008

2 Answers

  1. You can use the "IP Address and Domain Restrictions" feature at the level of folders and virtual directories, as well as sites.

    So, put the login page into one of those, and use IIS restrictions. (I mean, redesign the website with that in mind, don't just move it arbitrarily).

    See also: https://stackoverflow.com/questions/8147804/ip-restriction-for-a-folder-of-a-web-application-in-iis7

    • 0

  2. In your web.config, add a section like this:

    <location path="authentication/logon.aspx">
     <system.webServer>
         <security>
             <ipSecurity>
                 <add ipAddress="127.0.0.1" subnetMask="255.255.255.0" allowed="false" />
             </ipSecurity>
         </security>
     </system.webServer>
</location>

    within the root configuration node.

    Even though in the IIS UI it is not possible to apply settings to a single file, the configuration system does support this. The key is the 'path' attribute in the location node. Anything within that node only applies to the path specified.

    • 0