Home / server / Questions / 653672
Accepted
Kjensen
Asked: 2014-12-20 03:01:26 +0800 CST

How to IP restrict access to a website in IIS8,5 (Windows 2012R2)

  • 772

I have read that to IP-restrict a website in IIS8 to allow only one or more IPs and deny everybody else, you do this:

  1. Set "Access for unspecified clients" to "Deny"
  2. Add IP-address for "Allow"

(as specified in below screenshot)

However, when I do this (as specified in below screenshot), I am still able to access the site from other IPs.

What is missing here? Is there something else, that needs to be done?

enter image description here

I tried iisreset and the page is not browser cached on the test-machines, that should not have access.

windows-server-2012-r2

5 Answers

  1. Best Answer

    If the IP Security under IIS Windows Features is installed you could add this to your web.config to block IP's:

    <location path="Default Web Site">
   <system.webServer>
      <security>
         <ipSecurity allowUnlisted="false"><!-- this line blocks everybody, except those listed below -->                
            <clear/> <!-- removes all upstream restrictions -->
            <add ipAddress="192.168.100.1" />
            <add ipAddress="169.254.0.0" subnetMask="255.255.0.0" />
         </ipSecurity>
      </security>
   </system.webServer>
</location>
    • 9

  2. After a lot of messing about, I found the following worked for me (IIS 8.5.X on win server 2012 R2)

    Ensure Feature enabled for web.config management

    • In IIS
    • Click on the root server
    • Double click Feature Delegation (under management)
    • Scroll down to IP Address and Domain Restrictions
    • Change to Read/Write

    (in my case it was Read Only, which was the issue)

    Then edit web.config to include 

    <system.webServer>
        <security>
            <!-- this line blocks everybody, except those listed below -->                
            <ipSecurity allowUnlisted="false">
                <!-- removes all upstream restrictions -->            
                <clear />
                <add ipAddress="X.X.X.X" allowed="true" />
                <add ipAddress="127.0.0.1" allowed="true" /> 
            </ipSecurity>
        </security>
</system.webServer>

    Where X.X.X.X is the IP you wish to allow (add a line like this for every IP or IP subnet combo you wish to allow)

    Noteworthy is the the documentation seems to miss the allowed="true" and any mention of the requirement to allow the feature to be delegated. Thanks to @Summit for that tip here

    • 4

  3. Do you have a proxy between Clients and your IIS Server? You can show in IIS Logs with which IP your Client is coming.

    • 1

  4. I found a work around for my situation.

    SITUATION: Need to block IPs on network, but allow IIS access to website for server local applications. Occasional individual and total sub-net access to IIS website.

    PROBLEM: Setting "Edit Feature Settings" to Deny does not work properly. It does not respect the "Allow" list. Nothing, local or network, is allowed to access the hosted website.

    WORKAROUND: Leave "Edit Feature Settings" at "Allow". Last entry of "Allow/Deny" list is "Deny" to full sub-net. "Allow" entry for local server IP precedes the sub-net "Deny". Any individual computers on sub-net to be allowed access have "Allow" entries preceding the "Deny" to full sub-net.

    • 1

  5. Steps to do file level IP restriction in IIS 7 & above

    In IIS manager->In the Content view ,highlight the specific file->Click "Switch to Features view" on Actions pane->In Features View,Double-click "IP Address and Domain restrictions" and then set restriction

    I think it works with classic ASP pages as well.

    • 0