Restricting web site traffic in IIS 7 and IIS 8
Sometimes you need to restrict traffic to your web site or reduce the impact from a rogue bot that is hitting it. Often, the first thought is to restrict that traffic at the perimeter firewall. While that is a good choice, the structure of your organization may prevent that from happening in a timely manner. Or maybe you are frequently making changes to the restrictions making that a cumbersome chore.
That’s where the IP Address and Domain Restrictions feature of IIS 7 and IIS 8 comes in handy. If you are working with a default installation of IIS you may find that this feature is not installed. Use the Add Roles and Features Wizard in IIS 8 to make sure it is installed.
In IIS 7 it is under Add Role Services.
Now that you have installed it or verified that it is installed, let’s put it to work. You should note that this can be configured at both the web server and site level. For the purpose of this post, we are going to be configuring it on the Default Web Site.
There are two parts to setting restrictions on your website. The first is to configure the feature settings. To do this select Edit Feature Settings… in the right Actions pane.
That brings up a dialogue box. In IIS 8 you have a few choices. By default, everybody is allowed access to the web site. You can change the top drop-down box to deny so that nobody will be allowed access to the web site unless they are explicitly permitted. Often this feature is used with IP addresses but by checking the box you can restrict traffic from specific domain names. If you Enable Proxy Mode, you are also able to block traffic based on the x-forwarded-for HTTP header. This is a good time to mention that domain name restrictions are not enabled by default because it will affect performance of your server due to a reverse lookup being performed on each connection.
Another great new feature is the ability to choose what happens when a restricted IP address tries to access the site. IIS 7 and earlier versions sent a HTTP 403.6 Forbidden response. IIS 8 allows you to choose from four different choices: an Unauthorized HTTP 401 response, a Forbidden HTTP 403 response, a Not Fount HTTP 404 response, or Abort where the connection is terminated with no response.
In contrast to the options that IIS 8 gives you, IIS 7 gives you two choices. Those are the same as the top two choices in the IIS 8 dialogue box. Now that we’ve configured the Feature Settings for IP Address and Domain Restrictions, let’s move on to the second step, adding entries.
On the right actions pane there are two links to choose from; Add Allow Entry… and Add Deny Entry. As the names suggest, if you want to add an entry for an IP address (or domain name depending on your Feature Settings), click the Add Allow Entry.
The Add Allow Entry will bring up a dialogue box allowing you to specify a specific IP address or a range of IP addresses. The Add Deny Entry dialogue box is similar.
The Add/Deny Entry dialogue box is very similar in IIS 7.
In review, if you want to deny all traffic to your web site except for a few choice IP addresses, you need to Edit the Feature Settings to deny all traffic, then create Allow Entries for the IP addresses that you want to allow. Conversely, if you want to allow all traffic to your site except for some specific IP addresses, Edit the Feature Settings to allow all traffic, and then add Deny Entries for the IP addresses that you want to restrict.
Rick is a Senior Support Lead at OrcsWeb, a hosted server company providing managed hosting solutions.