Dynamic IP restrictions deny action settings.

Like most settings in IIS, the deny-action settings in Dynamic IP Restrictions can be adjusted from the IIS UI or via PowerShell. In the UI, this is what it looks like:

[Screenshot: the deny action settings in the IIS Manager UI]

However, if you try to adjust these settings using PowerShell, you might find that the change doesn’t appear to show up in the management console. For example, if you run this PowerShell command:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/dynamicIpSecurity" -name "denyAction" -value "AbortRequest"

The command completes successfully, and if you use the Get-WebConfigurationProperty command to query the property, it returns the value you set, but the UI still shows the “old” value.

This might seem weird, but in reality, this is exactly the way it’s supposed to behave. You see, in the current version of IIS, the denyAction property is stored in two places: one for dynamicIpSecurity, and another for ipSecurity. In the configuration file (ApplicationHost.config), it looks like this:

<security>
    <access sslFlags="None" />
    <applicationDependencies />
    <authentication>
        <anonymousAuthentication enabled="true" userName="IUSR" />
        <basicAuthentication />
        <clientCertificateMappingAuthentication />
        <digestAuthentication />
        <iisClientCertificateMappingAuthentication />
        <windowsAuthentication />
    </authentication>
    <authorization />
    <ipSecurity allowUnlisted="true" denyAction="AbortRequest" />
    <isapiCgiRestriction />
    <requestFiltering>
        <fileExtensions allowUnlisted="true" applyToWebDAV="true" />
        <verbs allowUnlisted="true" applyToWebDAV="true" />
        <hiddenSegments applyToWebDAV="true">
            <add segment="web.config" />
        </hiddenSegments>
    </requestFiltering>
    <dynamicIpSecurity denyAction="AbortRequest" />
</security>

If you change the configuration from the IIS manager UI, the configuration is adjusted for both, but with PowerShell, you need to adjust both using the following commands:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/dynamicIpSecurity" -name "denyAction" -value "AbortRequest"

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/ipSecurity" -name "denyAction" -value "AbortRequest"

If you fail to do so, you will end up with an inconsistent configuration.
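
An added example (not part of the original post): a PowerShell helper that writes the same denyAction value to both sections and then reads both back to confirm they match. The function names Set-DenyActionBoth and Read-DenyAction are made up for this example; it assumes the WebAdministration module is available and the session is elevated.

```powershell
# Added example: keep denyAction identical in ipSecurity and dynamicIpSecurity.
# Set-DenyActionBoth and Read-DenyAction are hypothetical helper names.
Import-Module WebAdministration

$PsPath   = 'MACHINE/WEBROOT/APPHOST'
$Sections = 'system.webServer/security/dynamicIpSecurity',
            'system.webServer/security/ipSecurity'

function Read-DenyAction {
    param([Parameter(Mandatory)][string]$Filter)
    $raw = Get-WebConfigurationProperty -PSPath $PsPath -Filter $Filter -Name 'denyAction'
    # The cmdlet may return a plain value or an object wrapping it in .Value;
    # normalise to the plain value so the two sections can be compared.
    if ($null -ne $raw.PSObject.Properties['Value']) { $raw.Value } else { $raw }
}

function Set-DenyActionBoth {
    param(
        [Parameter(Mandatory)]
        # Values the IIS schema accepts for denyAction
        [ValidateSet('AbortRequest', 'Unauthorized', 'Forbidden', 'NotFound')]
        [string]$Action
    )

    # Write the same value to both sections, as the IIS Manager UI does.
    foreach ($filter in $Sections) {
        Set-WebConfigurationProperty -PSPath $PsPath -Filter $filter `
            -Name 'denyAction' -Value $Action
    }

    # Read both values back from configuration.
    $seen = foreach ($filter in $Sections) {
        [pscustomobject]@{
            Section    = $filter
            DenyAction = Read-DenyAction -Filter $filter
        }
    }

    # Fail loudly if the two sections disagree.
    $distinct = @($seen.DenyAction | Select-Object -Unique)
    if ($distinct.Count -ne 1) {
        throw "Inconsistent denyAction: $($seen | Out-String)"
    }
    $seen
}

# Usage: set both sections to AbortRequest and print what was read back.
Set-DenyActionBoth -Action 'AbortRequest'
```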

Cheers to Carl R for his help with this post!
