IPv4 Address and Domain Restrictions feature in IIS 7.0

  • Article

We wanted to use IPv4 Address and Domain Restrictions feature of IIS 7.0 server. We wanted to restrict one particular computer from accessing the IIS server or accessing particular website on IIS server.

We added the particular IP address in the Deny Restriction List, we see the mode as Deny for that specific IP Address.

image

We then go ahead and edit the above setting by clicking on Edit Feature Settings

image

We see the following options. We select Deny, as we want that specific machine’s IP address, denied from accessing the website.

image

If we want to select the check box we can do that as well. This is for reverse look up for the specific IP address in DNS.

image

After doing all these and once we do an iisreset, to be sure that all changes are in place, but still we see that if we access the website from the machine, for which we have denied access, we see that we are still able to access the website.

This means that we are still missing on something, which is making this to happen and not work as expected.

After enough research on this, we found that this feature’s name is IPv4 Address and Domain Restriction and this looks and configures only IPv4 addresses.

In order to make the above stuff to work we had to add the IPv6 address of that machine into the Deny Restriction List. But GUI does not provide the option of adding IPv6 address of that machine. So to do this we need to edit the applicationHost.config file (found in location, C:\Windows\System32\inetsrv\config) and add manually the IPv6 entry into it.

Note: Be careful while editing the applicationHost.config. As even a small entry error would have a major impact like IIS not starting up correctly.

To do this, first we try to find the IPv4 entry in the applicationHost.config file.

<ipSecurity enableReverseDns="true" allowUnlisted="true">
<add ipAddress="192.168.0.1" allowed="false" />
</ipSecurity>

Tried finding the IPv6 address of that particular machine. You can do IPConfig /All from the command prompt and copy the IPv6 address and then please add that address as follows in the applicationHost.config file.

<add ipAddress="2001:4898:7001:f001:0:5efe" subnetMask="ffff:ffff::" allowed="false" />

So the entire entry would look as follows

<ipSecurity enableReverseDns="true" allowUnlisted="true">
<add ipAddress="192.168.0.1" allowed="false" />
<add ipAddress="2001:4898:7001:f001:0:5efe" subnetMask="ffff:ffff::" allowed="false" />
</ipSecurity>

After this once we do iisreset, and refresh IIS Manager snap-in, we can see the above entry displayed in GUI. After this go ahead and try to access the website from the machine, for which we have denied access, we would see the following error.

403.6 - IP address rejected.

After this, in order to provide support for IPv6 Addresses, Microsoft introduced new extension called Dynamic IP Restrictions and you can find more details at following site

https://www.iis.net/extensions/DynamicIPRestrictions

https://learn.iis.net/page.aspx/548/using-dynamic-ip-restrictions/

You can download the extension and play with it as well.

For more details please refer following link

https://technet.microsoft.com/en-us/library/cc731598(WS.10).aspx

https://technet.microsoft.com/en-us/library/cc733090(WS.10).aspx

Many more to come!

Until then bye from Vandana