
December 21, 2011 21:33 by Victor Ratajczyk
This article focuses on using web.config files to permit access from specific IP addresses or specific IP networks. The "deny" security model is used in the remainder of this article: all hosts are denied, but a few specific IP addresses or IP networks are explicitly allowed.
Purpose
Web.config IP address restrictions can be used to restrict access to an entire web site, a subdirectory of a web site, or even a single web page. The IP address restrictions are used to restrict access based on the IP address of the client (connecting) computer.
Denying all IP addresses, but allowing a few specific addresses, is useful in securing administrative or otherwise sensitive areas of a web site. I would recommend IP address restrictions in addition to user name and password restrictions.
Compatibility
The ipSecurity section of web.config is compatible with IIS 7 (w2k8) and IIS 7.5 (w2k8 r2).
Web.config files are deeply integrated with IIS 7.x. The ipSecurity restrictions listed in this article will apply to all protected files and directories (php, jpg, png, htm, etc.), not just asp.net files.
While some web.config sections require that the containing directory is set as an application, this isn't one of them. A simple web.config with an ipSecurity section may be placed in any directory, and the directory does NOT need to be set as an application.
Prerequisites
- Windows 2008 Server, IIS 7 (w2k8) or IIS 7.5 (w2k8 r2)
- IIS sub feature: IP and Domain Restrictions
- IPv4 IP Address and Domain Restrictions delegation set to: Read/Write
Examples
Example IP address restrictions. Comments are enclosed in <!-- --> and are not required.
Permit specific IPs and networks, but deny all others:
<security>
  <!-- deny everybody -->
  <ipSecurity allowUnlisted="false">
    <!-- "clear" removes all upstream restrictions -->
    <clear/>
    <!-- permit the loopback address -->
    <add ipAddress="127.0.0.1" allowed="true"/>
    <!-- permit network 83.116.119.0 to 83.116.119.255 -->
    <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>
  </ipSecurity>
</security>
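Before dropping a web.config like the one above into a protected directory, it is worth checking which client addresses it will actually admit, since a rule set with allowUnlisted="false" that omits your own address locks you out of the directory as well. The following Python checker is an added example, not code from the article or from IIS: it parses the ipSecurity section, expands each add entry to a network (a missing subnetMask means a single host, which matches IIS behaviour), and reports whether a given client IP would be allowed. It assumes that the first matching entry in document order decides and that an absent section behaves as allowUnlisted="true"; the sample web.config is constructed from the article's own example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the ipSecurity section from the article, in a full web.config.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="127.0.0.1" allowed="true"/>
        <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
"""


def parse_ip_security(xml_text):
    """Return (allow_unlisted, rules); rules are (network, allowed) in document order."""
    root = ET.fromstring(xml_text)
    sec = root.find("./system.webServer/security/ipSecurity")
    if sec is None:
        # Assumption: no ipSecurity section means nothing is restricted.
        return True, []
    allow_unlisted = sec.get("allowUnlisted", "true").lower() == "true"
    rules = []
    for add in sec.findall("add"):
        # Without a subnetMask an entry covers exactly one host.
        mask = add.get("subnetMask", "255.255.255.255")
        net = ipaddress.ip_network(f"{add.get('ipAddress')}/{mask}", strict=False)
        rules.append((net, add.get("allowed", "true").lower() == "true"))
    return allow_unlisted, rules


def client_allowed(xml_text, client_ip):
    """True if client_ip would be admitted by the web.config's ipSecurity rules."""
    allow_unlisted, rules = parse_ip_security(xml_text)
    ip = ipaddress.ip_address(client_ip)
    for net, allowed in rules:
        # Assumption: first matching entry wins; unmatched clients fall back to allowUnlisted.
        if ip in net:
            return allowed
    return allow_unlisted


if __name__ == "__main__":
    for probe in ("127.0.0.1", "83.116.119.200", "83.116.120.1", "8.8.8.8"):
        print(probe, "allowed" if client_allowed(SAMPLE_WEB_CONFIG, probe) else "denied")
```

Run it against your real web.config with the public IP you administer from; a "denied" result there means the rule set would shut you out once deployed.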
Using IP Address Restrictions
- Use a text editor to create a file named web.config
- Save the web.config file with the appropriate content
- Place the web.config file in the directory that you wish to protect
Detailed web.config content
- If there isn't an existing web.config in the directory, your new web.config should look something like this:
<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="127.0.0.1" allowed="true"/>
        <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
- If there is an existing web.config without a <system.webServer> section, your new web.config should look like this:
<?xml version="1.0"?>
<configuration>
  <system.web>
    .. existing text ..
    .. existing text ..
  </system.web>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="127.0.0.1" allowed="true"/>
        <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
- If your existing web.config already has a <system.webServer> section, just add the <security><ipSecurity> section:
<?xml version="1.0"?>
<configuration>
  <system.web>
    .. existing text ..
    .. existing text ..
  </system.web>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="127.0.0.1" allowed="true"/>
        <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>