Web.config ipSecurity - Allow specific IP addresses, Deny all others

December 21, 2011 21:33, by Victor Ratajczyk

This article focuses on using web.config files to permit access from specific IP addresses or specific IP networks. The "deny" security model is used in the remainder of this article: all hosts are denied, but a few specific IP addresses or IP networks are explicitly allowed.

Purpose
Web.config IP address restrictions can be used to restrict access to an entire web site, a sub directory of a web site, or even a single web page. The IP address restrictions are used to restrict access based on the IP address of the client (connecting) computer.

Denying all IP addresses, but allowing a few specific addresses, is useful in securing administrative or otherwise sensitive areas of a web site. I would recommend IP address restrictions in addition to user name and password restrictions.

Compatibility
The ipSecurity section of web.config is compatible with IIS 7 (w2k8) and IIS 7.5 (w2k8 r2).

Web.config files are deeply integrated with IIS 7.x. The ipSecurity restrictions listed in this article apply to all protected files and directories (php, jpg, png, htm, etc.), not just asp.net files.

While some web.config sections require that the containing directory is set as an application, this isn't one of them. A simple web.config with an ipSecurity section may be placed in any directory, and the directory does NOT need to be set as an application.

Prerequisites

  • Windows 2008 Server, IIS 7 (w2k8) or IIS 7.5 (w2k8 r2)
  • IIS sub feature: IP and Domain Restrictions
  • IPv4 IP Address and Domain Restrictions delegation set to: Read/Write


Examples

Example IP address restrictions. Comments are enclosed in <!-- --> and are not required.

Permit specific IPs and networks, but deny all others.

<security>
   <!-- deny everybody -->
   <ipSecurity allowUnlisted="false">
      <!-- "clear" removes all upstream restrictions -->
      <clear/>
      <!-- permit the loopback address -->
      <add ipAddress="127.0.0.1" allowed="true"/>
      <!-- permit network 83.116.119.0 to 83.116.119.255 -->
      <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>
   </ipSecurity>
</security>

Using IP Address Restrictions

  • Use a text editor to create a file named web.config
  • Save the web.config file with the appropriate content
  • Place the web.config file in the directory that you wish to protect

Detailed web.config content

  • If there isn't an existing web.config in the directory, your new web.config should look something like this
    <?xml version="1.0"?>
    <configuration>
       <system.webServer>
          <security>
            <ipSecurity allowUnlisted="false">
               <clear/>
               <add ipAddress="127.0.0.1" allowed="true"/>
               <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>
            </ipSecurity>
          </security>
       </system.webServer>
    </configuration>

  • If there is an existing web.config without a <system.webServer> section, your new web.config should look like this
    <?xml version="1.0"?>
    <configuration>
       <system.web>
          .. existing text ..
          .. existing text ..
       </system.web>
       <system.webServer>
          <security>
            <ipSecurity allowUnlisted="false">
               <clear/>
               <add ipAddress="127.0.0.1" allowed="true"/>
               <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>
            </ipSecurity>
          </security>
       </system.webServer>
    </configuration>
  • If your existing web.config already has a <system.webServer> section, just add the <security><ipSecurity> section
    <?xml version="1.0"?>
    <configuration>
       <system.web>
          .. existing text ..
          .. existing text ..
       </system.web>
       <system.webServer>
          <security>
            <ipSecurity allowUnlisted="false">
               <clear/>
               <add ipAddress="127.0.0.1" allowed="true"/>
               <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>
            </ipSecurity>
          </security>
       </system.webServer>
    </configuration>


Web.config ipSecurity - Deny specific IP addresses, Allow all others

December 21, 2011 19:52, by Victor Ratajczyk

This article focuses on using web.config files to deny access from specific IP addresses or entire IP networks. The "allow" security model is used in the remainder of this article: all hosts are allowed, but a few specific IP addresses or IP networks are explicitly denied.

Purpose
Web.config IP address restrictions can be used to restrict access to an entire web site, a sub directory of a web site, or even a single web page. The IP address restrictions are used to restrict access based on the IP address of the client (connecting) computer.

Compatibility
The ipSecurity section of web.config is compatible with IIS 7 (w2k8) and IIS 7.5 (w2k8 r2).

Web.config files are deeply integrated with IIS 7.x. The ipSecurity restrictions listed in this article apply to all protected files and directories (php, jpg, png, htm, etc.), not just asp.net files.

While some web.config sections require that the containing directory is set as an application, this isn't one of them. A simple web.config with an ipSecurity section may be placed in any directory, and the directory does NOT need to be set as an application.

Prerequisites

  • Windows 2008 Server, IIS 7 (w2k8) or IIS 7.5 (w2k8 r2)
  • IIS sub feature: IP and Domain Restrictions
  • IPv4 IP Address and Domain Restrictions delegation set to: Read/Write


Examples

Example IP address restrictions. Comments are enclosed in <!-- --> and are not required.

Deny specific IPs and networks, but allow all others.

<security>
   <!-- allow everybody, except those listed below -->
   <ipSecurity allowUnlisted="true">
      <!-- "clear" removes all upstream restrictions -->
      <clear/>
      <!-- deny the specific IP of 83.116.19.53 -->
      <add ipAddress="83.116.19.53"/>
      <!-- deny network 83.116.119.0 to 83.116.119.255 -->
      <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>
      <!-- deny network 83.116.0.0 to 83.116.255.255 -->
      <add ipAddress="83.116.0.0" subnetMask="255.255.0.0"/>
      <!-- deny entire /8 network of 83.0.0.0 to 83.255.255.255 -->
      <add ipAddress="83.0.0.0" subnetMask="255.0.0.0"/>
   </ipSecurity>
</security>
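To check what a web.config would do before it is deployed, here is an added Python example (not from either post) that parses the <ipSecurity> section and applies the evaluation rules both articles rely on: allowUnlisted decides unmatched clients, each <add> entry with an optional subnetMask matches a host or a network, and allowed defaults to false. The embedded web.config is constructed from the deny example above; treating the first matching entry as decisive for overlapping entries is an assumption, so keep overlapping allow and deny entries out of a real configuration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the "deny specific IPs, allow all others" web.config from the post above.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="true">
        <clear/>
        <add ipAddress="83.116.19.53"/>
        <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
"""

def _to_bool(value, default):
    if value is None:
        return default
    return value.strip().lower() == "true"

def load_ip_security(config_xml):
    """Return (allow_unlisted, rules) from the <ipSecurity> section of one web.config.
    IIS defaults: allowUnlisted="true", allowed="false", subnetMask="255.255.255.255".
    <clear/> only affects inherited rules, which a single file cannot see, so it is ignored."""
    root = ET.fromstring(config_xml)
    section = root.find("./system.webServer/security/ipSecurity")
    if section is None:
        return True, []   # no section at this level: nothing is restricted here
    allow_unlisted = _to_bool(section.get("allowUnlisted"), True)
    rules = []
    for entry in section.findall("add"):
        mask = entry.get("subnetMask", "255.255.255.255")
        network = ipaddress.ip_network(f"{entry.get('ipAddress')}/{mask}", strict=False)
        rules.append((network, _to_bool(entry.get("allowed"), False)))
    return allow_unlisted, rules

def is_client_allowed(config_xml, client_ip):
    """Decide whether client_ip passes the restriction. Assumption (not stated on the page):
    the first matching <add> entry wins."""
    allow_unlisted, rules = load_ip_security(config_xml)
    addr = ipaddress.ip_address(client_ip)
    for network, allowed in rules:
        if addr in network:
            return allowed
    return allow_unlisted
```

IIS only sees the address of the peer that opened the connection, so behind a reverse proxy or load balancer the restriction applies to the proxy's address rather than the original client's; test the rule from outside that path.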


Using IP Address Restrictions

  • Use a text editor to create a file named web.config
  • Save the web.config file with the appropriate content
  • Place the web.config file in the directory that you wish to protect

Detailed web.config content

  • If there isn't an existing web.config in the directory, your new web.config should look something like this
    <?xml version="1.0"?>
    <configuration>
       <system.webServer>
          <security>
            <ipSecurity allowUnlisted="true">
               <clear/>
               <add ipAddress="83.116.19.53"/>
               <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>
            </ipSecurity>
          </security>
       </system.webServer>
    </configuration>

  • If there is an existing web.config without a <system.webServer> section, your new web.config should look like this
    <?xml version="1.0"?>
    <configuration>
       <system.web>
          .. existing text ..
          .. existing text ..
       </system.web>
       <system.webServer>
          <security>
            <ipSecurity allowUnlisted="true">
               <clear/>
               <add ipAddress="83.116.19.53"/>
               <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>
            </ipSecurity>
          </security>
       </system.webServer>
    </configuration>
  • If your existing web.config already has a <system.webServer> section, just add the <security><ipSecurity> section
    <?xml version="1.0"?>
    <configuration>
       <system.web>
          .. existing text ..
          .. existing text ..
       </system.web>
       <system.webServer>
          <security>
            <ipSecurity allowUnlisted="true">
               <clear/>
               <add ipAddress="83.116.19.53"/>
               <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>
            </ipSecurity>
          </security>
       </system.webServer>
    </configuration>