IIS7 introduces a new add element in the IPSecurity collection that allows IP addresses to be blocked directly from web.config, without changing the metabase. Combined with the configSource feature, this lets us keep all restricted IPs in a single xml file that is easy to manipulate and maintain. This article shows how to block IP addresses programmatically using the IPSecurity element and how to split the config file with configSource.
- Allow overrideMode for the application configuration.
- Create an xml file to contain the restricted IPs.
- Change configSource in web.config to read the IPSecurity information from the xml file.
- Create an application that adds/removes IPs from the xml file.
- Make sure the Role Service for IP security is already installed. To install the role service, see the guide at the end of this article.
- Create a web application from a specific folder in IIS7 Manager using the "Convert to Application" option.
In this example we will create the Test1 application.
- Set overrideMode to "Allow" in applicationHost.config for the specific website (c:\Windows\system32\inetsrv\config\applicationHost.config).
- Create the ipSecurity.xml file that will contain the IP restrictions.
- Change web.config to read the IPSecurity section from the ipSecurity.xml file.
- Copy the provided files to create an admin site that adds/removes IP Security restrictions for the test1 site (default.aspx; default.aspx.cs; impersonateUser.cs).
- Change the web.config parameters.
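The following class is an added example, not the article's own admin-site code. It maintains the ipSecurity.xml file that web.config points at through configSource, validates the addresses entered on the admin page, and never duplicates an entry. The file name ipSecurity.xml, the web.config fragment shown in the comments and the 192.0.2.10 sample address are assumptions chosen for illustration.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Xml;

// Added example, not the article's code. It maintains the ipSecurity.xml file
// that web.config points at through configSource, i.e. web.config contains
//   <system.webServer>
//     <security>
//       <ipSecurity configSource="ipSecurity.xml" />
//     </security>
//   </system.webServer>
// and ipSecurity.xml holds the ipSecurity element with its <add> entries:
//   <ipSecurity allowUnlisted="true">
//     <add ipAddress="192.0.2.10" subnetMask="255.255.255.255" allowed="false" />
//   </ipSecurity>
public class IpSecurityFile
{
    private readonly string _path;
    private readonly XmlDocument _doc = new XmlDocument();

    public IpSecurityFile(string path)
    {
        _path = path;
        if (File.Exists(path))
        {
            _doc.Load(path);
        }
        else
        {
            // A new file allows everything that is not listed, so adding deny
            // entries can only ever narrow access, never widen it.
            _doc.LoadXml("<ipSecurity allowUnlisted=\"true\" />");
        }
        if (_doc.DocumentElement == null || _doc.DocumentElement.Name != "ipSecurity")
        {
            throw new InvalidDataException("Root element must be <ipSecurity>: " + path);
        }
    }

    // Add a deny rule for a single address (mask 255.255.255.255) or a subnet.
    // An existing entry for the same address is updated rather than duplicated.
    public void Deny(string ipAddress, string subnetMask)
    {
        RequireIPv4(ipAddress);
        RequireIPv4(subnetMask);
        XmlElement entry = Find(ipAddress);
        if (entry == null)
        {
            entry = _doc.CreateElement("add");
            _doc.DocumentElement.AppendChild(entry);
        }
        entry.SetAttribute("ipAddress", ipAddress);
        entry.SetAttribute("subnetMask", subnetMask);
        entry.SetAttribute("allowed", "false");
    }

    // Remove the entry for an address; returns false when there was none.
    public bool Remove(string ipAddress)
    {
        XmlElement entry = Find(ipAddress);
        if (entry == null)
        {
            return false;
        }
        _doc.DocumentElement.RemoveChild(entry);
        return true;
    }

    public bool IsDenied(string ipAddress)
    {
        XmlElement entry = Find(ipAddress);
        return entry != null && entry.GetAttribute("allowed") == "false";
    }

    // Saved changes are not live until the application pool is recycled.
    public void Save()
    {
        _doc.Save(_path);
    }

    private XmlElement Find(string ipAddress)
    {
        foreach (XmlElement e in _doc.DocumentElement.SelectNodes("add"))
        {
            if (e.GetAttribute("ipAddress") == ipAddress)
            {
                return e;
            }
        }
        return null;
    }

    // Only canonical dotted-quad IPv4 literals are accepted, so text typed into
    // the admin page cannot smuggle anything else into the configuration file.
    private static void RequireIPv4(string value)
    {
        IPAddress parsed;
        if (!IPAddress.TryParse(value, out parsed)
            || parsed.AddressFamily != AddressFamily.InterNetwork
            || parsed.ToString() != value)
        {
            throw new ArgumentException("Not a valid IPv4 address: " + value);
        }
    }
}
```

A typical call from the admin page is new IpSecurityFile(Server.MapPath("~/../test1/ipSecurity.xml")), then Deny("192.0.2.10", "255.255.255.255") and Save(). The worker process identity needs write access to that file and nothing else in the target site, which keeps the admin site's footprint to the one file it is meant to edit.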
Changes to the xml file do not take effect until the application pool is recycled. Following is the code that recycles the application pool.
By default the ASP.NET worker process identity does not have sufficient access rights to recycle the application pool, which is why the Recycle call is nested inside an impersonation context.
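As an added example (not the article's impersonateUser.cs), the following class shows the impersonation-wrapped recycle described above. It assumes that the secureAppSettings section is declared in web.config with System.Configuration.NameValueSectionHandler and encrypted with aspnet_regiis -pef as the article describes, that Microsoft.Web.Administration.dll from IIS7 is referenced, and that the keys adminUser, adminDomain and adminPassword are the names used in that section; those key names are assumptions.

```csharp
using System;
using System.Collections.Specialized;
using System.ComponentModel;
using System.Configuration;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Web.Administration;

// Added example, not the article's impersonateUser.cs. It reads the account
// used for impersonation from the <secureAppSettings> section (assumed to be
// declared with System.Configuration.NameValueSectionHandler and encrypted
// with aspnet_regiis -pef), logs that account on, and recycles the named
// application pool while impersonating it.
// The key names "adminUser", "adminDomain" and "adminPassword" are assumptions.
public static class AppPoolRecycler
{
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
                                         int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    public static void Recycle(string appPoolName)
    {
        NameValueCollection secure =
            (NameValueCollection)ConfigurationManager.GetSection("secureAppSettings");
        if (secure == null)
        {
            throw new ConfigurationErrorsException("secureAppSettings section is missing");
        }

        IntPtr token = IntPtr.Zero;
        if (!LogonUser(secure["adminUser"], secure["adminDomain"], secure["adminPassword"],
                       LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Surface the real Win32 reason (bad password, logon type not granted, ...).
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        try
        {
            // Everything inside this block runs as the privileged account; the
            // worker process identity is restored when the context is disposed.
            using (WindowsIdentity.Impersonate(token))
            using (ServerManager manager = new ServerManager())
            {
                ApplicationPool pool = manager.ApplicationPools[appPoolName];
                if (pool == null)
                {
                    throw new ArgumentException("No such application pool: " + appPoolName);
                }
                pool.Recycle();
            }
        }
        finally
        {
            // The logon token is a handle and must be closed whether or not the recycle succeeded.
            CloseHandle(token);
        }
    }
}
```

Keeping the impersonation scope to the single ServerManager call, rather than impersonating for the whole request, limits how much of the admin page runs with the elevated account; the credentials themselves are only ever read from the encrypted section, never hard-coded in the page.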
To protect the impersonation credentials, run the following command to encrypt the <secureAppSettings> section:
aspnet_regiis -pef "secureAppSettings" . -prov "DataProtectionConfigurationProvider"
(If aspnet_regiis is not found, add its directory to the path, e.g. path=%path%;C:\Windows\Microsoft.NET\Framework64\v2.0.50727.)
Installing the role service for IP security
Windows Server 2008 or Windows Server 2008 R2
- On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
- In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
- In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
- On the Select Role Services page of the Add Role Services Wizard, select IP and Domain Restrictions, and then click Next.
- On the Confirm Installation Selections page, click Install.
- On the Results page, click Close.
Windows Vista or Windows 7
- On the taskbar, click Start, and then click Control Panel.
- In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
- Expand Internet Information Services, then World Wide Web Services, then Security.
- Select IP Security, and then click OK.
Manual restriction of IP
For manual restriction of IP addresses in IIS7 Manager, follow these steps.
- Open IIS Manager.
- In the Connections pane, expand the server name, expand Sites, and then expand the site, application or Web service for which you want to add IP restrictions.
- In the home pane you will see the icon for "IPv4 Address and Domain Restrictions". Use this feature to allow/deny IP access to the website.