Configuring IP Address and Domain Restrictions
Although some Web servers are configured to provide public access to all content, it’s also common to need to restrict access to only specific groups of users. By default, IIS is configured to accept requests on all connections based on site binding settings such as IP address and TCP port. Using IIS Manager, systems administrators can further restrict access to Web sites by responding only to requests that originate from specific IP addresses or domains.
The first step is to select the level at which you want to assign the restrictions. The IPv4 Address And Domain Restrictions feature is available at the server, site, Web application, virtual directory, and folder level. In general, assign restrictions at the highest level for which the settings will apply. For example, if all the Web applications in a particular site should respond to requests only from a single domain, configure the request settings at the site level. By default, IIS does not include any restrictions. To configure request settings, select the appropriate object in the left pane of IIS Manager, and then double-click IPv4 Address And Domain Restrictions in Features View. Figure 19 provides an example of the settings.
Adding Allow and Deny Entries
There are two main types of entries you can add to the IPv4 Address And Domain Restrictions configuration. Allow entries specify which IP addresses can access Web content; Deny entries define which addresses cannot access the content. When configuring IP address restrictions, you can specify either a single IP address or a range of IP addresses. (See Figure 20.) When specifying a range, you enter the starting IP address and a subnet mask; together these determine the range of addresses that will be allowed or denied. It is possible to exclude specific addresses or ranges by using additional allow or deny rules. Overall, however, try to keep the configuration simple to make administration and management easier.
The single address option is useful if only a few users require access to the site or if only a few other servers require access to the content. This is common in environments that support distributed server-side Web applications that are not designed for direct user access. IP address ranges are more appropriate when groups of users and computers should have access to the environment. For example, if all the users in the Human Resources department are located on the same subnet, that subnet can be allowed while other subnets are denied.
When evaluating connection rules, IIS evaluates all allow and deny rules to determine whether an address has access. Deny rules take precedence over allow rules. If users are denied access to a site, they will see a screen similar to the one shown in Figure 21.
An additional setting defines the default behavior for any IP addresses that are not explicitly added to the Allow or Deny list. By default, IIS will allow access automatically from these addresses. To change the setting, click Edit Feature Settings in the Actions pane, and choose Deny for the Access For Unspecified Clients setting. (See Figure 22.)
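The allow, deny, range, and unspecified-client settings described above, applied from a script instead of IIS Manager. This is an added example, not part of the original text: it uses the WebAdministration module cmdlets to write the same ipSecurity configuration that the IPv4 Address And Domain Restrictions feature writes for a site. The site name Default Web Site, the Human Resources subnet 10.1.2.0/24, the partner server address 192.0.2.10, and the excluded workstation 10.1.2.77 are constructed values for illustration.

```powershell
# Added example (not from the original text): configure IP address restrictions
# for one site, writing the same settings IIS Manager puts in the ipSecurity section.
# Assumes the IP and Domain Restrictions role service is installed and the
# session is elevated.
Import-Module WebAdministration

$site    = 'Default Web Site'                # constructed: the site to restrict
$apphost = 'MACHINE/WEBROOT/APPHOST'         # applicationHost.config; -Location scopes to the site
$filter  = 'system.webServer/security/ipSecurity'

# 1. Access For Unspecified Clients = Deny. Any address not matched by a rule is refused.
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter `
    -Name 'allowUnlisted' -Value $false

# 2. Allow a range: the constructed Human Resources subnet, entered as a starting
#    address plus a subnet mask (the same two values the Add Allow Entry dialog asks for).
Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter -Name '.' `
    -Value @{ ipAddress = '10.1.2.0'; subnetMask = '255.255.255.0'; allowed = $true }

# 3. Allow a single address: a constructed partner server that calls a server-side
#    application not meant for direct user access. Omitting subnetMask means one host.
Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter -Name '.' `
    -Value @{ ipAddress = '192.0.2.10'; allowed = $true }

# 4. Exclude one workstation that sits inside the allowed subnet. Deny entries take
#    precedence over allow entries, so this single-address deny overrides rule 2 for it.
Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter -Name '.' `
    -Value @{ ipAddress = '10.1.2.77'; allowed = $false }

# 5. Read the configuration back and review it before any users are affected.
$unlisted = (Get-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter `
    -Name 'allowUnlisted').Value
"allowUnlisted for '$site' = $unlisted"
Get-WebConfiguration -PSPath $apphost -Location $site -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed |
    Format-Table -AutoSize
```

Two points worth checking before relying on rules like these. First, IIS matches the address of the connection it receives: if the site sits behind a load balancer or reverse proxy, every request arrives from the proxy's address, so the rules above would allow or deny the proxy rather than the end user. Second, because the unspecified-client default is Deny, verify the allow entries from a client that should have access before closing the management session, so that a typo in a mask does not lock out the administrators as well.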
Adding Domain Restrictions
Managing access to Web services by using IP addresses is useful when the list of incoming clients is well known. This is typical of intranet and internal network environments where network administrators can configure and manage IP address ranges. In other types of Web server scenarios—such as public Web servers or extranets—managing IP address ranges can be time-consuming and impractical.
An alternative to using IP address–based restrictions is specifying allow and deny settings using domain name restrictions. This method depends on a Domain Name System (DNS) reverse lookup operation. Whenever a user attempts to connect to IIS, the Web server performs a reverse DNS lookup to resolve the requester’s IP address to a domain name. IIS then uses the domain name to determine whether the user should have access. Domain-based restrictions are disabled by default because this feature can decrease server performance significantly: every incoming request needs to be resolved, adding overhead to request processing. Additionally, this can place significant load on the DNS server infrastructure. From a management standpoint, however, this feature can sometimes be useful (especially in low-volume scenarios).
To enable domain name restrictions, select the IPv4 Address And Domain Restrictions feature for a portion of the Web site, and then click Edit Feature Settings in the Actions pane. As shown in Figure 22, you can check the Enable Domain Name Restrictions check box to enable this feature. Figure 23 shows the confirmation warning when you enable this feature.
Once you have enabled domain name restrictions, you can use the Add Allow Entry and Add Deny Entry commands to configure the rules. As shown in Figure 24, the dialog boxes include an additional setting for Domain Name.
As mentioned earlier, the default behavior for allow and deny entries is for these restrictions to flow from parent objects to child objects. If you have made explicit changes to the settings for an object such as a Web application, you can use the Revert To Inherited command in the Actions pane to remove settings at that level. The effective settings will then be based on the parent hierarchy.
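The domain name restrictions from the previous section and the Revert To Inherited behavior described above, scripted with the WebAdministration module. This is an added example, not part of the original text. The site name Default Web Site, the application path Default Web Site/payroll, and the domain example.com are constructed values; Clear-WebConfiguration is used here as the scripted counterpart of the Revert To Inherited command.

```powershell
# Added example (not from the original text): enable domain name restrictions on a
# site, add a domain-based allow entry, then revert one application to the
# site's inherited settings. Assumes an elevated session with the IP and Domain
# Restrictions role service installed.
Import-Module WebAdministration

$site    = 'Default Web Site'                # constructed site name
$apphost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/ipSecurity'

# 1. Enable Domain Name Restrictions (the check box in Edit Feature Settings).
#    Off by default: once on, every request costs a reverse DNS lookup.
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter `
    -Name 'enableReverseDns' -Value $true

# 2. Refuse unlisted clients, then allow clients whose address reverse-resolves
#    to a name in the constructed domain example.com.
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter `
    -Name 'allowUnlisted' -Value $false
Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter -Name '.' `
    -Value @{ domainName = 'example.com'; allowed = $true }

# 3. Suppose the constructed application Default Web Site/payroll was given its own
#    explicit rules earlier. Revert To Inherited removes that level's settings so the
#    site-level rules apply again; Clear-WebConfiguration does the same from a script.
$app = 'Default Web Site/payroll'
Clear-WebConfiguration -PSPath $apphost -Location $app -Filter $filter

# 4. Confirm the effective rules the application now inherits from the site.
$effective = Get-WebConfiguration -PSPath "IIS:\Sites\$app" -Filter "$filter/add"
$effective | Select-Object ipAddress, domainName, allowed | Format-Table -AutoSize
if (-not $effective) { "No rules are in effect for '$app'; check the site-level entries." }
```

When reviewing a domain rule, keep in mind what it actually trusts: the reverse lookup answer comes from whoever controls the reverse zone for the client's address space, so the rule is only as reliable as that PTR record. A client whose address has no reverse record matches no domain entry at all and falls through to the Access For Unspecified Clients setting, which is another reason to keep that default at Deny when domain restrictions are the only allow rules.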