Locking Down IIS files and sites

We need assistance in building a VB Script that can set IP/Subnet restrictions on multiple folders and/or files in IIS for our web-based application. Will need to accept a list of addresses and/or subnets. It needs to work under IIS 7, 6, 5.

The current script on hand does not work in IIS7 without the IIS6 compatibility layer. Even then, running it twice will cause problems. Running the script below multiple times on IIS 4/5/6 causes no problems.

on error resume next
 
 
'SiteIndex will typically be 1, but may change where Windows SBS, Sharepoint, or Intranets are pre-existing
  'Running against wrong site will typically be benign as the script is looking for very specific names
  'If they are not there, not too much happens! 
  'You should also see that the "The following IP addresses are now Allowed:" will show nothing, indicating failure.
  'The 'ListSiteIndex' subroutine will show the current setup and will help if '1' is not working for you
    
 
'ToFiles array is for individual files and is geared towards locking individual files to local/admin access only
'ToFolders array is suited to locking the whole virtual folder to just the CU subnet(s)
'Any IP/Subnet not specified will be DENIED
  'For just an IP use ("nnn.nnn.nnn.nnn") 
  'For Subnet, ("nnn.nnn.nnn.nnn,nnn.nnn.nnn.nnn")
  'Adding Multiple entries is ok, and you can mix IP and Subnets together like ("127.0.0.1","192.168.5.0,255.255.255.0")
 
 
'Start - Edit Name/Index/IPs as required. *************************************************************************************************
'Calling from command line will override these values if specified.
 
  strServerName = "localhost" 
  strSiteIndex = "1"
   
  arrGrantTheseIPs_ToFiles = Array("127.0.0.1")
  arrGrantTheseIPs_ToFolders = Array("127.0.0.1","192.168.5.0,255.255.255.0")
  
'End - Edit Name/Index/IPs ****************************************************************************************************************
 
 
 
'Do not edit! *****************************************************************************************************************************
 
  strSiteRoot = "IIS://" & strServerName & "/W3SVC" & "/" & strSiteIndex & "/ROOT"
  ListSiteIndex
  wscript.echo vbTab & "Current Site Index: " & strSiteIndex
  
'/Do not edit! ****************************************************************************************************************************
 
 
'Grab arguments from command line and override settings embedded in file
 
 
IF WScript.Arguments.Named("grantFiles") <> "" THEN
                   tgf=WScript.Arguments.Named("grantFiles")
                   wscript.echo vbCRLF & "Granting IP/Networks " & tgf & " to config files"
                   arrGrantTheseIPs_ToFiles = Array(tgf)
END IF
 
IF WScript.Arguments.Named("grantFolders") <> "" THEN
                   tgfl=WScript.Arguments.Named("grantFolders")
                   wscript.echo vbCRLF & "Granting IP/Networks " & tgfl & " to user facing folders"
                   'Folder override must go to the folders array (was assigned to the files array)
                   arrGrantTheseIPs_ToFolders = Array(tgfl)
END IF
 
 
 
      'Create a config block for *each* config file/folder that needs ip restrictions
      'Use the examples below for guidance - then copy/paste and adapt the block to the desired configuration
      'When using the examples, ensure you uncomment the lines between Start and End!
      'The only value(s) to edit/replace are indicated with *xxxxxx*
 
 
 
      'Start Folder IP Restrict Definition Block EXAMPLE----------------------------------------------------------
        'strFolderPath = strSiteRoot & "/*theFoldername*"
        'strConfigFilePath = strFolderPath & "/" & strConfigFileName
        'wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strFolderPath
        '    SetFolderIPSec
      'End Folder IP Restrict Definition Block EXAMPLE------------------------------------------------------------
 
 
          'Start File IP Restrict Definition Block EXAMPLE------------------------------------------------------------
            'strConfigFileName = "*thefile.extension*"
            'strFolderPath = strSiteRoot & "/*theFoldername*"
            'strConfigFilePath = strFolderPath & "/" & strConfigFileName
            'wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strConfigFilePath
            '    CreateFile
            '    SetFileIPSec
          'End File IP Restrict Definition Block EXAMPLE--------------------------------------------------------------
 
 
 
 
'Edit below here! *************************************************************************************************************************
 
      'Start Folder IP Restrict Definition Block------------------------------------------------------------------
        strFolderPath = strSiteRoot & "/CDPManageWebService"
        strConfigFilePath = strFolderPath & "/" & strConfigFileName
        wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strFolderPath
            SetFolderIPSec
      'End Folder IP Restrict Definition Block--------------------------------------------------------------------
 
 
      'Start Folder IP Restrict Definition Block------------------------------------------------------------------
        strFolderPath = strSiteRoot & "/CDPManageWebServiceMega"
        strConfigFilePath = strFolderPath & "/" & strConfigFileName
        wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strFolderPath
            SetFolderIPSec
      'End Folder IP Restrict Definition Block--------------------------------------------------------------------
 
 
          'Start File IP Restrict Definition Block -------------------------------------------------------------------
            strConfigFileName = "configuration.aspx"
            strFolderPath = strSiteRoot & "/CDPManageWebServiceMega"
            strConfigFilePath = strFolderPath & "/" & strConfigFileName
            wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strConfigFilePath
                CreateFile
                SetFileIPSec
          'End File IP Restrict Definition Block ---------------------------------------------------------------------
 
 
      'Start Folder IP Restrict Definition Block------------------------------------------------------------------
        strFolderPath = strSiteRoot & "/CDPManageDocumentSearch"
        strConfigFilePath = strFolderPath & "/" & strConfigFileName
        wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strFolderPath
            SetFolderIPSec
      'End Folder IP Restrict Definition Block--------------------------------------------------------------------
 
 
      'Start Folder IP Restrict Definition Block------------------------------------------------------------------
        strFolderPath = strSiteRoot & "/CDPCentralWebService"
        strConfigFilePath = strFolderPath & "/" & strConfigFileName
        wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strFolderPath
            SetFolderIPSec
      'End Folder IP Restrict Definition Block--------------------------------------------------------------------
 
 
          'Start File IP Restrict Definition Block -------------------------------------------------------------------
            strConfigFileName = "configuration.aspx"
            strFolderPath = strSiteRoot & "/CDPCentralWebService"
            strConfigFilePath = strFolderPath & "/" & strConfigFileName
            wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strConfigFilePath
                CreateFile
                SetFileIPSec
          'End File IP Restrict Definition Block ---------------------------------------------------------------------
 
 
      'Start Folder IP Restrict Definition Block------------------------------------------------------------------
        strFolderPath = strSiteRoot & "/CDPCentralWebServiceMega"
        strConfigFilePath = strFolderPath & "/" & strConfigFileName
        wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strFolderPath
            SetFolderIPSec
      'End Folder IP Restrict Definition Block--------------------------------------------------------------------
 
 
          'Start File IP Restrict Definition Block -------------------------------------------------------------------
            strConfigFileName = "configuration.aspx"
            strFolderPath = strSiteRoot & "/CDPCentralWebServiceMega"
            strConfigFilePath = strFolderPath & "/" & strConfigFileName
            wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strConfigFilePath
                CreateFile
                SetFileIPSec
          'End File IP Restrict Definition Block ---------------------------------------------------------------------
 
 
      'Start Folder IP Restrict Definition Block------------------------------------------------------------------
        strFolderPath = strSiteRoot & "/CDPTellerWebInquiry"
        strConfigFilePath = strFolderPath & "/" & strConfigFileName
        wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strFolderPath
            SetFolderIPSec
      'End Folder IP Restrict Definition Block--------------------------------------------------------------------
 
 
          'Start File IP Restrict Definition Block -------------------------------------------------------------------
            strConfigFileName = "configuration.aspx"
            strFolderPath = strSiteRoot & "/CDPTellerWebInquiry"
            strConfigFilePath = strFolderPath & "/" & strConfigFileName
            wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strConfigFilePath
                CreateFile
                SetFileIPSec
          'End File IP Restrict Definition Block ---------------------------------------------------------------------
 
 
      'Start Folder IP Restrict Definition Block------------------------------------------------------------------
        strFolderPath = strSiteRoot & "/CDPCentralWebService3_98"
        strConfigFilePath = strFolderPath & "/" & strConfigFileName
        wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strFolderPath
            SetFolderIPSec
      'End Folder IP Restrict Definition Block--------------------------------------------------------------------
 
 
          'Start File IP Restrict Definition Block -------------------------------------------------------------------
            strConfigFileName = "configuration.aspx"
            strFolderPath = strSiteRoot & "/CDPCentralWebService3_98"
            strConfigFilePath = strFolderPath & "/" & strConfigFileName
            wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strConfigFilePath
                CreateFile
                SetFileIPSec
          'End File IP Restrict Definition Block ---------------------------------------------------------------------
 
 
 
'No Edits below here! *********************************************************************************************************************
 
 
 
Sub CreateFile
 
  Set objFolder = GetObject(strFolderPath)
  set objCreateConfigFile = objFolder.Create("IISWebFile",strConfigFileName)
      objCreateConfigFile.SetInfo
 
      Set objFolder = Nothing
      set objCreateConfigFile = Nothing
    
End Sub
 
 
 
Sub SetFileIPSec
 
  Set nub_object = GetObject(strConfigFilePath)
  Set objIPRestrict = nub_object.IPSecurity
  objIPRestrict.GrantByDefault = False
  'Leaving these in for flexibility - reverses things to allow all EXCEPT the addresses indicated
  'objIPRestrict.GrantByDefault = True
  'objIPRestrict.IPDeny = arrDenyTheseIPs_ToFiles
  objIPRestrict.IPGrant = arrGrantTheseIPs_ToFiles
  nub_object.IPSecurity = objIPRestrict
  nub_object.SetInfo
 
  WScript.Echo vbTab & "The following IP addresses are now Allowed:"
  arrGrantedIPs = objIPRestrict.IPGrant
  for i = 0 to Ubound(arrGrantedIPs)
    WScript.Echo vbTab & arrGrantedIPs(i)
  next
  
  WScript.Echo vbTab & "ALL OTHER ADDRESSES ARE DENIED!!!"
  
    Set nub_object = Nothing
    Set objIPRestrict = Nothing
    'Plain string variables are reset with "" (assigning Nothing without Set raises an error)
    strConfigFileName = ""
    strFolderPath = ""
    strConfigFilePath = ""
  
End Sub
 
 
 
Sub SetFolderIPSec
 
  Set nub_object = GetObject(strFolderPath)
  Set objIPRestrict = nub_object.IPSecurity
  objIPRestrict.GrantByDefault = False
  'Leaving these in for flexibility - reverses things to allow all EXCEPT the addresses indicated
  'objIPRestrict.GrantByDefault = True
  'objIPRestrict.IPDeny = arrDenyTheseIPs_ToFolders
  objIPRestrict.IPGrant = arrGrantTheseIPs_ToFolders
  nub_object.IPSecurity = objIPRestrict
  nub_object.SetInfo
 
  WScript.Echo vbTab & "The following IP addresses are now Allowed:"
  arrGrantedIPs = objIPRestrict.IPGrant
  for i = 0 to Ubound(arrGrantedIPs)
    WScript.Echo vbTab & arrGrantedIPs(i)
  next
  
    WScript.Echo vbTab & "ALL OTHER ADDRESSES ARE DENIED!!!"
  
    Set nub_object = Nothing
    Set objIPRestrict = Nothing
    'Plain string variables are reset with "" (assigning Nothing without Set raises an error)
    strConfigFileName = ""
    strFolderPath = ""
    strConfigFilePath = ""
  
End Sub
 
 
 
Sub ListSiteIndex
 
  Dim parent_object 
  Dim child_object 
  Dim allsites 
 
  IISPath = "IIS://" & strServerName & "/W3SVC"
  Set parent_object = GetObject(IISPath)
  For each child_object in parent_object 
      If IsNumeric(child_object.Name) then
        Wscript.echo "Site Index ID: " & child_object.Name & vbTab & "ServerComment: " & child_object.ServerComment
      End If
  Next
  
    'Object references need Set to be released; the path string is reset with ""
    IISPath = ""
    Set parent_object = Nothing
    Set child_object = Nothing
    Set allsites = Nothing
  
End Sub

carswelldp Asked:
meverest Commented:
Hi,

Although WMI is supposed to be supported on IIS7, it tends to be problematic in some cases - as you have apparently discovered.

For IIS7 config, it is a better idea to use appCmd.exe to apply configuration changes, or to use httpmodule support using C# or other managed code.

For appcmd.exe see: http://learn.iis.net/page.aspx/114/getting-started-with-appcmdexe/

For httpmodules see: http://learn.iis.net/page.aspx/241/configuration-extensibility/

cheers.
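
As an added example (not code from the original thread or from either poster), this is one way the appcmd.exe route suggested above could reproduce the script's allow-list behaviour on IIS 7 and stay safe to run repeatedly. The site name `Default Web Site`, the default appcmd.exe path, and the helper names `Invoke-AppCmd`, `Get-Key` and `Set-IpAllowList` are assumptions; it also assumes existing entries are address entries, not domain names.

```powershell
# Added example: allow-list IP restrictions on IIS 7+ through appcmd.exe.
# Needs an elevated prompt and the "IP and Domain Restrictions" role service.
$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'   # assumption: default path
$section = 'system.webServer/security/ipSecurity'
$site    = 'Default Web Site'   # assumption: stands in for strSiteIndex = "1"

# Same entry format as the VBScript arrays: "ip" or "ip,mask"
$grantToFiles   = @('127.0.0.1')
$grantToFolders = @('127.0.0.1', '192.168.5.0,255.255.255.0')
$folders = @('CDPManageWebService', 'CDPCentralWebService')   # two of the question's folders
$files   = @('CDPCentralWebService/configuration.aspx')

function Invoke-AppCmd {
    # Stop on the first failure instead of continuing silently.
    & $appcmd @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed ($LASTEXITCODE): $args" }
}

function Get-Key([string]$Ip, [string]$Mask) {
    if (-not $Mask) { $Mask = '255.255.255.255' }   # schema default: single host
    foreach ($p in $Ip, $Mask) { [void][System.Net.IPAddress]::Parse($p) }   # throws on typos
    "$Ip,$Mask"
}

function Set-IpAllowList([string]$ConfigPath, [string[]]$Entries) {
    # Read the entries already in effect so that a second run changes nothing.
    [xml]$cfg = & $appcmd list config $ConfigPath "-section:$section"
    $have = @($cfg.SelectNodes('//ipSecurity/add') |
              ForEach-Object { Get-Key ($_.GetAttribute('ipAddress')) ($_.GetAttribute('subnetMask')) })
    $want = @($Entries | ForEach-Object { $ip, $mask = $_.Split(','); Get-Key $ip $mask })

    # allowUnlisted=false is the counterpart of GrantByDefault = False.
    Invoke-AppCmd set config $ConfigPath "-section:$section" /allowUnlisted:false /commit:apphost
    foreach ($k in $have | Where-Object { $want -notcontains $_ }) {   # stale entries
        $ip, $mask = $k.Split(',')
        Invoke-AppCmd set config $ConfigPath "-section:$section" "/-[ipAddress='$ip',subnetMask='$mask']" /commit:apphost
    }
    foreach ($k in $want | Where-Object { $have -notcontains $_ }) {   # missing entries
        $ip, $mask = $k.Split(',')
        Invoke-AppCmd set config $ConfigPath "-section:$section" "/+[ipAddress='$ip',subnetMask='$mask',allowed='True']" /commit:apphost
    }
}

foreach ($f in $folders) { Set-IpAllowList "$site/$f" $grantToFolders }
foreach ($f in $files)   { Set-IpAllowList "$site/$f" $grantToFiles }
```

Committing to `apphost` writes the rules as location entries in applicationHost.config, which avoids the default lock on the ipSecurity section at the web.config level.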
carswelldp (Author) Commented:
This has led us in the proper direction, we believe. This is something that we are going to explore in greater detail.

cheers!
