kdschool

How to set and understand IP & Domain Restrictions in IIS 7.5?

Windows Server 2008 R2 running IIS 7.5. The role of IP and domain restrictions is already added to the server and I can see that in features. When I open it, the only options are add allow entry or add deny entry. From the drop down I have no grouping, entry type or mode to select from. Here is what they are telling me to do:
Inside the IPv4 address & domain restrictions set default for "Unspecified Clients" to Deny, then select Add Allow Entry, and set it to secure.xxx.com.

I don't see anything that says unspecified clients at this point. Also I am not sure how this impacts the sites that are not using security. Can someone help me understand and determine what to do from the point I am at in the interface?
Mahesh

In IIS 7, all IP addresses, computers, and domains can access your site by default. To enhance security, you can restrict access to your site by creating a deny rule for all IP addresses, a specific IP address, a range of IP addresses, or a specific domain.

For example, if you have a site on an intranet server that is connected to the Internet, you can prevent Internet users from accessing your intranet site by allowing access only to members of your intranet, and explicitly denying access to outside users.
http://www.therealtimeweb.com/index.cfm/2012/10/18/iis7-restrict-by-ip
https://technet.microsoft.com/en-us/library/cc733090(v=ws.10).aspx


When you open this feature in the IIS console and click Edit Feature Settings, you will get an Allow or Deny option for unspecified clients, where you can tell IIS to either allow or deny all IPs and domains not listed in the list.


According to my understanding, you will not benefit much from this feature.
You can do it for testing purposes. It looks like a very great feature, but I don't see much use in a real-world scenario.
Also, if your web site is published on the internet, I don't see any genuine reason to block public internet domains or IP addresses from accessing your web sites.
This feature doesn't support *IPv6* addresses.

All you need to do is ensure that only the required ports (80/443) are allowed from the internet and that brute force / port scan cyber attacks are blocked via a firewall / IDS device in between.
kdschool

ASKER

I have two steps based on this:
Set default for "Unspecified Clients" to Deny, then select Add Allow Entry, and set it to secure.xxx.com.

When I select edit feature settings, the box that opens says allow or deny, and then I only have a check mark option that says "enable domain name restrictions". I still don't understand the part about unspecified clients. I don't see that term anywhere. There is also an add and a deny entry selection for each of these. This option gives a box with two options that let you select an IP address range or mask/prefix. Would that be where I add the secure.xxx.com address as an allow?
ASKER CERTIFIED SOLUTION
Mahesh
This solution is only available to members.
I need to use the domain option but the Microsoft instructions do not match the interface.



In Features View, double-click IPv4 Address and Domain Restrictions.
In the Actions pane, click Add Deny Entry.
In the Add Deny Restriction Rule dialog box, select Specific IPv4 address, IPv4 address range, or Domain name, and type the IPv4 address, range, mask, or domain name, and then click OK.

Unless that is the item labeled mask/prefix, there is nowhere to just enter a domain secure.xxx.com.
Where is the enable domain restrictions selection?
OK, I see you are saying to use the edit feature settings box to enable the process to work, then do the settings.
I read through your articles and I think I got it. Thank you so much for all this wonderful information.
Very quick and perfect information.
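
The settings discussed in this thread, as they end up in IIS configuration (an added example, not part of the original thread or of any participant's answer). The site names "Public Site" and "Secure Site" are hypothetical and the address range is a constructed sample; secure.xxx.com is the placeholder from the question.

```xml
<!-- Fragment of %windir%\System32\inetsrv\config\applicationHost.config,
     placed inside the root <configuration> element.
     "Public Site" and "Secure Site" are hypothetical site names. -->

<!-- A site left at the defaults: unspecified clients are allowed and there
     are no entries, so the feature filters nothing for this site. -->
<location path="Public Site">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="true" enableReverseDns="false" />
    </security>
  </system.webServer>
</location>

<!-- The restricted site. Mapping to the IIS Manager dialogs:
     allowUnlisted="false"    = Edit Feature Settings, "Access for unspecified clients": Deny
     enableReverseDns="true"  = Edit Feature Settings, "Enable domain name restrictions"
     add ... allowed="true"   = Add Allow Entry -->
<location path="Secure Site">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false" enableReverseDns="true">
        <!-- Compared with the reverse DNS name of the connecting client's address. -->
        <add domainName="secure.xxx.com" allowed="true" />
        <!-- Constructed sample: an address range entry (documentation range). -->
        <add ipAddress="192.0.2.0" subnetMask="255.255.255.0" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</location>
```

The domain name field only appears in the Add Allow/Deny dialogs once "Enable domain name restrictions" is ticked, and each such rule costs a reverse DNS lookup per client. Because each `<location>` block is scoped to one site, sites without an `ipSecurity` override keep the allow-all default.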