Solved

How to set and understand IP & Domain Restrictions in IIS 7.5?

Posted on 2015-02-17
Last Modified: 2015-02-19
Windows Server 2008 R2 running IIS 7.5. The role of IP and domain restrictions is already added to the server and I can see that in features. When I open it, the only options are add allow entry or add deny entry. From the drop-down I have no grouping, entry type or mode to select from. Here is what they are telling me to do:
Inside the IPv4 address & domain restrictions set default for "Unspecified Clients" to Deny, then select Add Allow Entry, and set it to secure.xxx.com.

I don't see anything that says unspecified clients at this point. Also, I am not sure how this impacts the sites that are not using security. Can someone help me understand and determine what to do from the point I am at in the interface?
Question by:kdschool
8 Comments
 
LVL 35

Expert Comment

by:Mahesh
ID: 40616088
In IIS 7, all IP addresses, computers, and domains can access your site by default. To enhance security, you can restrict access to your site by creating a deny rule for all IP addresses, a specific IP address, a range of IP addresses, or a specific domain.

For example, if you have a site on an intranet server that is connected to the Internet, you can prevent Internet users from accessing your intranet site by allowing access only to members of your intranet, and explicitly denying access to outside users.
http://www.therealtimeweb.com/index.cfm/2012/10/18/iis7-restrict-by-ip
https://technet.microsoft.com/en-us/library/cc733090(v=ws.10).aspx


When you open this feature in the IIS console and click on Edit Feature Settings, you will get an Allow or Deny option for unspecified clients, where you can tell IIS to either allow or deny all IPs and domains not listed in the list.


According to my understanding, you will not benefit much from this feature.
You can do it for testing purposes. It looks like a very great feature, but I don't see much use for it in a real-world scenario.
Also, if your web site is published on the internet, I don't see any genuine reason to block public internet domains or IP addresses from accessing your web sites.
This feature doesn't support *IPv6* addresses.

All you need to do is ensure that only the required ports (80/443) are allowed from the internet and that brute force / port scan attacks are blocked via a firewall / IDS device in between.
 

Author Comment

by:kdschool
ID: 40618706
I have two steps based on this:
Set default for "Unspecified Clients" to Deny, then select Add Allow Entry, and set it to secure.xxx.com.

When I select edit feature settings, the box that opens says allow or deny, and then I only have a check mark option that says "enable domain name restrictions". I still don't understand the part about unspecified clients. I don't see that term anywhere. There is also an add and a deny entry selection for each of these. This option gives a box with two options that let you select an IP address range or mask/prefix. Would that be where I add the secure.xxx.com address as an allow?
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40618756
Your domain name restrictions can't be enforced unless you check "enable domain name restrictions".


Unspecified clients means all IPs, domains, and IP ranges except those added as allow entries.

What it means: once you set unspecified clients to deny, you are denying all traffic except what is allowed.
Also, you must have selected "enable domain name restrictions" in the edit settings dialog box.
Now you can add secure.xxx.com as an allow entry.
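The configuration that the steps in the accepted answer produce, shown as an added example that is not part of the original thread. It assumes the rule is applied to one site through a `<location>` block in applicationHost.config (the `ipSecurity` section is locked at server level by default); "Secure Site" is a hypothetical site name and secure.xxx.com is the placeholder from the question.

```xml
<!-- applicationHost.config, located in %windir%\System32\inetsrv\config -->
<!-- "Secure Site" is a hypothetical site name used for illustration. -->
<location path="Secure Site">
  <system.webServer>
    <security>
      <!-- allowUnlisted="false": Edit Feature Settings, access for
           unspecified clients set to Deny (the default is true = Allow). -->
      <!-- enableReverseDns="true": Edit Feature Settings, the
           "Enable domain name restrictions" check box. Without it the
           Domain name field is not offered when adding an entry. -->
      <ipSecurity allowUnlisted="false" enableReverseDns="true">
        <!-- Add Allow Entry by domain name. -->
        <add domainName="secure.xxx.com" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</location>
```

Because the block is scoped by `path`, other sites on the server keep the default of allowing unlisted clients. Domain entries are matched by a reverse DNS lookup of each client IP, so they add latency to every request and depend on the client's PTR record.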
 

Author Comment

by:kdschool
ID: 40618758
I need to use the domain option but the Microsoft instructions do not match the interface.



In Features View, double-click IPv4 Address and Domain Restrictions.
In the Actions pane, click Add Deny Entry.
In the Add Deny Restriction Rule dialog box, select Specific IPv4 address, IPv4 address range, or Domain name, and type the IPv4 address, range, mask, or domain name, and then click OK.

Unless that is the item labeled mask/prefix, there is nowhere to just enter a domain secure.xxx.com.

 

Author Comment

by:kdschool
ID: 40618760
Where is the enable domain restrictions selection?
 

Author Comment

by:kdschool
ID: 40618766
OK, I see you are saying to use the edit feature settings box to enable the process to work, then do the settings.
 

Author Comment

by:kdschool
ID: 40618989
I read through your articles and I think I got it. Thank you so much for all this wonderful information.
 

Author Closing Comment

by:kdschool
ID: 40618992
Very quick and perfect information.