Solved

How to set and understand IP & Domain Restrictions in IIS 7.5?

Posted on 2015-02-17
Last Modified: 2015-02-19
Windows Server 2008 R2 running IIS 7.5. The role of IP and domain restrictions is already added to the server and I can see that in Features. When I open it, the only options are Add Allow Entry or Add Deny Entry. From the drop-down I have no grouping, entry type or mode to select from. Here is what they are telling me to do:
Inside the IPv4 address & domain restrictions set default for "Unspecified Clients" to Deny, then select Add Allow Entry, and set it to secure.xxx.com.

I don't see anything that says unspecified clients at this point. Also, I am not sure how this impacts the sites that are not using security. Can someone help me understand and determine what to do from the point I am at in the interface?
Question by:kdschool
LVL 37

Expert Comment

by:Mahesh
ID: 40616088
In IIS 7, all IP addresses, computers, and domains can access your site by default. To enhance security, you can restrict access to your site by creating a deny rule for all IP addresses, a specific IP address, a range of IP addresses, or a specific domain.

For example, if you have a site on an intranet server that is connected to the Internet, you can prevent Internet users from accessing your intranet site by allowing access only to members of your intranet, and explicitly denying access to outside users.
http://www.therealtimeweb.com/index.cfm/2012/10/18/iis7-restrict-by-ip
https://technet.microsoft.com/en-us/library/cc733090(v=ws.10).aspx


When you open this feature in the IIS console and click Edit Feature Settings, you will get an Allow or Deny option for unspecified clients, where you can tell IIS whether to allow or deny all IPs and domains not listed here in the list.


According to my understanding, you will not benefit much from this feature.
You can do it for testing purposes. It looks like a very great feature, but I don't see much use for it in a real-world scenario.
Also, if your web site is published on the internet, I don't see any genuine reason to block public internet domains or IP addresses from accessing your web sites.
This feature doesn't support *IPv6* addresses.

All you need to do is ensure that only the required ports (80/443) are allowed from the internet, and that brute-force / port-scan attacks are blocked by a firewall / IDS device in between.
 

Author Comment

by:kdschool
ID: 40618706
I have two steps based on this:
Set default for "Unspecified Clients" to Deny, then select Add Allow Entry, and set it to secure.xxx.com.

When I select Edit Feature Settings, the box that opens says allow or deny, and then I only have a check mark option that says "enable domain name restrictions". I still don't understand the part about unspecified clients. I don't see that term anywhere. There is also an add and a deny entry selection for each of these. This option gives a box with two options that let you select an IP address range or mask/prefix. Would that be where I add the secure.xxx.com address as an allow?
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40618756
Your domain name restrictions can't be enforced unless you check "enable domain name restrictions".


Unspecified clients means all IPs, domains and IP ranges except those added as allow entries.

What it means: once you set unspecified clients to deny, you are denying all traffic except what is allowed.
Also, you must have selected "enable domain name restrictions" in the Edit Feature Settings dialog box.
Now you can add secure.xxx.com as an allow entry.
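
The three settings from the accepted answer, scripted with the WebAdministration PowerShell module; this is an added example and not part of the original thread. The site name `Secure Site` is an assumption, and `secure.xxx.com` is the placeholder domain from the question. Scoping the change with `-Location` restricts only that site, so other sites on the server keep the default of allowing unlisted clients.

```powershell
# Added example: run in an elevated PowerShell session on the IIS 7.5 server.
Import-Module WebAdministration

$site   = 'Secure Site'        # hypothetical site name, replace with your own
$domain = 'secure.xxx.com'     # placeholder domain from the question
$common = @{
    PSPath   = 'MACHINE/WEBROOT/APPHOST'               # write to applicationHost.config
    Location = $site                                   # <location> tag for this site only
    Filter   = 'system.webServer/security/ipSecurity'  # section behind the IIS Manager feature
}

# Current state. On a default install allowUnlisted is True: every client
# that matches no entry (the "unspecified clients") is allowed.
'Before: allowUnlisted = ' +
    (Get-WebConfigurationProperty @common -Name 'allowUnlisted').Value

# Edit Feature Settings -> Access for unspecified clients: Deny
Set-WebConfigurationProperty @common -Name 'allowUnlisted' -Value $false

# Edit Feature Settings -> Enable domain name restrictions.
# The attribute is enableReverseDns: IIS resolves each client address back
# to a name to match domain entries, which costs a DNS lookup per request.
Set-WebConfigurationProperty @common -Name 'enableReverseDns' -Value $true

# Add Allow Entry -> Domain name. Skip if the entry already exists, because
# adding a duplicate collection element raises an error.
$existing = (Get-WebConfiguration @common).Collection |
    Where-Object { $_.domainName -eq $domain }
if (-not $existing) {
    Add-WebConfigurationProperty @common -Name '.' `
        -Value @{ domainName = $domain; allowed = $true }
}

# Verify the result for this site.
'After: allowUnlisted = ' +
    (Get-WebConfigurationProperty @common -Name 'allowUnlisted').Value
'After: enableReverseDns = ' +
    (Get-WebConfigurationProperty @common -Name 'enableReverseDns').Value
(Get-WebConfiguration @common).Collection |
    Select-Object domainName, ipAddress, subnetMask, allowed
```

Running the same `Get-WebConfigurationProperty` call with a different `Location` value shows whether any other site has been changed from the default.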

Author Comment

by:kdschool
ID: 40618758
I need to use the domain option, but the Microsoft instructions do not match the interface.



In Features View, double-click IPv4 Address and Domain Restrictions.
In the Actions pane, click Add Deny Entry.
In the Add Deny Restriction Rule dialog box, select Specific IPv4 address, IPv4 address range, or Domain name, and type the IPv4 address, range, mask, or domain name, and then click OK.

Unless that is the item labeled mask/prefix, there is nowhere to just enter a domain secure.xxx.com
 

Author Comment

by:kdschool
ID: 40618760
Where is the enable domain restrictions selection?
 

Author Comment

by:kdschool
ID: 40618766
OK, I see: you are saying to use the Edit Feature Settings box to enable the process to work, then do the settings.
 

Author Comment

by:kdschool
ID: 40618989
I read through your articles and I think I got it. Thank you so much for all this wonderful information.
 

Author Closing Comment

by:kdschool
ID: 40618992
Very quick and perfect information.
Question has a verified solution.