  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1027

How to set and understand IP & Domain Restrictions in IIS 7.5?

Windows Server 2008 R2 running IIS 7.5. The role of IP and Domain Restrictions is already added to the server and I can see that in Features. When I open it, the only options are Add Allow Entry or Add Deny Entry. From the drop-down I have no grouping, entry type or mode to select from. Here is what they are telling me to do:
Inside the IPv4 address & domain restrictions set default for "Unspecified Clients" to Deny, then select Add Allow Entry, and set it to secure.xxx.com.

I don't see anything that says unspecified clients at this point.  Also I am not sure how this impacts the sites that are not using security.  Can someone help me understand and determine what to do from the point I am at in the interface?
Asked by: kdschool

1 Solution

MaheshArchitect Commented:
In IIS 7, all IP addresses, computers, and domains can access your site by default. To enhance security, you can restrict access to your site by creating a deny rule for all IP addresses, a specific IP address, a range of IP addresses, or a specific domain.

For example, if you have a site on an intranet server that is connected to the Internet, you can prevent Internet users from accessing your intranet site by allowing access only to members of your intranet, and explicitly denying access to outside users.
http://www.therealtimeweb.com/index.cfm/2012/10/18/iis7-restrict-by-ip
https://technet.microsoft.com/en-us/library/cc733090(v=ws.10).aspx


When you open this feature in the IIS console and click Edit Feature Settings, you will get an Allow or Deny option for unspecified clients, where you can tell IIS to either allow or deny all IPs and domains not listed in the list.


According to my understanding, you will not benefit much from this feature.
You can do it for testing purposes. It looks like a very great feature, but I don't see much use for it in a real-world scenario.
Also, if your web site is published on the internet, I don't see any genuine reason to block public internet domains or IP addresses from accessing your web sites.
This feature doesn't support *IPv6* addresses.

All you need to do is ensure that only the required ports (80/443) are allowed from the internet, and that brute-force / port-scan attacks are blocked by a firewall / IDS device in between.
 
kdschoolAuthor Commented:
I have two steps based on this:
Set default for "Unspecified Clients" to Deny, then select Add Allow Entry, and set it to secure.xxx.com.

When I select Edit Feature Settings, the box that opens says allow or deny and then I only have a check mark option that says "enable domain name restrictions". I still don't understand the part about unspecified clients. I don't see that term anywhere. There is also an add and a deny entry selection for each of these. This option gives a box with two options that let you select an IP address range or mask/prefix. Would that be where I add the secure.xxx.com address as an allow?
 
MaheshArchitect Commented:
Your domain name restrictions can't be enforced unless you check "enable domain name restrictions".

Unspecified clients means all IPs, domains and IP ranges except those added as allow entries.

What it means is that once you set unspecified clients to deny, you are denying all traffic except what is allowed.
Also, you must have selected "enable domain name restrictions" in the edit settings dialog box.
Now you can add secure.xxx.com as an allow entry.
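
The steps described in the answer above map to attributes of the `system.webServer/security/ipSecurity` configuration section. The script below is an added example, not part of the original thread; the site name `Secure Site` is an assumption, and `secure.xxx.com` is the placeholder host from the question.

```powershell
# Added example. Assumes IIS 7.5 with the "IP and Domain Restrictions"
# role service installed and an elevated PowerShell session.
Import-Module WebAdministration

$site   = 'Secure Site'                          # hypothetical site name
$root   = 'MACHINE/WEBROOT/APPHOST'              # write to applicationHost.config
$filter = 'system.webServer/security/ipSecurity'

# Edit Feature Settings -> "Access for unspecified clients" = Deny
Set-WebConfigurationProperty -PSPath $root -Location $site -Filter $filter `
    -Name allowUnlisted -Value $false

# Edit Feature Settings -> "Enable domain name restrictions"
# Without this, the Add Allow/Deny dialogs offer no domain name field.
Set-WebConfigurationProperty -PSPath $root -Location $site -Filter $filter `
    -Name enableReverseDns -Value $true

# Add Allow Entry -> Domain name
Add-WebConfigurationProperty -PSPath $root -Location $site -Filter $filter `
    -Name '.' -Value @{ domainName = 'secure.xxx.com'; allowed = $true }

# Read the settings back to confirm what IIS will enforce for this site.
(Get-WebConfigurationProperty -PSPath $root -Location $site -Filter $filter `
    -Name allowUnlisted).Value
(Get-WebConfigurationProperty -PSPath $root -Location $site -Filter $filter `
    -Name enableReverseDns).Value
Get-WebConfiguration -PSPath $root -Location $site -Filter "$filter/add" |
    Select-Object domainName, ipAddress, subnetMask, allowed

# Resulting section inside <location path="Secure Site"> :
#   <ipSecurity allowUnlisted="false" enableReverseDns="true">
#     <add domainName="secure.xxx.com" allowed="true" />
#   </ipSecurity>
```

Because the section is written under a `<location>` element for that one site, other sites on the server keep their own settings. With `enableReverseDns` on, IIS resolves each client IP address to a host name and compares it with the entry, so the rule depends on the client's reverse DNS record and adds DNS lookups to request handling.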
 
kdschoolAuthor Commented:
I need to use the domain option but the Microsoft instructions do not match the interface.



In Features View, double-click IPv4 Address and Domain Restrictions.
In the Actions pane, click Add Deny Entry.
In the Add Deny Restriction Rule dialog box, select Specific IPv4 address, IPv4 address range, or Domain name, and type the IPv4 address, range, mask, or domain name, and then click OK.

Unless that is the item labeled mask/prefix, there is nowhere to just enter a domain secure.xxx.com
 
kdschoolAuthor Commented:
Where is the enable domain restrictions selection?
 
kdschoolAuthor Commented:
Ok I see you are saying to use the edit feature settings box to enable the process to work then do the settings.
 
kdschoolAuthor Commented:
I read through your articles and I think I got it. Thank you so much for all this wonderful information.
 
kdschoolAuthor Commented:
Very quick and perfect information.