Solved

How to set and understand IP & Domain Restrictions in IIS 7.5?

Posted on 2015-02-17
Last Modified: 2015-02-19
Windows Server 2008 R2 running IIS 7.5. The role of IP and domain restrictions is already added to the server and I can see that in features. When I open it, the only options are Add Allow Entry or Add Deny Entry. From the drop-down I have no grouping, entry type or mode to select from. Here is what they are telling me to do:
Inside the IPv4 address & domain restrictions set default for "Unspecified Clients" to Deny, then select Add Allow Entry, and set it to secure.xxx.com.

I don't see anything that says unspecified clients at this point. Also, I am not sure how this impacts the sites that are not using security. Can someone help me understand and determine what to do from the point I am at in the interface?
Question by:kdschool

Expert Comment

by:Mahesh
ID: 40616088
In IIS 7, all IP addresses, computers, and domains can access your site by default. To enhance security, you can restrict access to your site by creating a deny rule for all IP addresses, a specific IP address, a range of IP addresses, or a specific domain.

For example, if you have a site on an intranet server that is connected to the Internet, you can prevent Internet users from accessing your intranet site by allowing access only to members of your intranet, and explicitly denying access to outside users.
http://www.therealtimeweb.com/index.cfm/2012/10/18/iis7-restrict-by-ip
https://technet.microsoft.com/en-us/library/cc733090(v=ws.10).aspx


When you open this feature in the IIS console and click Edit Feature Settings, you will get an Allow or Deny option for unspecified clients, where you can tell IIS to either allow or deny all IPs and domains not listed here in the list.

According to my understanding, you will not benefit much from this feature.
You can do it for testing purposes. It looks like a very great feature, but I don't see much use for it in a real-world scenario.
Also, if your web site is published on the internet, I don't see any genuine reason to block internet public domains or IP addresses from accessing your web sites.
This feature doesn't support *IPv6* addresses.

All you need to do is ensure that only the required ports (80/443) are allowed from the internet, and that brute force \ port scan cyber attacks are blocked via a firewall \ IDS device in between.
Author Comment

by:kdschool
ID: 40618706
I have two steps based on this:
Set default for "Unspecified Clients" to Deny, then select Add Allow Entry, and set it to secure.xxx.com.

When I select Edit Feature Settings, the box that opens says allow or deny, and then I only have a check mark option that says "Enable domain name restrictions". I still don't understand the part about unspecified clients. I don't see that term anywhere. There is also an add and a deny entry selection for each of these. This option gives a box with two options that let you select an IP address range or mask/prefix. Would that be where I add the secure.xxx.com address as an allow?

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40618756
Your domain name restrictions can't be enforced unless you check "Enable domain name restrictions".

Unspecified clients means all IPs, domains and IP ranges except those added as allow entries.

What it means is that once you set unspecified clients to deny, you are denying all traffic except what is allowed.
Also, you must have selected "Enable domain name restrictions" in the edit settings dialog box.
Now you can add secure.xxx.com as an allow entry.
0
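
The three settings named in the accepted answer correspond to values in the IIS `ipSecurity` configuration section; the PowerShell below is an added example, not part of the original thread, that applies them to one site with the WebAdministration module. The site name `Secure Site` is a placeholder assumption, and `secure.xxx.com` is the host name from the question.

```powershell
# Added example. 'Secure Site' is a placeholder; use the name shown in IIS Manager.
Import-Module WebAdministration

$site    = 'Secure Site'
$filter  = 'system.webServer/security/ipSecurity'
# Writing to applicationHost.config with -Location scopes the change to this
# one site, so other sites on the server keep the default (allow everyone).
$apphost = 'MACHINE/WEBROOT/APPHOST'

# 1. Same as ticking "Enable domain name restrictions" in Edit Feature Settings.
#    Without it, domain name entries cannot be added or enforced.
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter `
    -Name enableReverseDns -Value $true

# 2. Same as Add Allow Entry > Domain name. Added before step 3 so the
#    allowed client is never locked out between the two changes.
Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter `
    -Name '.' -Value @{ domainName = 'secure.xxx.com'; allowed = $true }

# 3. Same as setting "Access for unspecified clients" to Deny:
#    anything that does not match an allow entry is refused.
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter `
    -Name allowUnlisted -Value $false

# 4. Read the settings back to confirm what is actually in effect.
foreach ($name in 'allowUnlisted', 'enableReverseDns') {
    $attr = Get-WebConfigurationProperty -PSPath $apphost -Location $site `
        -Filter $filter -Name $name
    '{0} = {1}' -f $name, $attr.Value
}
Get-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter `
    -Name collection | Select-Object domainName, ipAddress, subnetMask, allowed
```

Domain entries are matched against the reverse DNS (PTR) name of the client's IP address, so enabling them adds a lookup to each new connection, and the result is only as trustworthy as that PTR record.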
Author Comment

by:kdschool
ID: 40618758
I need to use the domain option but the Microsoft instructions do not match the interface.

In Features View, double-click IPv4 Address and Domain Restrictions.
In the Actions pane, click Add Deny Entry.
In the Add Deny Restriction Rule dialog box, select Specific IPv4 address, IPv4 address range, or Domain name, and type the IPv4 address, range, mask, or domain name, and then click OK.

Unless that is the item labeled mask/prefix, there is nowhere to just enter a domain secure.xxx.com.

Author Comment

by:kdschool
ID: 40618760
Where is the enable domain restrictions selection?

Author Comment

by:kdschool
ID: 40618766
Ok I see you are saying to use the edit feature settings box to enable the process to work then do the settings.

Author Comment

by:kdschool
ID: 40618989
I read through your articles and I think I got it. Thank you so much for all this wonderful information.

Author Closing Comment

by:kdschool
ID: 40618992
Very quick and perfect information.