fusiongrokker

Locking down website access by IP in IIS7

I'm working on a web service that has the potential to be quite dangerous. In the wrong hands, it could be used to spoof email, calendar, and other data from any person in our organization. So you can imagine that there is some concern about restricting access, even in development.

Since I'm working on my local machine, I simply need to limit access to this website in IIS to one specific IP address: localhost (127.0.0.1). In the days of IIS6, this was fairly easily done in the website properties dialog. On the directory security tab there were options to restrict to certain IP addresses or ranges.

These days, I'm on Windows 7, which comes with IIS7. And in IIS7 (of course!) this functionality has been buried. So I'm posting this both to help others and as a reminder for myself later down the road when I want to do this again.

The first thing you need to do is open up Control Panel > Programs and Features, and from there, choose Turn Windows Features on or off. Navigate to Internet Information Services > World Wide Web Services > Security and enable IP Security.

Where to find the IP Security module

After you do this, you'll need to run iisreset before the change takes effect. If you have UAC enabled, be sure to run your command prompt as an administrator; otherwise you won't be able to run iisreset.

Lastly, to create the restrictions, open up the IIS Manager and select the website that you want to restrict. Open the IP Address and Domain Restrictions module, and then in the actions panel (on the right side) choose Edit Feature Settings.... To only allow local browsing, you should deny by default. Choose Deny from the dropdown, and hit OK. Then add your exceptions -- the IPs or ranges that you want to allow access to. To do that, choose Add Allow Entry... from the action panel, and add all the exceptions you need.

These changes should take effect immediately.
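
The same procedure scripted, as an added example that is not part of the original post. It assumes an elevated PowerShell prompt, the WebAdministration module (installed with the IIS Management Scripts and Tools feature), and a placeholder site name that you replace with your own.

```powershell
# Added example: scripted equivalent of the GUI steps above.
# Assumptions: elevated prompt; WebAdministration module available;
# $site is a placeholder name, not taken from the post.
$site    = 'Default Web Site'
$filter  = 'system.webServer/security/ipSecurity'
$apphost = 'MACHINE/WEBROOT/APPHOST'   # write to applicationHost.config

# 1. Enable the IP Security feature (same as ticking it under
#    "Turn Windows features on or off"), then restart IIS.
dism.exe /online /enable-feature /featurename:IIS-IPSecurity
iisreset.exe

Import-Module WebAdministration

# 2. Deny by default: any client not explicitly listed is refused.
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter $filter -Name allowUnlisted -Value $false

# 3. Add the single allow entry for loopback, unless it already exists
#    (adding a duplicate entry fails).
$entries = Get-WebConfiguration -PSPath $apphost -Location $site -Filter "$filter/add"
if (-not ($entries | Where-Object { $_.ipAddress -eq '127.0.0.1' })) {
    Add-WebConfigurationProperty -PSPath $apphost -Location $site `
        -Filter $filter -Name '.' `
        -Value @{ ipAddress = '127.0.0.1'; allowed = $true }
}

# 4. Read the result back and fail loudly if the site is not locked down.
$allowUnlisted = (Get-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter $filter -Name allowUnlisted).Value
$entries = Get-WebConfiguration -PSPath $apphost -Location $site -Filter "$filter/add"

if ($allowUnlisted) {
    throw "allowUnlisted is still true: '$site' accepts unlisted clients."
}
$unexpected = $entries | Where-Object { $_.allowed -and $_.ipAddress -ne '127.0.0.1' }
if ($unexpected) {
    $list = ($unexpected | ForEach-Object { $_.ipAddress }) -join ', '
    throw "Unexpected allow entries on '$site': $list"
}
"'$site' is deny-by-default; allowed: " +
    (($entries | Where-Object { $_.allowed } | ForEach-Object { $_.ipAddress }) -join ', ')
```

Step 4 can be run by itself later to confirm that nobody has widened the allow list since the site was locked down.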
