IIS tip: blocking all IP addresses except one or two

Posted: (EET/GMT+2)


I recently needed to solve a seemingly simple thing: an ASP.NET web application is only supposed to be available from certain IPv4 addresses. In IIS 7 onwards (including IIS 7.5 and IIS 8) you can restrict IP addresses served using the IPv4 Address and Domain Restrictions feature. This feature is a separately installed module in IIS 7, so be sure to first install the feature before configuring.

Firstly, you need to learn how the feature works. Let's assume that you want to deny all IP addresses except a single IP or a range of IP addresses. In IIS, you work in a similar fashion to firewall access settings, where you build your access policy from a list of allow and deny entries. These entries are based on IP addresses and subnet masks, for instance 208.144.56.0/255.255.255.0 (IP address/subnet mask).

However, unlike many firewalls, there's one thing you need to be aware of, and it isn't obvious from the user interface of the management tool. In firewalls, you would often specify a "deny all" rule first, for instance with the IP address range 0.0.0.0/255.255.255.255. Then you would order your access list so that the allow entries (the exceptions) come first and the deny-all entry comes last.

However, this is not the way IIS works, and the above configuration wouldn't give you the correct results. Instead, you use a "master switch", which specifies whether unlisted clients should be allowed or denied access. Then you add the exceptions to that rule.

Unfortunately, the IIS Manager UI doesn't specifically indicate the presence of such a "master switch"; instead, you have to notice and click the "Edit Feature Settings" link on the right in IIS Manager. Clicking this link opens a new dialog box where you can specify the setting for unspecified clients.

In my case, I set this setting to "Deny", and then added one "Allow" entry with the IP address range I wanted. This solved the problem for me.

Remember also that IP address restrictions work in the usual inherited manner: you can specify IP address restrictions for your site or application, and then override them with different (broader or narrower) restrictions at a folder level below it.
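The same configuration expressed as a web.config fragment, covering both the "master switch" plus allow entries described above and the folder-level override from the previous paragraph. This is an added example, not configuration from the original post; the 208.144.56.0/255.255.255.0 range is the one the post uses, while 192.0.2.10 and the "admin" folder name are placeholders I chose for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <!-- allowUnlisted is the "master switch": false denies every client that matches
           no entry below. The default is true, which is why a list containing only
           allow entries changes nothing on its own. -->
      <ipSecurity allowUnlisted="false">
        <!-- Drop any entries inherited from applicationHost.config so this list is authoritative -->
        <clear />
        <!-- Allow the whole 208.144.56.0/24 range (the post's example) -->
        <add ipAddress="208.144.56.0" subnetMask="255.255.255.0" allowed="true" />
        <!-- Allow a single host (placeholder address); the default mask is
             255.255.255.255, so it can be omitted for a single address -->
        <add ipAddress="192.0.2.10" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>

  <!-- Folder-level override (placeholder folder name): the "admin" subfolder keeps the
       deny-all switch but narrows the exception list to the single host -->
  <location path="admin">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <clear />
          <add ipAddress="192.0.2.10" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Two checks before relying on this: the ipSecurity section is locked at the server level by default, so a web.config that sets it is rejected with a configuration error until you unlock it (for example with `appcmd unlock config /section:system.webServer/security/ipSecurity`) or put the entries in applicationHost.config instead. Also, IIS evaluates the source address of the TCP connection, so behind a reverse proxy or load balancer every request may appear to come from the proxy's address rather than the client's, and the allow list must be designed with that in mind.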

For more information about the feature, see the reference document for the <ipSecurity> element.

Keywords: how to block all IP addresses in Internet Information Services (IIS) Manager, allow IP address exceptions, deny all IP addresses.