Configure IP Address and Domain Name Restrictions

Applies To: Windows Server 2003, Windows Server 2003 with SP1

You can configure your Web site to grant or deny specific computers, groups of computers, or domains access to Web sites, directories, or files.

Requirements

  • Credentials: Membership in the Administrators group on the local computer.

  • Tools: Iis.msc.

Recommendation

As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. At the command prompt, type runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc".

Procedures

Configure Restrictions Based on IP Address

You can use IIS Manager to grant or deny access to Web sites or applications for a computer or group of computers.

Grant or deny access to resources for a single computer

You can either deny or grant access for a single computer based upon its IP address.

To grant access to resources for a computer

  1. In IIS Manager, expand the local computer, right-click a Web site, directory, or file you want to configure, and click Properties.

  2. Click the Directory Security or File Security tab. In the IP address and domain name restrictions section, click Edit.

  3. Click Granted access.

    When you select Granted access, you grant access to all computers and domains, except to those that you specifically deny access.

  4. Click Add.

  5. Click Single computer.

  6. Click DNS Lookup to search for computers or domains by name, rather than by IP address.

  7. Type the DNS name for the computer. IIS searches on the current domain for the computer, and if found, enters its IP address in the IP address box.

    The following information is important to remember when using the DNS Lookup feature:

    • Server performance decreases while DNS addresses are being looked up.

    • A user accessing your Web server through a proxy server will appear to have the IP address of the proxy server.

    • Some server access problems that users experience can be corrected by using the "*.domainname.com" syntax rather than the "domainname.com" syntax.

  8. Click OK three times.

To deny access to resources for a computer

  1. In IIS Manager, expand the local computer, right-click a Web site, directory, or file you want to configure, and click Properties.

  2. Click the Directory Security or File Security tab. In the IP address and domain name restrictions section, click Edit.

  3. Click Denied access.

    When you select Denied access, you deny access to all computers and domains, except to those that you specifically grant access.

  4. Click Add.

  5. Click Single computer.

  6. Click DNS Lookup to search for computers or domains by name, rather than by IP address.

  7. Type the DNS name for the computer. IIS searches on the current domain for the computer, and if found, enters its IP address in the IP address box.

    The following information is important to remember when using the DNS Lookup feature:

    • Server performance decreases while DNS addresses are being looked up.

    • A user accessing your Web server through a proxy server will appear to have the IP address of the proxy server.

    • Some server access problems that users experience can be corrected by using the "*.domainname.com" syntax rather than the "domainname.com" syntax.

  8. Click OK three times.

Grant or deny access to resources for a group of computers

A group of computers can be either denied or granted access based upon their network ID and a subnet mask. The network ID is the IP address of a host computer, usually a router for the subnet. The subnet mask determines which part of the IP address is a subnet ID, and which part is a host ID. All computers in a subnet have the same subnet ID, but have their own unique host ID. By specifying a network ID and a subnet mask, you can select a group of computers.

To grant access to resources for a group of computers

  1. In IIS Manager, expand the local computer, right-click a Web site, directory, or file you want to configure, and click Properties.

  2. Click the Directory Security or File Security tab. In the IP address and domain name restrictions section, click Edit.

  3. Click Granted access.

    When you select Granted access, you grant access to all computers and domains, except to those that you specifically deny access.

  4. Click Add.

  5. Click Group of computers.

  6. In the Network ID box, type the IP address of the host computer.

  7. In the Subnet mask box, type the subnet ID for the computer you want to grant or deny access to.

  8. Click OK three times.

To deny access to resources for a group of computers

  1. In IIS Manager, expand the local computer, right-click a Web site, directory, or file you want to configure, and click Properties.

  2. Click the Directory Security or File Security tab. In the IP address and domain name restrictions section, click Edit.

  3. Click Denied access.

    When you select Denied access, you deny access to all computers and domains, except to those that you specifically grant access.

  4. Click Add.

  5. Click Group of computers.

  6. In the Network ID box, type the IP address of the host computer.

  7. In the Subnet mask box, type the subnet ID for the computer you want to grant or deny access to.

  8. Click OK three times.
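
The following Python sketch is an added example, not part of the original article and not IIS code. It models how a network ID and subnet mask select a group of computers, and how the Granted access and Denied access defaults combine with the exception list, so that a planned list can be checked before it is entered in IIS Manager. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

SINGLE = "255.255.255.255"  # a "Single computer" entry behaves like a one-address group


def in_group(client_ip, network_id, subnet_mask):
    """True if client_ip has the same subnet ID as network_id under subnet_mask."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    client = int(ipaddress.IPv4Address(client_ip))
    net = int(ipaddress.IPv4Address(network_id))
    return (client & mask) == (net & mask)


def group_range(network_id, subnet_mask):
    """(first address, last address, count) selected by a group entry.

    The host part of network_id is ignored, so entering a host address
    still selects the whole subnet. Contiguous masks only.
    """
    net = ipaddress.IPv4Network(f"{network_id}/{subnet_mask}", strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def is_allowed(client_ip, default, exceptions):
    """Model of the dialog: default is 'granted' or 'denied'.

    exceptions is the list of (ip, mask) entries added with Add; an entry
    reverses the default for every address it matches.
    """
    if default not in ("granted", "denied"):
        raise ValueError("default must be 'granted' or 'denied'")
    listed = any(in_group(client_ip, ip, mask) for ip, mask in exceptions)
    return listed if default == "denied" else not listed


if __name__ == "__main__":
    # Constructed sample: Denied access by default, two grant exceptions.
    grants = [("192.0.2.10", "255.255.255.0"), ("198.51.100.7", SINGLE)]
    print(group_range("192.0.2.10", "255.255.255.0"))
    for ip in ("192.0.2.200", "198.51.100.7", "198.51.100.8"):
        print(ip, "allowed" if is_allowed(ip, "denied", grants) else "blocked")

    # Constructed sample: Granted access by default, one deny entry that
    # happens to be a proxy server. Every user behind that proxy is blocked,
    # because the server sees only the proxy's address.
    denies = [("203.0.113.5", SINGLE)]
    print("203.0.113.5", is_allowed("203.0.113.5", "granted", denies))
```
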

Configure Restrictions Based on Domain

Access to resources for a domain can be granted or denied by using IIS Manager.

To grant access to resources for a domain

  1. In IIS Manager, expand the local computer, right-click a Web site, directory, or file you want to configure, and click Properties.

  2. Click the Directory Security or File Security tab. In the IP address and domain name restrictions section, click Edit.

  3. Click Granted access.

    When you select Granted access, you grant access for all computers and domains, except for those that you specifically deny access.

  4. Click Add.

  5. Click Domain name. You will see a warning message saying that "Restricting access by domain name requires a DNS reverse lookup on each connection. This is a very expensive operation and will dramatically affect server performance." Click OK to close the message dialog box.

  6. In the Domain name box, type the domain name.

  7. Click OK three times.

To deny access to resources for a domain

  1. In IIS Manager, expand the local computer, right-click a Web site, directory, or file you want to configure, and click Properties.

  2. Click the Directory Security or File Security tab. In the IP address and domain name restrictions section, click Edit.

  3. Click Denied access.

    When you select Denied access, you deny access for all computers and domains, except for those that you specifically grant access.

  4. Click Add.

  5. Click Domain name.

  6. In the Domain name box, type the domain name.

  7. Click OK three times.