We have a website set up in IIS that is, for security reasons, only allowed to be accessed by itself. It sits on the same webserver as publicly accessible websites.

The way this has been enforced is by having its only Binding being set to "localhost", so that only requests made via "http://localhost/" (i.e. this PC) will be accepted. It took me a while to spot this as I'd have thought IP Restrictions would be the normal go-to place to do this.

Is it acceptable/recommended/advised against to restrict to LOCAL access only via binding settings? If not, is there a recommended best practice?

Arkiliknam
  • It is ambiguous when you said having its only Binding being set to "localhost". The site bindings `127.0.0.1:80:*`, `*:80:localhost` and so on differ from each other a lot. Site bindings are filters on destination IP for HTTP packets, while IP Restriction rules are filters on source IP mainly. So both can be used if you really want to. There can hardly be a recommended option, as requirements vary. – Lex Li May 20 '20 at 18:57
  • Apologies in advance, I'm a dev and this infrastructure stuff isn't my realm. The only binding that has been set in IIS is specifically set to "localhost", is that ambiguous? In this instance it has been used as a way to restrict access from all requests with destination not localhost. It's almost as though it's tricked it into restricting external access, as only itself can get here with "localhost" as its destination (to my knowledge). I just want to know if this is an acceptable way of restricting access like this. You're saying "you can", but "should you?" or "it doesn't matter"? – Arkiliknam May 22 '20 at 08:29
  • The common way to tell what bindings you set is to open IIS configuration file and reveal the relevant XML tags, like https://docs.jexusmanager.com/tutorials/binding-diagnostics.html#background Without that, descriptions of bindings like yours are ambiguous. – Lex Li May 22 '20 at 14:35
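
The comments above turn on which binding form is actually in the configuration file. As an added example (not code from the thread), this Python sketch reads the `<sites>` section of an `applicationHost.config` and labels each HTTP binding as bound to a loopback address, matched only by the host name `localhost`, or reachable on the network. The sample XML, site names and function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the <sites> section of applicationHost.config.
SAMPLE_CONFIG = """<sites>
  <site name="InternalByHost" id="2"><bindings>
    <binding protocol="http" bindingInformation="*:80:localhost" />
  </bindings></site>
  <site name="InternalByIp" id="3"><bindings>
    <binding protocol="http" bindingInformation="127.0.0.1:8080:" />
    <binding protocol="http" bindingInformation="[::1]:8080:" />
  </bindings></site>
  <site name="Public" id="1"><bindings>
    <binding protocol="http" bindingInformation="*:80:www.example.com" />
  </bindings></site>
</sites>"""

def classify_binding(binding_info):
    """Classify one 'IP:port:hostname' bindingInformation string."""
    # Split from the right so a bracketed IPv6 address keeps its colons.
    ip, _port, host = binding_info.rsplit(":", 2)
    try:
        if ipaddress.ip_address(ip.strip("[]")).is_loopback:
            return "loopback-ip"    # listener exists only on a loopback address
    except ValueError:
        pass                        # "*" or empty means all addresses
    if host.lower() == "localhost":
        # Listens on a non-loopback or wildcard address; the site is chosen
        # by the Host header value, which is not a check on the sender.
        return "host-header-only"
    return "network"

def audit_sites(config_xml):
    """Map each site name to [(bindingInformation, classification), ...]."""
    report = {}
    for site in ET.fromstring(config_xml).iter("site"):
        report[site.get("name")] = [
            (b.get("bindingInformation"), classify_binding(b.get("bindingInformation")))
            for b in site.iter("binding")
            if b.get("protocol") in ("http", "https")  # other protocols use other formats
        ]
    return report

if __name__ == "__main__":
    for name, bindings in audit_sites(SAMPLE_CONFIG).items():
        for info, kind in bindings:
            print(f"{name:16} {info:24} {kind}")
```

A site reported as `host-header-only` is the case where an IP Restriction rule on the source address adds a check the binding does not perform.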

0 Answers