I come from the Windows 2003 Server world and its IIS version is much different than IIS 10 on Windows 2016 Server. The 2003 server appears to have denied all IP addresses by default. How do I deny all IPs in IIS 10? I have a few IP ranges I would like to allow and see how to enter those, but how do I deny all IP ranges in IIS 10?
1 Answer
First you need to add a Windows Server Role from Web Server (IIS) > Web Server > Security > [x] IP and Domain Restrictions. This will add an IP Address and Domain Restrictions feature to your IIS Manager, and you can add the required deny / allow entries. See <ipSecurity>:

The <ipSecurity> element defines a list of IP-based security restrictions in IIS 7 and later. These restrictions can be based on the IP version 4 address, a range of IP version 4 addresses, or a DNS domain name. The default installation of IIS does not include the role service or Windows feature for IP security. To use IP security on IIS, you must install the role service or Windows feature.
On IIS Manager you can create a list of Allow / Deny entries. IP address ranges are specified as Classless Inter-Domain Routing (CIDR) subnets using either network mask or CIDR notation. I personally prefer to use the latter. The first match is used, so you'd add the global deny last.
This example denies usage from single specific IP 198.51.100.5, allows others in range 198.51.100.0 - 198.51.100.255 (/24) and denies rest i.e. 0.0.0.0 - 255.255.255.255 (/0):

Mode   Requestor           Entry Type
=====================================
Deny   198.51.100.5        Local
Allow  198.51.100.0(24)    Local
Deny   0.0.0.0(0)          Local
View Ordered List... in both Actions pane and the context menu allows ordering. Unordered list has more options (Edit Feature Settings...) like the ability to choose the deny action (403 Forbidden default, 401 Unauthorized, 404 Not Found or Abort that refuses the connection).
- Thanks, yes, I had added the Role already. But how do I deny all IP ranges? I read the documentation and it is not clear to me after reading 3 times. Disclaimer: I am more a developer than system admin. – Off The Gold Apr 03 '18 at 18:08
- I'll improve my answer tomorrow. It's beer o'clock in Finland. :) – Esa Jokinen Apr 03 '18 at 18:11
- Hi, any more thoughts on this? – Off The Gold Apr 04 '18 at 14:35
- Finally got some time to actually test this. The ordering of entries matters over the prefix: it's always the first match, not the one that has the smallest CIDR subnet. – Esa Jokinen Apr 05 '18 at 12:56
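The answer and the last comment make one point that is easy to get wrong when typing entries into IIS Manager: the list is evaluated top to bottom and the first matching entry wins, so a global 0.0.0.0/0 deny placed above the allow ranges blocks everything. The script below is an added example, not part of the answer and not IIS code; it models that first-match evaluation with Python's standard `ipaddress` module so a rule list can be checked against sample client addresses before it is committed, and renders the same list as the `<ipSecurity>` element IIS stores in web.config (the `ipAddress`, `subnetMask` and `allowed` attribute names are IIS's own; the sample addresses are constructed). The `default` argument stands in for the feature's "unspecified clients" setting and is an assumption of the model, not a value read from IIS.

```python
import ipaddress

# Ordered allow/deny list mirroring the answer's three entries.
# The order is significant: IIS stops at the first matching entry.
RULES = [
    ("Deny", "198.51.100.5/32"),
    ("Allow", "198.51.100.0/24"),
    ("Deny", "0.0.0.0/0"),
]

# Constructed test addresses: the single denied host, another host in the
# allowed /24, and an address outside it.
SAMPLES = ["198.51.100.5", "198.51.100.77", "203.0.113.9"]


def decide(client_ip, rules=RULES, default="Allow"):
    """Return the mode of the first rule whose network contains client_ip.

    Models the first-match behaviour reported in the thread: the list is
    walked top to bottom and the first hit decides, regardless of whether a
    later entry is more specific. 'default' is what applies when no entry
    matches (the 'unspecified clients' feature setting; assumed Allow here).
    """
    addr = ipaddress.ip_address(client_ip)
    for mode, net in rules:
        if addr in ipaddress.ip_network(net, strict=False):
            return mode
    return default


def check_ordering(rules, samples):
    """Evaluate every sample address against a rule list.

    Useful as a pre-deployment check: compare the result for the intended
    order with the result for a misordered list before saving the list in
    IIS Manager.
    """
    return {ip: decide(ip, rules) for ip in samples}


def to_ip_security_xml(rules=RULES):
    """Render the ordered list as the <ipSecurity> element IIS keeps in
    web.config, using a dotted-decimal subnetMask for ranges.
    """
    lines = ["<ipSecurity>"]
    for mode, net in rules:
        network = ipaddress.ip_network(net, strict=False)
        allowed = "true" if mode == "Allow" else "false"
        if network.prefixlen == 32:
            # Single host: no subnetMask attribute needed.
            lines.append(
                f'  <add ipAddress="{network.network_address}" allowed="{allowed}" />'
            )
        else:
            lines.append(
                f'  <add ipAddress="{network.network_address}" '
                f'subnetMask="{network.netmask}" allowed="{allowed}" />'
            )
    lines.append("</ipSecurity>")
    return "\n".join(lines)


if __name__ == "__main__":
    # Intended order: host denied, rest of the /24 allowed, everything else denied.
    print(check_ordering(RULES, SAMPLES))
    # Same three entries with the global deny moved to the top: all denied.
    misordered = [RULES[2], RULES[0], RULES[1]]
    print(check_ordering(misordered, SAMPLES))
    print(to_ip_security_xml())
```

Running it shows the intended list returning Deny / Allow / Deny for the three samples, while the list with the 0.0.0.0/0 entry first returns Deny for all of them, which is exactly the mistake the comment warns about.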