iis | security | aspnet

IP Security - Configure IP address restrictions in Web.Config on IIS

Restrict access to your website using IIS IP security

Abhith Rajan
Abhith RajanJanuary 09, 2018 · 1 min read · Last Updated:
IP Security - Configure IP address restrictions in Web.Config on IIS

When your website is using some kind of proxy/firewall just like Sucuri to increase the security, you need to make sure that only the allowed ones are accessing the site directly, so that all the requests to the site is going through the firewall.

To ensure this, we use the IP security feature in IIS, in which we can configure which IP’s are allowed.

<system.webServer>
  ...
  <security>
    <ipSecurity allowUnlisted="false">
      <clear />
      <add ipAddress="-.-.-.-" subnetMask="-.-.-.-" allowed="true" />
      <add ipAddress="-.-.-.-" subnetMask="-.-.-.-" allowed="true" />
      <add ipAddress="-.-.-.-" subnetMask="-.-.-.-" allowed="true" />
      <add ipAddress="-.-.-.-" subnetMask="-.-.-.-" allowed="true" />
    </ipSecurity>
    ...
  </security>
</system.webServer>

In the above code, we set allowUnlisted attribute to false to prevent access to all IP address unless they are listed. And then we add the allowed IP addresses one by one. eg.

<add ipAddress="192.168.134.0" subnetMask="255.255.254.0" allowed="true" />

Additional Resource

iissecurityaspnet

This page is open source. Noticed a typo? Or something unclear?
Improve this page on GitHub

Abhith Rajan

Written byAbhith Rajan
Abhith Rajan is a software engineer by day and a full-stack developer by night. He's coding for almost a decade now. He codes 🧑‍💻, write ✍️, learn 📖 and advocate 👍.
Connect

Is this page helpful?

Buy me a coffee

Related SnippetsView All

SQL Server
Create New Database Level User

Create a database-level user in SQL Server/Azure SQL.

Last Updated · January 23, 2022

Related ArticlesView All

Azure - Configuring End-to-End SSL for IIS Website by using Application Gateway
Azure - Configuring End-to-End SSL for IIS Website by using Application Gateway
September 24, 2019 · 3 min read

This article brief about the steps involved in making an end to end HTTPS website which hosted in a VM IIS, in Azure and the traffic need to be routed via Application Gateway.

abhith rajan
by Abhith Rajan
azureiisazure-application-gateway
C# - Get Web.Config Connection String in a Class Library
C# - Get Web.Config Connection String in a Class Library
September 15, 2019 · 1 min read

If you can, pass the connection string as a parameter to the class library. Second option is System.Configuration.ConfigurationManager

abhith rajan
by Abhith Rajan
aspnetc-sharpweb-config
IIS - Disable CORS
IIS - Disable CORS
August 14, 2019 · 1 min read

Disable CORS for IIS 10 website by allowing all origins in two simple steps.

abhith rajan
by Abhith Rajan
iisweb-config
IIS - OPTIONS Requests Returns 404
IIS - OPTIONS Requests Returns 404
April 19, 2018 · 2 min read

If OPTIONS preflight request getting 404 and URLScan enabled on your hosting machine, check out this article.

abhith rajan
by Abhith Rajan
iisaspnet
.NET Interview Questions and Answers
.NET Interview Questions and Answers
April 12, 2018 · 14 min read

Here I am listing some of the interview questions I have faced when applied for .NET developer/Software engineer roles.

abhith rajan
by Abhith Rajan
jobsdotnetaspnetwcf
Enable Click-Jacking Protection - Umbraco
Enable Click-Jacking Protection - Umbraco
April 07, 2018 · 2 min read

If your site is allowed to be IFRAMEd by another site and thus would be susceptible to click-jacking. This can be prevented by setting X-Frame-Options header or CSP. Setting X-Frame-Options explained in this article.

abhith rajan
by Abhith Rajan
umbracosecurityaspnet

Related VideosView All

Signal - the most secure messenger for everyone

privacysecurityandroid

Common API Security Pitfalls - Philippe De Ryck

apisecurity

How to use Azure Bastion to connect securely to your Azure VMs | Azure Friday

azuresecurity

Related StoriesView All

ASP.NET
Does ASP:Textbox TextMode Securely Enforce Input Validation? : Developer Notes
jardinesoftware.net · Dec 13, 2023

aspnet
Security
What is a Nonce? - Cryptographic Nonce from SearchSecurity
techtarget.com · Jul 20, 2022

Nonce is a random or semi-random number that is generated for a specific use. See the full cryptographic nonce definition and more today.

security
Security
Mass Assignment - OWASP Cheat Sheet Series
cheatsheetseries.owasp.org · Jun 22, 2022

Website with the collection of all the cheat sheets of the project.

securityaspnet-core
Security
Hackers Breach Okta's GitHub Repositories, Steal Source Code
thehackernews.com · Dec 22, 2022

Okta recently discovered that some of its source code repositories on GitHub had been compromised earlier in the month.

security
GitHub
Introducing the Allstar GitHub App - Open Source Security Foundation
openssf.org · Jul 01, 2022

githubsecurityopen-source
Security
Microsoft Urges Azure Users to Update PowerShell to Patch RCE Flaw
thehackernews.com · Jul 05, 2021

Azure users are being urged by Microsoft to update PowerShell in order to patch a critical RCE flaw.

security

Related Tools & ServicesView All

haveibeenpwned.com

Have i been pwned?

Check if you have an account that has been compromised in a data breach
security
SmarterASP.NET

SmarterASP.net - Unlimited ASP.NET Web Hosting

ASP.NET Hosting by SmarterASP.net. Unlimited ASP.NET Hosting Plans Starting at $2.95 a month.
hostingsql-serveraspnet