
Configuring IP address restrictions in web.config on IIS 7.5

September 21, 2012

For legacy support, my ASP MVC application needs to expose a SOAP web service.  This web service provides an authentication handover from another site hosted on the same network.  So while the site needs to run publicly, the web service should only be accessible on the local network.

To achieve this we decided to restrict access based on IP address, and for ease of deployment to configure this in web.config.

Like most things, it’s not too tricky as long as you know what you’re doing.  A little head scratching and half an hour of googling got me to the following solution.

1. Check that the IP and Domain Restrictions module is enabled for IIS

If you’re on Windows Server you can probably skip this step, but on Windows 7 it is not installed by default.  So enable it at:

Control Panel > Programs and Features > Turn Windows features on or off > Internet Information Services > World Wide Web Services > Security > IP Security

One restart later…

2. Make sure that IIS will allow your application’s web.config to override the ipSecurity settings

IIS by default seems to deny your web.configs the ability to override certain configuration sections.  On my machine, the ipSecurity section was one of these, so as soon as I tried to add this section I got the error:

This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault=”Deny”), or set explicitly by a location tag with overrideMode=”Deny” or the legacy allowOverride

To fix this, open C:\Windows\System32\inetsrv\config\applicationHost.config and search for the tag:

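<section name="ipSecurity" overrideModeDefault="Deny" />

Change this value to “Allow” and you’re almost there…  Bear in mind that applicationHost.config is server-wide, so this change lets the web.config of every site on the machine define its own ipSecurity rules.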

3. Add the IP restriction entries to your web.config

My web service’s asmx file is in a subfolder called /services, so to keep things neat, instead of adding the security restrictions to the ever growing root web.config, I created a new one in /services:

<?xml version="1.0" encoding="UTF-8"?>


Some interesting things to note with this configuration:

  • You can restrict access to a single file by wrapping the configuration in a location tag.  The path attribute is relative to the web.config itself.  So in this case, the security settings are only applied to the MyService.asmx, which is what I wanted.
  • If you don’t specify a location tag, the configuration will apply to this entire folder and its subfolders.
  • The allowUnlisted="false" attribute of the ipSecurity tag blocks everything by default.  We can then add allowed entries using the allowed="true" attribute.  If you want to, it’s entirely possible to do the reverse by allowing everything by default and blocking access to certain hosts.
  • You can specify single machines, or IP ranges by specifying a subnet mask.  Here we’re allowing anything from the local machine, and our internal network (anything with a 10-dot-something IP address).
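A /services/web.config that matches the notes above, as an added example reconstructed from those notes rather than the original listing from this post. The loopback address 127.0.0.1 and the 10.0.0.0 / 255.0.0.0 entry are assumptions standing in for "the local machine" and "anything with a 10-dot-something IP address".

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <!-- path is relative to this web.config, so only /services/MyService.asmx is affected -->
  <location path="MyService.asmx">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false": deny every client that no entry below allows -->
        <ipSecurity allowUnlisted="false">
          <!-- the local machine (assumed loopback address) -->
          <add ipAddress="127.0.0.1" allowed="true" />
          <!-- the internal network: any 10.x.x.x address (assumed range) -->
          <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

To confirm the rule is active, request MyService.asmx from an address outside these entries: IIS 7.5 should refuse it with HTTP 403.6 (IP address rejected), while the rest of the site stays reachable.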
