I found the command line below that is used to add IP addresses to restrict in IIS 7:
appcmd set config /section:ipsecurity /+"[ipaddress='10.0.0.1',allowed='false']"
Is there an equivalent command for IIS 6?
Thanks!
No, there's no built-in Windows command to do it. You can find evidence of scripts that people have written to mitigate for this.
Ultimately, you want to modify a metabase entry called IPSecurity. Here's the thing: this IPSecurity entry can be set up at the top level (W3SVC service) all of the way down to individual files. So, you can define security for any of:
The example in your question is service-wide, so you'd want to target IIS://localhost/W3SVC. If you wanted to configure only the default website, you'd target IIS://localhost/W3SVC/1/Root.
Once you know what level you want to modify, you need to identify what the course of action is for a matching IP. You clearly want to block. That means you'll need to modify the IPDeny list.
Now you just need to write a script in the language of your choice that connects to the metabase via ADSI and modifies the IPDeny list to include the additional IP.
I've modified the one from the MSDN page to take an argument:
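Dim SecObj
Dim MyIPSec
Dim IPList
' Bind to the service-wide node of the IIS metabase via ADSI
Set SecObj = GetObject("IIS://LocalHost/W3SVC")
Set MyIPSec = SecObj.IPSecurity
' The deny list is only consulted when access is granted by default
If (FALSE = MyIPSec.GrantByDefault) Then
    MyIPSec.GrantByDefault = TRUE
End If
' The IP address to block is the first command-line argument
If WScript.Arguments.Count = 0 Then
    WScript.Echo "Missing IP Address"
    WScript.Quit(1)
End If
' WScript.Echo "Adding " & WScript.Arguments(0)
' Grow the existing deny list by one slot and append the new address
IPList = MyIPSec.IPDeny
Redim Preserve IPList (Ubound(IPList)+1)
IPList (Ubound(IPList)) = WScript.Arguments(0)
MyIPSec.IPDeny = IPList
' Write the modified IPSecurity object back and commit it to the metabase
SecObj.IPSecurity = MyIPSec
SecObj.SetInfo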
If you save this as blockip.vbs, you can call it with:
wscript blockip.vbs 10.0.0.1
FYI, this works fine with IIS6, but works once, then fails after the list exists, on Win7 (IIS 7.5).
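A more defensive variant of the script in the answer, added here as an example and not part of the original answer: it validates the address, skips entries already on the IPDeny list, and refuses to change GrantByDefault instead of flipping it. The file name blockip-safe.vbs and the optional second argument (the ADsPath of the node to modify) are hypothetical, and the duplicate check assumes stored entries may read back as "ip, mask".

```vbscript
' blockip-safe.vbs (hypothetical name): added example, not the answer's script.
Option Explicit
Dim ip, adsPath, secObj, ipSec, denyList, entry
' Accept only dotted-quad IPv4 with every octet in 0..255.
Function IsIPv4(s)
    Dim re, m, i
    IsIPv4 = False
    Set re = New RegExp
    re.Pattern = "^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$"
    Set m = re.Execute(s)
    If m.Count <> 1 Then Exit Function
    For i = 0 To 3
        If CInt(m(0).SubMatches(i)) > 255 Then Exit Function
    Next
    IsIPv4 = True
End Function
If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript blockip-safe.vbs <ipv4> [ADsPath]"
    WScript.Quit 1
End If
ip = Trim(WScript.Arguments(0))
adsPath = "IIS://localhost/W3SVC"            ' service-wide, as in the answer
If WScript.Arguments.Count > 1 Then adsPath = WScript.Arguments(1)
If Not IsIPv4(ip) Then
    WScript.Echo "Not a valid IPv4 address: " & ip
    WScript.Quit 1
End If
Set secObj = GetObject(adsPath)
Set ipSec = secObj.IPSecurity
' IPDeny only applies while GrantByDefault is True. Flipping it silently would
' turn an allow-list node into allow-everyone-but, so stop and let the admin decide.
If Not ipSec.GrantByDefault Then
    WScript.Echo adsPath & " denies by default; IPDeny is not in effect there."
    WScript.Quit 2
End If
denyList = ipSec.IPDeny
' Assumption: stored entries may read back as "ip, mask"; compare the ip part.
For Each entry In denyList
    If Trim(Split(entry & ",", ",")(0)) = ip Then
        WScript.Echo ip & " is already denied at " & adsPath
        WScript.Quit 0
    End If
Next
ReDim Preserve denyList(UBound(denyList) + 1)
denyList(UBound(denyList)) = ip
ipSec.IPDeny = denyList
secObj.IPSecurity = ipSec
secObj.SetInfo
WScript.Echo "Denied " & ip & " at " & adsPath
```

Run it with cscript rather than wscript so the messages go to the console instead of pop-up dialogs, which matters when the script is called from a scheduled task or another script.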