I need to limit access of an .asmx web service to specific IP addresses. I figure I could add a hardcoded check into each method, but that seems like a code maintenance nightmare. Is there a web configuration entry I can make, or a IIS 6 setting I can apply to the .asmx file?

In IIS 6.0 Manager, right click on the .asmx file.

Go to the File Security tab, and Click the Edit button in the IP Address and domain name restrictions.

Click the 'Denied Access' radio button, then add your whitelisted ip addresses to the list.

For IIS 7.5, it's a little tricky as the file doesn't show in the navigation panel. You need to go to the Content View tab (in the lower part of the window), right click on your file and choose Switch to Features View. Open IP Address and Domain Restriction, click on Edit Feature Settings and choose to deny unspecified hosts. Now you can add authorizations by clicking on Add Allow Entry.

Add a custom section to your web.config, and then query that section for the whitelist of IP addresses.