Restricting IIS Website Access by IP Address

Updated on October 7, 2015
Restricting IIS Website Access by IP Address header image

IIS is a very powerful web server. It provides a built-in interface to block/allow IP addresses. It's also possible to do this per domain. Aside from specific IP address blocking, IIS also allows for dynamic IP address restriction when too many requests are made, for example. In this guide, you'll see how to set this up to increase the security of your website.

Step 1: Editing feature settings

Feature settings can be configured per website. First off, open the IIS Manager and navigate to your website. Click "IP Address and Domain Restrictions" under the "IIS" section. In the sidebar, click "Edit Feature Settings...". "Allow for unspecific clients" depends on how you want to configure your website. If you select "Allow" here, all visitors will be allowed, except for those added to the "Blocked" list. If this is set to "Deny", all IP addresses in the list will be allowed, whereas all others will be denied access. This can be incredibly handy for a simple intranet, for example.

As for the "Deny Action Type", this depends on your preference. Whenever access is denied, you can either return "Unauthorized", "Forbidden", "Not Found", or "Abort".

Click "OK" to save the changes.

Step 2: Editing dynamic restriction settings

In order to increase security of your website, IIS allows for dynamic blocking of IP addresses. You can access these settings by clicking "Edit Dynamic Restriction Settings..." in the sidebar. IP addresses can be restricted dynamically based on the number of requests to detect and block threats by checking "Deny IP Addresses based on the number of concurrent requests". You can enter the maximum allowed number of concurrent requests here.

You can also block IP addresses over a period of time, again, based on requests. If a visitor exceeds the amount of allowed requests, they will be temporarily blocked from accessing your website.

Click "OK" to save the changes.

Step 3: Adding restriction rules

You can add both allow and deny entries. You can do this by selecting either "Add Allow Entry..." or "Add Deny Entry...". You can add a single IP address, or a range. Again, depending on your setup, you can choose between these. Click "OK" to save the entry.

Congratulations! You can now block/allow IP addresses, and you have increased the security of your website with the dynamic IP restriction settings.