Setting IP address and domain filtering in IIS using PowerShell script

Restricting and allowing traffic to web application through IIS using PowerShell

Starting with IIS 7.0, Microsoft introduced the IP and Domain Restrictions feature as part of the IIS setup. If the feature is not installed on your IIS, you can add it through Windows Features, where the steps are much the same for each Windows version (https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/ipsecurity/add), or simply by using the Web Platform Installer.

Just run the Web Platform Installer and search for IP and Domain Restrictions in the search box. Click the Add button and then the Install button.

The feature will be added to your IIS and will be available through IIS Manager for the website you want the rules to be applied to. It provides a simple interface for adding the IP addresses and domains whose traffic you want to block or allow.

However, if you do not have access to the IIS Manager UI on your host, you can set the IP and domain filtering rules from a PowerShell script using Add-WebConfigurationProperty, which is part of the WebAdministration PowerShell module.

Let's assume you want to apply an IP blocking rule for a specific IP address to a website named Test on your IIS. You can execute the following PowerShell command:

# Load the IIS cmdlets (WebAdministration module)
Import-Module WebAdministration

# Add a new IP address entry to the restrictions of website Test
Add-WebConfigurationProperty -Filter 'system.webServer/security/ipSecurity' -PSPath "IIS:\" -Location "Test" -Name "." -Value @{ipAddress="192.168.5.63";allowed="false";} -ErrorAction Stop

If you want to add a CIDR entry for an IP range, simply add the subnetMask attribute to the command:

# Add a new IP CIDR entry to the restrictions of website Test
Add-WebConfigurationProperty -Filter 'system.webServer/security/ipSecurity' -PSPath "IIS:\" -Location "Test" -Name "." -Value @{ipAddress="192.168.5.63";allowed="false";subnetMask="24";} -ErrorAction Stop

These settings will be saved to your host config file, which is located on the machine at %WINDIR%\System32\inetsrv\config\applicationHost.config:

<configuration>
    ...
    <location path="Test">
        <system.webServer>
            <security>
                <ipSecurity>
                    <add ipAddress="192.168.5.63" allowed="false" />
                    <add ipAddress="192.168.5.63" subnetMask="24" allowed="false" />
                </ipSecurity>
            </security>
        </system.webServer>
    </location>
    ...
</configuration>
    
Note

Unfortunately, PowerShell does not have the ability to make web.config changes out of the box, so you are pretty much stuck with setting configuration values for your web application through %WINDIR%\System32\inetsrv\config\applicationHost.config and PowerShell. This method can also set values for your application settings section, which your website will automatically inherit from applicationHost.config.

If you open IIS Manager, select the site you ran the PowerShell commands for and open the IP Address and Domain Restrictions section, you will see the settings from your PowerShell script.
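The same check can be done without IIS Manager. The script below is an added example, not code from the original article: it applies a list of deny rules to the Test site only when they are not already present (re-running the plain Add-WebConfigurationProperty command on an existing entry fails with a duplicate-entry error) and then reads the rules back. The helper name Get-IpSecurityRule and the rule list are assumptions made for illustration; run it from an elevated session.

```powershell
# Added example, not from the original article.
Import-Module WebAdministration

$site   = 'Test'   # site name used in the article
$filter = 'system.webServer/security/ipSecurity'

# Constructed sample rules in the article's format (no subnetMask = single address).
$denyRules = @(
    @{ ipAddress = '192.168.5.63' },
    @{ ipAddress = '192.168.5.63'; subnetMask = '24' }
)

# Hypothetical helper: returns the <add> entries stored under
# <location path="$Site"> in applicationHost.config.
function Get-IpSecurityRule {
    param([Parameter(Mandatory)][string]$Site)
    Get-WebConfiguration -Filter "$filter/add" -PSPath 'IIS:\' -Location $Site
}

foreach ($rule in $denyRules) {
    # An entry written without subnetMask reads back with the documented default mask.
    $mask = if ($rule.subnetMask) { $rule.subnetMask } else { '255.255.255.255' }

    $present = Get-IpSecurityRule -Site $site |
        Where-Object { $_.ipAddress -eq $rule.ipAddress -and $_.subnetMask -eq $mask }

    if ($present) {
        Write-Host "Already present: $($rule.ipAddress) / $mask"
        continue
    }

    # Build the same value hashtable the article passes to -Value.
    $value = @{ ipAddress = $rule.ipAddress; allowed = 'false' }
    if ($rule.subnetMask) { $value.subnetMask = $rule.subnetMask }

    Add-WebConfigurationProperty -Filter $filter -PSPath 'IIS:\' -Location $site `
        -Name '.' -Value $value -ErrorAction Stop
    Write-Host "Added deny rule: $($rule.ipAddress) / $mask"
}

# Read the rules back to confirm what is stored for the site.
Get-IpSecurityRule -Site $site |
    Select-Object ipAddress, subnetMask, allowed |
    Format-Table -AutoSize
```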

Disclaimer

Purpose of the code contained in snippets or available for download in this article is solely for learning and demo purposes. Author will not be held responsible for any failure or damages caused due to any other usage.


About the author

DEJAN STOJANOVIC

Dejan is a passionate Software Architect/Developer. He is highly experienced in the .NET programming platform, including ASP.NET MVC and WebApi. He likes working on new technologies and exciting, challenging projects.
