Import list of allowed IPs in IIS?
February 13, 2007 7:23 AM Subscribe
How can one easily import a list of allowed IPs in IIS 6 all in one fell swoop?
I need to allow only users from specific IPs for our company's Intranet and I am utterly ignorant of Web server configuration. The Microsoft IIS snap-in allows you to add one at a time and is tedious. Is there any way to import a list of allowed IPs, either through the snap-in, a script, or any other way not obviously apparent to do this?
Google, IIS manual, Yahoo, and Microsoft's own site turn up nothing.
If any IT people familiar with Microsoft's Web servers has an idea or can point me to the right answer, I would be incredibly grateful, as the thought of manually adding each one seems awful.
PS I know we can probably do this at the firewall, but we don't actually "Control" the firewall, so getting our service provider to do it would take time, (another unrelated issue and another askme question down the road.)
I need to allow only users from specific IPs for our company's Intranet and I am utterly ignorant of Web server configuration. The Microsoft IIS snap-in allows you to add one at a time and is tedious. Is there any way to import a list of allowed IPs, either through the snap-in, a script, or any other way not obviously apparent to do this?
Google, IIS manual, Yahoo, and Microsoft's own site turn up nothing.
If any IT people familiar with Microsoft's Web servers has an idea or can point me to the right answer, I would be incredibly grateful, as the thought of manually adding each one seems awful.
PS I know we can probably do this at the firewall, but we don't actually "Control" the firewall, so getting our service provider to do it would take time, (another unrelated issue and another askme question down the road.)
Wow, you didn't find anything when searching? I'm kind of surprised, there's a million resources out there. I've managed hundreds of IIS servers in my day, and this is a common problem. I've written scripts to solve it, and it's not that hard. The best resource at your fingertips is the non-MS run site IISFAQ, specifically under Management Scripts -> Scripts by Chris Crowe. You'll also want to have the MS Script Center site bookmarked, in this case this particular section.
Editing the metabase as an in-place xml is not necessarily a great idea, as small typos can totally throw off the XML format, although want you may want to explore is that if you're on IIS 6, you can export/import your entire web setup as an XML file using iiscnfg at the command line. This would allow you to edit a "perfect" site, export it, save it in your source versioning system or other backup location, and then easily rebuild sites and servers at the drop of a out using simple, automated processes. I'd recommend that longer term- less confusion and maintenance overhead regarding the state of your servers, if you can always just reinstall-> re-run a one-step folder copy & start process and be done with it.
That said: You'll want to check out this link. The basic idea is fairly simple, but can be confusing: you need to specify three things when specifying a restriction list: what level you're filtering at (root site, some virtual directory, or even on the file level), whether the default is "always grant, except the following" (useful if you're creating an on-the-fly IP filter for known bad IPs and ranges), and "never grant, except the following" (useful for IP ACLing), and then the list of IPs or network ranges that are being allowed/banned.
Sounds like you're looking for the latter, so you'd need to change that script slightly to use the line IPSecurity.GrantByDefault = False. There might be some other minor tweaks, but the idea is simple enough and should work nearly perfect out of the box.
posted by hincandenza at 1:37 PM on February 13, 2007
Editing the metabase as an in-place xml is not necessarily a great idea, as small typos can totally throw off the XML format, although want you may want to explore is that if you're on IIS 6, you can export/import your entire web setup as an XML file using iiscnfg at the command line. This would allow you to edit a "perfect" site, export it, save it in your source versioning system or other backup location, and then easily rebuild sites and servers at the drop of a out using simple, automated processes. I'd recommend that longer term- less confusion and maintenance overhead regarding the state of your servers, if you can always just reinstall-> re-run a one-step folder copy & start process and be done with it.
That said: You'll want to check out this link. The basic idea is fairly simple, but can be confusing: you need to specify three things when specifying a restriction list: what level you're filtering at (root site, some virtual directory, or even on the file level), whether the default is "always grant, except the following" (useful if you're creating an on-the-fly IP filter for known bad IPs and ranges), and "never grant, except the following" (useful for IP ACLing), and then the list of IPs or network ranges that are being allowed/banned.
Sounds like you're looking for the latter, so you'd need to change that script slightly to use the line IPSecurity.GrantByDefault = False. There might be some other minor tweaks, but the idea is simple enough and should work nearly perfect out of the box.
posted by hincandenza at 1:37 PM on February 13, 2007
« Older How do I get into an industry that I'm qualified... | Books about small amusement parks Newer »
This thread is closed to new comments.
posted by TungstenChef at 7:40 AM on February 13, 2007