How to Block Specific IPs and IP Ranges in IIS7 Using ipSecurity and URL Rewrite
If you don't see the "IPv4 Address and Domain Name Deny Rules" icon in IIS7 Manager, it's likely because the IP Security feature isn't installed. Here's how to add it:

Server Manager > Roles > Web Server (IIS) > Add Role Services > Security > IP and Domain Restrictions

Where the rules live decides their scope. Rules in applicationHost.config (located in %windir%\system32\inetsrv\config) apply to every site on the server; rules in a site's web.config apply only to that site, and only if the ipSecurity section has been unlocked for delegation. For a server-wide block, edit applicationHost.config and add these rules:

<system.webServer>
    <security>
        <!-- allowUnlisted="true": everything not listed is allowed, listed entries are denied -->
        <ipSecurity allowUnlisted="true">
            <!-- subnetMask is a dotted netmask, not a CIDR prefix; give the network address for a range -->
            <add ipAddress="192.168.1.0" subnetMask="255.255.255.0" allowed="false"/>
            <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="false"/>
        </ipSecurity>
    </security>
</system.webServer>

For more complex scenarios, use URL Rewrite module:

<system.webServer>
    <rewrite>
        <rules>
            <rule name="Block IP Range" patternSyntax="Wildcard" stopProcessing="true">
                <match url="*" />
                <conditions>
                    <add input="{REMOTE_ADDR}" pattern="192.168.100.*" />
                </conditions>
                <action type="AbortRequest" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>

To apply blocks across all sites on your server:

  1. Open IIS Manager
  2. Select the server node (not individual sites)
  3. Open "IP Address and Domain Restrictions"
  4. Add deny entries for specific IPs or ranges
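The same server-wide result from the command line, as an added example that is not code from the original page. It assumes an elevated Windows PowerShell session on the IIS host with the WebAdministration module present; the addresses are placeholders. Unlike the IIS Manager steps, the script can be re-run safely and reads the effective entries back at the end.

```powershell
# Added example (not from the original page): install server-wide deny rules
# with the WebAdministration module and read back what IIS will enforce.
# Assumes an elevated session on the IIS host; addresses are placeholders.
Import-Module WebAdministration

$section = 'system.webServer/security/ipSecurity'
$server  = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config, i.e. all sites
# For one site only, add: -Location 'Default Web Site' to each call below.

# subnetMask is a real netmask, not a CIDR prefix. For a range give the
# network address (192.168.2.0, not 192.168.2.1); a single host uses /32.
$denies = @(
    @{ ipAddress = '192.168.1.100'; subnetMask = '255.255.255.255' }   # one host
    @{ ipAddress = '192.168.2.0';   subnetMask = '255.255.255.0'   }   # whole /24
)

# Everything not listed stays reachable; only the entries below are denied.
Set-WebConfigurationProperty -PSPath $server -Filter $section -Name allowUnlisted -Value $true

foreach ($d in $denies) {
    # Skip entries that already exist so the script is idempotent.
    $existing = Get-WebConfigurationProperty -PSPath $server -Filter $section -Name Collection |
        Where-Object { $_.ipAddress -eq $d.ipAddress -and $_.subnetMask -eq $d.subnetMask }
    if (-not $existing) {
        Add-WebConfigurationProperty -PSPath $server -Filter $section -Name '.' `
            -Value @{ ipAddress = $d.ipAddress; subnetMask = $d.subnetMask; allowed = $false }
    }
}

# Read back the server-level rules IIS will actually apply.
Get-WebConfigurationProperty -PSPath $server -Filter $section -Name Collection |
    Select-Object ipAddress, subnetMask, allowed
```

If the "IP Address and Domain Restrictions" icon is missing, the module is not installed; on Windows Server 2012 and later `Install-WindowsFeature Web-IP-Security` adds it (on 2008 R2 the equivalent is `Add-WindowsFeature` from the ServerManager module), which is the same role service the Server Manager path above installs.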

Test from a client whose address falls in a denied entry. Test-NetConnection only proves that the TCP port is open, and it will be open for blocked addresses too, because ipSecurity rejects at the HTTP layer after the connection is accepted:

Test-NetConnection -ComputerName yourserver -Port 80 -InformationLevel Detailed

An HTTP request from the blocked client should come back with 403, and the IIS logs (%SystemDrive%\inetpub\logs\LogFiles) record it as sc-status 403 with sc-substatus 6 (403.6, "IP address rejected"). Requests from localhost are not a useful test unless 127.0.0.1 is itself in a deny entry.
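The two checks above in one script, as an added example that is not code from the original page: a live HTTP probe whose result is the status code rather than "port open", and a parser that pulls 403.6 hits out of W3C log lines by reading the #Fields header instead of hard-coding column positions. The URL, log path and the sample log lines are constructed for the example.

```powershell
# Added example (not from the original page). Assumes Windows PowerShell 5.1
# or PowerShell 7; URL, log path and sample log lines are constructed.

function Test-IpBlock {
    param([string]$Url = 'http://yourserver/')   # placeholder host
    # Run from a client in the denied range. TCP connects either way; only the
    # HTTP status shows whether the deny rule fired.
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        return [int]$r.StatusCode                    # 200: this client is not blocked
    } catch {
        if ($_.Exception.Response) {
            return [int]$_.Exception.Response.StatusCode   # 403 when ipSecurity denied it
        }
        throw                                        # DNS/connect failures are real errors
    }
}

function Get-IpBlockedRequests {
    param([string[]]$LogLines)
    $idx = $null
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # Map field names to column numbers from the header line, so the
            # parser survives a customised log layout.
            $fields = $line.Substring(8).Trim() -split '\s+'
            $idx = @{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $idx[$fields[$i]] = $i }
            continue
        }
        if ($line.StartsWith('#') -or -not $idx) { continue }   # other directives / no header yet
        $cols = $line -split ' '
        # 403 with substatus 6 is the code the ipSecurity module writes.
        if ($cols[$idx['sc-status']] -eq '403' -and $cols[$idx['sc-substatus']] -eq '6') {
            [pscustomobject]@{
                Time   = "$($cols[$idx['date']]) $($cols[$idx['time']])"
                Client = $cols[$idx['c-ip']]
                Path   = $cols[$idx['cs-uri-stem']]
            }
        }
    }
}

# Constructed sample in the default IIS W3C layout (spaces in the user agent
# are written as '+' by IIS, so a line always splits cleanly on single spaces).
$sample = @(
    '#Software: Microsoft Internet Information Services 7.5'
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken'
    '2024-01-15 10:22:31 10.0.0.5 GET /index.html - 80 - 192.168.1.100 Mozilla/5.0 403 6 0 12'
    '2024-01-15 10:22:35 10.0.0.5 GET /index.html - 80 - 10.0.0.9 Mozilla/5.0 200 0 0 8'
    '2024-01-15 10:22:40 10.0.0.5 GET /admin/ - 80 - 192.168.1.100 curl/7.68 403 6 0 3'
)

# Blocked requests per client address: 192.168.1.100 appears twice, 10.0.0.9 not at all.
Get-IpBlockedRequests -LogLines $sample | Group-Object Client |
    Select-Object @{ n = 'Client'; e = { $_.Name } }, Count

# Against real logs (W3SVC1 is the default site's log folder; adjust the id):
# Get-IpBlockedRequests -LogLines (Get-Content "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC1\*.log")
```

If the scan shows every blocked request arriving from one address, or none at all while you know bad traffic is hitting the site, a reverse proxy or load balancer is probably in front of IIS and c-ip is the proxy's address, not the client's; ipSecurity rules written against client addresses will not match in that setup.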


Many administrators find the IP restriction functionality absent from their IIS 7 Manager. This isn't an installation error; the feature simply isn't part of the default IIS installation. Here's how to get it:

Server Manager → Roles → Web Server (IIS) → Add Role Services → Security → IP and Domain Restrictions

After installation, access the feature through:

IIS Manager → Select Server/Site → IP Address and Domain Restrictions

For a single IP (e.g., 192.168.1.100):

Add Deny Entry → Specific IP: 192.168.1.100

For an IP range (e.g., 192.168.1.0/24):

Add Deny Entry → IP Address Range: 192.168.1.0
Mask: 255.255.255.0

For developers who prefer code-based configuration:

<system.webServer>
    <security>
        <ipSecurity allowUnlisted="true">
            <add ipAddress="192.168.1.100" allowed="false"/>
            <add ipAddress="192.168.2.0" subnetMask="255.255.255.0" allowed="false"/>
        </ipSecurity>
    </security>
</system.webServer>

For more complex scenarios, consider using URL Rewrite module with conditions:

<rule name="Block Bad Bots" patternSyntax="Wildcard" stopProcessing="true">
    <match url="*"/>
    <conditions>
        <add input="{REMOTE_ADDR}" pattern="192.168.1.*"/>
    </conditions>
    <action type="CustomResponse" statusCode="403" statusReason="Forbidden"/>
</rule>

Test from a client whose address is in a denied entry; the request should fail with HTTP 403 (logged as 403.6). Sending a spoofed X-Forwarded-For header is not a valid test: ipSecurity and {REMOTE_ADDR} evaluate the TCP source address only, so the header has no effect on the rule, and a rule that did trust that header could be bypassed by any client that sets it. From the blocked client:

Invoke-WebRequest -Uri http://yourserver/ -UseBasicParsing

Common issues to check:

  • Feature delegation settings in IIS: ipSecurity is locked by default, so a web.config that contains it produces a 500.19 error rather than a block until the section is unlocked
  • ApplicationHost.config vs web.config precedence: server-level entries, <location> blocks and the site's web.config all merge into one list; a child can add entries or start over with <clear/>, and can flip allowUnlisted
  • Proxy servers affecting REMOTE_ADDR: behind a reverse proxy or load balancer IIS sees the proxy's address, so per-client rules never match; a rewrite condition on {HTTP_X_FORWARDED_FOR} only makes sense when a trusted proxy overwrites that header, because clients can set it themselves
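A script for the first two points, as an added example that is not code from the original page: it reads applicationHost.config directly and reports whether ipSecurity is delegated to web.config, plus the deny entries at server level and in each <location> block, so you can see the merged result before a site goes live. The configuration XML below is a constructed sample; on a server point $configPath at the real file.

```powershell
# Added example (not from the original page): inspect ipSecurity lock state and
# the entries defined at each scope of applicationHost.config. The XML is a
# constructed sample; $configPath shows where the real file lives.

function Get-IpSecurityState {
    param([xml]$Config)

    # Delegation: overrideModeDefault="Deny" means a site's web.config may not
    # carry <ipSecurity>; IIS then fails the site with 500.19 instead of blocking.
    $section = $Config.SelectSingleNode(
        "/configuration/configSections/sectionGroup[@name='system.webServer']" +
        "/sectionGroup[@name='security']/section[@name='ipSecurity']")
    $lock = if ($section) { $section.GetAttribute('overrideModeDefault') } else { 'Deny' }

    [pscustomobject]@{ Scope = '(server)'; Delegation = $lock
                       Entries = @($Config.SelectNodes('/configuration/system.webServer/security/ipSecurity/add') |
                                   ForEach-Object { Format-Entry $_ }) }

    # Per-site rules can also be placed in <location> blocks; overrideMode on the
    # block overrides the section default for that path. These entries merge with
    # the server-level list unless the child starts with <clear/>.
    foreach ($loc in $Config.SelectNodes('/configuration/location[system.webServer/security/ipSecurity]')) {
        $mode = $loc.GetAttribute('overrideMode')
        [pscustomobject]@{
            Scope      = $loc.GetAttribute('path')
            Delegation = if ($mode) { $mode } else { $lock }
            Entries    = @($loc.SelectNodes('system.webServer/security/ipSecurity/add') |
                           ForEach-Object { Format-Entry $_ })
        }
    }
}

function Format-Entry([System.Xml.XmlElement]$add) {
    # Missing subnetMask means a single host (/32); missing allowed means allowed.
    $mask = $add.GetAttribute('subnetMask'); if (-not $mask) { $mask = '255.255.255.255' }
    $allowed = $add.GetAttribute('allowed');  if (-not $allowed) { $allowed = 'true' }
    "{0}/{1} allowed={2}" -f $add.GetAttribute('ipAddress'), $mask, $allowed
}

# Real location on a server; the section below is a constructed stand-in.
$configPath = "$env:windir\system32\inetsrv\config\applicationHost.config"
[xml]$sampleConfig = @'
<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <sectionGroup name="security">
        <section name="ipSecurity" overrideModeDefault="Deny" />
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="true">
        <add ipAddress="192.168.2.0" subnetMask="255.255.255.0" allowed="false" />
      </ipSecurity>
    </security>
  </system.webServer>
  <location path="Default Web Site" overrideMode="Allow">
    <system.webServer>
      <security>
        <ipSecurity>
          <add ipAddress="192.168.1.100" allowed="false" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
'@

# Server scope shows Delegation=Deny with the /24; "Default Web Site" shows
# Delegation=Allow with the single host, which merges with the server-level /24.
Get-IpSecurityState -Config $sampleConfig | Format-List
# On a server: Get-IpSecurityState -Config ([xml](Get-Content $configPath -Raw))
```

To unlock the section for every site, the IIS command line tool does it in one step: `appcmd unlock config /section:system.webServer/security/ipSecurity` (run from %windir%\system32\inetsrv). Prefer a <location> block with overrideMode="Allow" for a single site rather than unlocking globally, so that application owners on other sites cannot loosen the restrictions from their own web.config.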