How to Use Wildcards with NETSH HTTP ADD URLACL for Port 80 Access in Windows 7/2008 R2



When working with IIS Express or any web server on Windows, you may need to configure URL ACLs (Access Control Lists) to allow HTTP traffic. The netsh http add urlacl command is the tool for this job, but its wildcard support isn't always intuitive.

While you might expect to use *:80/ as a wildcard pattern (similar to how it works in other networking contexts), the HTTP Server API in Windows 7/2008 R2 has specific limitations:

netsh http add urlacl url=*:80/ user=*
// This will NOT work as expected

For port 80 access without domain restrictions, you have several options:

1. Strong Wildcard Syntax

The correct wildcard format for all HTTP traffic on port 80 is:

netsh http add urlacl url=http://*:80/ user=DOMAIN\username

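2. Granting Access to All Authenticated Users

To allow all authenticated users, name the group in the user parameter, which accepts an account or group name rather than a wildcard character:

netsh http add urlacl url=http://*:80/ user="NT AUTHORITY\Authenticated Users"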

3. Network Service Account

For IIS Express scenarios:

netsh http add urlacl url=http://*:80/ user="NT AUTHORITY\NETWORK SERVICE"

  • Always run the command prompt as Administrator
  • Check existing reservations with netsh http show urlacl
  • Remove conflicting reservations if needed

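While wildcards are convenient, they can create security risks: a wildcard reservation lets the named account listen on port 80 for every hostname the machine answers to. Consider a narrower reservation instead: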

// More secure alternative
netsh http add urlacl url=http://localhost:80/ user=DOMAIN\username

When working with IIS or self-hosted web applications on Windows, you'll often need to manage URL access control lists (URLACLs) to grant permission for specific URLs. The netsh http commands provide this functionality at the system level.

Many administrators wonder if they can use wildcards to:

  • Open all URLs on a specific port
  • Allow access to all users
  • Simplify configuration for development environments

The basic syntax for adding URLACLs is:

netsh http add urlacl url=http://example.com:80/ user=DOMAIN\username

However, wildcard support is limited in Windows 7/2008 R2:

netsh http add urlacl url=*:80/ user=*
// This will NOT work as expected

For IIS Express or local development, consider these alternatives:

Option 1: Reserve for All Hostnames (Weak Wildcard)

netsh http add urlacl url=http://+:80/ user=Everyone
netsh http add urlacl url=http://*:80/ user=Everyone

Option 2: Use Specific URL Patterns

// For local development
netsh http add urlacl url=http://localhost:80/ user=Everyone
netsh http add urlacl url=http://127.0.0.1:80/ user=Everyone

Option 3: Port Sharing Configuration

netsh http add iplisten ipaddress=0.0.0.0
netsh http add urlacl url=http://+:80/ user="NT AUTHORITY\INTERACTIVE"

While wildcards seem convenient, they pose security risks:

  • Opening port 80 globally could expose services on every network interface and hostname
  • Using 'Everyone' or '*' removes the per-account boundary on who may listen on the reserved URL
  • In production, always specify exact URLs and users

After making changes, verify with:

netsh http show urlacl
netsh http show iplisten
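
To review the reservations listed by the verification step above, the following PowerShell function parses netsh http show urlacl output and flags entries that use a + or * host or grant the reservation to a broad group. It is an added example, not part of the original article; it assumes English-language netsh output and group names, and the sample text, the CONTOSO\devuser account, the SID, and the function name Get-UrlAclFinding are constructed for illustration.

```powershell
# $sample is constructed output. On a real host, from an elevated prompt:
#   Get-UrlAclFinding -Text (netsh http show urlacl | Out-String)
$sample = @'
URL Reservations:
-----------------

    Reserved URL            : http://+:80/
        User: \Everyone
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;WD)

    Reserved URL            : http://localhost:80/
        User: CONTOSO\devuser
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-1-5-21-1111111111-2222222222-3333333333-1001)

    Reserved URL            : http://*:8080/app/
        User: NT AUTHORITY\NETWORK SERVICE
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;NS)
'@

function Get-UrlAclFinding {
    param([string]$Text)
    # Well-known groups that cover most or all local accounts (English names).
    $broad = 'Everyone', 'Authenticated Users', 'Users', 'INTERACTIVE'
    $url = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') { $url = $Matches[1] }
        elseif ($url -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $user = $Matches[1]
            $leaf = ($user -split '\\')[-1]   # name without domain/authority prefix
            $reasons = @()
            if ($url -match '^https?://[+*]:') { $reasons += 'wildcard host' }
            if ($broad -contains $leaf)        { $reasons += 'broad principal' }
            if ($reasons.Count -gt 0) {
                New-Object psobject -Property @{ Url = $url; User = $user; Reasons = ($reasons -join ', ') }
            }
        }
    }
}

Get-UrlAclFinding -Text $sample | Select-Object Url, User, Reasons | Format-Table -AutoSize
```

With the constructed sample, the http://+:80/ entry is reported for both reasons, the http://*:8080/app/ entry for its wildcard host only, and the localhost reservation is not reported.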