Can I programmatically add an IP address to Dynamic IP Restrictions extension in IIS7 from my ASP.NET app?

Question

I\'m creating a forums based site and want to block the members that post spam or abuse. I was thinking about using an HTTPModule to do this but I came across the Dynamic IP Res

Answer 1

I was also interested in this.

At first I was using the UI in IIS7 to blacklist IP addresses.

I did take a look at the Rick Strahl link mentioned above but found a great resource here:

http://www.iis.net/configreference/system.webserver/security/ipsecurity/add

The code sample on that page shows you how to perform the action using C#. Here is the snip from that site

using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
{
   private static void Main()
   {
      using (ServerManager serverManager = new ServerManager())
      {
         Configuration config = serverManager.GetApplicationHostConfiguration();
         ConfigurationSection ipSecuritySection = config.GetSection("system.webServer/security/ipSecurity", "Default Web Site");
         ConfigurationElementCollection ipSecurityCollection = ipSecuritySection.GetCollection();

         ConfigurationElement addElement = ipSecurityCollection.CreateElement("add");
         addElement["ipAddress"] = @"192.168.100.1";
         addElement["allowed"] = false;
         ipSecurityCollection.Add(addElement);

         ConfigurationElement addElement1 = ipSecurityCollection.CreateElement("add");
         addElement1["ipAddress"] = @"169.254.0.0";
         addElement1["subnetMask"] = @"255.255.0.0";
         addElement1["allowed"] = false;
         ipSecurityCollection.Add(addElement1);

         serverManager.CommitChanges();
      }
   }
}

To get the Microsoft.Web.Administration package, in visual studio goto Tools -> Nuget Package Manager -> Package Manager Console.

Then type:

Install-Package Microsoft.Web.Administration

Another way of performing the same task is to use the command line and the appcmd command.

The following command does the same thing:

appcmd.exe set config "Default Web Site/SSM" -section:system.webServer/security/ipSecurity /+"[ipAddress='192.168.100.1',allowed='False']" /commit:apphost

and could be called from code using:

string website = "Default Web Site/SSM";
string ipAddress = "192.168.100.1";
string allowDeny = "False";

string cmd = string.Format("%systemroot%\\system32\\inetsrv\\appcmd.exe set config \"{0}\" -section:system.webServer/security/ipSecurity /+\"[ipAddress='{1}',allowed='{2}']\" /commit:apphost", website, ipAddress, allowDeny);
Process.Start(cmd);

The above command works but it turns out if you call it from C# it complains saying "The system cannot find the file specified Exception". To get around that you have to supply an admin username/password.

Here is the function:

void BlacklistIP(string ipAddress)
{
    string website = "Default Web Site/SSM";
    string allowDeny = "False";
    string domain = "";

    string args = string.Format(" set config \"{0}\" -section:system.webServer/security/ipSecurity /+\"[ipAddress='{1}',allowed='{2}']\" /commit:apphost", website, ipAddress, allowDeny);

    System.Security.SecureString password = new System.Security.SecureString();
    password.AppendChar('y');
    password.AppendChar('o');
    password.AppendChar('u');
    password.AppendChar('r');
    password.AppendChar('p');
    password.AppendChar('a');
    password.AppendChar('s');
    password.AppendChar('s');
    password.AppendChar('w');
    password.AppendChar('o');
    password.AppendChar('r');
    password.AppendChar('d');

    Process.Start(@"C:\windows\System32\inetsrv\appcmd.exe", args, "Administrator", password, domain);
}

Et Voila!

Answer 2

It looks likes Rick Strahl has achieved this using the IIS API, please see link below:

http://www.west-wind.com/WebLog/posts/59731.aspx

Andrew