We've got a webserver running IIS. We'd like to run maybe a shared blog or something to keep track of information. Because of security issues, we'd like for that part to
In IIS6 you can bring up the properties for the web and click on the directory security tab. Click the button in the middle of the tab for editing the IP and Domain restrictions. On this tab set all computers as denied, then add an exception for the IPs you want to allow access to this site.
I am not sure how to configure this on IIS7. I looked but couldn't find it, if I find it I will edit this answer.
Edit: Configuring IIS7
Judging from the options present in the IIS MMC, you can also have a virtual directory only be accessible by certain IP-ranges. You could block everyone but 127.0.0.1. I have not tried this, however.
You could simply add this .NET to the top of the page.
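    // Assumes this runs inside an ASP.NET page, where HttpContext.Current is the current request.
    HttpContext currentContext = HttpContext.Current;
    // SERVER_NAME is the host name the request was addressed to.
    string MyWebServerName = currentContext.Request.ServerVariables["SERVER_NAME"];
    if (MyWebServerName == "127.0.0.1" || MyWebServerName == "localhost")
    {
        // the user is local
    }
    else
    {
        // the user is NOT local
    }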
As suggested in https://stackoverflow.com/a/39870955/2279059, it is possible to configure the site's bindings to listen only on the loopback interface. This makes the site inaccessible from the network without having to use IP address restrictions.
To support both IPv4 and IPv6, add two bindings, one for 127.0.0.1 and one for [::1], and set the hostname to *, so either IP address or localhost can be used to access it.
To add a "local" site programmatically, you can use:
    appcmd add site /name:MyLocalSite /bindings:http/127.0.0.1:7103:*,http/[::1]:7103:* /physicalPath:"C:\path\to\site"
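A check for the loopback-only binding approach above, as an added example that is not part of the original answer: it reads a `<sites>` section in the shape of IIS's applicationHost.config and reports every http/https binding whose IP part is not a loopback address. The sample XML, site names and function names are constructed for illustration; a binding on all interfaces is flagged even when its hostname is localhost, because the hostname is only matched against the request's Host header.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of applicationHost.config's <sites> section.
SAMPLE_CONFIG = """
<configuration><system.applicationHost><sites>
  <site name="LocalBlog" id="2"><bindings>
    <binding protocol="http" bindingInformation="127.0.0.1:7103:*" />
    <binding protocol="http" bindingInformation="[::1]:7103:*" />
  </bindings></site>
  <site name="MixedSite" id="3"><bindings>
    <binding protocol="http" bindingInformation="127.0.0.1:8080:" />
    <binding protocol="http" bindingInformation="*:8081:localhost" />
    <binding protocol="https" bindingInformation="192.0.2.10:443:" />
  </bindings></site>
</sites></system.applicationHost></configuration>
"""

def is_loopback_binding(binding_information):
    """True only if the IP part of 'IP:port:hostname' is a loopback address."""
    # rsplit keeps the colons inside a bracketed IPv6 literal together.
    parts = binding_information.rsplit(":", 2)
    if len(parts) != 3:
        return False  # malformed: treat as exposed
    ip_part = parts[0].strip("[]")
    if ip_part in ("", "*"):
        # All interfaces: the hostname part does not limit where the site listens.
        return False
    try:
        return ipaddress.ip_address(ip_part).is_loopback
    except ValueError:
        return False  # unparseable: treat as exposed

def exposed_bindings(config_xml):
    """Return {site name: [non-loopback http/https bindings]} for sites that have any."""
    findings = {}
    for site in ET.fromstring(config_xml).iter("site"):
        bad = [b.get("bindingInformation", "") for b in site.iter("binding")
               if b.get("protocol") in ("http", "https")
               and not is_loopback_binding(b.get("bindingInformation", ""))]
        if bad:
            findings[site.get("name")] = bad
    return findings

if __name__ == "__main__":
    for name, bindings in exposed_bindings(SAMPLE_CONFIG).items():
        print(f"{name}: reachable beyond loopback via {bindings}")
```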
You can grant or deny access to a site or folder from certain IPs. In IIS, go into properties for the site or folder in question.
(1) Click the "Directory Security" Tab
(2) Click Edit Under the "IP Address and Domain Name Restriction" frame.
(3) Click "Denied Access" (This tells IIS to block every IP except those you list)
(4) Click "Add..."
(5) Click "Single Computer"
(6) Enter 127.0.0.1 (the IP of localhost)
Note that it is best to use an IP here (as I've described) rather than a domain name because domains can be easily forged using a hosts file.
For someone doing it in IIS 8 / Windows 2012
1) In Server Manager, go to Manage, Add Roles and Features, Next, Next (get to Server Roles), scroll down to Web Server (IIS), expand that row, then expand Web Server, and finally expand Security. Make sure that IP and Domain Restrictions are installed.
2) In IIS Manager, drill down to the folder that you want to protect and left click select it. In the Features View of that folder select IP and Domain Restrictions. In Actions choose Edit Feature Settings. Change 'Access for unspecified clients:' to 'Deny' then OK.
3) Finally go to 'Add Allow Entry' in the Actions menu. Type in the specific IP address of your server.
Now only requests coming from your server will be allowed access. Or any server that shares that IP address. So in a small network, the office could share the IP address between all of the PCs in that office, so all of those PCs could access that folder.
Last but not least is to remember that if your network has a dynamic IP address, then if that IP changes, you will expose your blog admin folder to whoever is using that IP now. Also, everyone on that new IP address will lose access to that folder...