HOW TO: Restrict Site Access by IP Address or Domain Name


This article describes how to translate the Apache settings that restrict access to a folder or a Web site by Internet Protocol (IP) address or domain name to the settings that are required in IIS.

Setting Folder Security by IP Address or Domain Name

Apache uses the Allow and Deny directives to determine the sites that can access a particular Web site or folder. However, Apache provides discretionary access control; you must either deny all sites and provide a specific list of sites or IP addresses that can access a folder or allow all sites and deny only those sites that you do not want to have access. For example, if you use the following directive, all client computers are denied access unless they are recognized as part of the domain:

   Deny from all
Allow from

IIS works the same way. All clients are specifically denied or granted access, except for those that are listed.

Define Access Control for Specific Folder or Site

  1. Log on to the Web server computer as an administrator.
  2. Click Start, point to Settings, and then click Control Panel.
  3. Double-click Administrative Tools, and then double click Internet Services Manager.
  4. If you want to limit access for the whole site, select the Web site from the list of different served sites in the left pane.

    If you want to limit access only for a specific folder, click the folder you want to control.
  5. Right-click the Web site or folder, and then click Properties.
  6. Click the Directory Security panel.
  7. If you want to limit access to a specific set of sites but deny access to all other sites, click Denied Access.
  8. If you want to grant access to all clients by default but exclude a specific list of clients, click Granted Access.
  9. To update the list of hosts or domains in the Except list, click Add.
  10. To add a single computer to the list, click Single computer, type the IP address in the appropriate box, and then click OK.
  11. To add a range of computers in a specific address range, click Group of computers, type the IP address for the network in the appropriate box, type the subnet mask for the network range you want to configure, and then click OK.
  12. To add computers by their identified domain name, click Domain name, and then type the domain name in the appropriate box.
  13. Click Properties, type the domain name, and then click OK.
  14. Click OK, and then click OK.
NOTE: If you use domain name restrictions, the server has to perform a reverse DNS lookup for each request to check the host's registered domain name. Microsoft recommends that you use an IP address or network range whenever you can.


For additional information about securing IIS for a migration from UNIX to Windows, click the article number below to view the article in the Microsoft Knowledge Base:

324216 HOW TO: Secure IIS in a UNIX-to-Windows Migration


ID articol: 324066 - Ultima examinare: 21 nov. 2006 - Revizie: 1