Microsoft IIS 10.0 – IP address and domain restrictions

How to Activate Windows Server 2019

In this recipe, we will log in to the IIS server first and then open the IP address and domain restrictions feature. We will add an allow rule and deny rule for specific IP addresses. We will discuss and review dynamic IP restriction.

Getting ready

We require an up-and-running IIS 10.0 instance. Security components should be installed. You should have administrative privileges.

How to do it…

  1. Log in to Windows Server 2016 with an account with administrative privileges.
  2. Open Server Manager from the Start menu or use the search window to find it.
  3. Click on the Tools menu from Server Manager; you will find IIS Manager. Open it and click on the WIN2016IIS IIS server. Expand the Sites folder and click on Go to the Features View of and select IP Address and Domain Restrictions:
  1. You will get the IP Address and Domain Restrictions configuration window, as shown in the following screenshot:
  1. Go to the Actions pane, click on Add Allow Entry, and you will get the allow IP and domain window, as shown here:
  1. Add Allow Restriction Rule will help us to allow specific IP addresses or domain names (, or an IP address range with a subnet mask or prefix (domain name). Add the IP and click on OK. You’ve now created the allow restriction rule. Let’s move on to create a deny rule.
  2. Go to the IP Address and Domain Restrictions Actions pane, click on Add Deny Entry…, and you will get the Add Deny Restriction Rule window:
  1. Here, we are creating a deny rule for the IP We can add a deny rule for a specific IP, domain, or range of IP addresses. We’ve added a single IP for now: Click on the OK button. We’ve now created the deny rule.
  2. We need to configure the dynamic IP address restriction setting. Go to the IP Address and Domain Restrictions Actions pane. Click on Dynamic IP Restriction Settings. You will get a new window:
  1. Here, we set the deny IP address rule based on the number of concurrent requests; for example, with the first option, we can allow a single IP address to access the website with a maximum of four simultaneous sessions. More than four website access requests will be denied (terminated). With the second option, we can require that each IP be able to make only a specific number of website access requests for a specified time period. We are not configuring this part here, but when you publish your website on the internet, you can do this to protect against certain cyber attacks.



How it works…

In this recipe, we looked at IP address and domain restriction features. We then added an allow rule the IP address and a deny rule for the address. We discussed and had an overview of dynamic IP restriction.

Comments are closed.