Windows server: restrict user by ip

Tags: iis, security, windows

As an extra layer of security I use "Integrated Windows authentication" in IIS to protect our admin tool.

To set up new user accounts I go to "Computer Management" -> "Local Users and Groups" -> "Users".

My question: is it possible to restrict access for a specific user to a certain IP address? For example, I only want my consultants to be able to log in from our office.

I've tried Select User -> "Properties" -> "Dial-in" -> "Assign a static IP Address" but it didn't work. Do I need to change something else too?

Best Answer

You could do this with a URL Rewriter, like IIRF.

IIRF provides examples of how to block requests based on the IP address of the remote machine.

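```
# Iirf.ini
#
# ini file for blocking by IP address
#

RewriteLogLevel 1
RewriteLog c:\inetpub\iirfLogs\Iirf
RewriteEngine ON
StatusUrl /iirfStatus
IterationLimit 5

# If the client address is exactly 24.132.226.94, return 403
# (F = Forbidden). The trailing [OR] flag is dropped here because
# there is no second RewriteCond for it to combine with.
RewriteCond %{REMOTE_ADDR} ^24\.132\.226\.94$
RewriteRule ^/(.*)$ /$1 [F]
```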

I think what you're doing is allowing based on IP address, so... the reverse.

```
# Iirf.ini
#
# ini file for allowing requests by IP address range
#

RewriteLogLevel 1
RewriteLog c:\inetpub\iirfLogs\iirf
RewriteEngine ON
StatusUrl /iirfStatus
IterationLimit 5

# If the IP address is not in the specified range, return 404
# (NF = Not Found)
RewriteCond %{REMOTE_ADDR} ^(?!24\.132\.(\d+)\.(\d+))
RewriteRule ^/.*$ - [NF]

# If URL processing has gotten this far, do nothing (no rewrite),
# which means, implicitly, allow the request.
```

If you also want to allow access for authenticated users, you would have to modify that ini file to also consider an authentication cookie, or something.
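
One way to check the allow-list pattern before deploying it, as an added example that is not part of the original answer: the script applies the `RewriteCond` regex from the second ini file to constructed sample addresses and compares each decision with a CIDR membership test. The function names, the sample addresses and the reading of the range as 24.132.0.0/16 are assumptions.

```python
import ipaddress
import re

# Pattern copied from the allow-list Iirf.ini above. IIRF uses PCRE; this
# particular pattern behaves the same under Python's re module.
NOT_IN_RANGE = re.compile(r"^(?!24\.132\.(\d+)\.(\d+))")

# Assumption: the range the pattern is meant to express, as a CIDR block.
ALLOWED_NET = ipaddress.ip_network("24.132.0.0/16")


def rule_blocks(remote_addr: str) -> bool:
    """True if the RewriteCond matches, i.e. the [NF] rule would fire."""
    return NOT_IN_RANGE.search(remote_addr) is not None


def cidr_blocks(remote_addr: str) -> bool:
    """Reference decision: block every address outside ALLOWED_NET."""
    return ipaddress.ip_address(remote_addr) not in ALLOWED_NET


def disagreements(addresses):
    """Addresses where the regex and the CIDR check give different answers."""
    return [a for a in addresses if rule_blocks(a) != cidr_blocks(a)]


# Constructed sample addresses (not from the original post).
SAMPLES = [
    "24.132.226.94",  # inside the range
    "24.132.0.1",     # inside the range
    "24.133.0.1",     # neighbouring /16
    "124.132.1.1",    # contains "24.132." but not at the start
    "10.0.0.5",       # private address, e.g. what a reverse proxy presents
    "::1",            # IPv6 loopback
]

if __name__ == "__main__":
    for addr in SAMPLES:
        decision = "404" if rule_blocks(addr) else "allow"
        print(f"{addr:15} -> {decision}")
    print("disagreements:", disagreements(SAMPLES))
```

The rule sees only `REMOTE_ADDR`, so if requests reach IIS through a proxy or load balancer, every client presents the proxy's address and is allowed or blocked as a group.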