Securing and restricting access to IIS websites to specific computers

Mohammad Ganji 1 Reputation point
2021-11-18T01:24:06.46+00:00

Hi,

There are some public computers outside of the company that connect to our IIS website. I'd like to make sure only these can connect, not anyone else, or, better to say, any computer whose user has the credentials; and I guess this can be achieved via certificates. Also, we must be sure that the certificate may not be exported and used on another PC. Recommended solutions in this regard or any other suggestions would be appreciated.

Regards,
M. Ganji

Internet Information Services
Windows Server Security

3 answers

  1. Bruce Zhang-MSFT 3,756 Reputation points
    2021-11-18T08:06:57.377+00:00

    Hi @Mohammad Ganji ,

    IIS has a module to restrict IP access to the site. You can use it to deny everyone else.

    Set this module to let IIS deny all unspecified clients.

    Then add the IP of the outside public computer to the allow list.



    Best regards,
    Bruce Zhang

    1 person found this answer helpful.

  2. Limitless Technology 39,796 Reputation points
    2021-11-19T09:37:04.683+00:00

    Hi there,

    Open the IIS console and go to the Properties of your Web site.
    Click on the Directory Security tab.
    Click Edit in the IP address and domain name restrictions section - you can add the IP address of a single computer, a group of computers or the entire domain name that should have access. Click OK until all the windows are closed.



  3. Bruce Zhang-MSFT 3,756 Reputation points
    2021-11-22T02:31:42.093+00:00

    Hi @Mohammad Ganji ,

    Disabling export of the certificate may be difficult, but you can disable export of the private key. The certificate will be useless when they don't have the private key. I don't know how you generate the certificate, and only some special certificate tools provide this feature. If possible, please suggest that your team store the private key in a smart card. In this way, the private key will never be leaked unless the card is stolen and cracked by someone else.

    Another way is using authentication. You can design an authentication mechanism to verify the users who want to access the site. Or the simplest way is to use Windows authentication. Only users who have a Windows account can access the site. But the risk is that users who know this account might leak it out.



    Best regards,
    Bruce Zhang
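
The deny-unlisted setting and allow list from the first answer, and the non-exportable private key from the third, scripted in PowerShell as an added example that is not part of the original thread. The site name, IP addresses and certificate subject are placeholder assumptions, and the self-signed certificate stands in for whatever CA actually issues the client certificates.

```powershell
# --- Part 1: on the IIS server, in an elevated PowerShell session ---
# Assumed values: site name and client addresses are placeholders (RFC 5737 range).
$site       = 'Default Web Site'
$allowedIps = @('203.0.113.10', '203.0.113.11')
$filter     = 'system.webServer/security/ipSecurity'

# "IP Address and Domain Restrictions" is an optional IIS role service.
Install-WindowsFeature Web-IP-Security | Out-Null
Import-Module WebAdministration

# Deny every client that is not explicitly listed.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter $filter -Name 'allowUnlisted' -Value $false

# Add each public computer to the allow list.
# Re-running this for an address that is already listed fails as a duplicate entry.
foreach ($ip in $allowedIps) {
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
        -Filter $filter -Name '.' -Value @{ ipAddress = $ip; allowed = 'true' }
}

# Review the resulting rules.
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter "$filter/add" | Select-Object ipAddress, subnetMask, allowed

# --- Part 2: on each public computer ---
# Create a client-authentication certificate whose private key is marked
# non-exportable. Subject name is a placeholder; a real deployment would
# request the certificate from the organisation's CA with the same key policy.
$cert = New-SelfSignedCertificate -Type Custom -Subject 'CN=kiosk-01' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable -KeyUsage DigitalSignature `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')   # EKU: client authentication

# Check: exporting the certificate together with its key must be refused.
$probe = Join-Path $env:TEMP 'export-probe.pfx'
$pw    = ConvertTo-SecureString 'constructed-test-only' -AsPlainText -Force
try {
    Export-PfxCertificate -Cert $cert -FilePath $probe -Password $pw -ErrorAction Stop | Out-Null
    Remove-Item $probe -Force
    Write-Warning 'Private key was exported: the key policy is not NonExportable.'
} catch {
    'Export refused: private key is marked non-exportable.'
}
```

The non-exportable flag is enforced by the software key store on the client; the smart card suggested in the answer keeps the key in hardware instead.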
