Configure IPv4 Address and Domain Name Deny Rules (IIS 7)

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

In IIS 7, all IP addresses, computers, and domains can access your site by default. To enhance security, you can restrict access to your site by creating a deny rule for all IP addresses, a specific IP address, a range of IP addresses, or a specific domain. For example, if you have a site on an intranet server that is connected to the Internet, you can prevent Internet users from accessing your intranet site by allowing access only to members of your intranet, and explicitly denying access to outside users.


IP address restrictions apply only to IPv4 addresses.


For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see IPv4 Address and Domain Name Rules Feature Requirements (IIS 7).

Exceptions to Feature Requirements

  • None

To deny access based on IP Address or domain name

You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.

User Interface

To use the UI

  1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).

  2. In Features View, double-click IPv4 Address and Domain Restrictions.

  3. In the Actions pane, click Add Deny Entry.

  4. In the Add Deny Restriction Rule dialog box, select Specific IPv4 address, IPv4 address range, or Domain name, and type the IPv4 address, range, mask, or domain name, and then click OK.


To add domain names, you must first enable domain name restrictions by clicking Edit Feature Settings in the Actions pane and then selecting Enable domain name restrictions in the Edit IP and Domain Restrictions Settings dialog box.


To create a deny rule for IPv4 address and domain restriction, use the following syntax:

appcmd set config /section:ipsecurity /+"[ipaddress='string',allowed='false',subnetMask='string',domainName='string']"

The variable ipaddress string is a single IPv4 address. The variable **subnetMask **string is a subnet mask. Use the subnet mask in combination with the IPv4 address to identify an address space that applies to this rule. The variable **domain name **string is a domain name. Typically, you would use an IP address or a domain name, but not both in the same rule.

For example, to create a deny rule for IPv4 address, type the following at the command prompt, and then press ENTER:

appcmd set config /section:ipsecurity /+"[ipaddress='',allowed='false']"

For more information about Appcmd.exe, see Appcmd.exe (IIS 7).


The procedure in this topic affects the following configuration elements:


For more information about IIS 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.


Use the following WMI classes, methods, or properties to perform this procedure:

  • IPSecuritySection class

  • IPSecuritySection.IpSecurity property

  • IPSecuritySection.Add method

  • IPAddressFilterElement.Allowed property

  • IPSecuritySection.Remove method


To delete an instance of this object, use the object’s Delete_ system method that it inherits from WMI. For more information about Delete_, see SWbemObject.Delete_ on the MSDN site.

For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.