Install Basic Auth and IP Filtering in IIS 8
This short how-to will explain how to set up basic authentication and ip filtering on an IIS 8 website/API. To start, grab hold of a URL which will test the access to that site and make sure it works. You will need it later when you start putting the locks in place.
We are now going to set some IP based restrictions and basic authentication for an existing IIS 8 based website or API. To begin, let’s install the components we need; we can do this in one go to save time.
Component Installation
In Server Manager:
- Click on Dashboard
- Click on "2 Add roles and features" in the middle-top pane
- Click Next
- Ensure "Role-based or feature-based installation" is chosen in the option group in the middle-top pane
- Click Next
- Click Next
- Scroll down the middle list and expand the "Web Server (IIS)" section
- Expand Web Server
- Expand Security
- Check Basic Authentication
- Check IP and Domain Restrictions
- Click Next
- Click Next
- Click Install
Once installed, you will be able to close the window. Whilst it can work in the background, we want to know it is done before continuing, so hang in there a second. Now that we have those and since the IP filtering is easiest, let’s start with that as a quick-win.
Add IP Filtering
- Run inetmgr.
- Double-click IP Address and Domain Restrictions
- On the right, click on "Add Allow Entry..."
- Type in the specific IP address that you want to allow to connect to the website
- Click OK
That tells IIS who can use it but we now need to stop anyone we don’t want.
Deny everyone else
- Click on "Edit Feature Settings..."
- Choose Deny in the drop-down referring to "Access for unspecified clients"
- Click OK
Testing IP Filtering
From the allowed IP address, try and access the website. Now try on another machine - it should say it is forbidden. Let’s now move onto the authentication, just as a small extra layer of security.
Adding Basic Authentication
In the following steps, we’re going to create an unprivileged user to log in with, then turn basic authentication on and disable anonymous access. Ready? Time for that new user.
- Run Server Manager
- Click the Tools menu drop-down (top-right)
- Click on Computer Management
- Expand Local Users and Groups in the left pane
- You should now see two options: click on Users underneath it
- Click on More Actions on the right
- Select "New User..."
- Add a user name, full name, password and confirmed password, e.g. api, "API User" and a password
- Uncheck "User must change password at next logon" and, optionally, check "Password never expires"
- Click Create, then Close
Reducing the Power!
Now that we have our user, let’s make him/her a little less powerful by removing them from the Users group and adding them into one which can only use IIS (IIS_IUSRS).
- Right-click on the user you just created, e.g. api
- Choose Properties
- In the Member Of tab, click on Users and then press the Remove button
- Now click "Add..." and type IIS_IUSRS
- Click Check Names. If you did it correctly, it will replace what you typed with a version that is underlined.
- Click OK
- Click OK
Turning the lights on and off
We’re almost done. We just need to finish off the authentication by specifying that anonymous access is no longer allowed but basic authentication is.
- Click back on your website in inetmgr in the left pane
- Now double-click on Authentication
- Disable Anonymous Authentication and enable Basic Authentication by right-clicking on each and choosing the appropriate option.
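The same four sections (component installation, IP filtering, the unprivileged user, and the authentication switch) can be scripted so the change is repeatable and can be read back for verification. This is an added example, not part of the original post; it assumes the site is called "Default Web Site", that the allowed client is 203.0.113.10 (a documentation address), that the user is "api", and that it is run in an elevated PowerShell on the IIS host.

```powershell
# Added example (not from the original post). Assumed values below; adjust to your site.
$SiteName  = 'Default Web Site'
$AllowedIp = '203.0.113.10'   # constructed example address
$UserName  = 'api'

# 1. Component installation: same features as Server Manager > Add roles and features.
Install-WindowsFeature -Name Web-Basic-Auth, Web-IP-Security | Out-Null
Import-Module WebAdministration

# 2. IP filtering: one Allow entry, then Deny for unspecified clients.
#    -PSPath 'IIS:\' with -Location writes a <location> block in applicationHost.config,
#    which is what IIS Manager does and works even though ipSecurity is locked
#    against web.config overrides by default.
$ipFilter = '/system.webServer/security/ipSecurity'
Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $ipFilter `
    -Name '.' -Value @{ ipAddress = $AllowedIp; allowed = 'true' }
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $ipFilter `
    -Name allowUnlisted -Value $false      # "Access for unspecified clients: Deny"

# 3. Unprivileged local user: member of IIS_IUSRS only, not of Users.
#    New-LocalUser / *-LocalGroupMember need the LocalAccounts module (PowerShell 5.1);
#    on Server 2012 use 'net user' and 'net localgroup' for the same three steps.
$pw = Read-Host -Prompt "Password for $UserName" -AsSecureString
New-LocalUser -Name $UserName -FullName 'API User' -Password $pw -PasswordNeverExpires | Out-Null
Remove-LocalGroupMember -Group 'Users' -Member $UserName -ErrorAction SilentlyContinue
Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $UserName

# 4. Authentication for this site only: anonymous off, basic on.
$auth = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$auth/basicAuthentication" -Name enabled -Value $true

# 5. Read back what was applied before testing from an allowed and a blocked machine.
Get-WebConfiguration -PSPath 'IIS:\' -Location $SiteName -Filter "$ipFilter/add" |
    Select-Object ipAddress, subnetMask, allowed
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $ipFilter -Name allowUnlisted
Get-WebConfiguration -PSPath 'IIS:\' -Location $SiteName -Filter "$auth/*" |
    Select-Object SectionPath, enabled
```

The read-back at the end should show exactly one Allow entry, allowUnlisted set to False, anonymousAuthentication disabled and basicAuthentication enabled; if a setting does not appear there, IIS Manager will not show it either.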
Final Remarks
Those steps should have set everything up for you, but you need to realise that without an SSL certificate, the credentials in the basic authentication header are going to be zipping left and right over the wire in clear text form. Please consider also adding a valid certificate.
If you want another perspective on the IP filtering, here’s some basic information which might also help from the excellent Microsoft documentation.
Hi! Did you find this useful or interesting? I have an email list coming soon, but in the meantime, if you read anything you fancy chatting about, I would love to hear from you. You can contact me here or at stephen ‘at’ logicalmoon.com