Install Basic Auth and IP Filtering in IIS 8

This short how-to explains how to set up basic authentication and IP filtering on an IIS 8 website or API. Before you start, note down a URL that tests access to the site and make sure it works; you will need it later, once the locks are in place, to confirm that the right clients still get through.

We are now going to set some IP based restrictions and basic authentication for an existing IIS 8 based website or API. To begin, let’s install the components we need; we can do this in one go to save time.

Component Installation

In Server Manager:

  • Click on Dashboard
  • Click on 2 Add roles and features in the middle-top pane
  • Click Next
  • Ensure Role-based or feature-based installation is chosen in the option group in the middle-top pane
  • Click Next
  • Click Next
  • Scroll down the middle list and expand the Web Server (IIS) section
  • Expand Web Server
  • Expand Security
  • Check Basic Authentication
  • Check IP and Domain Restrictions
  • Click Next
  • Click Next
  • Click Install

Once installed, you can close the window. The installation can carry on in the background, but we want to know it has finished before continuing, so hang in there a second. Now that those components are in place, and since the IP filtering is the easiest part, let’s start with that as a quick win.

Add IP Filtering

  • Run inetmgr.
  • Double-click IP Address and Domain Restrictions
  • On the right, click on Add Allow Entry...
  • Type in your specific IP address that you want to allow to connect to the website
  • Click OK

That tells IIS who may use the site, but we still need to stop everyone else.

Deny everyone else

  • Click on Edit Feature Settings...
  • Choose Deny in the drop-down referring to Access for unspecified clients
  • Click OK

Testing IP Filtering

From the allowed IP address, try to access the website. Now try from another machine: it should say access is forbidden. Let’s now move on to the authentication, as a small extra layer of security.

Adding Basic Authentication

In the following steps, we’re going to create an unprivileged user to log in with, then turn on basic authentication before disabling anonymous access. Ready? Time for that new user.

  • Run Server Manager
  • Click the Tools menu drop-down (top-right)
  • Click on Computer Management
  • Expand Local Users and Groups in the left pane
  • You should now see two options: click on Users underneath it
  • Click on More Actions on the right
  • Select New User...
  • Add a user name, full name, password and confirmed password, e.g. api, "API User" and a password
  • Uncheck User must change password at next logon and, optionally, tick Password never expires
  • Click Create then Close

Reducing the Power!

Now that we have our user, let’s make him/her a little less powerful by removing them from the Users group and adding them to one that can only use IIS (IIS_IUSRS).

  • Right-click on the user you just created: e.g. api
  • Choose Properties
  • In the Member Of tab, click on Users and then press the Remove button
  • Now click Add... and type: IIS_IUSRS
  • Click Check Names. If you did it correctly, it will replace what you typed with a version that is underlined.
  • Click OK
  • Click OK

Turning the lights on and off

We’re almost done. We just need to finish off the authentication by specifying that anonymous access is no longer allowed but basic authentication is.

  • Click back on your website in inetmgr in the left pane
  • Now double-click on Authentication
  • Disable Anonymous Authentication and enable Basic Authentication by right-clicking on each and choosing the appropriate option.
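The whole procedure above (component installation, IP filtering, the local user, its group membership and the authentication switch) can also be done from an elevated Windows PowerShell prompt on the server. The script below is an added example, not part of the original post; it assumes the site is called 'Default Web Site', that the allowed client is 203.0.113.10 (a placeholder from the documentation range) and that the account is named api. It writes to applicationHost.config under a <location> tag, which is what inetmgr does, because the ipSecurity and authentication sections are locked against a site's web.config by default.

```powershell
# Added example (not from the original post): the IIS 8 set-up from an elevated
# PowerShell prompt. Assumed values; change them for your environment.
$SiteName  = 'Default Web Site'
$AllowedIp = '203.0.113.10'     # placeholder: the one client address to allow
$UserName  = 'api'
$Password  = Read-Host -Prompt "Password for local user $UserName"   # echoed on screen

# 1. Component installation (Server Manager > Add roles and features)
Install-WindowsFeature -Name Web-Basic-Auth, Web-IP-Security

Import-Module WebAdministration
$AppHost = 'MACHINE/WEBROOT/APPHOST'   # site-level <location> in applicationHost.config

# 2. IP filtering: one Allow entry, then "Access for unspecified clients: Deny"
$IpFilter = 'system.webServer/security/ipSecurity'
Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $IpFilter `
    -Name '.' -Value @{ ipAddress = $AllowedIp; allowed = 'true' }
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $IpFilter `
    -Name 'allowUnlisted' -Value 'false'

# 3. Local user for Basic authentication, created through ADSI so the script
#    also runs on Server 2012 where the LocalAccounts module is not available
$Computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$User = $Computer.Create('User', $UserName)
$User.SetPassword($Password)
$User.Put('FullName', 'API User')
$User.SetInfo()
# "User must change password at next logon" off, "Password never expires" on
# (ADS_UF_DONT_EXPIRE_PASSWD = 0x10000)
$User.Put('PasswordExpired', 0)
$User.Put('UserFlags', ($User.Get('UserFlags') -bor 0x10000))
$User.SetInfo()

# 4. Reducing the power: out of Users, into IIS_IUSRS
$UserPath   = "WinNT://$env:COMPUTERNAME/$UserName,user"
$UsersGroup = [ADSI]"WinNT://$env:COMPUTERNAME/Users,group"
$IisGroup   = [ADSI]"WinNT://$env:COMPUTERNAME/IIS_IUSRS,group"
$UsersGroup.Remove($UserPath)
$IisGroup.Add($UserPath)

# 5. Turning the lights on and off: anonymous off, Basic on
$AuthBase = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter "$AuthBase/anonymousAuthentication" -Name 'enabled' -Value $false
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter "$AuthBase/basicAuthentication" -Name 'enabled' -Value $true

# Show what was written so it can be compared with the inetmgr panes
$IpSecurity = Get-WebConfiguration -PSPath $AppHost -Location $SiteName -Filter $IpFilter
"ipSecurity allowUnlisted = {0}" -f $IpSecurity.allowUnlisted
foreach ($Scheme in 'anonymousAuthentication', 'basicAuthentication') {
    $Enabled = Get-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter "$AuthBase/$Scheme" -Name 'enabled'
    "{0,-24} enabled = {1}" -f $Scheme, $Enabled.Value
}
```

Run it once per site; the Add-WebConfigurationProperty call appends a second identical Allow entry if it is run twice, and the ADSI Create call fails if the account already exists, so rerunning it is a quick way to spot that the work was already done.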

Final Remarks

Those steps should have set everything up for you, but bear in mind that without an SSL certificate the basic authentication credentials are going to be zipping left and right over the wire in clear text. Please consider adding a valid certificate as well.
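The following script is an added example, not part of the original post. It runs the checks described under "Testing IP Filtering" and the final remarks from a client: it reports the HTTP status the site returns with and without credentials, shows that a Basic Authorization header is only base64-encoded (one call reverses it, which is why the certificate matters), and, once the site has an https binding, turns on IIS's "Require SSL" so the header is only ever sent inside TLS. It assumes Windows PowerShell (Invoke-WebRequest throws System.Net.WebException there), a placeholder URL and the api account from the how-to; run it once from the allowed address and once from a denied one to see 401 versus 403.

```powershell
# Added example (not from the original post). Assumed values below.
$Url      = 'http://server.example.test/'   # placeholder: the URL kept from the start
$SiteName = 'Default Web Site'
$UserName = 'api'

# Return the HTTP status as an integer, including for 401/403 responses that
# Invoke-WebRequest otherwise surfaces as an exception.
function Get-HttpStatus {
    param([string]$Uri, [hashtable]$Headers = @{})
    try {
        $Response = Invoke-WebRequest -Uri $Uri -Headers $Headers -UseBasicParsing
        return [int]$Response.StatusCode
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw   # no response at all (DNS, connection refused): not an auth result
    }
}

# 1. From a denied address the IP filter answers 403 before authentication runs;
#    from the allowed address with no credentials, Basic authentication answers 401.
"No credentials:   HTTP {0}" -f (Get-HttpStatus -Uri $Url)

# 2. What the Basic Authorization header actually carries: base64, not encryption.
$Cred   = Get-Credential -UserName $UserName -Message 'Password of the API account'
$Pair   = '{0}:{1}' -f $Cred.UserName, $Cred.GetNetworkCredential().Password
$Token  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Pair))
$Header = @{ Authorization = "Basic $Token" }
"With credentials: HTTP {0}" -f (Get-HttpStatus -Uri $Url -Headers $Header)
# Anyone who can read the plain-HTTP request recovers the pair in one call:
"Header decodes to: {0}" -f [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Token))

# 3. On the server, once an https binding with a valid certificate exists,
#    refuse plain HTTP for the site (inetmgr: SSL Settings > Require SSL).
Import-Module WebAdministration
if (Get-WebBinding -Name $SiteName -Protocol https) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
    'Require SSL enabled; plain-HTTP requests to the site will now be refused with 403.'
} else {
    'No https binding on the site yet; add the certificate binding first.'
}
```

Step 3 is deliberately guarded by the binding check: setting sslFlags before an https binding exists locks everyone out, including the allowed address.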

If you want another perspective on the IP filtering, the excellent Microsoft documentation has some basic information which might also help.

Hi! Did you find this useful or interesting? I have an email list coming soon, but in the meantime, if you read anything you fancy chatting about, I would love to hear from you. You can contact me here or at stephen ‘at’