4

I like to secure all aspx files in a folder ~/Secure/ secure such that specific IP addresses can access the folder's aspx files. I added the following web.config file to the folder, hoping that it adds to the parent web.config: 

<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="192.168.100.1" />
        <add ipAddress="169.254.0.0" subnetMask="255.255.0.0" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>

The problem is that I get this error when I try to access to any of the aspx pages in the folder:

This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

What does it take to make this idea happen? I like to just include one web.config file to a folder and that enforces the IP address authorization. I like this idea, since it is no-code and config only.

SilverlightFox
  • 32,436
  • 11
  • 76
  • 145
Allan Xu
  • 7,998
  • 11
  • 51
  • 122

2 Answers2

1

You cannot do it in the website web.config only.

If you can use IIS manager: Open IIS Manager, locate the site, click on the folder you want to protect, then click on IP address and Domain Restrinctions.

Also click on "Edit feature settings" in the right Actions panel" to specify actions for unspecified clients (i.e. Deny with Forbidden, or simply Deny With Not Found).

This will generate the right configuration for you.

Stefano Altieri
  • 4,550
  • 1
  • 24
  • 41
  • I was really hoping that this can be done, since i can maintain the web.config as part of my application source. Do we know where this configuration section is locked? Is it in machine.config? – Allan Xu Apr 22 '14 at 23:46
  • Check this link: http://mikechamberlain.net/2012/09/21/configuring-ip-address-restrictions-in-web-config-for-a-specific-web-service-in-iis-7-5/ – Stefano Altieri Apr 23 '14 at 08:12
0

In your root web.config use the location element:-

<location path="Secure">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="192.168.100.1" />
        <add ipAddress="169.254.0.0" subnetMask="255.255.0.0" />
      </ipSecurity>
    </security>
  </system.webServer>
</location>
SilverlightFox
  • 32,436
  • 11
  • 76
  • 145
  • I added that to the application root web.config and I get this error: This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false". – Allan Xu Apr 22 '14 at 23:43
  • @AllanXu Make sure you remove the `web.config` in the subfolder. It has also been [suggested](http://stackoverflow.com/a/6108168/413180) that you might need to enable IP and Domain Restrictions (`Control Panel > Programs and Features > Turn Windows features on or off > Internet Information Services > World Wide Web Services > Security and tick IP Security`). – SilverlightFox Apr 23 '14 at 08:18
  • I've removed the web.config in the subfolder. I followed all instructions here: http://www.iis.net/configreference/system.webserver/security/ipsecurity still the same error. I am running under Windows 2012. – Allan Xu Apr 23 '14 at 13:28
  • have you had a chance to have it working in your environment? – Allan Xu Apr 23 '14 at 13:30