VBScript: Windows XP/IIS 5.1 DOES Support Denying Access by IP Addresses
In helping a visitor to troubleshoot running my IIS FTP ban script, I realized that while XP makes it appear as though it doesn't support banning users by IP address, it actually does provide that support; you just have to ban the IPs programatically.
Here, you can see that the IP address and domain name restrictions section is greyed out. However, you can use the following VBScript to enable and ban users in IIS' Default Web SIte. The first script listed does the following:
1. Ensures that AllowByDefault is set to true (which is the default anyway)
2. Bans a few example IP addresses
3. Confirms the addresses were successfully banned
strComputer = "localhost"
arrBanTheseIPs = Array("10.0.0.200","42.42.42.42")
'Set Objects
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1")
Set objIPRestrict = objWebSite.IPSecurity
objIPRestrict.GrantByDefault = True
objIPRestrict.IPDeny = arrBanTheseIPs
objWebSite.IPSecurity = objIPRestrict
objWebSite.SetInfo
WScript.Echo "The following IP addresses are now banned:"
arrDeniedIPs = objIPRestrict.IPDeny
for i = 0 to Ubound(arrDeniedIPs)
WScript.Echo arrDeniedIPs(i)
next
'Kill Objects
Set objIPRestrict = Nothing
Set objWebSite = Nothing
To Delete All Previously Banned IPs, you would use the following code which overwrites all the IPs with one invalid IP.
strComputer = "localhost"
'Set Objects
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1")
Set objIPRestrict = objWebSite.IPSecurity
objIPRestrict.GrantByDefault = True
objIPRestrict.IPDeny = Array("0.0.0.0")
objWebSite.IPSecurity = objIPRestrict
objWebSite.SetInfo
'Kill Objects
Set objIPRestrict = Nothing
Set objWebSite = Nothing
If you find yourself needing to unban a single IP address, you can use the following code which gathers all the banned IPs except the one you want to delete and rebans them (IPDeny requires a full list each time you set it).
strComputer = "localhost"
'Set Objects
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1")
Set objIPRestrict = objWebSite.IPSecurity
strUnbanSingleIP = "10.0.0.200"
arrIPAddresses = objIPRestrict.IPDeny
For i = 0 to ubound(arrIPAddresses)
strClientIP = Left(arrIPAddresses(i),InStr(arrIPAddresses(i),",")-1)
If strClientIP <> strUnbanSingleIP Then
If Len(strStillBanned) = 0 Then
strStillBanned = strClientIP
Else
strStillBanned = strStillBanned & "," & strClientIP
End If
End If
Next
If Len(strStillBanned) = 0 Then strStillBanned = "0.0.0.0" 'just in case it was the only one
arrStillBannedIPs = split(strStillBanned,",")
objIPRestrict.IPDeny = arrStillBannedIPs
objWebSite.IPSecurity = objIPRestrict
objWebSite.SetInfo
'Kill Objects
Set objIPRestrict = Nothing
Set objWebSite = Nothing
If your script is successful, banned users will see the following message:
You are not authorized to view this pageHTTP 403.6 - Forbidden: IP address rejected
To show all of the current IPs which have been banned, run the following script
strComputer = "localhost"
'Set Objects
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1")
Set objIPRestrict = objWebSite.IPSecurity
arrDeny = objWebSite.Get("IPSecurity").IPDeny
For i = 0 to Ubound(arrDeny)
strBannedIPs = strBannedIPs & arrDeny(i) & vbCrlf
Next
If len(strBannedIPs) > 0 Then
msgbox "IP, Subnet: " & vbCrLF & strBannedIPs
Else
msgbox "No IPs have been banned."
End if
'Kill Objects
Set objIPRestrict = Nothing
Set objWebSite = Nothing
While I haven't tested it, the same scripts should work if you want to deny all IPs except those explicitly listed. To do so, simply set objIPRestrict.GrantByDefault to False and replace the above mentions of IPDeny with IPGrant. Same goes for MSFTPSVC -- if you want to modify the FTP service settings, just change the above instances of "W3SVC" to "MSFTPSVC".
