VBScript: Windows XP/IIS 5.1 DOES Support Denying Access by IP Addresses

In helping a visitor to troubleshoot running my IIS FTP ban script, I realized that while XP makes it appear as though it doesn't support banning users by IP address, it actually does provide that support; you just have to ban the IPs programatically.

Here, you can see that the IP address and domain name restrictions section is greyed out. However, you can use the following VBScript to enable and ban users in IIS' Default Web SIte. The first script listed does the following:

1. Ensures that AllowByDefault is set to true (which is the default anyway) 2. Bans a few example IP addresses 3. Confirms the addresses were successfully banned

strComputer = "localhost" arrBanTheseIPs = Array("10.0.0.200","42.42.42.42")

'Set Objects Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1") Set objIPRestrict = objWebSite.IPSecurity

objIPRestrict.GrantByDefault = True objIPRestrict.IPDeny = arrBanTheseIPs objWebSite.IPSecurity = objIPRestrict objWebSite.SetInfo

WScript.Echo "The following IP addresses are now banned:" arrDeniedIPs = objIPRestrict.IPDeny for i = 0 to Ubound(arrDeniedIPs) WScript.Echo arrDeniedIPs(i) next

'Kill Objects Set objIPRestrict = Nothing Set objWebSite = Nothing

To Delete All Previously Banned IPs, you would use the following code which overwrites all the IPs with one invalid IP.

strComputer = "localhost"

'Set Objects Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1") Set objIPRestrict = objWebSite.IPSecurity

objIPRestrict.GrantByDefault = True objIPRestrict.IPDeny = Array("0.0.0.0") objWebSite.IPSecurity = objIPRestrict objWebSite.SetInfo

'Kill Objects Set objIPRestrict = Nothing Set objWebSite = Nothing

If you find yourself needing to unban a single IP address, you can use the following code which gathers all the banned IPs except the one you want to delete and rebans them (IPDeny requires a full list each time you set it).

strComputer = "localhost"

'Set Objects Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1") Set objIPRestrict = objWebSite.IPSecurity

strUnbanSingleIP = "10.0.0.200" arrIPAddresses = objIPRestrict.IPDeny

For i = 0 to ubound(arrIPAddresses) strClientIP = Left(arrIPAddresses(i),InStr(arrIPAddresses(i),",")-1) If strClientIP <> strUnbanSingleIP Then If Len(strStillBanned) = 0 Then strStillBanned = strClientIP Else strStillBanned = strStillBanned & "," & strClientIP End If End If Next

If Len(strStillBanned) = 0 Then strStillBanned = "0.0.0.0" 'just in case it was the only one arrStillBannedIPs = split(strStillBanned,",")

objIPRestrict.IPDeny = arrStillBannedIPs objWebSite.IPSecurity = objIPRestrict objWebSite.SetInfo

'Kill Objects Set objIPRestrict = Nothing Set objWebSite = Nothing

If your script is successful, banned users will see the following message:

You are not authorized to view this page

HTTP 403.6 - Forbidden: IP address rejected

To show all of the current IPs which have been banned, run the following script

strComputer = "localhost"

'Set Objects Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1") Set objIPRestrict = objWebSite.IPSecurity

arrDeny = objWebSite.Get("IPSecurity").IPDeny For i = 0 to Ubound(arrDeny) strBannedIPs = strBannedIPs & arrDeny(i) & vbCrlf Next

If len(strBannedIPs) > 0 Then msgbox "IP, Subnet: " & vbCrLF & strBannedIPs Else msgbox "No IPs have been banned." End if

'Kill Objects Set objIPRestrict = Nothing Set objWebSite = Nothing

While I haven't tested it, the same scripts should work if you want to deny all IPs except those explicitly listed. To do so, simply set objIPRestrict.GrantByDefault to False and replace the above mentions of IPDeny with IPGrant. Same goes for MSFTPSVC -- if you want to modify the FTP service settings, just change the above instances of "W3SVC" to "MSFTPSVC".