VBScript: Windows XP/IIS 5.1 DOES Support Denying Access by IP Addresses
In helping a visitor to troubleshoot running my IIS FTP ban script, I realized that while XP makes it appear as though it doesn't support banning users by IP address, it actually does provide that support; you just have to ban the IPs programmatically.

Here, you can see that the IP address and domain name restrictions section is greyed out. However, you can use the following VBScript to enable and ban users in IIS' Default Web Site. The first script listed does the following:
- Ensures that GrantByDefault is set to True (which is the default anyway)
- Bans a few example IP addresses
- Confirms the addresses were successfully banned
```vbscript
strComputer = "localhost"
arrBanTheseIPs = Array("10.0.0.200", "42.42.42.42")

'Set Objects
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1")
Set objIPRestrict = objWebSite.IPSecurity

objIPRestrict.GrantByDefault = True
objIPRestrict.IPDeny = arrBanTheseIPs
objWebSite.IPSecurity = objIPRestrict
objWebSite.SetInfo

WScript.Echo "The following IP addresses are now banned:"
arrDeniedIPs = objIPRestrict.IPDeny
For i = 0 To UBound(arrDeniedIPs)
    WScript.Echo arrDeniedIPs(i)
Next

'Kill Objects
Set objIPRestrict = Nothing
Set objWebSite = Nothing
```
To delete all previously banned IPs, use the following code, which overwrites the whole list with one invalid IP:
```vbscript
strComputer = "localhost"

'Set Objects
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1")
Set objIPRestrict = objWebSite.IPSecurity

objIPRestrict.GrantByDefault = True
'Replace the entire deny list with a single invalid address
objIPRestrict.IPDeny = Array("0.0.0.0")
objWebSite.IPSecurity = objIPRestrict
objWebSite.SetInfo

'Kill Objects
Set objIPRestrict = Nothing
Set objWebSite = Nothing
```
If you find yourself needing to unban a single IP address, you can use the following code, which gathers all the banned IPs except the one you want to delete and rebans them (IPDeny requires a full list each time you set it):
```vbscript
strComputer = "localhost"

'Set Objects
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1")
Set objIPRestrict = objWebSite.IPSecurity

strUnbanSingleIP = "10.0.0.200"
arrIPAddresses = objIPRestrict.IPDeny

'Each entry is read back as "IP, subnet"; only the IP part is kept,
'so subnet masks on existing entries are not preserved
For i = 0 To UBound(arrIPAddresses)
    intComma = InStr(arrIPAddresses(i), ",")
    If intComma > 0 Then
        strClientIP = Trim(Left(arrIPAddresses(i), intComma - 1))
    Else
        strClientIP = Trim(arrIPAddresses(i)) 'entry without a subnet part
    End If
    If strClientIP <> strUnbanSingleIP Then
        If Len(strStillBanned) = 0 Then
            strStillBanned = strClientIP
        Else
            strStillBanned = strStillBanned & "," & strClientIP
        End If
    End If
Next

If Len(strStillBanned) = 0 Then
    strStillBanned = "0.0.0.0" 'just in case it was the only one
End If
arrStillBannedIPs = Split(strStillBanned, ",")

objIPRestrict.IPDeny = arrStillBannedIPs
objWebSite.IPSecurity = objIPRestrict
objWebSite.SetInfo

'Kill Objects
Set objIPRestrict = Nothing
Set objWebSite = Nothing
```
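Because IPDeny requires a full list each time you set it, the first script replaces any IPs that were banned earlier. The following added example (not part of the original post) appends to the existing list instead, keeps each entry's subnet mask, and skips malformed or duplicate addresses; `IsValidIPv4` is a hypothetical helper and the addresses in `arrNewBans` are constructed sample values.

```vbscript
Option Explicit
Dim strComputer, arrNewBans, objWebSite, objIPRestrict, dictBans
Dim arrCurrent, strEntry, strIP, intComma, i

strComputer = "localhost"
' Constructed sample input: one new IP, one possibly already banned, one malformed
arrNewBans = Array("10.0.0.201", "10.0.0.200", "999.1.1.1")
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1")
Set objIPRestrict = objWebSite.IPSecurity
Set dictBans = CreateObject("Scripting.Dictionary")

' Load the current entries keyed by IP, keeping each entry's subnet mask
arrCurrent = objIPRestrict.IPDeny
If IsArray(arrCurrent) Then
    For i = 0 To UBound(arrCurrent)
        strEntry = Replace(arrCurrent(i), " ", "")
        intComma = InStr(strEntry, ",")
        If intComma > 0 Then strIP = Left(strEntry, intComma - 1) Else strIP = strEntry
        ' Drop the 0.0.0.0 placeholder left behind by the "delete all" script
        If strIP <> "0.0.0.0" Then dictBans(strIP) = strEntry
    Next
End If

' Add only well-formed addresses that are not already on the list
For i = 0 To UBound(arrNewBans)
    strIP = Trim(arrNewBans(i))
    If Not IsValidIPv4(strIP) Then
        WScript.Echo "Skipped (not a valid IPv4 address): " & strIP
    ElseIf dictBans.Exists(strIP) Then
        WScript.Echo "Already banned: " & strIP
    Else
        dictBans(strIP) = strIP
        WScript.Echo "Added: " & strIP
    End If
Next

' IPDeny takes the complete list, so write back old and new entries together
If dictBans.Count > 0 Then
    objIPRestrict.IPDeny = dictBans.Items
    objWebSite.IPSecurity = objIPRestrict
    objWebSite.SetInfo
End If

' Hypothetical helper: True only for dotted-quad IPv4 with each octet 0-255
Function IsValidIPv4(strAddr)
    Dim objRegEx
    Set objRegEx = New RegExp
    objRegEx.Pattern = "^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$"
    IsValidIPv4 = objRegEx.Test(strAddr)
End Function
```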
If your script is successful, banned users will see the following message:
You are not authorized to view this page
HTTP 403.6 - Forbidden: IP address rejected
To show all of the current IPs which have been banned, run the following script:
```vbscript
strComputer = "localhost"

'Set Objects
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1")
Set objIPRestrict = objWebSite.IPSecurity

'Each entry is returned as an "IP, subnet" string
arrDeny = objWebSite.Get("IPSecurity").IPDeny
For i = 0 To UBound(arrDeny)
    strBannedIPs = strBannedIPs & arrDeny(i) & vbCrLf
Next

If Len(strBannedIPs) > 0 Then
    MsgBox "IP, Subnet: " & vbCrLf & strBannedIPs
Else
    MsgBox "No IPs have been banned."
End If

'Kill Objects
Set objIPRestrict = Nothing
Set objWebSite = Nothing
```
While I haven't tested it, the same scripts should work if you want to deny all IPs except those explicitly listed. To do so, simply set objIPRestrict.GrantByDefault to False and replace the above mentions of IPDeny with IPGrant. Same goes for MSFTPSVC -- if you want to modify the FTP service settings, just change the above instances of "W3SVC" to "MSFTPSVC".