VBScript: Windows XP/IIS 5.1 DOES Support Denying Access by IP Addresses

In helping a visitor to troubleshoot running my IIS FTP ban script, I realized that while XP makes it appear as though it doesn’t support banning users by IP address, it actually does provide that support; you just have to ban the IPs programmatically.

Here, you can see that the IP address and domain name restrictions section is greyed out. However, you can use the following VBScript to enable and ban users in IIS’ Default Web Site. The first script listed does the following:

1. Ensures that GrantByDefault is set to true (which is the default anyway)
2. Bans a few example IP addresses
3. Confirms the addresses were successfully banned

strComputer = "localhost"
arrBanTheseIPs = Array("10.0.0.200","42.42.42.42")

'Set Objects
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1")
Set objIPRestrict = objWebSite.IPSecurity

objIPRestrict.GrantByDefault = True
objIPRestrict.IPDeny = arrBanTheseIPs
objWebSite.IPSecurity = objIPRestrict
objWebSite.SetInfo

WScript.Echo "The following IP addresses are now banned:"
arrDeniedIPs = objIPRestrict.IPDeny
For i = 0 To UBound(arrDeniedIPs)
    WScript.Echo arrDeniedIPs(i)
Next

'Kill Objects
Set objIPRestrict = Nothing
Set objWebSite = Nothing

To delete all previously banned IPs, use the following code, which overwrites the whole list with one invalid IP.

strComputer = "localhost"

'Set Objects
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1")
Set objIPRestrict = objWebSite.IPSecurity

objIPRestrict.GrantByDefault = True
objIPRestrict.IPDeny = Array("0.0.0.0")
objWebSite.IPSecurity = objIPRestrict
objWebSite.SetInfo

'Kill Objects
Set objIPRestrict = Nothing
Set objWebSite = Nothing

If you find yourself needing to unban a single IP address, you can use the following code, which gathers all the banned IPs except the one you want to delete and re-bans them (IPDeny requires a full list each time you set it).

strComputer = "localhost"

'Set Objects
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1")
Set objIPRestrict = objWebSite.IPSecurity

strUnbanSingleIP = "10.0.0.200"
arrIPAddresses = objIPRestrict.IPDeny

For i = 0 To UBound(arrIPAddresses)
    'Keep only the part of each entry before the comma (the IP address)
    strClientIP = Left(arrIPAddresses(i), InStr(arrIPAddresses(i), ",") - 1)
    If strClientIP <> strUnbanSingleIP Then
        If Len(strStillBanned) = 0 Then
            strStillBanned = strClientIP
        Else
            strStillBanned = strStillBanned & "," & strClientIP
        End If
    End If
Next

If Len(strStillBanned) = 0 Then strStillBanned = "0.0.0.0" 'just in case it was the only one
arrStillBannedIPs = Split(strStillBanned, ",")

objIPRestrict.IPDeny = arrStillBannedIPs
objWebSite.IPSecurity = objIPRestrict
objWebSite.SetInfo

'Kill Objects
Set objIPRestrict = Nothing
Set objWebSite = Nothing

If your script is successful, banned users will see the following message:

You are not authorized to view this page

HTTP 403.6 – Forbidden: IP address rejected

To show all of the current IPs which have been banned, run the following script:

strComputer = "localhost"

'Set Objects
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1")
Set objIPRestrict = objWebSite.IPSecurity

arrDeny = objWebSite.Get("IPSecurity").IPDeny
For i = 0 To UBound(arrDeny)
    strBannedIPs = strBannedIPs & arrDeny(i) & vbCrLf
Next

If Len(strBannedIPs) > 0 Then
    MsgBox "IP, Subnet: " & vbCrLf & strBannedIPs
Else
    MsgBox "No IPs have been banned."
End If

'Kill Objects
Set objIPRestrict = Nothing
Set objWebSite = Nothing

While I haven’t tested it, the same scripts should work if you want to deny all IPs except those explicitly listed. To do so, simply set objIPRestrict.GrantByDefault to False and replace the above mentions of IPDeny with IPGrant. Same goes for MSFTPSVC — if you want to modify the FTP service settings, just change the above instances of “W3SVC” to “MSFTPSVC”.
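
Because IPDeny takes the full list each time it is set, the first script above replaces whatever was banned before. The script below is an added example, not part of the original post: it bans one more address while keeping the existing entries and their subnets. It assumes entries read back in the "IP, subnet" form the unban script relies on; the address 10.0.0.201 is a constructed sample.

```vbscript
Option Explicit
Dim strComputer, strNewIP, objWebSite, objIPRestrict
Dim arrCurrent, arrNew(), i, n, strIP, blnAlreadyBanned

strComputer = "localhost"
strNewIP = "10.0.0.201"            'constructed sample address

Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1")
Set objIPRestrict = objWebSite.IPSecurity

arrCurrent = objIPRestrict.IPDeny  'entries assumed to read back as "IP, subnet"
n = -1
blnAlreadyBanned = False

If IsArray(arrCurrent) Then
    For i = 0 To UBound(arrCurrent)
        'Compare on the IP part only; the appended comma guards against an empty entry
        strIP = Trim(Split(arrCurrent(i) & ",", ",")(0))
        If strIP = strNewIP Then blnAlreadyBanned = True
        'Carry every real entry over unchanged (subnet included);
        'drop the 0.0.0.0 placeholder left by the "delete all" script
        If strIP <> "0.0.0.0" Then
            n = n + 1
            ReDim Preserve arrNew(n)
            arrNew(n) = arrCurrent(i)
        End If
    Next
End If

If blnAlreadyBanned Then
    WScript.Echo strNewIP & " is already banned; nothing changed."
Else
    n = n + 1
    ReDim Preserve arrNew(n)
    arrNew(n) = strNewIP
    objIPRestrict.IPDeny = arrNew  'IPDeny always takes the full list
    objWebSite.IPSecurity = objIPRestrict
    objWebSite.SetInfo
    WScript.Echo strNewIP & " added; " & (n + 1) & " address(es) now banned."
End If

'Kill Objects
Set objIPRestrict = Nothing
Set objWebSite = Nothing
```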

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, holds a master's degree in Systems Engineering and is coauthor of Learn dbatools in a Month of Lunches. Chrissy is certified in SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.
