Dynamic IP Restrictions for IIS 7.0 – Beta

ruslany — Tue, 17 Feb 2009 02:34:00 +0000

Today IIS team has released the Dynamic IP Restrictions Extension for IIS 7.0 – Beta. The Dynamic IP Restrictions Extension provides IT Professionals and Hosters a configurable module that helps mitigate or block Denial of Service Attacks or cracking of passwords through Brute-force by temporarily blocking Internet Protocol (IP) addresses of HTTP clients who follow a pattern that could be conducive to one of such attacks. This module can be configured such that the analysis and blocking could be done at the Web Server or the Web Site level.

Install the Dynamic IP Restrictions Beta Today!

Microsoft Dynamic IP Restrictions for IIS 7.0 – Beta (x86)

Microsoft Dynamic IP Restrictions for IIS 7.0 – Beta (x64)

If IIS already has IPv4 Address and IP restrictions module enabled then Dynamic IP Restrictions installer will need to un-install the existing module in order to continue the setup process. Note that the existing IPv4 configuration will be preserved while old module is removed and new module is installed.

Features

The Dynamic IP Restrictions includes these key features:

Blocking of IP addresses based on number of concurrent requests – If HTTP client makes many concurrent requests then that client’s IP address gets temporarily blocked.
Blocking of IP addresses based on number of requests over a period of time – If HTTP client makes many requests over short period of time then that client’s IP address gets temporarily blocked.
Various deny actions – it is possible to specify what response to return to an HTTP client whose IP address is blocked. The module can return status codes 403 and 404 or just drop the HTTP connection and do not return any response.
Logging of dynamically denied requests – all denied requests can be logged into a W3C formatted log file.
Displaying currently blocked IP addresses – a list of currently blocked IP addresses can be obtained by using IIS Manager or by using IIS RSCA API’s.
IPv6 – the module fully supports IPv6 addresses.

In additions to these features, the Dynamic IP Restrictions for IIS 7.0 provides the same functionality that exists in IIS 7.0 built-in IPv4 and Domain Restrictions. Because of that the Dynamic IP Restrictions is provided as a replacement for IPv4 and Domain Restrictions.

More information

Module walkthrough: http://learn.iis.net/page.aspx/548/using-dynamic-ip-restrictions/

Support forum: http://forums.iis.net/1043.aspx

How to secure WordPress admin directory on IIS 7.0

ruslany — Sat, 07 Feb 2009 01:00:36 +0000

Recently I was told about Smashing Magazine, which turned out to be a pretty useful site. It is targeted for web developers and web designers and it contains tons of information, tools and freebies for web developers. One of the article on that site was about 10 Steps To Protect The Admin Area in WordPress. In that article step #7 described how to use web server’s built-in authentication to provide an extra protection layer for wp-admin directory, where all WordPress admin scripts are located. The article described how to do that in Apache by using .htaccess file. In this post I will explain how to protect WordPress wp-admin directory on IIS 7.0 by using IIS built-in Forms Authentication.

Prerequisites

First thing to make sure is to confirm that IIS Forms authentication and URL authorization modules are installed and enabled on your IIS server. To quickly check that, open an elevated command prompt and run the following commands:

C:\Windows\System32\inetsrv>appcmd list modules | find "FormsAuthentication"
MODULE "FormsAuthentication" ( type: System.Web.Security.FormsAuthenticationModule,preCondition: )

C:\Windows\System32\inetsrv>appcmd list modules | find "UrlAuthorization"
MODULE "UrlAuthorization" ( type: System.Web.Security.UrlAuthorizationModule, preCondition: managedHandler )
MODULE "UrlAuthorizationModule" ( native, preCondition: )

If the output from the commands look similar to above then the necessary modules are installed.

Another thing to ensure is that the WordPress site is hosted in an Application Pool with Integrated Managed Pipeline Mode. To check that run the following command from elevated command prompt (replace “DefaultAppPool” with the name of your AppPool if necessary):

C:\Windows\System32\inetsrv>appcmd list apppools | find "DefaultAppPool"
APPPOOL "DefaultAppPool" (MgdVersion: v2.0,MgdMode: Integrated,state: Started)

The output should contain MgdMode:Integrated.

Configuration steps

Download the zip file below:

IIS Forms Authentication for WordPress (4.1 KB)

Extract the two folders – App_Code and App_Data – into the root folder or your WordPress web site. For example if your WordPress files are located in folder C:\inetpub\wwwroot, then there should be two new files present at the following paths:

C:\inetpub\wwwroot\App_Code\CustomProvider.cs
C:\inetpub\wwwroot\App_Data\Users.xml

The CustomProvider.cs file contains an implementation of membership provider for IIS that uses Users.xml file as a storage for usernames and passwords. To learn more about providers refer to the Membership Providers article. The code for CustomProvider.cs was literally copied from that article.

The Users.xml file is a simple credentials storage. Its content looks like below:


  
    your_username_here
    your_password_here
    user@ruslany.net

Note that it is important that this file is located in App_Data directory, because this directory, as well as App_Code, is protected by IIS Request Filtering module, which prevents anyone from requesting any files from these folders.

Also it is important to pick a user name and a password different from the ones that are used for the WordPress authentication.

Also extract the Login.aspx file into the root folder of the web site, e.g.:

C:\inetpub\wwwroot\Login.aspx

Now you need to register this custom membership provider and enable Forms authentication. To do that add the following XML configuration element into the element inside of the web.config file, located at the root folder of your WordPress site:

With the custom provider registered and configured, it is time to configure IIS to protect wp-admin folder with extra authentication that uses this custom provider. To do that add the following XML configuration fragment into the element inside of the web.config file, located at the root folder of the WordPress site:

Last thing you will need to do is to configure IIS modules that are used for Forms Authentication and for URL authorization to run for all kinds of requests. Both those modules are Managed modules (that is they are implemented using .NET Framework) and by default they are configured to run only for requests that are made for ASP.NET content. In order for them to work with PHP content then need to be configured to run for all requests. This can be done by using the following configuration section. Add it inside of / element:

At this point the WordPress wp-admin directory is protected by IIS Forms Authentication in addition to the standard WordPress authentication. Update the users.xml file with the username and password of your choice and then try to request http://localhost/wp-admin/. The IIS Forms Authentication logon page will be shown first:

Once you provided the user name and password as specified in users.xml file, the standard WordPress login page will be shown next. In that page you can provide your WordPress logon credentials:

Now the entire content of the wp-admin directory is protected by two different authentication mechanisms, which makes it harder for anyone to hack into it. And the nice thing about this configuration is that it can be done even if your site is hosted on a shared server. All that is necessary is to have ASP.NET and IIS URL authorization enabled on a shared server by a shared hosting provider.

Download all the necessary files as well as an example of web.config file from the link below.