If you're a web administrator who often works with Internet Information Services (IIS), you most likely already know about IP Address and Domain Restrictions, a great built-in feature of IIS8 that lets you selectively allow or deny access to the web server, websites, folders or files, making your server more secure.
However, this feature comes with some major flaws. For example, we can't modify individual entries (to edit their IP address, say): we can only delete them and add them again. Furthermore, we can't add notes, descriptions or other metadata to these entries, which would be very helpful to give an actual "name" to those IP addresses, so that we don't forget why we put them there or which service (or person) they belong to. Last but not least, we are completely unable to print or export a human-readable list of the blocked (or allowed) IP addresses.
To fix the first two flaws we would need to develop dedicated software with read and write permissions to some critical system files, which would be rather complex to implement. Luckily, the "human-readable list" can be generated quite easily, since it only requires querying appcmd.exe, normalizing the generated output and printing it to a text file.
That's what this post is about: introducing IIS-RestrictedAddressList, a simple PowerShell script that can be used to export the IIS IP Address and Domain Restriction settings to a text list.
```powershell
# ===============================================================================================
# IIS - Restricted Address List
# PowerShell script to export the IIS IP Address and Domain Restriction settings to a text list
# -----------------------------------------------------------------------------------------------
# (C) 2022, www.ryadel.com
#
# - GITHUB: https://github.com/Darkseal/IIS-RestrictedAddressList
# - WEBSITE: https://www.ryadel.com/en/iis-ip-address-and-domain-restriction-export
# ===============================================================================================
#

# Default export file: IPRestricted_ExportList.txt in the folder the script is launched from
$defaultExportFile = (Get-Item -Path '.\' -Verbose).FullName + "\" + "IPRestricted_ExportList.txt"

[string]$SitesVar = Read-Host "Enter one or more websites, separated by ','"
$exportFile = Read-Host "Enter the full export file name and path (default: '$defaultExportFile')"

# appcmd.exe lives in the inetsrv folder
Set-Location c:\windows\system32\inetsrv\

$a = 0
$sites = $SitesVar.Split(",")
$count = $sites.Count

if ($exportFile -eq "") {
    $exportFile = $defaultExportFile
}

# Start from an empty file on every run
if (Test-Path $exportFile) {
    Remove-Item $exportFile
}

do {
    foreach ($site in $sites) {
        $site = $site.Trim()
        Add-Content -Path $exportFile -Value "---------------------------------------------"
        Add-Content -Path $exportFile -Value $site
        Add-Content -Path $exportFile -Value "---------------------------------------------"

        # Read the ipSecurity section of the site as XML
        [xml]$out = .\appcmd.exe list config $site -section:system.webServer/security/ipSecurity
        $out."system.webserver"."security"."ipsecurity" | ForEach-Object {
            # Split on each of the characters < * > / (passed as a char array so that every
            # PowerShell version treats them as separate delimiters), then drop the "add " prefix
            Add-Content -Path $exportFile -Value ($_.innerxml.Split("<*>/".ToCharArray(),[System.StringSplitOptions]::RemoveEmptyEntries) -replace "add ", "" -join "`n")
            # $_.innerxml.Split("<*>/",[System.StringSplitOptions]::RemoveEmptyEntries) -replace "add ", "" -join "`n" | out-file -FilePath $exportFile
        }
        Add-Content -Path $exportFile -Value "`n"
        $a++
    }
} while ($a -ne $count)
```
As we can see, the script lets us specify a single website or multiple (comma-separated) websites, and writes a text file containing a list of all the allowed or denied IP addresses, in the following format:
```
---------------------------------------------
website1.example.com
---------------------------------------------
ipAddress="90.188.92.0" subnetMask="255.255.255.0" allowed="true"
ipAddress="127.0.0.1" allowed="true"
ipAddress="10.100.0.12" allowed="true"

---------------------------------------------
website2.example.com
---------------------------------------------
ipAddress="127.0.0.1" allowed="true"
ipAddress="10.100.0.12" allowed="true"
```
In the above file we can see the list for two different websites: website1.example.com and website2.example.com.
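Since IIS keeps no notes for these entries, the exported list can be parsed back into objects and matched against a notes table kept by hand, so that undocumented addresses stand out. The following is an added example, not part of the IIS-RestrictedAddressList script: the function name `ConvertFrom-RestrictionExport`, the `$notes` table and the sample text are assumptions made up for illustration.

```powershell
# Added example: constructed sample in the export format shown above
$export = @'
---------------------------------------------
website1.example.com
---------------------------------------------
ipAddress="90.188.92.0" subnetMask="255.255.255.0" allowed="true"
ipAddress="127.0.0.1" allowed="true"
ipAddress="10.100.0.12" allowed="true"
---------------------------------------------
website2.example.com
---------------------------------------------
ipAddress="127.0.0.1" allowed="true"
ipAddress="10.100.0.12" allowed="true"
'@

# Hypothetical notes table maintained by the administrator (not an IIS feature)
$notes = @{
    '90.188.92.0' = 'Branch office range'
    '127.0.0.1'   = 'Loopback / local health checks'
}

function ConvertFrom-RestrictionExport {
    param([string]$Text, [hashtable]$Notes)
    $site = $null
    $lines = $Text -split "\r?\n"
    for ($i = 0; $i -lt $lines.Count; $i++) {
        $line = $lines[$i].Trim()
        if ($line -match '^-+$') {
            # A site name sits between two separator lines
            if ($i + 2 -lt $lines.Count -and $lines[$i + 2].Trim() -match '^-+$') {
                $site = $lines[$i + 1].Trim(); $i += 2
            }
            continue
        }
        if ($line -notmatch 'ipAddress=') { continue }   # only IP entries are handled here
        $attr = @{}
        foreach ($m in [regex]::Matches($line, '(\w+)="([^"]*)"')) {
            $attr[$m.Groups[1].Value] = $m.Groups[2].Value
        }
        [pscustomobject]@{
            Site       = $site
            IpAddress  = $attr['ipAddress']
            SubnetMask = if ($attr.ContainsKey('subnetMask')) { $attr['subnetMask'] } else { '255.255.255.255' }
            Allowed    = $attr['allowed'] -eq 'true'
            Note       = if ($Notes.ContainsKey($attr['ipAddress'])) { $Notes[$attr['ipAddress']] } else { 'UNDOCUMENTED' }
        }
    }
}

$entries = ConvertFrom-RestrictionExport -Text $export -Notes $notes
$entries | Format-Table -AutoSize
# Entries without a note are the ones to review first
$entries | Where-Object Note -eq 'UNDOCUMENTED' | Select-Object Site, IpAddress
```

To run it against a real export, replace the sample with `Get-Content -Raw` on the file the script produced; piping `$entries` to `Export-Csv` gives a list that can be reviewed or versioned.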
Conclusions
We hope that our PowerShell script will be useful to other web administrators who need to export a list of their IP Address and Domain Restrictions entries - just like we did.