2

The web.config on a fresh IIS install contains the sites configuration details, except for <ipSecurity>. However, the (site local) IP restrictions work fine and can be edited through the IIS manager console.

In my web.config I do see things like

<rewrite>
    <rules>
...

but I do not see any IP security rules, that I add tthrough the IIS manager (like feature settings or allow/forbidden addresses). I expected to find them here, just like any other setting.

bjoster
  • 4,805
  • 5
  • 25
  • 33
  • https://docs.microsoft.com/en-us/iis/get-started/planning-your-iis-architecture/deep-dive-into-iis-configuration-with-iis-7-and-iis-8#configuration-levels Read from "Security: Occasionally, machine administrators want to be able to control the configuration everywhere on the server". – Lex Li Apr 26 '21 at 16:51

1 Answers1

4

The web.config file in the root of your web site is not the only file where configuration is/can be stored in IIS.

Further web.config file can exist in sub-folders of your site.

Many settings are by default not supposed to be saved in the site's web.config and therefor be edited by a normal user. These settings are stored in a central file which also has the configuration for the server level.

the file is at:

 C:\Windows\System32\inetsrv\Config\ApplicationHost.config

IP security rules are by default stored in ApplicationHost.config

If you open IIS Manager and select the server level, and then under Management click on the Feature Delegation icon you can see a list of features.

IP Address and Domain Restrictions are listed as Read Only which means they can only bo stored in the ApplicationHost.config file. If you change this to Read/Write they may be stored in your site's web.config file as well.

If you are going to use IIS a lot, make yourself familiar with the hierarchical configuration system in IIS.

Peter Hahndorf
  • 14,058
  • 3
  • 41
  • 58