We have an IIS site right now that has an allow list for a specific list of IP addresses, and all other IPs denied by default. We want to add another rule, that states that if the request coming in as a user-agent of a specific value, then allow it, regardless of if the IP is on the allow list or not. Is this possible?
Asked
Active
Viewed 1,258 times
0
-
What version of IIS are you using? – Evan Anderson Oct 23 '14 at 15:09
-
IIS 7.5 windows server 2008 r2 – M.R. Oct 23 '14 at 15:17
1 Answers
1
I don't see an easy solution for you in the stock IIS functionality. The <ipSecurity> HTTP module doesn't support factoring-in the User-Agent as part of the block decision, and the <filteringRules> module doesn't support using the client IP address.
I think you're going to be stuck writing a custom IIS module to do what you want.
Do remember that the User-Agent field is under the control of the client, so basing some kind of security decision on it is probably ill advised.
Evan Anderson
- 141,881
- 20
- 196
- 331