IP Address and Domain Restrictions is a built-in IIS feature that lets you selectively permit or deny access to an Identify instance and its resources (folders, files, or individual endpoints), which makes the instance harder to attack. Specifically, we recommend that you:
- Restrict access to Admin sites to specific IPs, for example intranet IPs or a VPN IP.
- Restrict access to the REST API to specific IPs, for example intranet IPs or IPs of the servers that have REST API consumer applications installed.
- Throttle requests to the Identify runtime to mitigate DoS and brute-force attacks.
Installing IP and Domain Restrictions in IIS
To use the IP and Domain Restrictions feature, you need to install it first:
After the installation finishes, the IP Address and Domain Restrictions feature appears in IIS Manager:
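The same installation done from an elevated PowerShell prompt instead of Server Manager, as an added example that is not part of the Identify documentation. The role-service name `Web-IP-Security` (Windows Server) and the optional-feature name `IIS-IPSecurity` (client Windows) are the names IIS uses; the final check lists the two IIS modules that the feature registers.

```powershell
# Added example (not from the Identify documentation): install the
# IP and Domain Restrictions module with PowerShell. Run elevated on the
# Identify server.

# On Windows Server the role service is named Web-IP-Security.
Import-Module ServerManager
$feature = Get-WindowsFeature -Name Web-IP-Security
if (-not $feature.Installed) {
    Install-WindowsFeature -Name Web-IP-Security
}

# On a client OS (for example a developer box) the optional feature is IIS-IPSecurity:
# Enable-WindowsOptionalFeature -Online -FeatureName IIS-IPSecurity

# Verify that IIS now has both the static module (IpRestrictionModule) and the
# dynamic one (DynamicIpRestrictionModule). If either is missing, the matching
# page in IIS Manager will not appear.
Import-Module WebAdministration
Get-WebGlobalModule | Where-Object { $_.Name -like '*IpRestriction*' }
```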
Limiting access to the Admin sites and REST API
Click to open the IP Address and Domain Restrictions page:
The Actions pane on the right-hand side holds the entries used to define the rules that allow or deny specific IP addresses.
To restrict access to the Admin sites:
- Click on the Admin application (note that the REST API is hosted in the same application)
- Click Add Allow Entry in the Actions pane on the right-hand side
- Enter a specific IP address or an address range
- Click Edit Feature Settings in the Actions pane and set Access for unspecified clients to Deny. Without this step the Allow entries have no effect, because IIS allows unlisted clients by default.
- Repeat the same steps for the Adminv2 application
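The same restriction applied with the WebAdministration module, as an added example (not code from the Identify product or its documentation). The site name `Identify`, the application paths `Admin` and `Adminv2`, and the intranet range and VPN address are assumptions; substitute your own. The rules are written to the `<location>` element in applicationHost.config, which is where IIS Manager also writes them and which works even though the `ipSecurity` section is locked for web.config by default.

```powershell
# Added example (not part of the Identify documentation): restrict the Admin
# and Adminv2 applications (Admin also hosts the REST API) to a management
# subnet and one VPN egress address.
Import-Module WebAdministration

$site    = 'Identify'               # assumed IIS site name
$apps    = @('Admin', 'Adminv2')    # assumed application paths under the site
$allowed = @(
    @{ ipAddress = '10.20.0.0';    subnetMask = '255.255.255.0'   }, # assumed intranet range
    @{ ipAddress = '203.0.113.10'; subnetMask = '255.255.255.255' }  # assumed VPN egress IP
)
$filter  = 'system.webServer/security/ipSecurity'

foreach ($app in $apps) {
    $location = "$site/$app"

    # Start from a clean section for this location so the script can be re-run
    # without hitting "duplicate collection entry" errors.
    Clear-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location -Filter $filter

    foreach ($entry in $allowed) {
        Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
            -Filter $filter -Name '.' `
            -Value @{ ipAddress = $entry.ipAddress; subnetMask = $entry.subnetMask; allowed = 'True' }
    }

    # An Allow entry alone changes nothing: unlisted clients are allowed by default.
    # Deny them, and answer with 403 so blocked attempts are visible in the IIS log.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
        -Filter $filter -Name 'allowUnlisted' -Value $false
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
        -Filter $filter -Name 'denyAction' -Value 'Forbidden'
}

# Show the effective rules per application for review.
foreach ($app in $apps) {
    "--- $site/$app ---"
    Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/$app" -Filter "$filter/add" |
        Select-Object ipAddress, subnetMask, allowed
}
```

Two things to check before relying on this. First, test from an address outside the allowed set and confirm you get a 403 rather than the Admin login page; an Allow list that is never denied for unlisted clients is the most common misconfiguration of this feature. Second, if Identify sits behind a load balancer or reverse proxy, the module sees the proxy's address, not the client's, so every rule matches the proxy; the feature's Proxy Mode setting (`enableProxyMode`) makes IIS evaluate the `X-Forwarded-For` header instead, but only enable it when the proxy overwrites that header, since a client can otherwise forge it and bypass the restriction. Omitting `-Location` writes the same rules at server level.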
Because the Identify runtime must be reachable by end users, restricting it by IP address is not an option. Instead, use IIS' Dynamic IP Restriction settings to guard against DoS and brute-force attacks.
To throttle requests to Identify:
Click on the Identify website
Click Edit Dynamic Restriction Settings in the Actions pane on the right-hand side
Select the options you want to use and enter the corresponding limits. Choose limits that are large enough to handle legitimate traffic but small enough to detect and deny malicious traffic. Enable Logging Only Mode first and review the IIS log before enforcing, so that a limit that is too low does not lock out legitimate users.
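The same Dynamic IP Restriction settings applied with PowerShell, as an added example that is not part of the Identify documentation. The site name `Identify` and the two thresholds (20 concurrent requests; 100 requests per 1,000 ms) are assumptions to be tuned against your own traffic; the attribute names are those of the `dynamicIpSecurity` section in applicationHost.config.

```powershell
# Added example (not part of the Identify documentation): configure Dynamic IP
# Restrictions on the Identify site, starting in logging-only mode.
Import-Module WebAdministration

$site = 'Identify'   # assumed IIS site name
$base = 'system.webServer/security/dynamicIpSecurity'

function Set-DipsProperty([string]$Section, [string]$Name, $Value) {
    # Writes to the <location path="Identify"> block of applicationHost.config.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
        -Filter $Section -Name $Name -Value $Value
}

# Logging-only mode: offending requests are recorded in the IIS log but still
# served, so the thresholds can be validated against real traffic first.
Set-DipsProperty $base 'enableLoggingOnlyMode' $true

# Deny a client that has more than 20 requests in flight at the same time.
Set-DipsProperty "$base/denyByConcurrentRequests" 'enabled' $true
Set-DipsProperty "$base/denyByConcurrentRequests" 'maxConcurrentRequests' 20

# Deny a client that sends more than 100 requests within a 1,000 ms window
# (assumed values; a browser login page needs far fewer than this).
Set-DipsProperty "$base/denyByRequestRate" 'enabled' $true
Set-DipsProperty "$base/denyByRequestRate" 'maxRequests' 100
Set-DipsProperty "$base/denyByRequestRate" 'requestIntervalInMilliseconds' 1000

# Return 403 to blocked clients so the events are easy to find in the IIS log.
Set-DipsProperty $base 'denyAction' 'Forbidden'

# After the log shows only abusive clients being flagged, switch to enforcing:
# Set-DipsProperty $base 'enableLoggingOnlyMode' $false

# Print the resulting section for review.
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site -Filter $base |
    Select-Object enableLoggingOnlyMode, denyAction,
        @{ n = 'maxConcurrentRequests';        e = { $_.denyByConcurrentRequests.maxConcurrentRequests } },
        @{ n = 'maxRequests';                  e = { $_.denyByRequestRate.maxRequests } },
        @{ n = 'requestIntervalInMilliseconds'; e = { $_.denyByRequestRate.requestIntervalInMilliseconds } }
```

The same reverse-proxy caveat applies here with more force: behind a load balancer all requests arrive from the proxy's address, so a rate limit that is not evaluated in Proxy Mode (`enableProxyMode`) against a trustworthy `X-Forwarded-For` header will throttle every user at once. Note also that Dynamic IP Restrictions counts requests per address, not failed logins; it slows a single-source brute-force attack but does not replace account lockout or throttling in Identify itself.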
Restrict access for the whole server
To restrict access for the whole server, select the server node in IIS Manager, open IP Address and Domain Restrictions, and perform the same steps as described above for an Identify instance. Rules set at the server level apply to every site on it unless a site or application overrides them.
You can read more about the IIS features mentioned above at https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-dynamic-ip-address-restrictions.