Protecting Safewhere Identify using IP and domain restrictions

Introduction

IP Address and Domain Restrictions is one of the great built-in features of IIS. You can use it to selectively permit or deny access to an Identify instance and its resources (folders, files, or some endpoints) that make your Identify instance more secure. Specifically, we recommend that you should:

  • Restrict access to Admin sites to specific IPs, for example intranet IPs or a VPN IP.
  • Restrict access to the REST API to specific IPs, for example intranet IPs or IPs of the servers that have REST API consumer applications installed.
  • Throttle requests to Identify runtime to mitigate brute-force attacks.

Installing IP and Domain Restrictions in IIS

To use the IP and Domain Restrictions feature, you need to install it first:

select-server-roles-screen

After the installation finishes, the IP Address and Domain Restrictions configuration will show up:

ip-address-and-domain-restrictions-option

Limiting access to the Admin sites and REST API

Click to open the IP Address and Domain Restrictions page:

ip-and-domain-restrictions-configuration-panel

On the right-hand side, the Actions panel elements are the elements used for defining the rules for allowing or denying the specific IP address(es).

To restrict access to the Admin sites:

  1. Click on the Admin application (note that the REST API is hosted in the same application)

    click-to-the-website-aplication

  2. Click on the Add Allow Entry setting on the right-hand site pane

    click-to-the-add-entry

  3. Enter a specific IP address or an address range

    enter-ip-address-or-range-of-ip-addresses

  4. Repeat the same steps for the Adminv2 application

Throttling requests

Because Identify runtime must be opened to end users, restricting access using IPs is not an option. Instead, you can use IIS' Dynamic IP Restriction Settings to guard against DoS and brute-force attacks.

To throttle requests to Identify:

  1. Click on the Identify website

    dynamic ip registration settings

  2. Click on the Edit Dynamic Restriction Settings setting on the right-hand site pane

    dynamic-ip-registration-settings-selected

  3. Select options that you want to use and enter necessary numbers accordingly. You need to select limits that are big enough to handle valid traffics but are small enough to detect and deny malicious traffics.

    dynamic-ip-registration-settings-configuration

Restrict access for the whole server

To restrict access for the whole server, you need to select the root server, then choose the option IP Address and Domain Restrictions, and then perform the same steps above as you configured for an Identify instance.

ip-and-domain-restrictions-configuration-for-server

Reference

You can read more about all IIS' features that are mentioned previously at https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-dynamic-ip-address-restrictions.