
    Protecting Safewhere Identify using IP and domain restrictions

    Introduction

    IP Address and Domain Restrictions is one of the most useful built-in features of IIS. You can use it to selectively permit or deny access to an Identify instance and its resources (folders, files, or individual endpoints), which makes your Identify instance more secure. Specifically, we recommend that you:

    • Restrict access to Admin sites to specific IPs, for example intranet IPs or a VPN IP.
    • Restrict access to the REST API to specific IPs, for example intranet IPs or IPs of the servers that have REST API consumer applications installed.
    • Throttle requests to Identify runtime to mitigate brute-force attacks.

    Installing IP and Domain Restrictions in IIS

    To use the IP and Domain Restrictions feature, you need to install it first:

    [Screenshot: Select server roles]

    After the installation finishes, the IP Address and Domain Restrictions configuration will show up:

    [Screenshot: IP Address and Domain Restrictions option]

    Limiting access to the Admin sites and REST API

    Click to open the IP Address and Domain Restrictions page:

    [Screenshot: IP Address and Domain Restrictions configuration panel]

    The Actions pane on the right-hand side contains the controls for defining the rules that allow or deny specific IP addresses.

    To restrict access to the Admin sites:

    1. Click on the Admin application (note that the REST API is hosted in the same application)

      [Screenshot: selecting the Admin application]

    2. Click Add Allow Entry in the right-hand side pane

      [Screenshot: Add Allow Entry]

    3. Enter a specific IP address or an address range

      [Screenshot: entering an IP address or a range of IP addresses]

    4. Repeat the same steps for the Adminv2 application

    Throttling requests

    Because the Identify runtime must be open to end users, restricting access by IP is not an option there. Instead, you can use the Dynamic IP Restriction Settings of IIS to guard against DoS and brute-force attacks.

    To throttle requests to Identify:

    1. Click on the Identify website

      [Screenshot: Dynamic IP Restriction Settings]

    2. Click Edit Dynamic Restriction Settings in the right-hand side pane

      [Screenshot: Edit Dynamic Restriction Settings selected]

    3. Select the options that you want to use and enter the corresponding limits. Choose limits that are large enough to serve legitimate traffic but small enough to detect and deny malicious traffic.

      [Screenshot: Dynamic IP Restriction Settings configuration]
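    The two procedures above (allow-listing the Admin and Adminv2 applications, and enabling dynamic restrictions on the Identify site) can also be expressed as IIS configuration, which is easier to review and keep under version control. The following is an added example, not configuration shipped with Identify: it assumes an IIS site named Identify with applications Admin and Adminv2, uses the constructed addresses 10.0.0.0/8 (intranet) and 203.0.113.10 (VPN egress), and belongs in applicationHost.config because the ipSecurity and dynamicIpSecurity sections are locked against web.config overrides by default.

```xml
<!-- Added example for applicationHost.config (not part of the Identify product).
     Assumed site/application paths: Identify, Identify/Admin, Identify/Adminv2.
     Constructed addresses: 10.0.0.0/8 intranet range, 203.0.113.10 VPN egress. -->
<configuration>
  <!-- Admin application (also hosts the REST API): deny everything not listed.
       NotFound answers unlisted clients with 404, so the site's existence is not revealed. -->
  <location path="Identify/Admin">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false" denyAction="NotFound">
          <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="true" />
          <add ipAddress="203.0.113.10" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

  <!-- Adminv2 gets the same allow-list (step 4 of the procedure). -->
  <location path="Identify/Adminv2">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false" denyAction="NotFound">
          <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="true" />
          <add ipAddress="203.0.113.10" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

  <!-- The runtime must stay reachable by end users, so it is throttled instead of allow-listed.
       Limits below are illustrative starting points and must be tuned to real traffic. -->
  <location path="Identify">
    <system.webServer>
      <security>
        <dynamicIpSecurity denyAction="Forbidden" enableLoggingOnlyMode="false">
          <!-- More than 20 simultaneous requests from one client IP are refused. -->
          <denyByConcurrentRequests enabled="true" maxConcurrentRequests="20" />
          <!-- More than 100 requests from one client IP within 5 seconds are refused. -->
          <denyByRequestRate enabled="true" maxRequests="100" requestIntervalInMilliseconds="5000" />
        </dynamicIpSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Setting enableLoggingOnlyMode="true" first records which clients would have been blocked without actually blocking them, which is the practical way to calibrate the thresholds the step above asks for. If Identify sits behind a reverse proxy or load balancer, both sections also need enableProxyMode="true" so that IIS evaluates the X-Forwarded-For client address instead of the proxy's own address.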

    Throttling OAuth 2.0 endpoints

    Besides throttling at the IIS level, you can configure throttling at the endpoint level for some OAuth 2.0 endpoints by editing the OAuth 2.0 throttling policy in the Runtime's web.config:

    [Screenshot: OAuth throttle policy]

    To use it, you must enable the OAuth 2.0 endpoint throttling option setting on the System settings page:

    [Screenshot: OAuth limitation rates]

    When the OAuth 2.0 endpoint throttling option setting is enabled, the limitation rates configured in the OAuth 2.0 endpoint time limitation per minute and OAuth 2.0 endpoint time limitation per second settings are applied to the configured endpoints.

    Throttling at the endpoint level is not yet supported for the other OAuth 2.0 endpoints.

    Note that when the OAuth 2.0 enable open registration option setting is enabled, users can send registration requests to the OIDC Provider without an access token. These requests must be rate-limited, or the registration endpoint must be placed behind a firewall, to prevent denial-of-service attacks. Because the registration endpoint is part of the Admin application, you can apply the IP Address restrictions or the Dynamic IP Restriction Settings to the whole Admin application.

    Restrict access for the whole server

    To restrict access for the whole server, select the root server node, choose the IP Address and Domain Restrictions option, and then perform the same steps described above for an Identify instance.

    [Screenshot: IP and Domain Restrictions configuration for the server]

    Reference

    You can read more about the IIS features mentioned above at https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-dynamic-ip-address-restrictions.
