Protecting Safewhere Identify using IP and domain restrictions
Introduction
IP Address and Domain Restrictions is one of the most useful built-in features of IIS. You can use it to selectively permit or deny access to an Identify instance and its resources (folders, files, or specific endpoints), which makes your Identify instance more secure. Specifically, we recommend that you:
- Restrict access to Admin sites to specific IPs, for example intranet IPs or a VPN IP.
- Restrict access to the REST API to specific IPs, for example intranet IPs or IPs of the servers that have REST API consumer applications installed.
- Throttle requests to the Identify runtime to mitigate brute-force attacks.
Installing IP and Domain Restrictions in IIS
To use the IP and Domain Restrictions feature, you need to install it first:
After the installation finishes, the IP Address and Domain Restrictions configuration will show up:
Limiting access to the Admin sites and REST API
Click to open the IP Address and Domain Restrictions page:
On the right-hand side, the Actions pane contains the elements used to define the rules that allow or deny specific IP addresses.
To restrict access to the Admin sites:
Click on the Admin application (note that the REST API is hosted in the same application)
Click on the Add Allow Entry setting in the right-hand side pane
Enter a specific IP address or an address range
Repeat the same steps for the Adminv2 application
Throttling requests
Because the Identify runtime must be open to end users, restricting access by IP address is not an option. Instead, you can use IIS' Dynamic IP Restriction Settings to guard against DoS and brute-force attacks.
To throttle requests to Identify:
Click on the Identify website
Click on the Edit Dynamic Restriction Settings setting in the right-hand side pane
Select the options you want to use and enter the corresponding numbers. Choose limits that are large enough to handle legitimate traffic but small enough to detect and deny malicious traffic.
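The IIS Manager steps above (the allow entries for the Admin and Adminv2 applications and the dynamic restrictions for the Identify website) end up as configuration in IIS' applicationHost.config. The fragment below is an added example, not part of Safewhere's documentation, showing what that configuration looks like; the site name Default Web Site, the application paths, the IP ranges and the limit values are assumed placeholders that you would replace with your own.

```xml
<!-- applicationHost.config fragment (added example; site/application names, IP ranges and limits are placeholders).
     ipSecurity and dynamicIpSecurity are locked at the server level by default, so they are written
     here in <location> elements rather than in each application's web.config. -->
<configuration>
  <!-- Admin application: hosts the Admin site and the REST API. Deny everything not explicitly allowed. -->
  <location path="Default Web Site/Admin">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false" denyAction="NotFound">
          <!-- Intranet range (placeholder) -->
          <add ipAddress="10.0.0.0" subnetMask="255.255.0.0" allowed="true" />
          <!-- VPN gateway or server hosting a REST API consumer (placeholder) -->
          <add ipAddress="203.0.113.10" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

  <!-- Adminv2 application: same allow list as Admin -->
  <location path="Default Web Site/Adminv2">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false" denyAction="NotFound">
          <add ipAddress="10.0.0.0" subnetMask="255.255.0.0" allowed="true" />
          <add ipAddress="203.0.113.10" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

  <!-- Identify runtime: must stay reachable by end users, so throttle per client IP instead of allow-listing -->
  <location path="Default Web Site">
    <system.webServer>
      <security>
        <dynamicIpSecurity enableLoggingOnlyMode="false" denyAction="Forbidden">
          <!-- Deny a client that has more than 20 requests in flight at the same time -->
          <denyByConcurrentRequests enabled="true" maxConcurrentRequests="20" />
          <!-- Deny a client that sends more than 60 requests within a 1-second window -->
          <denyByRequestRate enabled="true" maxRequests="60" requestIntervalInMilliseconds="1000" />
        </dynamicIpSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Before enforcing the dynamic limits, you can set enableLoggingOnlyMode="true" so that IIS only logs the requests it would have denied, which lets you tune maxRequests and maxConcurrentRequests against real traffic. Make sure the address you administer the server from is in the allow list before setting allowUnlisted="false", or you will lock yourself out of the Admin sites.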
Throttling OAuth 2.0 endpoints
Besides throttling at the IIS level, you can configure throttling at the endpoint level for some OAuth 2.0 endpoints by editing the OAuth 2.0 throttling policy in the Runtime's web.config:
To use it, you must enable the OAuth 2.0 endpoint throttling option setting on the System settings page:
When the OAuth 2.0 endpoint throttling option setting is enabled, the rate limits from the OAuth 2.0 endpoint time limitation per minute and OAuth 2.0 endpoint time limitation per second settings are applied to the configured endpoints.
Endpoint-level throttling is not yet supported for the other OAuth 2.0 endpoints.
Note that when the OAuth 2.0 enable open registration option setting is enabled, users can send registration requests to the OIDC Provider without an access token. These requests must be rate-limited, or the registration endpoint must be placed behind a firewall, to prevent denial-of-service attacks. Because the registration endpoint is on the Admin application, you can apply IP Address restrictions or Dynamic IP Restriction Settings to the whole Admin application.
Restrict access for the whole server
To restrict access for the whole server, select the root server node, choose the IP Address and Domain Restrictions option, and then perform the same steps described above for an Identify instance.
Reference
You can read more about the IIS features mentioned above at https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-dynamic-ip-address-restrictions.