Other IIS Security Features

There are a couple of other ways you can control access to your Web server. They are generally less useful, but you may find that they fit in with your applications. In particular, the first of these can be used when you implement an Extranet, where you only want to permit access for a selected set of customers.

Limiting Access By IP Address

If you only want to allow particular users or groups of users to access your site, you can use the IP Address and Domain Restrictions dialog to grant access only to specific IP addresses, and deny all others. Alternatively, though this is generally less useful, you can deny access to specific IP addresses and allow access to all others.

However, recall that (as we discussed earlier) many Web users dial into the Internet via an ISP who allocates IP addresses on demand, and so this type of user's IP address will be different each time they visit your site.
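
The two modes of the dialog, and the dial-up problem just described, can be modelled in a few lines. This is an added example, not code from the book or from IIS: the IPRestrictions class, the visit labels and all addresses (documentation ranges) are constructed for illustration, and it assumes an entry may be a single address or a network range.

```python
import ipaddress


class IPRestrictions:
    """Hypothetical model of grant-by-default / deny-by-default IP rules."""

    def __init__(self, default_grant, exceptions):
        # default_grant=False: all clients denied except the listed entries.
        # default_grant=True: all clients granted except the listed entries.
        self.default_grant = default_grant
        # Assumption: an entry is one address or a network in CIDR notation.
        self.exceptions = [ipaddress.ip_network(e, strict=False) for e in exceptions]

    def allows(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        listed = any(addr in net for net in self.exceptions)
        # A listed client receives the opposite of the default decision.
        return (not self.default_grant) if listed else self.default_grant


def evaluate(policy, visits):
    """Return {label: granted?} for a list of (label, ip) visits."""
    return {label: policy.allows(ip) for label, ip in visits}


# Constructed visits (documentation address ranges, not real hosts).
VISITS = [
    ("office customer, fixed address", "192.0.2.10"),
    ("dial-up customer, first visit", "198.51.100.23"),
    ("dial-up customer, next visit", "198.51.100.187"),
    ("other subscriber of same ISP", "198.51.100.201"),
    ("unwanted client", "203.0.113.77"),
    ("unwanted client, new address", "203.0.113.90"),
]

# Extranet: deny all, grant only the addresses seen at sign-up.
GRANT_SINGLE = IPRestrictions(False, ["192.0.2.10", "198.51.100.23"])
# Extranet widened to the ISP's whole pool so the dial-up customer gets in.
GRANT_POOL = IPRestrictions(False, ["192.0.2.10", "198.51.100.0/24"])
# The reverse mode: grant all, deny one known address.
DENY_SINGLE = IPRestrictions(True, ["203.0.113.77"])

if __name__ == "__main__":
    for name, policy in [("grant single", GRANT_SINGLE),
                         ("grant ISP pool", GRANT_POOL),
                         ("deny single", DENY_SINGLE)]:
        print(name)
        for label, granted in evaluate(policy, VISITS).items():
            print("  %-32s %s" % (label, "granted" if granted else "denied"))
```

Widening the grant to the ISP's pool admits the dial-up customer on every visit, but it also admits every other subscriber of that ISP, so an IP restriction on its own does not identify a user.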

Using Non-Default Port Numbers

The default port that the WWW service listens on is port 80 (and port 443 for SSL/PCT requests). You can set IIS to listen on other ports as well, and remove port 80 if required. This way visitors will have to know and specify as part of the URL the correct port number in order to gain access to your site, for example http://yoursite.com:8671/default.htm. You change the default port allocations in the Properties dialog for that directory, or use the Advanced dialog to set up multiple ports.

This isn't going to do much good if you then publish the full URL, but may be useful if you want to hide your site from casual browsers, or from search engines and agents that generate random IP numbers to see if any servers respond. Anyone can search the publicly available lists of domain name allocations to find your site's IP address anyway, but using a non-standard port makes it that bit harder to gain access.

Good Practice With IIS

There are some general points that you should keep in mind when setting up IIS:

© 1998 by Wrox Press. All rights reserved.