Friday, October 14, 2005

Don't Forget About IIS Directory/File Security

Two different problems were presented to me today, and I came up with the exact same solution for both.

One involved defeating piracy: my client didn't want their clients to make copies of the Windows Forms application that we developed and gain unauthorized access to a webservice.

Another involved restricting access to a critical ASP: code on the ASP is intended to be executed only by a service running on a different machine. They need to prevent anyone from accessing that ASP from a web browser, and using credentials was not sufficient.

The solution for both was to use the Directory (or File) Security functionality of IIS to restrict access based on the IP address. By default, IIS grants access to all IP addresses, and you can build a blacklist. However, by flipping the switch and denying access to all IP addresses, you're able to build a whitelist. In this way, requests to a webservice or ASP that did not originate from a certain list of IP addresses would be blocked.

What's better is that no code had to be altered to make this solution work--it's completely a metabase change.
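The two modes described above, modelled as an added example (this is not code from the original post and not IIS's own implementation). The function names, the "address, mask" entry format and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

def parse_entry(entry):
    """Turn 'address' or 'address, mask' into a network (assumed entry format)."""
    addr, _, mask = (part.strip() for part in entry.partition(","))
    # A bare address is treated as a single host.
    return ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)

def is_allowed(client_ip, grant_by_default, exceptions):
    """Listed addresses get the opposite of the default decision."""
    ip = ipaddress.ip_address(client_ip)
    listed = any(ip in parse_entry(e) for e in exceptions)
    return grant_by_default != listed

# Constructed policies using documentation-range addresses.
# Default mode: everyone is granted access, the list names who is denied.
BLACKLIST = {"grant_by_default": True, "exceptions": ["203.0.113.7"]}
# Flipped mode: everyone is denied, the list names who is granted.
WHITELIST = {"grant_by_default": False,
             "exceptions": ["192.0.2.10", "198.51.100.0, 255.255.255.0"]}

# Constructed client addresses: two expected callers, one known-bad, one unknown.
CLIENTS = ["192.0.2.10", "198.51.100.25", "203.0.113.7", "203.0.113.99"]

def evaluate(policy, clients=CLIENTS):
    """Return the allow/deny decision for each client under one policy."""
    return {ip: is_allowed(ip, **policy) for ip in clients}

if __name__ == "__main__":
    for name, policy in (("blacklist", BLACKLIST), ("whitelist", WHITELIST)):
        for ip, ok in evaluate(policy).items():
            print(f"{name:9} {ip:15} {'allow' if ok else 'deny'}")
```

The difference shows up for the address nobody anticipated: the blacklist lets it through, the whitelist does not. The decision is made on the source address of the connection, so callers that share a NAT or proxy address are indistinguishable to this check.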