We've got a webserver running IIS. We'd like to run maybe a shared blog or something to keep track of information. Because of security issues, we'd like for that part to be only viewable from localhost so people have to remote in to use it.

So, to repeat my question, can part of a website be made viewable from localhost only?

A: 

It depends on exactly what you want to happen if an unauthorized user tries to visit it.

You could try to set up the specific section as a virtual directory, then deny view to anonymous users. However, they will be prompted for login, and if they can log in then they could see it.

Mitchel Sellers
A: 

You might be able to do as Mitchel said, but only allow a specific group of users to look at it, such as technical users, for only those developing the site.

jmein
A: 

You could simply add this .NET to the top of the page.

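// Context of the request being processed
HttpContext currentContext = HttpContext.Current;

// SERVER_NAME is the host name or IP address the request was sent to
string MyWebServerName = currentContext.Request.ServerVariables["SERVER_NAME"];

// Either value counts as local; with && the test could never be true
if ( MyWebServerName == "127.0.0.1" || MyWebServerName == "localhost" )
{
  // the user is local 
}
else
{
  // the user is NOT local
}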
TravisO
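
An added example (not part of TravisO's answer or any poster's code): an ASP.NET HTTP module that enforces the same localhost-only rule for one folder by testing the client's address with Request.IsLocal, since SERVER_NAME reports the host name the request was sent to rather than where it came from. The class name LocalOnlyModule and the ~/blog prefix are assumptions for illustration.

```csharp
using System;
using System.Web;

// Added example: LocalOnlyModule and ProtectedPrefix are hypothetical names.
public class LocalOnlyModule : IHttpModule
{
    // Assumed app-relative location of the restricted section.
    private const string ProtectedPrefix = "~/blog";

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    // True for "~/blog" and anything under "~/blog/", but not "~/blogger".
    private static bool IsProtected(string appRelativePath)
    {
        return appRelativePath.Equals(ProtectedPrefix, StringComparison.OrdinalIgnoreCase)
            || appRelativePath.StartsWith(ProtectedPrefix + "/", StringComparison.OrdinalIgnoreCase);
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Request;

        if (!IsProtected(request.AppRelativeCurrentExecutionFilePath))
            return; // public part of the site

        // IsLocal is true when the client address is loopback (127.0.0.1 or ::1)
        // or equals the server's own address for this connection.
        if (request.IsLocal)
            return;

        // Anyone else gets 403 with no body and no login prompt.
        app.Response.StatusCode = 403;
        app.Response.SuppressContent = true;
        app.CompleteRequest();
    }
}
```

Register the module under httpModules in web.config (or system.webServer/modules in IIS7 integrated mode). In IIS6 or classic mode it only sees requests that ASP.NET handles, so static files in the folder still need the IIS IP restriction described in the other answers.
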
A: 

Judging from the options present in the IIS MMC, you can also have a virtual directory only be accessible by certain IP-ranges. You could block everyone but 127.0.0.1. I have not tried this, however.

Jonas Oberschweiber
+1  A: 

In IIS6 you can bring up the properties for the web and click on the directory security tab. Click the button in the middle of the tab for editing the IP and Domain restrictions. On this tab set all computers as denied, then add an exception for the IPs you want to allow access to this site.

I am not sure how to configure this on IIS7. I looked but couldn't find it; if I find it, I will edit this answer.

Edit: Configuring IIS7

  • Josh
JoshBerke
A: 

You can grant or deny access to a site or folder from certain IPs. In IIS, go into properties for the site or folder in question.

(1) Click to the "Directory Security" Tab

(2) Click Edit Under the "IP Address and Domain Name Restriction" frame.

(3) Click "Denied Access" (This tells IIS to block every IP except those you list)

(4) Click "Add..."

(5) Click "Single Computer"

(6) Enter 127.0.0.1 (the IP of localhost)

Note that it is best to use an IP here (as I've described) rather than a domain name because domains can be easily forged using a hosts file.

Tristan Havelick
A: 

I agree with the recommendations to use IIS "Directory Security" to block all IP addresses except 127.0.0.1 (localhost).

That said, I'm wondering how this strategy of requiring users to remote in could possibly be more secure. Wouldn't it be more secure (as well as much simpler) to use standard IIS authentication mechanisms rather than have to manage Windows roles and permissions on the server machine?

C. Dragon 76