I am deploying a public ASP.NET website on an IIS7 web farm.

The application runs on 3 web servers and is behind a firewall.

We want to create a single page on the website that is accessible only to internal users. It is primarily used for diagnostics, triggering cache expiry, etc.

/admin/somepage.aspx

What is the best way to control access to this page? We need to:

  1. Prevent all external (public) users from accessing the URL.
  2. Permit specific internal users to access the page, only from certain IPs or networks.

Should this access control be done at the (a) network level, (b) application level, etc.?

A: 

Here is how to secure a specific page for specific users, and only them:

<configuration>
    <location path="admin/somepage.aspx">
        <system.web>
            <authorization>
                <allow users="User1,User2" />
                <deny users="*" />
            </authorization>
        </system.web>
    </location>
</configuration>

To set the allowed IPs, you need to configure the web site in IIS via IPv4 Address and Domain Restriction, where you add a wildcard Deny entry and specific Allow entries.

Also, you can set all this up programmatically.

abatishchev
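
The two controls from the answer above, combined in one web.config, as an added example that is not part of the original answer. The user names are the answer's; the 10.0.0.0/8 network and the 192.168.10.25 host are constructed sample values. It assumes the IP and Domain Restrictions role service is installed and the ipSecurity section has been unlocked for the site (it is locked at server level by default).

```xml
<configuration>
  <location path="admin/somepage.aspx">

    <!-- Layer 1: who. ASP.NET URL authorization, evaluated top-down,
         first match wins. The final deny also rejects anonymous users. -->
    <system.web>
      <authorization>
        <allow users="User1,User2" />
        <deny users="*" />
      </authorization>
    </system.web>

    <!-- Layer 2: from where. IIS7 IP and Domain Restrictions.
         allowUnlisted="false" is the wildcard deny: any address that
         matches no <add> entry is refused before ASP.NET runs. -->
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <!-- Constructed sample values: an internal network and one host. -->
          <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="true" />
          <add ipAddress="192.168.10.25" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>

    <!-- Caveat for a farm: ipSecurity matches the address of the TCP peer.
         If a load balancer or reverse proxy in front of the web servers
         does not preserve the client source address, every request
         appears to come from that device, so check what address the
         servers actually log before relying on this layer. -->

  </location>
</configuration>
```

Because the file is deployed with the application, the same rules apply on all three web servers without per-server IIS Manager changes.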
A: 

A simple implementation would be to set File Security on that File in IIS to Integrated Windows Authentication only.

Then, in that file's code-behind, check for the user's ID. If they are authenticated, they will have an ID, and let them access the page.

if (!HttpContext.Current.User.Identity.IsAuthenticated)
{
    // Direct user to other page or display message.
}

When users go to that page, it will ask them for their network login.

Ed B