IIS website is set to prohibit direct access through IP address

How Do I Disable Direct Access Through IP Addresses in IIS Websites of Windows Instances?

Problem Description

When the IIS site on the Windows instance is configured to allow direct access through the IP address (that is, an empty host header is bound in IIS), you can directly access the default site in IIS on the server through the IP address. When a domain name (including a malicious domain name or an unregistered domain name, etc.) is resolved to the IP address, the content of the website will be directly accessed through the domain name, which poses a security risk.

Problem Causes

When there is an empty host header bound in IIS, the IP address can be used to directly access the website corresponding to the empty host header bound to IIS.

Solution

Note The operation steps in this article take the 64-bit Chinese version of Windows Server 2019 Data Center Edition as an example. The actual operation depends on your actual Windows instance operating system.

You can prohibit direct access to IIS websites through IP addresses by deleting the empty host header bound in IIS. The operation steps are as follows:

1. Remotely connect to the Windows instance.

2. Open IIS Manager.

a. In the lower left corner of the desktop, select the Start icon > Server Manager.

b. In the upper right corner of the Server Manager page, select Tools > Internet Information Services (IIS) Manager.

3. Click the target website in the left navigation bar, then click Bind in the Operation column, and then bind a website domain name based on the empty host header (that is, the host name parameter is empty) in the website binding dialog box.

Take binding example.aliyundoc.com domain name as an example.

4. Use the public IP address of the server and the bound example.aliyundoc.com domain name to access the website.

• The website can be accessed through the server's public IP and domain name.

• If other malicious domain names or unrecorded domain names (such as demo.aliyundoc.com) are resolved to the IP address of the server, although the host header is not bound in IIS, the website can still be accessed successfully.


5. It is forbidden to directly access the website through the IP address.

a. Click the target website in the left navigation bar of Internet Information Services (IIS) Manager, and then click Binding in the Action column.

b. In the website binding dialog box, click an empty host header (that is, the host name parameter is empty), click Delete, and keep the domain name you need.

Take the reserved example.aliyundoc.com domain name as an example, as shown in the figure. add domain name

c. Use other malicious domain names or non-recorded domain names to re-visit the website to verify whether it is successful and prohibit direct access to the website through the IP address.

Malicious domain names or unregistered domain names (such as demo.aliyundoc.com) cannot be accessed normally even if they are resolved to the IP address of the server, as shown in the figure, that is, direct access to the website through the IP address is successfully prohibited.

What should I do if the website configured based on IIS cannot be accessed because the service port is occupied?

Problem Description

Access to the website based on IIS configuration fails, and then use the netstat command on the Windows instance to check that the IIS service port is in the normal listening state and the website system process is running.

Problem Causes

The website cannot be accessed because the website server port is occupied.

Solution

Explanation This operation step takes the website service port as port 80, and the Windows instance operating system based on IIS configuration website as Windows Server 2019 Data Center Edition 64-bit Chinese version as an example. The specific operation depends on your actual service port and Windows instance operating system prevail.

1. Remotely connect to the Windows instance.

2. Enter cmd in the search bar, and click Command Prompt.

3. Execute the netstat -ano | findstr 80 command to check whether the service port is monitored, that is, whether the service port is in the LISTENING state.

Take the process whose PID number is process program number 4 occupies the 80 service port of IIS and makes it impossible to access the website as an example, the display example is as follows.

Is port 80 in listening state?

• The service port is listening:

If port 80 is in the listening state, it may be that other programs occupy port 80. You can use taskkill (in the command, is the process ID of the program) to close the relevant program, and then restart the IIS program.

In this example, you need to execute the taskkill 4 command to close the program occupying port 80, and then restart the IIS program.

NOTE For details about restarting the IIS program, see Restarting IIS.

• Service port not listening:

If port 80 is not listening, please re-run the IIS program or check whether the website is running.

4. Revisit the site.

The website access is successful and the problem is solved.