Tutorial

Blocking IP addresses with IIS

September 25, 2025
iis windows security ip-blocking bots

IIS (Internet Information Services) provides built-in tools for blocking unwanted IP addresses directly at the web server layer. This helps protect your applications from abusive traffic, bots, and potential attackers before they reach your application logic. The implementation can vary slightly depending on whether you’re using the IIS Manager GUI, PowerShell, or configuration files.

For the complete official documentation, see IIS IP Security.

Method 1: The IIS Manager GUI

  1. Open IIS Manager (inetmgr).
  2. In the Connections pane, select your server, site, or application.
  3. In the Features View, double-click IP Address and Domain Restrictions.
  4. In the Actions pane (right side), choose Add Deny Entry.
  5. Enter the IP address or range you want to block:
    • Single IP Address: e.g., 198.244.168.25
    • IP Range: e.g., 198.244.168.0 – 198.244.168.255
    • Subnet: e.g., 198.244.168.0/24
  6. Click OK to apply.

Blocked clients will now receive an HTTP 403 (Forbidden) response.

Method 2: The web.config File

You can also configure IP restrictions in your application’s web.config file. This is useful for version control and deployment scenarios.

<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="true">
        <!-- Block specific AI bot IP ranges -->
        <add ipAddress="142.44.220.0" subnetMask="255.255.255.0" allowed="false" />
        <add ipAddress="148.113.128.0" subnetMask="255.255.255.0" allowed="false" />
        <add ipAddress="15.235.27.0" subnetMask="255.255.255.0" allowed="false" />
        <add ipAddress="198.244.168.0" subnetMask="255.255.255.0" allowed="false" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>

  • allowUnlisted="true" → allows all IPs unless explicitly denied.
  • Change it to false if you only want to allow whitelisted IPs, i.e. deny everything except entries explicitly marked allowed="true".

Method 3: Server-Level Configuration

For global restrictions across all sites, edit the applicationHost.config file (usually located at C:\Windows\System32\inetsrv\config\applicationHost.config).

Inside the <system.webServer> section:

<system.webServer>
  <security>
    <ipSecurity allowUnlisted="true">
      <!-- Block specific AI bot IP ranges -->
      <add ipAddress="142.44.220.0" subnetMask="255.255.255.0" allowed="false" />
      <add ipAddress="148.113.128.0" subnetMask="255.255.255.0" allowed="false" />
      <add ipAddress="15.235.27.0" subnetMask="255.255.255.0" allowed="false" />
      <add ipAddress="198.244.168.0" subnetMask="255.255.255.0" allowed="false" />
    </ipSecurity>
  </security>
</system.webServer>

This applies server-wide and is useful for large infrastructures.

Method 4: PowerShell Automation

PowerShell allows automation of IP restrictions—ideal for dynamically updating blocklists.

Import-Module WebAdministration

# Navigate to a site (the path contains a space, so it must be quoted)
cd "IIS:\Sites\Default Web Site"

# Block AI bot IP ranges; the target site is given explicitly with -PSPath,
# so the cd above is only for convenience
Add-WebConfiguration "/system.webServer/security/ipSecurity" `
    -Value @{ipAddress="142.44.220.0"; subnetMask="255.255.255.0"; allowed=$false} `
    -PSPath "IIS:\Sites\Default Web Site"

Add-WebConfiguration "/system.webServer/security/ipSecurity" `
    -Value @{ipAddress="198.244.168.0"; subnetMask="255.255.255.0"; allowed=$false} `
    -PSPath "IIS:\Sites\Default Web Site"
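The GUI accepts CIDR notation, but web.config and Add-WebConfiguration want an address plus a dotted subnet mask, and none of the methods above stop you from denying a range that happens to contain your own admin address. The helper below is an added example, not code from the original tutorial: it converts a CIDR range to the ipAddress/subnetMask pair, refuses the entry if any address in -ProtectedIPs falls inside it, skips entries that already exist so the script can be re-run, and only then adds the deny entry. It handles IPv4 only; the site name and the admin address 203.0.113.10 are constructed values.

```powershell
Import-Module WebAdministration

# Prefix length (e.g. 24) -> dotted mask (255.255.255.0), the form ipSecurity stores
function ConvertTo-SubnetMask([int]$PrefixLength) {
  if ($PrefixLength -lt 0 -or $PrefixLength -gt 32) { throw "Invalid prefix length: $PrefixLength" }
  [int64]$mask = 0
  if ($PrefixLength -gt 0) { $mask = (4294967295 -shl (32 - $PrefixLength)) -band 4294967295 }
  return ((3..0 | ForEach-Object { ($mask -shr ($_ * 8)) -band 255 }) -join '.')
}

# Dotted IPv4 string -> integer, so subnet membership becomes a mask-and-compare
function ConvertTo-IPv4Int([string]$Address) {
  $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
  return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

function Add-IisDenyEntry {
  param(
    [string]$Site,                 # IIS site name
    [string]$Cidr,                 # e.g. 198.244.168.0/24; a bare address means a single host
    [string[]]$ProtectedIPs = @()  # addresses that must never be denied (your admin hosts)
  )
  $network, $prefix = $Cidr -split '/'
  if (-not $prefix) { $prefix = 32 }
  $mask    = ConvertTo-SubnetMask ([int]$prefix)
  $maskInt = ConvertTo-IPv4Int $mask
  $netInt  = (ConvertTo-IPv4Int $network) -band $maskInt

  # Refuse to add a range that would lock out a protected address
  foreach ($p in $ProtectedIPs) {
    if (((ConvertTo-IPv4Int $p) -band $maskInt) -eq $netInt) { throw "$Cidr contains protected address $p; not added" }
  }

  $psPath = "IIS:\Sites\$Site"
  $filter = '/system.webServer/security/ipSecurity'
  # Skip an identical entry so the script is safe to re-run
  $existing = Get-WebConfiguration "$filter/add[@ipAddress='$network']" -PSPath $psPath |
    Where-Object { $_.subnetMask -eq $mask }
  if ($existing) { Write-Host "Deny entry for $Cidr already present on $Site"; return }
  Add-WebConfiguration $filter -PSPath $psPath -Value @{ ipAddress = $network; subnetMask = $mask; allowed = $false }
  Write-Host "Denied $Cidr ($network mask $mask) on $Site"
}

# Example usage (site name and admin address 203.0.113.10 are constructed values)
Add-IisDenyEntry -Site 'Default Web Site' -Cidr '198.244.168.0/24' -ProtectedIPs @('203.0.113.10')
```

If IIS rejects the write because the section is locked at server level (a default applicationHost.config locks ipSecurity), unlock it first with `%windir%\system32\inetsrv\appcmd unlock config -section:system.webServer/security/ipSecurity`.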

Method 5: Dynamic IP Restrictions

For protection against brute-force and denial-of-service attacks, enable Dynamic IP Restrictions:

  1. In IIS Manager, select your site.
  2. Open IP Address and Domain Restrictions.
  3. In the Actions pane, click Edit Dynamic Restriction Settings.
  4. Configure rules such as:
    • Deny IP addresses based on number of concurrent requests (e.g., more than 10).
    • Deny IP addresses based on request rate (e.g., more than 30 requests in 30 seconds).

This module automatically blocks abusive clients without manually maintaining blocklists.
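The same settings can be applied without the GUI, which matters when Method 5 has to be rolled out to many sites. This function is an added example rather than code from the tutorial: it writes the dynamicIpSecurity section of the named site, defaults to the thresholds quoted above, and starts in logging-only mode so would-be denials appear in the IIS log before any client is actually blocked; -BehindProxy makes IIS evaluate the X-Forwarded-For address when a load balancer sits in front. The site name is an assumption.

```powershell
Import-Module WebAdministration

function Set-IisDynamicIpRestrictions {
  param(
    [string]$Site,
    [int]$MaxConcurrentRequests = 10,  # "more than 10 concurrent requests" from the steps above
    [int]$MaxRequests = 30,            # "more than 30 requests ...
    [int]$IntervalMs = 30000,          # ... in 30 seconds"
    [switch]$Enforce,                  # omit to stay in logging-only mode (observe first)
    [switch]$BehindProxy               # use X-Forwarded-For instead of the load balancer's address
  )
  $psPath = "IIS:\Sites\$Site"
  $filter = '/system.webServer/security/dynamicIpSecurity'

  # Concurrent-request rule
  Set-WebConfigurationProperty -PSPath $psPath -Filter "$filter/denyByConcurrentRequests" -Name enabled -Value $true
  Set-WebConfigurationProperty -PSPath $psPath -Filter "$filter/denyByConcurrentRequests" -Name maxConcurrentRequests -Value $MaxConcurrentRequests

  # Request-rate rule
  Set-WebConfigurationProperty -PSPath $psPath -Filter "$filter/denyByRequestRate" -Name enabled -Value $true
  Set-WebConfigurationProperty -PSPath $psPath -Filter "$filter/denyByRequestRate" -Name maxRequests -Value $MaxRequests
  Set-WebConfigurationProperty -PSPath $psPath -Filter "$filter/denyByRequestRate" -Name requestIntervalInMilliseconds -Value $IntervalMs

  # Logging-only mode records the decision in the IIS log but still serves the request
  Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name enableLoggingOnlyMode -Value (-not $Enforce)
  Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name enableProxyMode -Value ([bool]$BehindProxy)

  # Return the effective mode so the caller can confirm what was applied
  Get-WebConfiguration -PSPath $psPath -Filter $filter | Select-Object enableLoggingOnlyMode, enableProxyMode
}

# First pass: observe only. Re-run with -Enforce once the log shows no legitimate clients being flagged.
Set-IisDynamicIpRestrictions -Site 'Default Web Site'
```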

Dynamic IP Blocking with Windows Firewall

Windows doesn’t have a direct equivalent to Fail2ban, but you can replicate the behavior using Windows Firewall + log monitoring:

  1. Enable IIS Logging
    • IIS logs are stored at C:\inetpub\logs\LogFiles\W3SVC1\
    • Look for frequent 401, 403, or 404 errors.
  2. Create a PowerShell Script
    Example script to parse logs and block offending IPs:

    $logPath = "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log"
    $threshold = 20

    # Take the most recent log file (IIS rolls logs daily by default)
    $latest = Get-ChildItem $logPath | Sort-Object LastWriteTime -Descending | Select-Object -First 1

    # W3C logs declare their column layout in a "#Fields:" header. Read it so we pick
    # the client address (c-ip) rather than the server address (s-ip), which a naive
    # "first IP on the line" regex would capture, and locate sc-status by name too.
    $ipCol = $statusCol = -1
    $hits = foreach ($line in Get-Content $latest.FullName) {
      if ($line -like '#Fields:*') {
        $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
        $ipCol = [array]::IndexOf($fields, 'c-ip'); $statusCol = [array]::IndexOf($fields, 'sc-status')
        continue
      }
      if ($line.StartsWith('#') -or $ipCol -lt 0 -or $statusCol -lt 0) { continue }
      $cols = $line -split '\s+'
      if ($cols[$statusCol] -eq '403') { $cols[$ipCol] }
    }

    # Keep only client IPs with more than $threshold 403 responses in that log file
    $banList = $hits | Group-Object | Where-Object { $_.Count -gt $threshold } | Select-Object -ExpandProperty Name

    foreach ($ip in $banList) {
      # Skip addresses that already have a rule so re-runs do not pile up duplicates
      if (Get-NetFirewallRule -DisplayName "IISBlock_$ip" -ErrorAction SilentlyContinue) { continue }
      Write-Host "Blocking $ip"
      New-NetFirewallRule -DisplayName "IISBlock_$ip" -Direction Inbound -Action Block -RemoteAddress $ip `
        -Description "banned=$((Get-Date).ToString('o'))" | Out-Null
    }
    
    • Schedule this script using Task Scheduler (e.g., every 10 minutes).
    • Offending IPs are dynamically blocked at the firewall level.
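Fail2ban bans expire after a configurable bantime, whereas firewall rules added this way stay in place for good. As an added example (not part of the original script), this function removes IISBlock_* rules older than a given number of hours; it assumes the banning script records the ban time in each rule's Description as banned=<ISO 8601 timestamp> (via the -Description parameter of New-NetFirewallRule) and leaves rules without that marker alone.

```powershell
# Remove IISBlock_* firewall rules whose ban has expired (Fail2ban-style "bantime").
# Assumes each rule's Description holds "banned=<ISO 8601 timestamp>"; other rules are skipped.
function Remove-ExpiredIisBlocks {
  param(
    [int]$BanHours = 24,   # how long a ban lasts
    [switch]$DryRun        # report what would be removed without touching the firewall
  )
  $cutoff  = (Get-Date).AddHours(-$BanHours)
  $removed = @()
  $rules = Get-NetFirewallRule -DisplayName 'IISBlock_*' -ErrorAction SilentlyContinue
  foreach ($rule in $rules) {
    # No timestamp marker: not created by the banning script, leave it alone
    if (-not ($rule.Description -match '^banned=(.+)$')) { continue }
    $bannedAt = [datetime]$matches[1]
    if ($bannedAt -ge $cutoff) { continue }   # still inside the ban window
    $ip = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    Write-Host "Unblocking $ip (banned $($bannedAt.ToString('u')))"
    if (-not $DryRun) { $rule | Remove-NetFirewallRule }
    $removed += $ip
  }
  return $removed
}

# Run this from the same scheduled task, after the blocking step, so bans lapse automatically;
# drop -DryRun once the output looks right
Remove-ExpiredIisBlocks -BanHours 24 -DryRun
```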

Testing & Troubleshooting

  • Use curl or a browser from the blocked IP to confirm access is denied (403 Forbidden).
  • Check IIS logs at C:\inetpub\logs\LogFiles\W3SVC1\
  • Restart IIS if necessary:
    iisreset
    

Best Practices

  • Prefer automation: Use PowerShell or centralized configuration for large-scale deployments.
  • Whitelist critical IPs: Always allow your own admin IPs before enabling strict blocking.
  • Keep lists updated: Regularly review and update blocked IPs.
  • Monitor logs: Regularly review access logs for suspicious traffic.
  • Test before deploying: Misconfiguration can lock out legitimate traffic—including yourself.