
Purpose

I was recently tasked with adding a large number of IPs under 'IP and Domain Restriction' in IIS. It is a tedious and error-prone task, hence I used this script to achieve it.

I am using Default Web Site/Cert website for the demo, and the 'IP and Domain Restriction' setting is blank for 'Default Web Site/CertSrv'.

CSV File for Input

Create a CSV file named allowlist.csv with these headers and the necessary IP and subnet mask details, and copy it to your server's desktop:

ipaddress,subnetmask
192.168.10.100,24

Report of existing entries

Run this report before making the change:

# Report the existing IPs in the EWS virtual directory
$appPath = "Default Web Site/EWS"
$b = Get-WebConfigurationProperty -Filter system.webServer/security/ipSecurity -Location $appPath -Name collection
# Export the entries to a CSV file on the desktop, then open it
$b | Select-Object -Property ipaddress, subnetmask -ExpandProperty attributes | Export-Csv $home\Desktop\web.csv -NoTypeInformation
Invoke-Item $home\Desktop\web.csv

Backup Config File

Copy the file from the location below. It stores the values under the ipSecurity section, and if you break anything, restoring this file will revert the changes:

C:\Windows\System32\inetsrv\config\applicationHost.config

Script

Copy this code to a .ps1 file on your server's desktop and copy allowlist.csv to the desktop as well. Now you are ready to execute the script.

# This script makes changes to the ipSecurity section of the file below:
# C:\Windows\System32\inetsrv\config\applicationHost.config

# Create a CSV file with the fields ipaddress and subnetmask in the format below
# and save it to the desktop with the name allowlist.csv
#ipaddress,subnetmask
#192.168.10.100,24
#192.168.11.199,24

Import-Module WebAdministration

# Location of the website that will be updated with the entries.
# You can update this path if you have to make changes to a different path like "Default Web Site/CertSrv"
$appPath = "Default Web Site/EWS"

$csv = Import-Csv $home\desktop\allowlist.csv
foreach ($csv1 in $csv) {
    # One allow entry per CSV row
    $value = @{ipAddress=$csv1.ipaddress; subnetMask=$csv1.subnetmask; allowed="True"}
    Add-WebConfigurationProperty -Filter 'system.webServer/security/ipSecurity' -PSPath "IIS:\" -Location $appPath -Name COLLECTION -Value $value -ErrorAction Stop
}

Run reporting and verify website

# Report the existing IPs in the EWS virtual directory
$appPath = "Default Web Site/EWS"
$b = Get-WebConfigurationProperty -Filter system.webServer/security/ipSecurity -Location $appPath -Name collection
# Export the entries to a CSV file on the desktop, then open it
$b | Select-Object -Property ipaddress, subnetmask -ExpandProperty attributes | Export-Csv $home\Desktop\web.csv -NoTypeInformation
Invoke-Item $home\Desktop\web.csv

After running the script, the configuration shows the new IPs in the list.
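
A stricter variant of the import loop, as an added example that is not the post's own script: it validates each CSV row, drops duplicate rows, warns when allowUnlisted is still true (allow entries restrict nothing until unlisted clients are denied), and previews the additions with -WhatIf. Test-AllowlistRow, the constructed sample rows and the backup file name are assumptions.

```powershell
# Added example, not the post's script. Test-AllowlistRow is a hypothetical helper.
Import-Module WebAdministration
$appPath = "Default Web Site/EWS"    # same location the post uses
$filter  = 'system.webServer/security/ipSecurity'

function Test-AllowlistRow {
    param($Row)
    $ip = $null
    $text = ([string]$Row.ipaddress).Trim()
    if (-not [System.Net.IPAddress]::TryParse($text, [ref]$ip)) { return $false }
    # TryParse accepts shorthand such as "192.168.1", so IPv4 must round-trip exactly.
    $isV4 = $ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork
    if ($isV4 -and $ip.ToString() -ne $text) { return $false }
    # Assumption: subnetmask is a prefix length, as in the post's CSV (24).
    $prefix = 0
    if (-not [int]::TryParse([string]$Row.subnetmask, [ref]$prefix)) { return $false }
    $max = if ($isV4) { 32 } else { 128 }
    return ($prefix -ge 1 -and $prefix -le $max)
}

# Constructed sample rows; replace with: Import-Csv $home\Desktop\allowlist.csv
$rows = @'
ipaddress,subnetmask
192.168.10.100,24
192.168.10.100,24
192.168.1,24
192.168.12.5,33
'@ | ConvertFrom-Csv

$seen = @{}
$good = foreach ($row in $rows) {
    $key = "$($row.ipaddress)/$($row.subnetmask)"
    if (-not (Test-AllowlistRow $row)) { Write-Warning "Invalid row skipped: $key"; continue }
    if ($seen.ContainsKey($key)) { Write-Warning "Duplicate row skipped: $key"; continue }
    $seen[$key] = $true
    $row
}

# Allow entries restrict nothing while unlisted clients are still allowed.
$unlisted = Get-WebConfigurationProperty -Filter $filter -PSPath 'IIS:\' -Location $appPath -Name allowUnlisted
if ($unlisted.Value) { Write-Warning "allowUnlisted is true for '$appPath'." }
# Back up the config file the post names (backup file name is an assumption).
Copy-Item C:\Windows\System32\inetsrv\config\applicationHost.config $home\Desktop\applicationHost.config.bak
foreach ($row in $good) {
    $value = @{ ipAddress = $row.ipaddress.Trim(); subnetMask = $row.subnetmask.Trim(); allowed = "True" }
    # -WhatIf previews each addition; remove it to apply the change.
    Add-WebConfigurationProperty -Filter $filter -PSPath 'IIS:\' -Location $appPath -Name collection -Value $value -ErrorAction Stop -WhatIf
}
```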