Securing EPiServer edit and admin mode by IP address
Sep 20, 2010
Recently I read an EPiServer forum post about securing EPiServer edit and admin mode. If I understood the post correctly then there is a public facing EPiServer site, using the standard SQL providers. The requirement was to prevent access to edit and admin mode to all but a restricted set of IP addresses.
This is quite easily achieved by following these steps:
IIS 6
- Under your site > Create a virtual directory with a name that matches /path/to/your/UI (e.g. /epiUI/)
- Ensure the virtual directory points to an EMPTY directory on your machine
- Right click on the new folder > Click "Properties"
- "Directory Security" Tab
- "IP address and domain name restrictions" > Edit button
- Edit IP restrictions as appropriate
- Click OK
- Click OK to close the "Properties" window
IIS 7
- Under your site > Create a virtual directory with a name that matches /path/to/your/UI (e.g. /epiUI/)
- Ensure the virtual directory points to an EMPTY directory on your machine
- Click the newly created folder
- Double click "IP Address and Domain Restrictions" (if you do not have access to this feature see my other post which describes how to enable features in IIS 7 amongst other things)
- Under actions > Click "Edit Feature settings"
- In "Access for unspecified clients" select Deny > Click OK
- Under actions > Click > Add Allow Entry
- Add IP entries or ranges as appropriate
- Click OK
If you try to access the restricted folder and are denied access then you will get an HTTP 403.6 error. In the light of recent Microsoft Security Announcements you should monitor for this error and take appropriate action.
You may need to restart your site/IIS for the changes to take effect.
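One way to do the 403.6 monitoring mentioned above is to scan the IIS W3C log for denied requests under the UI path and group them by client IP. This is an added example, not code from the original post; the log lines are constructed, and the `/epiUI/` path, the threshold and the function name are assumptions. It also assumes the `sc-substatus` and `c-ip` fields are enabled in the site's logging settings.

```python
from collections import Counter

# Constructed sample of an IIS W3C extended log (documentation-range IPs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus sc-win32-status
2010-09-20 10:01:02 GET /epiUI/edit/default.aspx 203.0.113.7 403 6 0
2010-09-20 10:01:05 GET /epiUI/admin/default.aspx 203.0.113.7 403 6 0
2010-09-20 10:01:09 GET /EPIUI/edit/ 203.0.113.7 403 6 0
2010-09-20 10:02:00 GET /epiUI/edit/default.aspx 192.0.2.10 200 0 0
2010-09-20 10:03:00 GET /epiUI 198.51.100.4 403 6 0
2010-09-20 10:04:00 GET /secret/ 198.51.100.4 403 14 0
"""

def denied_by_ip(lines, ui_path="/epiUI/", threshold=3):
    """Return {client_ip: count} for IPs with >= threshold 403.6 hits under ui_path."""
    base = ui_path.rstrip("/").lower()  # IIS paths are case-insensitive
    fields, hits = [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header can reappear mid-file after a restart
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "").lower()
        under_ui = stem == base or stem.startswith(base + "/")
        # 403 with substatus 6 is the "IP address rejected" response
        if row.get("sc-status") == "403" and row.get("sc-substatus") == "6" and under_ui:
            hits[row.get("c-ip", "-")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in denied_by_ip(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} denied requests to the UI path")
```

Point it at the site's real log file by passing an open file object instead of the sample lines.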