IIS 10.0 FTP IP Security allow list

In this post I'll show you how to configure an IP allow list for IIS FTP Server using PowerShell, iisadministration and webadministration modules
Published on Tuesday, 21 January 2020

Screenshot by Jan Reilink

When you set up a new public facing FTP server in Windows Server IIS (FTPSvc), it is important to properly secure it. Of course there's authentication and authorization, but in this post I'll show you how to configure an IP allow list for IIS FTP Server using PowerShell, iisadministration and webadministration modules.

FTP IP Security <ipSecurity>

IIS FTP IP Address and Domain Restrictions

The ipSecurity element defines a list of IP-based security restrictions in IIS FTP. These restrictions can be based on the IP version 4 address, a range of IP version 4 addresses, or a DNS domain name.

Element add of the <ipSecurity> collection defines a unique IP security restriction. Each restriction can be based on the IP version 4 address, a range of IP version 4 addresses, or a DNS domain name.

Using PowerShell's webadministration module, you can use Set-WebConfigurationProperty to configure these settings. By the way, the iisadministration module is the better alternative. More on that later.

Learn How to add, list and remove IP addresses in Windows Firewall

Block brute force attacks on SQL Server, block IP addresses in Windows Firewall using PowerShell

Configure FTP access for unspecified clients

Use FTP IP Address and Domain Restrictions

The purpose of an IP allow list, is to block everything and only allow a small number of IP's (clients). Those are granted access. You must be able to deny all clients who are not allowed in IIS FTP. Luckily, you can use FTP IP Address and Domain Restrictions for just that.

In IIS Manager, set Access for unspecified clients to Allow on your IIS root, and Deny on your FTP Site.

Deny access for unspecified clients

IIS Manager is the GUI management tooling for IIS remote administration.

Setting the allowUnlisted attribute to false locks down the server, preventing access to all IP address unless they are listed. If you do not allow access for unspecified clients on your IIS root, then no one may access your FTP server. Unless you add your allow list in the root node which makes it compulsory configuration for all virtual FTP sites on your server. This may be exactly what you are looking for depending on your needs.

In PowerShell, use Set-WebConfigurationProperty to set allowUnlisted to True and False in different locations:

# Set allowUnlisted to $true (allowed) for IIS FTP root node,
# then deny access for unspecified clients (set to $false) on
# your virtual FTP Site in IIS.
Set-WebConfigurationProperty -Filter /system.ftpserver/security/ipsecurity -Name allowUnlisted -Value "True" -PSPath 'IIS:'
Set-WebConfigurationProperty -Filter /system.ftpserver/security/ipsecurity -Name allowUnlisted -Value "False" -PSPath 'IIS:' -Location "ftp.example.com"

Doing so ensures all clients may connect to your IIS FTP server, but only allowed IP addresses to your virtual site ftp.example.com. If you set Access for unspecified clients to Deny/False on IIS' root, only IP addresses that are added as allowed may connect.

Now it's time to add those IP addresses.

Allow FTP access for the following IP address or domain name

You can easily create an array of IP addresses and loop through it in PowerShell. In the following example, I'm using for documentation reserved IP addresses. FTP IP Address and Domain Restrictions accepts a specific IP address, or a range of IP addresses including a mask.

# single IP addresses from 203.0.113.0/24
$allowed_ips = @(
  "203.0.113.5",
  "203.0.113.6",
  "203.0.113.10",
  "203.0.113.36",
  "203.0.113.37",
  "203.0.113.38",
  "203.0.113.66",
  "203.0.113.76",
  "203.0.113.89",
  "203.0.113.90",
  "203.0.113.91"
)
foreach($ip in $allowed_ips) {
  Add-WebConfiguration -Filter /system.ftpserver/security/ipsecurity -PSPath 'IIS:' -Location "ftp.example.com" -Value @{ipAddress="$ip";subnetMask="255.255.255.255";allowed=$true}
}

# entire range 198.51.100.0/24 subnetMask="255.255.255.0":
$allowed_ips2 = @(
  "198.51.100.0"
)
foreach($ip2 in $allowed_ips2) {
  Add-WebConfiguration -Filter /system.ftpserver/security/ipsecurity -PSPath 'IIS:' -Location "ftp.example.com" -Value @{ipAddress="$ip2";subnetMask="255.255.255.0";allowed=$true}
}

In the example above, you've added a number of single IP addresses from 203.0.113.0/24 and the complete 198.51.100.0/24 netblock to your FTP IP allow list.

Allowed IP addresses (whitelisted) in IIS FTP

Only these IP's may connect to your server, it is as easy as that.

IIsadministration equivalent

Yes, I said using the iisadministration module is the better alternative for webadministration. Especially since we're using IIS 10.0 on Windows Server 2019 (Core edition, right?! :-P ). So in a nutshell, here are the iisadministration equivalents for Get-WebConfiguration and Add-WebConfiguration:

# Set allowUnlisted to True on your root node
Get-IISConfigSection -SectionPath "system.ftpServer/security/ipSecurity" | Set-IISConfigAttributeValue -AttributeName "allowUnlisted" -AttributeValue True

# Set allowUnlisted to False on your virtual FTP site
Get-IISConfigSection -SectionPath "system.ftpServer/security/ipSecurity" -Location "ftp.example.com" | Set-IISConfigAttributeValue -AttributeName "allowUnlisted" -AttributeValue False

Next you need to loop through your IP address array to add the IP's to your allow list. For this, you can create an object '$MyFtpSite'. Use Start-IISCommitDelay and Stop-IISCommitDelay to delay the commitment of changes. Failing to do so may result in an error message

New-IISConfigCollectionElement : The configuration object is read only, because it has been committed by a call to ServerManager.CommitChanges(). If write access is required, use ServerManager to get a new reference.

Start-IISCommitDelay
$MyFtpSite = Get-IISConfigSection "system.ftpServer/security/ipSecurity" -Location "ftp.example.com" | Get-IISConfigCollection
$allowed_ips = @(
  "203.0.113.5",
  "203.0.113.6",
  "203.0.113.10",
  "203.0.113.36",
  "203.0.113.37",
  "203.0.113.38",
  "203.0.113.66",
  "203.0.113.76",
  "203.0.113.89",
  "203.0.113.90",
  "203.0.113.91"
)
foreach($ip in $allowed_ips) {
  New-IISConfigCollectionElement -ConfigCollection $MyFtpSite -ConfigAttribute @{ipAddress="$ip";subnetMask="255.255.255.255";allowed=$true}
}
Stop-IISCommitDelay

HTH! This was how to create an IP restrictions allow list for your Windows Server IIS FTP Server with Powershell.

Update: renamed "whitelist" to "allow list".