Restrict Umbraco Back Office by IP

Reasons behind IP restriction:

In some cases, having the back office open to the public can be a security issue, especially for high-profile websites, as it becomes a target for brute-force login attempts. Not to mention employees accessing the admin interface from home or other unauthorised locations such as libraries.

A quick fix for this is to add an IP restriction to the Umbraco directory so that only people in authorised locations can access the service. Employees would then have to use a VPN or wait until they're in the office before they could access the UI.

Applying an IP restriction to the Umbraco back office so that it displays a 404 error:

To apply the restriction, create a new web.config file within the Umbraco directory (if one doesn't already exist) and add the following XML to it. Then add, remove or update the IP addresses referenced in the example below so that they match the IP addresses of the office locations you'd like to grant access to:

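<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
                    <!-- Applies to every URL under this folder except those containing "surface" (e.g. surface controller routes) -->
                    <match url="*surface*" negate="true" />
                    <!-- All conditions must hold, so the rule fires only when the client IP is none of the addresses below -->
                    <conditions>
                        <!-- Placeholder addresses: replace with your own office IPs, one <add> per address -->
                        <add input="{REMOTE_ADDR}" pattern="123.456.789.10" negate="true" />
                        <add input="{REMOTE_ADDR}" pattern="963.852.741.123" negate="true" />
                    </conditions>
                    <!-- Everyone else gets a plain 404 -->
                    <action type="CustomResponse" statusCode="404" statusReason="File or directory not found." statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>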

Once you've implemented that, anyone trying to access the back office that doesn't have one of your defined IP addresses will see a 404 error within the browser.
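
To check an allow-list change before deploying it, the rule's logic can be modelled offline. The following Python sketch is an added example, not part of the original post or of IIS itself; it models only the wildcard URL match and the {REMOTE_ADDR} conditions shown above, and the addresses in it are constructed documentation-range values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the rule from the article, with documentation-range
# addresses (RFC 5737) standing in for the office IPs.
WEB_CONFIG = """<configuration><system.webServer><rewrite><rules>
<rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
  <match url="*surface*" negate="true" />
  <conditions>
    <add input="{REMOTE_ADDR}" pattern="192.0.2.10" negate="true" />
    <add input="{REMOTE_ADDR}" pattern="198.51.100.23" negate="true" />
  </conditions>
  <action type="CustomResponse" statusCode="404" />
</rule>
</rules></rewrite></system.webServer></configuration>"""


def wildcard_match(pattern, value):
    """Wildcard syntax: '*' matches any run of characters, the rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def is_negated(element):
    return element.get("negate", "false").lower() == "true"


def evaluate(config_xml, url, remote_addr):
    """Return the status code the rule would send, or None if the request passes.

    `url` is the path relative to the folder holding the web.config.
    Only {REMOTE_ADDR} conditions are modelled, joined by MatchAll (the default).
    """
    rule = ET.fromstring(config_xml).find(".//rule")
    match = rule.find("match")
    if wildcard_match(match.get("url"), url) == is_negated(match):
        return None  # URL part of the rule did not match, e.g. a surface route
    for cond in rule.findall("conditions/add"):
        if cond.get("input") != "{REMOTE_ADDR}":
            raise ValueError(f"unsupported condition input: {cond.get('input')}")
        if wildcard_match(cond.get("pattern"), remote_addr) == is_negated(cond):
            return None  # this address is on the allow list, so the rule does not fire
    return int(rule.find("action").get("statusCode"))
```

Wildcard patterns are compared as text, not as network ranges: a pattern such as 192.0.2.1* would also allow 192.0.2.100, so list exact addresses unless a textual prefix is really what you mean.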

Other methods:

Other methods of protecting the back office might include changing the directory that it resides in.


Tags: Umbraco,IIS

Luke Alderton
