Using IP Address and Domain Restrictions with Windows Azure

    Question

  • We'd like to use the IP Address and Domain Restrictions feature of IIS 7.5 to restrict access to some of our services hosted on Windows Azure. However this feature isn't installed by default and we've only been able to get it working by connecting to the instances by remote desktop and installing the missing feature. Obviously this isn't a great solution for when we go to production.

    • What's the best way to automate this? Or can it be configured somewhere?
    • We would also like to allow this to be configured in the Web.config, which involves modifying D:\Windows\System32\inetsrv\config\applicationHost.config - can this modification be automated too?

    We're using:

    Azure SDK 1.3
    Azure OS 2.1 (~Windows Server 2008 R2)

    • Moved by Steve Marx Tuesday, January 11, 2011 9:10 AM not a storage question (From:Windows Azure Platform - SQL Azure, Windows Azure Storage & Data)
    Monday, January 10, 2011 5:02 PM

All replies

  • Hi tjrobinson,

    You could use the elevated startup task to install the IIS module and change applicationHost.config file.

    For Unattended setup to install IIS7, please refer to this article

    http://learn.iis.net/page.aspx/133/using-unattended-setup-to-install-iis-70/

    For modifying applicationHost.config by command line, please refer to this article

    http://learn.iis.net/page.aspx/114/getting-started-with-appcmdexe

    Thanks,

    Mog Liang
    • Marked as answer by tjrobinson Wednesday, January 12, 2011 12:02 PM
    Tuesday, January 11, 2011 2:32 AM
  • Thanks, I'm almost there but having problems getting the role to deploy/start when I enable the startup task - it just goes into a loop of attempting to start, then recovering and trying again.

    My .csdef file is as below:

    <?xml version="1.0" encoding="utf-8"?>
    <ServiceDefinition name="MyWebRole" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
      <WebRole ...>
        ...
        <Startup>
          <Task commandLine="Startup\StartupTasks.cmd" executionContext="elevated" taskType="simple" />
        </Startup>
      </WebRole>
    </ServiceDefinition>

    And then I have an ANSI encoded .cmd file in the WebRole project (Build Action: None, Copy to Output Directory: Copy always):

    @echo off

    @echo Installing "IPv4 Address and Domain Restrictions" feature 
    %windir%\System32\ServerManagerCmd.exe -install Web-IP-Security

    @echo Unlocking configuration for "IPv4 Address and Domain Restrictions" feature 
    %windir%\system32\inetsrv\AppCmd.exe unlock config -section:system.webServer/security/ipSecurity

    @echo Getting the name for the WebRole site (note: assumes there is only one site)
    for /F "tokens=*" %%i in ('%windir%\system32\inetsrv\appcmd list site /text:name') do set sitename=%%i
    @echo The site name is %sitename%

    @echo Setting access restrictions for the Admin directory
    %windir%\system32\inetsrv\AppCmd.exe set config "%sitename%/Admin" /section:ipSecurity /allowUnlisted:false
    %windir%\system32\inetsrv\AppCmd.exe set config "%sitename%/Admin" /section:ipsecurity /+"[ipaddress='555.555.555.555',allowed='true']"

    However, this only works if I:

    • Comment out the <Startup> section of the .csdef file
    • Deploy to Azure
    • Remote desktop into both of the instances
    • Execute E:\approot\bin\Startup\StartupTasks.cmd from an elevated command prompt

    I'm not sure why this isn't working automatically via the <Startup> section.

    I'm sure the path to the .cmd file is correct because if I put anything else, Visual Studio fails when I publish, saying it can't find the .cmd file.

    Any ideas what could be causing the problem and how I can diagnose it? Is there a time limit for startup tasks - the .cmd file takes a good few minutes to run. Though I did one test with an empty .cmd file and it still seemed to fail.

    If it helps, I've attempted a deployment (Deployment ID: a9b3c31e9ad04d97a593c00ec308afca) with the Startup section enabled.
    • Edited by tjrobinson Tuesday, January 11, 2011 4:34 PM Formatting
    Tuesday, January 11, 2011 4:32 PM
  • I don't think the site has been created yet when your startup task is run.  You might have to do some of this in OnStart in WebRole.cs instead (and run the role elevated).

    One debugging technique I use is to make the startup task "background" instead of "simple", have it log the output of commands to log files (e.g. ">>log.txt 2>>err.txt" at the end of every command), and then RDP in to take a look at what happened.

    • Marked as answer by tjrobinson Wednesday, January 12, 2011 12:02 PM
    Tuesday, January 11, 2011 10:34 PM
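    As an added example (not code from this thread or from the Azure SDK), this is what the OnStart approach Steve describes can look like: the role runs elevated only for RoleEntryPoint code, and by then the IIS site exists, so the ipSecurity entries that failed in the startup task can be written with Microsoft.Web.Administration. It assumes `<Runtime executionContext="elevated" />` in the .csdef, the SDK 1.3 site-name convention `<instance id>_Web`, constructed sample addresses, and that the Web-IP-Security feature is still installed by the elevated startup task.

```csharp
// Added example (not from the thread): set the /Admin ipSecurity restriction from
// WebRole.OnStart, where the IIS site already exists. Needs <Runtime executionContext="elevated" />
// in the .csdef and Microsoft.Web.Administration.dll; Web-IP-Security is still installed by the startup task.
using System;
using System.Diagnostics;
using Microsoft.Web.Administration;
using Microsoft.WindowsAzure.ServiceRuntime;

public class WebRole : RoleEntryPoint
{
    public override bool OnStart()
    {
        // Assumption: SDK 1.3 full-IIS web roles name the site "<instance id>_Web".
        string siteName = RoleEnvironment.CurrentRoleInstance.Id + "_Web";
        try
        {
            // Constructed sample allow list; replace with the real management addresses.
            ApplyAdminRestrictions(siteName, "/Admin", new[] { "203.0.113.10", "198.51.100.25" });
        }
        catch (Exception ex)
        {
            // Returning false recycles the instance rather than leaving /Admin open.
            Trace.TraceError("ipSecurity setup failed: {0}", ex);
            return false;
        }
        return base.OnStart();
    }

    // Writes a <location path="site/Admin"> ipSecurity block into applicationHost.config,
    // the same place 'appcmd set config' writes, so no 'appcmd unlock config' is needed.
    public static void ApplyAdminRestrictions(string siteName, string path, string[] allowedIps)
    {
        using (var manager = new ServerManager())
        {
            Configuration appHost = manager.GetApplicationHostConfiguration();
            ConfigurationSection ipSecurity =
                appHost.GetSection("system.webServer/security/ipSecurity", siteName + path);
            ipSecurity["allowUnlisted"] = false;          // deny everything not listed
            ConfigurationElementCollection entries = ipSecurity.GetCollection();
            entries.Clear();                               // same effect as <clear />
            foreach (string ip in allowedIps)
            {
                ConfigurationElement entry = entries.CreateElement("add");
                entry["ipAddress"] = ip;
                entry["allowed"] = true;
                entries.Add(entry);
            }
            manager.CommitChanges();
        }
    }
}
```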
  • Can we please stop giving the advice to run elevated - just because something in Azure isn't working as expected? You would never ever do that in on-premise situations and I think Microsoft in general was vocal enough in the last years that this is bad practice.

    At least add a disclaimer about the increased attack surface and other attack vectors/scenarios you might run into by using elevated execution.


    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Wednesday, January 12, 2011 5:03 AM
  • To clarify, running a web role elevated only runs your RoleEntryPoint code elevated, and that happens before the role goes out of the Busy state (so before you're receiving external traffic).  Assuming you only override OnStart, all the code that runs elevated stops before the website is even up.  I don't view that as a significant increase in the attack surface.
    Wednesday, January 12, 2011 7:30 AM
  • Ah OK - thanks for sharing another well kept secret with us ;) I thought this would change the security context of the web app.
    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Wednesday, January 12, 2011 11:48 AM
  • Thanks Steve, I didn't realise that but it does explain it. I managed to solve it by removing these lines from my StartupTasks.cmd:

    @echo Getting the name for the WebRole site (note: assumes there is only one site)
    for /F "tokens=*" %%i in ('%windir%\system32\inetsrv\appcmd list site /text:name') do set sitename=%%i
    @echo The site name is %sitename%

    @echo Setting access restrictions for the Admin directory
    %windir%\system32\inetsrv\AppCmd.exe set config "%sitename%/Admin" /section:ipSecurity /allowUnlisted:false
    %windir%\system32\inetsrv\AppCmd.exe set config "%sitename%/Admin" /section:ipsecurity /+"[ipaddress='555.555.555.555',allowed='true']"

    And instead configuring the restrictions in the Web.config:

    <location path="Admin">
      <system.webServer>
        <security>
          <ipSecurity allowUnlisted="false">
            <clear />
            <add allowed="true" ipAddress="555.555.555.555" />
            etc...
          </ipSecurity>
        </security>
      </system.webServer>
    </location>

    The deployment now works and correctly sets everything up :)

    • Marked as answer by tjrobinson Wednesday, January 12, 2011 12:02 PM
    Wednesday, January 12, 2011 12:00 PM
  • I tried to combine all the great information here into a HowTo blog post.  Hope this helps someone in the future.

    http://blog.liamcavanagh.com/2011/10/how-to-block-ip-addresses-in-windows-azure/

    Liam

    Sr. Program Manager, SQL Azure and Sync Framework - http://msdn.microsoft.com/sync/
    Monday, October 31, 2011 3:27 PM
  • Any idea how to implement ip-based blocking using the new Azure Webrole?  I tried going through your blog post, but I can't find options to do what you say in either the azure web interface, webmatrix 3, or visual studio 2012.
    Friday, May 03, 2013 3:05 PM