Posted 31 Jul 2003

How to Programmatically add IP Addresses to IIS's Deny Access List using C# and WMI

An article that shows the basic steps for programmatically adding an IP address to the IIS deny access list.


Over the course of a few days, I've been spending a lot of time trying to secure my personal web server. I have used the IISLockDown tool and installed the latest URLScan. Since that time, I've been looking through my IIS logs and have found entries where people have been attempting to get into my system, either intentionally or because they've fallen victim to a "worm" or virus. It's annoying to see so many entries in my logs of where attacks have occurred.

So, one day as I was browsing other sites similar to CodeProject, I came across a snippet of code someone wrote to automatically report abuse to the ISP that owns the IP address of where the attack originated from. So, after modifying the code quite a bit to fit my needs, I got it up and running. Of course, the next thing I wanted to do was to ban these reported IP addresses from my site, hence this article.

Before I go any further, let me state that there are a few downsides with the approach I'm taking here to add additional "security" to my personal web server:

  1. Only the "kid" hackers using daddy's computer will get caught, because they don't spoof their IP addresses.
  2. The prevalence of dynamic IPs foils the blocking of reported IPs attempting to be malicious.
  3. This does nothing for new types of attacks, since this solution is dependent on what URLScan knows.
  4. It's a reactive response to an attack that has already occurred.

With that said, it was still an interesting exercise.

The Catch

In order to gain access to the IIS server for my project, you have to use Windows Management Instrumentation (WMI) and Active Directory Service Interfaces (ADSI). For a general overview of these two items, refer to the MSDN website.

Since I've never worked with WMI, the first thing I did was look for examples. I found a few, but the ones I found were in VBScript. I'm not sure why, other than administrators wanting to write a few quick scripts to get something done, or maybe it has something to do with the fact that you have to use late binding. I've had to work with objects that were late bound in ATL, and it was not fun. VB/VBScript makes it quite easy to do (which may be why I saw so many examples in VB). Anyway, I've never really had to do anything with late binding in C#, so it took me a few minutes to get acquainted with it. For those of you not familiar with early vs late binding, check here for an explanation:

Parameter passing and method execution are lots of fun when late binding is involved and you're not used to it.

The Code

using System;
using System.IO;
using System.Collections;
using System.DirectoryServices;
using System.Reflection;

namespace soccerwrek
{
    class IISWMI
    {
        // Placeholder (assumption): the ADSI path is missing from the article
        // text. This is the usual form for the root of the first web site;
        // adjust it for your server.
        const string MetabasePath = "IIS://localhost/W3SVC/1/Root";

        static void Main(string[] args)
        {
            try
            {
                // retrieve the directory entry for the root of the IIS server
                System.DirectoryServices.DirectoryEntry IIS =
                    new System.DirectoryServices.DirectoryEntry(MetabasePath);

                // retrieve the list of currently denied IPs
                Console.WriteLine(
                    "Retrieving the list of currently denied IPs.");

                // get the IPSecurity property (a late-bound COM object)
                Type typ = IIS.Properties["IPSecurity"][0].GetType();
                object IPSecurity = IIS.Properties["IPSecurity"][0];

                // retrieve the IPDeny list from the IPSecurity object
                Array origIPDenyList = (Array) typ.InvokeMember("IPDeny",
                    BindingFlags.DeclaredOnly |
                    BindingFlags.Public | BindingFlags.NonPublic |
                    BindingFlags.Instance | BindingFlags.GetProperty,
                    null, IPSecurity, null);

                // display what was being denied
                foreach (string s in origIPDenyList)
                    Console.WriteLine("Before: " + s);

                // check GrantByDefault.  This has to be set to true,
                // or what we are doing will not work.
                bool bGrantByDefault = (bool) typ.InvokeMember("GrantByDefault",
                    BindingFlags.DeclaredOnly |
                    BindingFlags.Public | BindingFlags.NonPublic |
                    BindingFlags.Instance | BindingFlags.GetProperty,
                    null, IPSecurity, null);

                Console.WriteLine("GrantByDefault = " + bGrantByDefault);

                // Note: if this was false, the site was allowing only listed
                // addresses; setting it to true allows everyone not denied.
                if (!bGrantByDefault)
                {
                    typ.InvokeMember("GrantByDefault",
                        BindingFlags.DeclaredOnly |
                        BindingFlags.Public | BindingFlags.NonPublic |
                        BindingFlags.Instance | BindingFlags.SetProperty,
                        null, IPSecurity, new object[] {true});
                }

                // update the list of denied IPs.  This is a
                // complete replace.  If you want to maintain what
                // was already being denied, you need to make sure
                // those IPs are in here as well.  This area
                // will be where you will most likely modify to
                // your needs as this is just an example.
                // The article's original addresses are missing from the page;
                // the entries below are placeholders (documentation addresses)
                // in the "address, subnet mask" form.
                Console.WriteLine("Updating the list of denied IPs.");
                object[] newIPDenyList = new object[4];
                newIPDenyList[0] = "192.0.2.1, 255.255.255.255";
                newIPDenyList[1] = "192.0.2.2, 255.255.255.255";
                newIPDenyList[2] = "198.51.100.1, 255.255.255.255";
                newIPDenyList[3] = "203.0.113.1, 255.255.255.255";
                Console.WriteLine("Calling SetProperty");

                // add the updated list back to the IPSecurity object
                typ.InvokeMember("IPDeny",
                    BindingFlags.DeclaredOnly |
                    BindingFlags.Public | BindingFlags.NonPublic |
                    BindingFlags.Instance | BindingFlags.SetProperty,
                    null, IPSecurity, new object[] {newIPDenyList});
                IIS.Properties["IPSecurity"][0] = IPSecurity;
                Console.WriteLine("Committing the changes.");

                // commit the changes
                IIS.CommitChanges();

                // check to see if the update took
                Console.WriteLine("Checking to see if the update took.");
                IPSecurity = IIS.Properties["IPSecurity"][0];
                Array y = (Array) typ.InvokeMember("IPDeny",
                    BindingFlags.DeclaredOnly |
                    BindingFlags.Public | BindingFlags.NonPublic |
                    BindingFlags.Instance | BindingFlags.GetProperty,
                    null, IPSecurity, null);
                foreach (string s in y)
                    Console.WriteLine("After:  " + s);
            }
            catch (Exception e)
            {
                Console.WriteLine("Error: " + e.ToString());
            }
        }
    }
}
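
Because writing IPDeny is a complete replace, a careless update silently unblocks every address that was denied before. The following is an added example, not the author's code: a hypothetical helper, `DenyListMerger.Merge`, that builds the replacement array from the existing list plus new addresses and rejects anything that is not a valid IPv4 address. It assumes entries take the "address, subnet mask" form; the sample addresses are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Sockets;
static class DenyListMerger   // hypothetical helper, not part of the article
{
    // IPAddress.TryParse also accepts shorthand such as "1"; require four octets.
    static bool TryParseV4(string s, out IPAddress addr) =>
        IPAddress.TryParse(s, out addr) && s.Split('.').Length == 4
        && addr.AddressFamily == AddressFamily.InterNetwork;

    // "a.b.c.d" or "a.b.c.d, mask" -> "a.b.c.d, mask"; null if not valid IPv4.
    static string Normalize(string entry)
    {
        string[] parts = (entry ?? "").Split(',');
        if (parts.Length > 2) return null;
        string m = parts.Length == 2 ? parts[1].Trim() : "255.255.255.255";
        IPAddress ip, mask;
        if (!TryParseV4(parts[0].Trim(), out ip) || !TryParseV4(m, out mask)) return null;
        return ip + ", " + mask;
    }

    // Returns the whole array to write back to IPDeny: every existing entry,
    // unchanged, then each valid addition that is not already present.
    public static object[] Merge(Array existing, IEnumerable<string> additions, List<string> rejected)
    {
        var seen = new HashSet<string>();
        var merged = new List<object>();
        foreach (string raw in existing)   // same cast the article's loop uses
            if (seen.Add(Normalize(raw) ?? raw)) merged.Add(raw);
        foreach (string a in additions)
        {
            string n = Normalize(a);
            if (n == null) rejected.Add(a); else if (seen.Add(n)) merged.Add(n);
        }
        return merged.ToArray();
    }

    static void Main()
    {
        // Constructed sample data (RFC 5737 documentation addresses).
        Array current = new object[] { "192.0.2.10, 255.255.255.255" };
        var bad = new List<string>();
        object[] next = Merge(current, new[] { "198.51.100.7", "192.0.2.10",
            "not-an-ip", "203.0.113.0, 255.255.255.0" }, bad);
        foreach (object e in next) Console.WriteLine("Deny: " + e);
        foreach (string r in bad) Console.WriteLine("Rejected: " + r);
    }
}
```

In the article's listing, pass `origIPDenyList` as `existing` and hand the returned array to the `IPDeny` SetProperty call in place of `newIPDenyList`.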

In Closing

As you can see it's not terribly difficult or complicated. The hardest part of this exercise is just looking up what you need to know and putting it all together.


This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.



About the Author

Scott Burgett
Web Developer
United States
Currently a manager at a healthcare IT company, I've spent the last 7 years managing a variety of projects that range from web based kiosk applications to larger transaction based applications. Previously, I spent 8 years as a software engineer developing messaging, image editing, web based applications, and mainframe applications.


Comments and Discussions

Thanks! (Xanadu2000, 23-Mar-04 10:46)
I spent my day looking at many websites about WMI and ADSI, probably the same you initially went to, trying to figure out VBScript (which I know nothing of), finding your site and deleting all my attempts at .vbs files for going back to C#... this was exactly what I was looking for, and it works great. Thanks a lot.

Last Updated 1 Aug 2003
Article Copyright 2003 by Scott Burgett
Everything else Copyright © CodeProject, 1999-2018