4.11 Ensure 'Dynamic IP Address Restrictions' is enabled

Information

The IIS Dynamic IP Address Restrictions capability can be used to thwart DDoS attacks. It is complementary to the IP Address and Domain Restrictions lists that can be manually maintained within IIS. In contrast to those static lists, Dynamic IP address filtering allows administrators to configure the server to block access for IPs that exceed a specified request threshold. The default Deny action for restrictions is to return a Forbidden response to the client.

Rationale:

Dynamic IP address filtering allows administrators to configure the server to block access for IPs that exceed the specified number of concurrent requests or the specified request rate. Ensure that you receive the Forbidden page once the block has been enforced.

Solution

1. Open IIS Manager.
2. Open the IP Address and Domain Restrictions feature.
3. Click Edit Dynamic Restrictions Settings...
4. Check the 'Deny IP Address based on the number of concurrent requests' and the 'Deny IP Address based on the number of requests over a period of time' boxes. The values can be tweaked as needed for your specific environment.
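The same settings can be audited and applied from PowerShell with the IIS WebAdministration module. The script below is an added example, not part of the benchmark or of Tenable's audit; it assumes server-level scope (applicationHost.config) and uses illustrative threshold values that should be tuned per environment.

```powershell
# Added example: audit and remediate IIS Dynamic IP Restrictions at server level.
# Requires the IP and Domain Restrictions role service (Web-IP-Security) and
# the WebAdministration module. Threshold values are illustrative assumptions.
Import-Module WebAdministration

$filter = 'system.webServer/security/dynamicIpSecurity'
$pspath = 'MACHINE/WEBROOT/APPHOST'   # server-level applicationHost.config

function Test-DynamicIpRestrictions {
    # Returns $true only when both dynamic deny rules are enabled and
    # enforcement is real (logging-only mode would log but never deny).
    $root       = Get-WebConfiguration -Filter $filter -PSPath $pspath
    $concurrent = Get-WebConfiguration -Filter "$filter/denyByConcurrentRequests" -PSPath $pspath
    $rate       = Get-WebConfiguration -Filter "$filter/denyByRequestRate" -PSPath $pspath

    return ([bool]$concurrent.enabled) -and
           ([bool]$rate.enabled) -and
           (-not [bool]$root.enableLoggingOnlyMode)
}

function Enable-DynamicIpRestrictions {
    param(
        [int]$MaxConcurrentRequests = 5,     # illustrative value
        [int]$MaxRequests           = 20,    # illustrative value
        [int]$IntervalMilliseconds  = 200    # illustrative window
    )

    # Deny based on the number of concurrent requests from one client IP.
    Set-WebConfigurationProperty -Filter "$filter/denyByConcurrentRequests" -PSPath $pspath `
        -Name enabled -Value $true
    Set-WebConfigurationProperty -Filter "$filter/denyByConcurrentRequests" -PSPath $pspath `
        -Name maxConcurrentRequests -Value $MaxConcurrentRequests

    # Deny based on the number of requests over a period of time.
    Set-WebConfigurationProperty -Filter "$filter/denyByRequestRate" -PSPath $pspath `
        -Name enabled -Value $true
    Set-WebConfigurationProperty -Filter "$filter/denyByRequestRate" -PSPath $pspath `
        -Name maxRequests -Value $MaxRequests
    Set-WebConfigurationProperty -Filter "$filter/denyByRequestRate" -PSPath $pspath `
        -Name requestIntervalInMilliseconds -Value $IntervalMilliseconds

    # Enforce (not just log) and keep the Forbidden response the text expects.
    Set-WebConfigurationProperty -Filter $filter -PSPath $pspath -Name enableLoggingOnlyMode -Value $false
    Set-WebConfigurationProperty -Filter $filter -PSPath $pspath -Name denyAction -Value 'Forbidden'
}

if (-not (Test-DynamicIpRestrictions)) { Enable-DynamicIpRestrictions }
Test-DynamicIpRestrictions   # expected to return True after remediation
```

Run from an elevated PowerShell session on the IIS host; use a site path such as `IIS:\Sites\Default Web Site` for `$pspath` to scope the rules to a single site instead of the whole server.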

Default Value:

By default Dynamic IP Restrictions are not enabled.

See Also

https://workbench.cisecurity.org/benchmarks/14293

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5

Plugin: Windows

Control ID: 44d35be67640138c4b2ee0c9e154e514943d4e6656f65c232e87ad12b6c577bf