Secure the Umbraco Folder in IIS

A simple way to secure the Umbraco folder to allow specified IP addresses only

Seann Hicks

Saturday, October 5, 2019

Why should we control access to the Umbraco Folder?

The Umbraco folder in a site is the content authoring and administration entry point to your site.  Serving your Umbraco site with HTTPS is critical to securing the login, but HTTPS alone isn't enough to keep the CMS secure.

Digital security is all about reducing the attack surface, the open technology landscape of your web site including the infrastructure, OS, network and application.  Restricting the Umbraco admin portal to only allow specific IP addresses help reduce this attack surface.

Obscuring the technology that is behind your site also helps protect it.


You'll need the IP address or address range (or ranges) that you want to restrict.  For this example I'm using the VM that hosts this site.  It's a Windows Server 2019 Azure VM with Umbraco 7.7.1.  But this setup works with older versions of Server and IIS.  The formal documentation is here IIS IP Security

Setup IIS for IP Restrictions

IP Security is not installed in IIS by default, to add it open Server Manager.  Select "Manage" in the top right corner and select "Add Roles and Features".  The Installation Type is "Role-based of feature-based installation".  Select the server onto which to install this feature.

Under "Server Roles" add the IP and Domain Restrictions feature into IIS.  It is under Web Server (IIS)->Web Server->Security.

 IIS IP Security Screen Shot

Add Restrictions on the Umbraco Folder in IIS

The easiest way to add IP restrictions is through the IIS front end.  Open IIS and navigate to the "umbraco" folder in your site.

 IIS Screen showing Umbraco folder and IP Restrictions app

With the "umbraco" folder selected, open the IP Address and Domain Restrictions applet.  By default the IP restrictions are set to allow all.  If you add IP address with the default configuration, IIS will assume that you want to block those IP addresses.  This isn't what we want. To reverse this behaviour, select "Edit Feature Settings...".  Change the "Access  for unspecified clients" to "Deny" and set the "Deny Action Type".  I have chosen a 404 response.  Anyone that attempts to access the umbraco page without being white-listed will receive a 404.

You are now setup to start white-listing IP addresses.  In my case, I have added the loopback address so that I can test the Umbraco back end from the server.  I have also added my office IP address.  A range can be specified by including a sub-net mask.  CIDR format does not seem to be available yet.

All of these settings can be specified in the web.config in case you are running a Umbraco in an Azure App Service.  Check the Microsoft documentation for these settings.

Good Luck!

Photo by Jason Blackeye on Unsplash