4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Not Logging Only Mode

Information

The IIS Dynamic IP Address Restrictions capability can be used to mitigate denial-of-service (DoS/DDoS) attacks in which a single client, or a small number of clients, floods the server with requests. It is complementary to the IP Address and Domain Restrictions lists, which are static allow/deny lists maintained manually by the administrator. Dynamic IP address filtering instead lets the administrator configure the server to block clients whose number of concurrent requests, or whose request rate over a time window, exceeds a specified threshold. The default Deny action returns an HTTP 403 Forbidden response to the blocked client. The feature also has a logging-only mode (enableLoggingOnlyMode) in which offending requests are logged but still served; this control requires that the restrictions actually enforce, not merely log.

Solution

1. Open IIS Manager.
2. Open the IP Address and Domain Restrictions feature.
3. Click Edit Dynamic Restrictions Settings...
4. Check the Deny IP Address based on the number of concurrent requests and the Deny IP Address based on the number of requests over a period of time boxes. The threshold values can be tuned as needed for your specific environment and traffic profile.
5. Ensure that the logging-only mode option is not checked, so that offending clients are blocked rather than only logged.
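The same change can be made and verified from PowerShell, which is preferable when many servers must be brought into compliance. The following is an added example, not part of the CIS/Tenable control text or of any Microsoft documentation. It assumes Windows Server with IIS and the IP and Domain Restrictions role service (Web-IP-Security) installed, and the threshold values it uses (20 concurrent requests, 200 requests per 1000 ms) are illustrative placeholders that must be tuned to the site's real traffic, as step 4 says. The function names Set-DynamicIpRestrictions and Test-DynamicIpRestrictions are this example's own.

```powershell
# Added example: configure and audit IIS Dynamic IP Address Restrictions with the
# WebAdministration module. Assumes IIS plus the Web-IP-Security role service:
#   Install-WindowsFeature Web-IP-Security
Import-Module WebAdministration

$Section = 'system.webServer/security/dynamicIpSecurity'

# Puts the server into the state this control requires: both dynamic restrictions
# enabled and logging-only mode OFF. The weak state the control flags is the same
# configuration with enableLoggingOnlyMode="true", which logs offenders but keeps
# serving them. Threshold values are example placeholders, not recommendations.
function Set-DynamicIpRestrictions {
    param(
        [int]$MaxConcurrentRequests = 20,     # placeholder value
        [int]$MaxRequests = 200,              # placeholder value
        [int]$IntervalMilliseconds = 1000     # placeholder value
    )
    # Enforce, do not just log.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter $Section -Name 'enableLoggingOnlyMode' -Value $false

    # Deny based on number of concurrent requests from one client IP.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter "$Section/denyByConcurrentRequests" -Name 'enabled' -Value $true
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter "$Section/denyByConcurrentRequests" -Name 'maxConcurrentRequests' -Value $MaxConcurrentRequests

    # Deny based on request rate over a time window from one client IP.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter "$Section/denyByRequestRate" -Name 'enabled' -Value $true
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter "$Section/denyByRequestRate" -Name 'maxRequests' -Value $MaxRequests
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter "$Section/denyByRequestRate" -Name 'requestIntervalInMilliseconds' -Value $IntervalMilliseconds

    # Keep the default deny action (HTTP 403). Other valid values are
    # AbortRequest, Unauthorized and NotFound.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter $Section -Name 'denyAction' -Value 'Forbidden'
}

# Audit: Compliant is $true only when at least one dynamic restriction is enabled
# AND logging-only mode is off. A server with both rules ticked in IIS Manager but
# logging-only mode still on reports Compliant = $false, which is the case the
# control title is about.
function Test-DynamicIpRestrictions {
    $cfg = Get-WebConfiguration -PSPath 'IIS:\' -Filter $Section
    $loggingOnly = [bool]$cfg.enableLoggingOnlyMode
    $concurrent  = [bool]$cfg.denyByConcurrentRequests.enabled
    $rate        = [bool]$cfg.denyByRequestRate.enabled
    [pscustomobject]@{
        LoggingOnlyMode   = $loggingOnly
        ConcurrentEnabled = $concurrent
        RateEnabled       = $rate
        DenyAction        = $cfg.denyAction
        Compliant         = (-not $loggingOnly) -and ($concurrent -or $rate)
    }
}

Set-DynamicIpRestrictions
Test-DynamicIpRestrictions
```

Two caveats when rolling this out. First, if IIS sits behind a load balancer or reverse proxy, every request arrives from the proxy's address, so the restriction would throttle the proxy itself rather than the abusive client; in that deployment also set the section's enableProxyMode attribute to true so IIS evaluates the client address from the X-Forwarded-For header instead. Second, the same settings can be applied without PowerShell with appcmd, for example `appcmd set config /section:system.webServer/security/dynamicIpSecurity /enableLoggingOnlyMode:false`, which is useful on hosts where the WebAdministration module is unavailable.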

Default Value:
By default, Dynamic IP Restrictions are not enabled: the denyByConcurrentRequests and denyByRequestRate elements both have enabled="false", so no clients are blocked regardless of request volume.

See Also

https://workbench.cisecurity.org/files/166

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5

Plugin: Windows

Control ID: c8d6dbcdea778b1353f3f80954f6ffed96992408c21f33271b9d22cfd5a0cf44