Develop Reference

restricting IP security

Having an issue with restricting IP security.
I have made a web.config file and placed it in the folder I am trying to restrict see below:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<ipSecurity allowUnlisted="false" enableProxyMode="true" denyAction="Forbidden">
<clear />
<add ipAddress="123.456.789" allowed="true" />
</ipSecurity>
</security>
</system.webServer>
</configuration>
I have also adjusted the applicationHost.config to:
<section name="ipSecurity" overrideModeDefault="Allow" />
However when browsing to a file in that folder I get a 403.
I have restarted IIS and IP address is correct.
What am I missing?

Check the client IP (c-ip) in IIS logs and add that to ip - restrictions rules.

How to load index.asp in IIS 7.5

I have a site/application I would like to load in IIS. The root of the folders contains a web.config and index.asp. The sub folders are asp, scripts, styles, images.
I add Add Web site in IIS, define the physical path to the location of the index.asp, assign the IP address for host name I tried local host, IP, and leaving it blank. When I click on Browse Website I receive a HTTP 500 Internal Server Error. IIS is running and the Web Site is started in the Manage Website menu.
If I write a short index.html hello world page and set it as default document it displays ok. When I change default document back to index.asp I get the 500 error again.
Could someone give me a tip on how to proceed?
Here is my web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
<system.webServer>
<defaultDocument>
<files>
<add value="index.asp" />
</files>
</defaultDocument>
</system.webServer>
</configuration>

This is going to be a guess at best, since a 500 can mean anything without a sub-status code. It probably is due to configuration inheritance. index.asp is already in the default list of default documents at the server level. By adding index.asp, it may be causing a unique hey violation when the configuration inheritance is flattened into the effective configuration.
Suggestion:
Add a <clear /> element right above the <add value="index.asp" /> and try again. Otherwise, we will need to go get the sub status code of that 500 to get more information. The IIS log usually contains the sub status in the sc-substatus.
Resulting Configuration
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
<system.webServer>
<defaultDocument>
<files>
<clear />
<add value="index.asp" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
If this works, then the reason it originally works with index.html because index.html is not in the default files list.
Additional Note
The other thing I can think of is that impersonation being enabled. If you are running the application pool in Integrated Pipeline mode, you'll need to turn off integrated mode configuration validation. More information can be found here: Integrated Pipeline mode configuration validation.
New Resulting Configuration
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="False" />
<defaultDocument>
<files>
<clear />
<add value="index.asp" />
</files>
</defaultDocument>
</system.webServer>
</configuration>

Sitecore Content Delivery security hardening admin folder

We are using azure webapps for sitecore infrastructure.
We need to apply security hardening on CD i.e. disable the sitecore client access. I had a look at security hardening guide which mentions about disabling annonymous access to sitecore/admin access.
https://doc.sitecore.net/sitecore_experience_platform/security_hardening/deny_anonymous_users_access_to_a_folder
However this is not possible in Azure web-apps as we don't have access to IIS.
What's the best way to resolve this?

Another option is to use request filters. See https://sitecorecommerce.wordpress.com/2015/11/19/block-access-to-sitecore-folder-for-content-delivery-with-requestfilters/
Here's the relevant config from the post:
<system.webServer>
<security xdt:Transform ="Replace" >
<requestFiltering>
<denyUrlSequences>
<add sequence ="/sitecore/" />
<add sequence ="/_Dev/" />
</denyUrlSequences>
</requestFiltering>
</security>
</system.webServer>
Additional references are available here: https://www.iis.net/configreference/system.webserver/security/requestfiltering

you can configure the security configurations in the web.config for your Sitecore CD server. E.g. Add this configuration under the root element at the end of your web.config.
<location path="App_Config">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
</authentication>
<authorization>
<add accessType="Deny" users="*" />
</authorization>
</security>
</system.webServer>
</location>

How do I enable directory listing in a specific IIS folder via web.config?

I have this as my web.config in my images folder:
<configuration>
<system.webServer>
<directoryBrowse enabled="true" />
</system.webServer>
</configuration>
But no dice.
Any help?

On IIS 7 and above you could use the following.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<directoryBrowse enabled="true" />
</system.webServer>
</configuration>
On IIS 6 you'll have to configure it via IIS Manager.

How to configure static content cache per folder and extension in IIS7?

I would like to set up rules in IIS7 for static content caching in my ASP.NET website.
I have seen these articles, which details how to do it using the <clientCache /> element in web.config:
Client Cache <clientCache> (IIS.NET)
Add Expires or Cache Control Header to static content in IIS (Stack Overflow)
However, this setting appears to apply globally to all static content. Is there a way to do this just for certain directories or extensions?
For example, I may have two directories which need separate cache settings:
/static/images
/content/pdfs
Is it possible to set up rules for sending cache headers (max-age, expires, etc) based on extensions and folder paths?
Please note, I must be able to do this via web.config because I don't have access to the IIS console.

You can set specific cache-headers for a whole folder in either your root web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<!-- Note the use of the 'location' tag to specify which
folder this applies to-->
<location path="images">
<system.webServer>
<staticContent>
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="00:00:15" />
</staticContent>
</system.webServer>
</location>
</configuration>
Or you can specify these in a web.config file in the content folder:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<staticContent>
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="00:00:15" />
</staticContent>
</system.webServer>
</configuration>
I'm not aware of a built in mechanism to target specific file types.

You can do it on a per file basis. Use the path attribute to include the filename
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<location path="YourFileNameHere.xml">
<system.webServer>
<staticContent>
<clientCache cacheControlMode="DisableCache" />
</staticContent>
</system.webServer>
</location>
</configuration>

I had the same issue.For me the problem was how to configure a cache limit to images.And i came across this site which gave some insights to the procedure on how the issue can be handled.Hope it will be helpful for you too
Link:[https://varvy.com/pagespeed/cache-control.html]