Create a Deny Rule for URL Authorization (IIS 7)
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Create a Deny rule when you want to prevent access to Web content for specific roles, groups, or users. If you want to further restrict the actions a client request can take, you can also specify that the server will only evaluate this rule when the client attempts to use certain HTTP verbs—for example, GET or POST.
For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see URL Authorization Feature Requirements (IIS 7).
Exceptions to Feature Requirements
To create a Deny rule for URL authorization
You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.
To use the UI
Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).
In Features View, double-click Authorization Rules.
In the Actions pane, click Add Deny Rule.
In the Add Deny Authorization Rule dialog box, select one of the following types of access:
All users, specifies that all users, whether they are anonymous or identified, can access the content.
All anonymous users, specifies that anonymous users can access the content.
Specified roles or user groups, specifies that only members of certain roles or user groups can access the content. Type the role or user group in the text box.
Specified users, specifies that only certain users can access the content. Type the user ID in the text box.
Optionally, check Apply this rule to specific verbs if you want to require that the users, roles, or groups allowed to access the content can only use a specific list of HTTP verbs. Type those verbs in the text box.
To create a Deny rule for URL authorization, use the following syntax:
appcmd set config /section:system.webServer/security/authorization /+"[accessType='Deny',roles='string',users='string',verbs='string']"
The variable users string is a single user or a list of users, each separated by a comma. The variable roles string is a single role or a list of roles, each separated by a comma. The variable verbs string is a single verb or a list of verbs, each separated by a comma. For example, to create a Deny rule for all users, type the following at the command prompt, and then press ENTER:
appcmd set config /section:system.webServer/security/authorization /+"[accessType='Deny',users='*']"
To create a Deny rule for anonymous users, type the following at the command prompt, and then press ENTER:
appcmd set config /section:system.webServer/security/authorization /+"[accessType='Deny',users='?']"
To create a Deny rule for the Admin and Guest roles as well as User1 and User2, then apply that rule to the
POST verbs, type the following at the command prompt, and then press ENTER:
appcmd set config /section:system.webServer/security/authorization /+"[accessType='Deny',roles='Admin,Guest',users='User1,User2',verbs='GET,POST']"
For more information about Appcmd.exe, see Appcmd.exe (IIS 7).
The procedure in this topic affects the following configuration elements:
<add> under <authorization>
For more information about IIS 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.
Use the following WMI classes, methods, or properties to perform this procedure:
For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.