IIS : Disable HTTP access

I have a series of web services that are exposed to the world via IIS. The problem is I only want users to have HTTPS access to these.

At the moment everything is working fine, however users can access services via HTTP (port 80) and HTTPS (port 443). Using the IIS manager I have attempted to remove port 80, however it will not allow me to do this.

So the question is, how can I close of HTTP access within IIS?

I don’t think you can without shutting off the service entirely. Sounds more like you need a router blocking the incoming traffic to your network for ports 80/443.

I had a horrible feeling this is the answer I would find

The problem is compunded by the fact that I have a series of other services etc that are hosted on the same IIS instance. These other services are, by design and specification, accessible via standard HTTP. So at the moment I am protecting the “special” services by doing checks in code to ensure the connection is SSL, however I would have preferred to do this within IIS itself.

what about using an index.asp(x) file to redirect all http traffic to the https address? (sorry, coffee hadn’t kicked in yet when i posted earlier)

Sorry, that is dead wrong. Fix is easy–under the Directory Security tab of the website or virtual directory in question, click Edit in the Secure Communications area. Then check the “require secure channel” box. Bingo–SSL only access is enforced.

You should probably backstop this stuff in code–do you trust your IIS admin completely? It is not particularly hard to do so in asp.net. Just force a check for SSL in Application_BeginRequest event handler. Bonus points for making it a configuration-driven check.