DEV Community

Arina Cholee
Arina Cholee

Posted on

Protecting IIS on Windows Server with SafeLine (Beginner-Friendly Guide)

#websecurity #cybersecurity #waf #safeline

If you run internal systems like OA / ERP / intranet apps on Windows Server + IIS, you’ve probably hit the same wall many traditional IT teams face:

  • Most WAF tutorials assume Linux
  • Commands everywhere, Docker CLI, Nginx configs
  • Fear of breaking IIS or taking down production

I’ve been there too.

After trying (and abandoning) several options, I finally found a setup that works cleanly on Windows without deep Linux knowledge: SafeLine WAF on Windows Server.

Who This Is For

This guide is ideal if you are:

  • Running Windows Server 2019 / 2022
  • Using IIS to host internal or public web apps
  • New to WAFs or security tooling
  • Looking for a low-risk, low-cost way to add protection

No Linux background required.

The Core Problem: Why IIS on Windows Is Hard to Protect

In many traditional companies:

  • IIS apps are deployed years ago
  • No reverse proxy
  • No WAF
  • Security is added only after an audit or incident

Common solutions don’t help much:

Option Problem
Linux-based WAF Tutorials don’t translate to Windows
Commercial WAFs Expensive, complex licensing
IIS plugins Too basic, easy to bypass

What we need is:

  • Runs on Windows
  • Doesn’t replace IIS
  • Minimal configuration
  • Visual UI instead of endless commands

That’s where SafeLine fits.

What Is SafeLine (Plain English)

SafeLine is a Web Application Firewall (WAF).

In simple terms, it sits in front of your website and:

  • Inspects incoming HTTP requests
  • Blocks attacks like SQL injection, XSS, bots, scanners
  • Lets normal users through without noticing anything

Think of it as a security checkpoint between users and IIS.

On Windows, SafeLine runs inside Docker, so it stays isolated and won’t mess up your system.

Architecture (No Jargon) 


User → SafeLine WAF → IIS → Web App
Enter fullscreen mode Exit fullscreen mode
  • IIS stays unchanged
  • SafeLine handles traffic filtering
  • If SafeLine stops, IIS is still intact

Step-by-Step: Install SafeLine on Windows Server

Step 1: Install Docker Desktop (≈10 minutes)

SafeLine runs as a container, so Docker is required.

  1. Download Docker Desktop for Windows Server
  2. Install with default options
  3. Reboot
  4. Open Docker Desktop
  5. Wait until the status icon turns green

What is Docker?

Docker lets you run software in a self-contained environment so it doesn’t affect your system directly.

If Docker complains about WSL:

  • Enable Windows Subsystem for Linux
  • Reboot again

Step 2: Start SafeLine (2 Commands Only)

Open PowerShell as Administrator and paste:

docker run -d `
  --name safeline `
  -p 80:80 -p 443:443 `
  --restart=always `
  safeline/waf:windows
Enter fullscreen mode Exit fullscreen mode

Then get the initial password:

docker logs safeline
Enter fullscreen mode Exit fullscreen mode

Look for Initial password.

That’s it.

No config files.
No YAML.
No Linux shell.

Step 3: Access the SafeLine Dashboard

Open your browser:

  • Local: http://localhost
  • Remote: http://<server-ip>

Login with:

  • Username: admin
  • Password: from the logs

You’ll be asked to change the password on first login.

Connecting IIS (No IIS Changes Required)

Inside SafeLine dashboard:

  1. Go to Website Management
  2. Click Add Website
  3. Fill in:
Field What to Enter
Site Name Any name
Domain Your internal domain or IP
Backend Address IIS server IP
Backend Port IIS port (usually 80)

Save.

Within seconds, SafeLine starts protecting traffic without restarting IIS.

Beginner-Friendly Security Tweaks (Highly Recommended)

1. Restrict Access to Internal IPs

If your app is internal only:

  • Go to Access Control
  • Add your LAN range (example: 192.168.1.0/24)
  • Block all non-whitelisted IPs

This alone stops most automated attacks.

2. Protect Admin Paths

Most IIS apps expose URLs like:

  • /admin
  • /manage
  • /login

Enable high-strength protection for these paths and set:

  • Lock IP after multiple failed logins
  • Temporary ban duration

No scripting required.

Common Windows-Only Issues (And Fixes)

Docker Won’t Start

  • Run Docker Desktop as Administrator
  • Enable Hyper-V if needed

Port 80 Conflict with IIS

  • Temporarily stop IIS service
  • Start SafeLine
  • Re-enable IIS afterward

Login Fails After Enabling WAF

  • Enable Preserve Original Headers in HTTP settings

Why This Works Well for Windows Teams

From real usage:

  • No Linux learning curve
  • IIS remains untouched
  • Visual configuration
  • Easy rollback
  • Suitable for audits

For teams without dedicated security engineers, this matters.

Final Thoughts

If you’re responsible for a Windows Server + IIS environment and feel stuck between:

  • “Too complex”
  • “Too expensive”
  • “Too risky”

SafeLine is a practical middle ground.

You can go from zero protection to real WAF coverage in under 30 minutes — without rewriting your infrastructure.

For Windows-first environments, that’s a big win.

If you’re new to WAFs and want security without the Linux headache, this setup is absolutely worth trying.

Official Website: https://safepoint.cloud/landing/safeline

Top comments (0)