Wednesday, January 30, 2008

Blocking Anonymous Access to IIS

Most Web servers on the Internet are set up for anonymous access, but that usually isn't the first choice for a Web server running on your own system. If you're the only person planning to use the server, you should disable anonymous access. You don't incur the inconvenience of entering passwords, because when you go to your local Web site (using http://localhost) Internet Explorer automatically logs you in using your current user name and password.

To disable anonymous access in IIS, open the Internet Information Services console. Right-click Default Web Site and choose Properties. On the Directory Security tab, click Edit in the Anonymous Access And Authentication Control box. In the Authentication Methods dialog box, shown in Figure 17-12, clear the Anonymous Access check box.


Figure 17-12. For the best security, disable anonymous access to your IIS server and do not enable Basic Authentication.
Integrated Windows Authentication was previously named NT Challenge Response, and the old name provides a clue to how it works. Instead of a client sending an actual password over the network, the server sends the client a "challenge phrase" consisting of some bytes of data. The server sends a different challenge phrase each time, but the actual content isn't important. The client takes the challenge phrase, modifies it using the password as a key, and then sends the modified challenge phrase back to the server as the response. Meanwhile, the server has performed the same calculation on its end, using the password that it expects from the client. If the response sent by the client matches the server's calculated value, the two must have used the same password to perform the calculation, and permission is granted.

Basic Authentication takes the direct and insecure approach. The user name and password are sent across the network essentially in plain-text form. Anyone with network monitoring software can pick up this information and use it at any time to log in to the server. An attacker can obtain this information in several other ways, even without network monitoring. For example, a proxy server could cache this information and it could be retrieved if the security of the proxy was compromised.

Since Basic Authentication is so insecure, you should avoid turning it on for your server. However, you might encounter situations in which you can't avoid it. Only Internet Explorer supports Integrated Windows Authentication. If you turn off anonymous access to the Web site and don't turn on Basic Authentication, users with browsers other than Internet Explorer will receive the error message "HTTP 401.2 - Unauthorized: Logon failed due to server configuration" when they go to your site. (This is confusing but technically correct; the server configuration issue is the lack of Basic Authentication.)
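The two paragraphs above contrast a challenge-response exchange, where only a password-derived transformation of a fresh challenge crosses the wire, with Basic Authentication, where the credentials themselves do. The following Python script is an added illustration, not code from the original article and not the real NTLM algorithm: it uses a toy key derivation (SHA-256 of the password) and HMAC over a random challenge to show why a captured response cannot be replayed against a later challenge, and then shows that a Basic `Authorization` header is only base64, so whoever sees it recovers the user name and password unchanged. All credentials are constructed sample values.

```python
import base64
import hashlib
import hmac
import os


# --- Simplified challenge/response (illustration only; NOT the real NTLM algorithm) ---
# Both sides hold the password; the password itself never crosses the wire.

def derive_key(password: str) -> bytes:
    """Both sides derive the same key from the password (toy: SHA-256 of the password)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def server_new_challenge() -> bytes:
    """The server sends fresh random bytes; their content does not matter,
    only that they differ on every logon attempt."""
    return os.urandom(16)


def client_response(password: str, challenge: bytes) -> bytes:
    """The client transforms the challenge using the password-derived key."""
    return hmac.new(derive_key(password), challenge, hashlib.sha256).digest()


def server_verify(expected_password: str, challenge: bytes, response: bytes) -> bool:
    """The server performs the same calculation with the password it expects
    and compares the two results in constant time."""
    expected = hmac.new(derive_key(expected_password), challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


# --- Basic Authentication: the header is only base64, i.e. fully reversible ---

def basic_header(username: str, password: str) -> str:
    """Build the header a browser sends for Basic Authentication."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def credentials_from_basic_header(header: str) -> tuple:
    """Anyone who can read the header (network monitor, proxy cache) gets the
    credentials back: no key and no secret is involved in base64."""
    token = header.split("Basic ", 1)[1].strip()
    user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pw


def demo() -> tuple:
    """Run one challenge/response logon, a wrong-password attempt, a replay of an
    old response against a new challenge, and a Basic header round trip."""
    user, pw = "alice", "correct horse"          # constructed sample credentials

    c1 = server_new_challenge()
    r1 = client_response(pw, c1)
    accepted = server_verify(pw, c1, r1)          # same password on both ends -> True
    wrong_pw = server_verify("other", c1, r1)     # different password -> False

    c2 = server_new_challenge()
    replayed = server_verify(pw, c2, r1)          # old response, new challenge -> False

    header = basic_header(user, pw)
    recovered = credentials_from_basic_header(header)   # ("alice", "correct horse")
    return accepted, wrong_pw, replayed, recovered


if __name__ == "__main__":
    print(demo())
```

The replay check is the property the article's description of a changing challenge phrase buys you: a response observed on the wire is bound to one challenge and is worthless after the server issues another. The Basic round trip shows the opposite: there is nothing to bind, so the same header works for as long as the password is valid, which is why the text recommends leaving Basic Authentication off unless it is unavoidable.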

TIP
--------------------------------------------------------------------------------

Use Internet Explorer's automatic logon feature

If you frequently access an IIS Web server on another system on your local network, you can avoid constantly typing your user name and password, even when you've disabled anonymous access in IIS. On the system running IIS, create a user with the same user name and password as the one you'll be using on the remote system. With its standard default settings, Internet Explorer will then automatically log on using your current user name and password, no prompting required. If you still receive prompts in Internet Explorer, select Tools, Internet Options, Security and select the Local Intranet zone. Click the Sites button and select the Include All Local (Intranet) Sites Not Listed In Other Zones check box. Click OK, and then click the Custom Level button and scroll to the bottom of the list. Under User Authentication, select Automatic Log on Only In Intranet Zone.
