Windows 7 : Controlling and Customizing Your Website (part 4) - Disabling Anonymous Access

3/23/2011 9:33:35 AM

Disabling Anonymous Access

I showed you how to give yourself Full Control permission on the wwwroot folder to make it easier (and in some cases possible) to add and edit content in that folder. When you access your website on the IIS computer using the http://localhost/, http://127.0.0.1/, or http://Computer/ addresses (where Computer is the name of the IIS computer), you access the site using your own user account. Everyone else on your network, and anyone who surfs to your site from the Internet (including you if you navigate to the site using http://IPAddress/, where IPAddress is your router’s external IP address) accesses the site as an anonymous user. This means that IIS gives the person read-only access to the site without requiring a username and password, a technique called anonymous authentication.

However, you may have content that you want to restrict to people who have user accounts on Windows 7. In that case, you need to disable anonymous access for the website and switch to basic authentication, which means IIS prompts each user for a username and password before allowing access to the site.

Follow these steps to disable anonymous access:

1.	Open IIS Manager.
2.	Open the Computer, Sites branch (where Computer is the name of the computer running IIS).
3.	If you want to disable anonymous authentication on the entire site, select Default Web Site; if you want to disable anonymous authentication only on a specific folder within the site, open the Default Web Site branch and select the folder.
4.	Click Features View.
5.	Double-click the Authentication icon to display the Authentication page.
6.	Select Anonymous Authentication.
7.	In the Actions pane, click the Disable link.
8.	Select Basic Authentication.
9.	In the Actions pane, click the Enable link. The Authentication page should now appear as shown in Figure 6. Figure 6. To secure your website or a folder within the website, disable anonymous authentication and enable basic authentication.
10.	Click the Back button to return to the website’s main page in IIS Manager.

When an anonymous user attempts to access your website or website folder, he sees a Connect dialog box similar to the one shown in Figure 7 . The user must enter a username and password for an account that exists on the Windows 7 machine that’s running IIS.

Figure 7. With basic authentication enabled, users must enter a valid Windows 7 username and password to access the website or folder.

Tip

Switching to basic authentication means that any user with a valid account on Windows 7 can access the website. What if there are one or more users with Windows 7 accounts that you do not want to view the website? In that case, you must adjust the security of the website’s home folder directly. Use Windows Explorer to display the website’s home folder, right-click the folder, and then click Properties. In the Security tab, click Edit, click Add, type the name of the user, and then click OK. Select the user, and then activate the Full Control check box in the Deny column. This tells Windows 7 not to allow that user to view the folder, thus barring the user from viewing the website.