Securing Web Sites

Web Site security is configured through the Directory Security tab of the Web Site or Web Sites Folder properties. To configure security, right-click on the Web Site.


Select Properties. Select Directory Security. From the Directory Security tab, options such as Anonymous Access and domain name restrictions can be configured. IIS can also be used in conjunction with certificate services to provide secure communications. To configure Anonymous access and authentication control, click on Edit. Currently, Anonymous access has been enabled. If this is unselected, then every user connecting to the Web site will have to log in.

The account used for anonymous access is in the form IUSR_computername. The user account used for anonymous access can be changed by selecting Browse. N.B. You can apply permissions to the IUSR account just as you can to any other account. If anonymous access is disabled, then logins can be controlled through the Authenticated access options. There are four options for authenticating users.

Basic Authentication:

Basic Authentication requires a Windows Server 2003 user account. If anonymous access is disabled, or if the account doesn’t have permission to access the resource, the user will be prompted to specify a user name and password. With this method, all passwords are sent as clear text; therefore, this option should be used with caution.

Digest Authentication:

Digest Authentication works only for Active Directory domain accounts. Passwords are stored encrypted.

Integrated Windows Authentication:

Integrated Windows Authentication uses secure authentication to transmit the Windows username and password.

.NET Passport:

.NET Passport allows you to authenticate users using Microsoft’s .NET Passport authentication services. .NET Passport services are used throughout Microsoft, e.g. Hotmail and MSDN. N.B. .NET authentication is not a free service.
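The Basic Authentication caution above, as an added example that is not part of the original lesson: the `Authorization: Basic` value is only Base64-encoded, so the check below flags any request that carried it without SSL and leaves Digest and Integrated Windows requests alone. The URLs, account name, password and header values are constructed sample data, and `decode_basic` and `audit` are hypothetical helper names.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample traffic: (URL requested, Authorization header sent).
_BASIC = "Basic " + base64.b64encode(b"CONTOSO\\alice:Spring2003!").decode()
SAMPLE_REQUESTS = [
    ("http://intranet.example/reports/", _BASIC),   # Basic, no SSL
    ("https://intranet.example/reports/", _BASIC),  # Basic inside SSL
    ("http://intranet.example/hr/",
     'Digest username="alice", realm="CONTOSO", nonce="constructed", response="constructed"'),
    ("http://intranet.example/wiki/",
     "Negotiate " + base64.b64encode(b"NTLMSSP\x00constructed").decode()),
    ("http://intranet.example/old/", "Basic !!!not-base64"),  # malformed value
]


def decode_basic(header):
    """Return (user, password) from a Basic Authorization header, else None."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        # Base64 is an encoding, not encryption: no key is needed to reverse it.
        raw = base64.b64decode(blob.strip(), validate=True)
        user, sep, password = raw.decode("utf-8").partition(":")
    except ValueError:  # covers bad Base64 and undecodable bytes
        return None
    return (user, password) if sep else None


def audit(requests):
    """List requests whose Basic credentials crossed the network without SSL."""
    findings = []
    for url, header in requests:
        creds = decode_basic(header)
        if creds and urlsplit(url).scheme != "https":
            # Report the password length only, so the report itself leaks nothing.
            findings.append({"url": url, "user": creds[0],
                             "password_len": len(creds[1])})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        print("Basic credentials exposed:", finding)
```

Only the first sample request is reported: the same header sent over `https://` is protected by the certificate-based secure communications mentioned earlier.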

To configure IP address and domain name restrictions, click on the Edit button. From the IP Address and Domain Name Restrictions box, computers can be granted or denied access to the website based on their IP address or domain name.