IIS6.0 UI vs. IIS7.x UI Series: Anonymous Authentication

This week in the blog series (Introduction to the series – here), let’s talk about the Anonymous Authentication feature in the IIS6 UI and compare it to the IIS7.x UI.

Anonymous Authentication feature in IIS6.0

Anonymous authentication gives users access to the public areas of your Web/FTP site without prompting them for a username and password. When a user tries to connect to your site, the web server (IIS) assigns the connection to the Windows user account IUSR_computername (computername is the name of the machine where IIS is running). By default this user is included in the Users and Guests user groups.

IIS6 UI – Anonymous Authentication


To enable or disable anonymous authentication:

- Launch IIS Manager (run inetmgr)

- Select and expand the local computer node in the tree view

- Right-click the site, folder or file that you would like to enable anonymous authentication for and click “Properties” in the context menu.

- Click the Directory Security tab (or File Security, for a file).

- In the Authentication and access control section, click the “Edit…” button.

- You can now enable or disable anonymous access by checking or un-checking the checkbox next to “Enable anonymous access”.

- If you would like to change the Windows user account for anonymous access (from IUSR_computername), click the “Browse…” button and specify the new anonymous user identity.

- Click “OK” on each of the open dialogs.

Anonymous Authentication feature in IIS 7.x

There are a couple of security account changes in IIS7.x. The article http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/ covers these changes in more detail.

- IUSR: the anonymous user is now IUSR, replacing IUSR_computername from IIS 6.0. The anonymous user is always the same, and this account is built into Windows. IIS no longer needs to control the password (the account doesn't really have one).

- IIS_IUSRS: a new built-in user group that replaces the IIS_WPG user group in IIS 6.0.

Apart from the account changes, IIS 7.x also lets you designate the application pool identity as the anonymous user account. The main advantage of using the application pool identity as the anonymous user is that you do not have to manage security for another user account.

IIS7 UI – Anonymous Authentication


To enable or disable anonymous authentication:

- Launch IIS Manager (run inetmgr)

- Select and expand the local computer node in the tree view

- In the tree view, select the site, folder or file that you would like to enable anonymous authentication for.

- Open the “Authentication” feature from the Home Page.

- Select “Anonymous Authentication” in the Authentication page list view. You can now enable or disable anonymous access by clicking the Enable/Disable (toggle) link label in the Actions pane.

- If you would like to change the Windows user account for anonymous access (from IUSR), click the “Edit…” link label in the Actions pane.

- You can either select the application pool identity as the anonymous user identity or specify a specific user (by clicking the “Set…” button). Click OK in the Edit Anonymous Authentication Credentials dialog when done.
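The same settings can be read and changed from PowerShell, which makes it practical to review every site on a server at once. This is an added example, not code from the original post; it assumes an elevated session with the WebAdministration module available, and the function names and the site name 'Default Web Site' are illustrative.

```powershell
# Added example: audit and adjust Anonymous Authentication on IIS 7.x.
# Assumes an elevated session and the WebAdministration module.
Import-Module WebAdministration

$AnonFilter = 'system.webServer/security/authentication/anonymousAuthentication'

function Get-AnonymousAuthReport {
    # One row per site: is anonymous access on, and which account serves it?
    foreach ($site in Get-Website) {
        $section = Get-WebConfiguration -PSPath "IIS:\Sites\$($site.Name)" -Filter $AnonFilter
        # An empty userName means requests run as the application pool identity.
        if ([string]::IsNullOrEmpty($section.userName)) {
            $runsAs = "application pool identity ($($site.applicationPool))"
        } else {
            $runsAs = $section.userName
        }
        New-Object PSObject -Property @{
            Site      = $site.Name
            Anonymous = [bool]$section.enabled
            RunsAs    = $runsAs
        }
    }
}

function Set-AnonymousAuth {
    param(
        [Parameter(Mandatory = $true)][string]$SiteName,
        [bool]$Enabled = $true,
        [switch]$UseAppPoolIdentity
    )
    # The section is locked below server level by default, so write a
    # <location> entry in applicationHost.config rather than web.config.
    $target = @{
        PSPath   = 'MACHINE/WEBROOT/APPHOST'
        Location = $SiteName
        Filter   = $AnonFilter
    }
    Set-WebConfigurationProperty @target -Name enabled -Value $Enabled
    if ($UseAppPoolIdentity) {
        # Clearing userName selects "Application pool identity" in the UI.
        Set-WebConfigurationProperty @target -Name userName -Value ''
    }
}

# Review all sites, then (uncommented) switch one to the app pool identity.
Get-AnonymousAuthReport | Format-Table Site, Anonymous, RunsAs -AutoSize
# Set-AnonymousAuth -SiteName 'Default Web Site' -UseAppPoolIdentity
```

Running the report before and after a change confirms which account anonymous requests will actually use, which is the account whose file-system permissions matter for that site.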

 

Next blog in the series: Basic Authentication

As always, please drop a comment if there are any specific UI modules/properties you would like to be compared next and also if you have any feedback on the level of detail.
