How to Password Protect Folders in IIS
When creating new sections on a website, it is very important for users and business owners to make sure that these sections are secure and are not visible to users who should not see them.
There are many ways to lock a folder or a domain when creating it. This article shows how to safeguard a folder or an entire site using the security feature built into IIS called password protection.
In this article, you will see how easy it is to restrict access to a site or a folder. Stay with us.
Brief description of IIS
IIS stands for Internet Information Services. This is the default web server that is integrated with the Windows server software packages. IIS has a graphical interface, used for managing the Microsoft Windows server.
How to Password Protect Folders in IIS.
One of the features that IIS implements is called .NET Authorization. This feature allows you to create custom rule sets that define who has access to a folder or website.
Several options are available when adding these custom allow or deny rules. They include the following:
– All users: This rule will deny access to a folder for any user who attempts to access it.
If you would like to block content for everyone, make sure that this rule is at the top of the list, above all other rules.
– All anonymous users: This rule will block access for all users who are not authenticated. In other words, any user attempting to access the folder or site must have specific access granted.
Any user who needs access must be added to the Users and Groups section; otherwise, that user will be blocked.
– Specified roles or user groups: This rule will block access for all users who do not have a basic or custom user account and password set up.
Block Access for Everyone
To block everyone from accessing a site, follow these steps:
1. Open your IIS Manager from the Windows Start button.
2. Select the site that you want to edit from the left side menu.
3. Open the .NET Authorization rules, click Add Rule, and select the type of rule you would like to add.
Then specify the users it will apply to.
4. Click OK.
Your site now has a custom rule in place. You can add as many custom rules as you would like.
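The effect of rule order described above, as an added example that is not part of the original article: .NET Authorization rules are stored in the `<authorization>` section of web.config and are evaluated from top to bottom, with the first matching rule deciding. The account name `webuser` and the helper functions `Test-AuthorizationRule` and `Show-Access` are hypothetical, and the web.config content is a constructed sample.

```powershell
# Constructed sample of the <authorization> section that the rules are saved to.
# 'webuser' is a hypothetical account name.
[xml]$config = @'
<configuration>
  <system.web>
    <authorization>
      <allow users="webuser" />
      <deny users="?" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
'@

function Test-AuthorizationRule {
    param([xml]$Config, [string]$User)   # empty $User = anonymous request
    # Rules are checked top to bottom; the first rule that matches decides.
    foreach ($rule in $Config.configuration.'system.web'.authorization.ChildNodes) {
        if ($rule.NodeType -ne 'Element') { continue }
        foreach ($entry in ($rule.users -split ',')) {
            $entry = $entry.Trim()
            $match = ($entry -eq '*') -or                     # all users
                     ($entry -eq '?' -and -not $User) -or     # anonymous users
                     ($User -and $entry -ieq $User)           # a named user
            if ($match) { return ('{0} (rule users="{1}")' -f $rule.LocalName, $entry) }
        }
    }
    # No rule matched: ASP.NET's inherited default rule is allow users="*".
    return 'allow (inherited default)'
}

function Show-Access([xml]$Config) {
    foreach ($u in 'webuser', 'otheruser', '') {
        $label = if ($u) { $u } else { '(anonymous)' }
        '{0,-12} {1}' -f $label, (Test-AuthorizationRule -Config $Config -User $u)
    }
}

'Allow rule first:'; Show-Access $config

# Move "deny all users" to the top: it now matches first and blocks everyone,
# including webuser, whose allow rule is never reached.
$auth = $config.configuration.'system.web'.authorization
[void]$auth.PrependChild($auth.LastChild)
'Deny-all rule first:'; Show-Access $config
```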
Custom Folder Protection
Another method used for protection is the Authentication feature.
In this section, multiple options are available to modify.
1. Active Directory Client Certificate Authentication: This is a form of authentication that requires the IIS 7 server to be a member of the Active Directory domain, as well as user accounts that are stored in Active Directory.
2. Anonymous Authentication: This is a feature that provides access to the public areas of your website.
If FTP is enabled, by default it will allow users to access the contents of the site.
3. ASP.NET Impersonation: This is a security feature that allows specific users to execute code.
This feature is used for anonymous users who do not have credentials, but we want to allow them to have access.
4. Basic Authentication: This option provides access to users that have accounts on the server’s domain.
In order to access the public-facing content, basic authentication should be enabled to allow the user to set a password in Local Users and Groups.
The important thing to note here is that when accessing content, passwords are sent in clear text and are therefore considered insecure.
5. Digest Authentication: This option is similar to Basic Authentication, but credentials are sent in a more secure manner using hashing instead of plain text.
This method provides more security and also requires a user’s password to be set.
6. Forms Authentication: This option works by authenticating the user by reviewing the forms authentication ticket (which is the container for the forms authentication cookie), which is usually included within the user’s collection of cookies.
7. Windows Authentication: The Windows Authentication option is used in a more corporate setting, or when numerous users are present within a network.
This method uses Windows-based authentication between a client and the Windows IIS server to verify the user; anyone attempting access must have a Windows account.
Of all the options we have seen for protecting folders, we find it is best to use Basic Authentication or Digest Authentication. Both options require a username and password.
Let’s review how to set this up:
1. Open the Server Manager dashboard.
2. On the right side under Tools select Computer Management.
3. Navigate to the Local Users and Groups section.
4. Click on Users and, on the right side, select More Actions > New User.
5. Here you can set up a new username and password for a user, and once complete, save it to provide access.
6. To select a folder, let’s open our IIS Manager and select the site or folder that you want to limit access to.
7. The types of authentication section will open.
Disable Anonymous Authentication and enable Basic or Digest authentication for a site or folder.
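The same steps scripted in PowerShell, as an added example that is not part of the original article. The site name `Default Web Site`, the folder `private` and the account `webuser` are assumptions. Because Basic Authentication sends the password in clear text, the script also requires TLS on the folder.

```powershell
# Assumptions (not from the article): site 'Default Web Site', folder 'private',
# account 'webuser'. Run in an elevated Windows PowerShell session on the IIS server.
Import-Module WebAdministration

$user     = 'webuser'
$location = 'Default Web Site/private'
$authPath = '/system.webServer/security/authentication'

# Steps 1-5: create the local account. The password is prompted for, so it is
# never written into the script.
if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
    $password = Read-Host -Prompt "Password for $user" -AsSecureString
    New-LocalUser -Name $user -Password $password -Description 'IIS folder access' | Out-Null
    # New-LocalUser does not add the account to any group.
    Add-LocalGroupMember -Group 'Users' -Member $user
}

# Basic Authentication is an optional IIS role service; install it if missing.
if (-not (Get-WindowsFeature -Name Web-Basic-Auth).Installed) {
    Install-WindowsFeature -Name Web-Basic-Auth | Out-Null
}

# Steps 6-7: disable Anonymous and enable Basic for this folder only.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authPath/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authPath/basicAuthentication" -Name enabled -Value $true

# Require TLS on the folder so the clear-text password is never sent over
# plain HTTP (the site needs an HTTPS binding for the folder to stay reachable).
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter '/system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Read the settings back to confirm what is in effect.
foreach ($scheme in 'anonymousAuthentication', 'basicAuthentication') {
    $enabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authPath/$scheme" -Name enabled).Value
    '{0,-26} enabled={1}' -f $scheme, $enabled
}
```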