How to disable Windows Integrated authentication for Web sites that require only Anonymous access (837139)



The information in this article applies to:

  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services version 5.1
  • Microsoft Internet Information Services version 6.0

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

INTRODUCTION

This article describes how to disable Windows Integrated authentication on Microsoft Internet Information Services (IIS) servers for Web sites and applications that require only Anonymous access, such as Internet Web sites. Microsoft recommends that you disable Windows Integrated authentication when the server is not in use to reduce the attack surface of the server.

MORE INFORMATION

This section explains how to use IIS Manager and Adsutil.vbs to disable Integrated Windows authentication in IIS 4.0, 5.0, 5.1, and 6.0.

How to use the IIS MMC snap-in, Internet Services Manager, to disable Integrated Windows authentication in IIS 4.0 and 5.0

  1. Open Internet Services Manager.
  2. In the console tree, right-click the server name, virtual directory, or file that you want to configure authentication for, and then click Properties.
  3. Click the Directory Security tab or the File Security tab, and then click Edit under Anonymous access and authentication control.
  4. Click to clear the Integrated Windows authentication check box, and then click OK.
  5. If the Inheritance Overrides box opens, click Select all, and then click OK to enforce these changes on all subdirectories that belong to the site or the virtual directory that you selected.
  6. Click OK.

How to use the IIS MMC snap-in, IIS Manager, to disable Integrated Windows authentication in IIS 5.1 and 6.0

  1. Open IIS Manager or add the IIS MMC snap-in to an existing management console.
  2. Expand the server that contains the Web site, virtual directory, or file that you want to configure authentication for, and then expand Web Sites.
  3. In the console tree, right-click the Web site, virtual directory, or file that you want to configure authentication for, and then click Properties.
  4. Click the Directory Security tab or the File Security tab, and then click Edit under Anonymous access and authentication control.
  5. Click to clear the Integrated Windows authentication check box, and then click OK.
  6. If the Inheritance Overrides box opens, click Select all, and then click OK to enforce these changes on all subdirectories that belong to the site or virtual directory that you selected.
  7. Click OK, and then quit IIS Manager.

How to use Adsutil.vbs to disable Integrated Windows authentication in IIS

  1. At a command prompt (Cmd.exe), change to the C:\Inetpub\Adminscripts directory. If the location of the Inetpub directory has been changed, locate that path.

    Note In IIS 4.0, the default location of Adsutil.vbs is the following:

    %SystemRoot%\system32\inetsrv\adminsamples

  2. Use the following command to set Integrated Windows authentication to False at the root of w3svc:
    cscript adsutil.vbs set w3svc/authntlm false
  3. Use the following command to verify that the setting has changed:
    cscript adsutil.vbs get w3svc/authntlm
  4. Use the following command to determine if any additional metabase nodes that enable Integrated Windows authentication are present:
    cscript adsutil.vbs find w3svc/authntlm
    If additional nodes are present, repeat step 2 through step 4 for each node to make sure that Integrated Windows authentication is disabled.
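
The following batch file is an added example, not part of the original article. It runs step 2 through step 4 against every node that the find command reports. It assumes Windows 2000 or later, the default script location from step 1, and that the find command prints one header line followed by one indented metabase path per line.

```batch
@echo off
rem Added example: automates step 2 through step 4 of the Adsutil.vbs procedure.
rem Assumption: Adsutil.vbs is in the default location named in step 1.
setlocal
cd /d C:\Inetpub\Adminscripts || exit /b 1

rem Step 2: set Integrated Windows authentication to False at the root of w3svc.
cscript //nologo adsutil.vbs set w3svc/authntlm false

rem Step 4: list every node that carries its own authntlm setting and set it to False.
rem skip=1 drops the header line (assumed format); tokens=* trims the indentation
rem and keeps paths that contain spaces intact.
for /f "skip=1 tokens=*" %%N in ('cscript //nologo adsutil.vbs find w3svc/authntlm') do (
    cscript //nologo adsutil.vbs set "%%N/authntlm" false
)

rem Step 3: print the value now stored at each listed node so it can be reviewed.
for /f "skip=1 tokens=*" %%N in ('cscript //nologo adsutil.vbs find w3svc/authntlm') do (
    echo %%N
    cscript //nologo adsutil.vbs get "%%N/authntlm"
)
endlocal
```

Review the output of the last loop: each listed node should report False.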

Modification Type: Minor
Last Reviewed: 11/9/2005
Keywords: kbinfo KB837139 kbAudDeveloper