Forum Discussion

Replicant
Copper Contributor
Jan 30, 2023

Windows authentication with IIS

Can someone more familiar with IIS provide a link or a technical document that explains how to set up an IIS 10 server to reliably use Windows Authentication?  I have two IIS servers, one which was set up by a previous admin, where I can open the site and my Windows credentials are recognized.  The second site, where I've tried to duplicate the settings seen on the first, always presents the username/password challenge.

1 Reply

  • KapildevMishra
    Copper Contributor
    The answer is pretty simple: In order to secure an IIS site, all one needs to do is change the default permissions, enable Windows Authentication for user accounts, and disable Anonymous Authentication in IIS Manager. Here are the steps:
    How to secure your IIS site
    1. Select your site and click “Authentication”. In the screenshot below, you can see that I have many IIS sites, including one named “Default Web Site”.
    2. If you have Windows Authentication installed for IIS, proceed to step 3. If you don’t have Windows Authentication integrated in IIS, add this feature from Server Manager under “Roles / Services” for IIS, e.g. the IIS Windows Authentication feature.
    3. Enable the Windows Authentication option for your site:
    4. Reconfigure the permissions of the web site. First, we will break inheritance and then we will remove “Users” from having any access:
    4.1 Right-click the site and select “Edit Permissions”.
    4.2 Click “Advanced.”
    4.3 Click “Change Permissions.”
    4.4 Uncheck the box “Include inheritable permissions from this object's parent”. When prompted with a warning, select ADD. This simply copies the existing permissions back without inheritance; this is very important so as not to break the website for yourself and the system at large.
    4.5 Delete the permission for Users. This will disable the ability for any domain users to simply authenticate to your site to view the reports, while allowing local administrators and members of IIS_IUSRS to log in and view reports. (The set of base permissions can vary from OS to OS.) Also make sure that security principals like “Everyone” and “Authenticated Users” do not have any access.
    4.6 Last, you can now use the basic “Edit” button to add Read Only access for select users and groups. In my case, I gave Read access to my reports to Frank. For basic site usage, nothing more than Read access is really needed; don’t give anyone Modify or Full Control access unless there is some special need.
    FAQ
    What is Windows Authentication in IIS?
    Windows Authentication in IIS is a secure type of authentication in which user account credentials are hashed before being transmitted over the network.
    Is Windows Authentication the same as Active Directory?
    No. You can use Windows Authentication even if your server is not a member of an Active Directory domain.
    Does IIS Windows Authentication use LDAP?
    No. IIS Windows Authentication supports only the Kerberos and NTLM protocols.
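The same steps 2 and 3 from the answer above, scripted in PowerShell so the two servers in the question can be configured identically and their settings read back for comparison. This is an added example, not code from the thread; it assumes the WebAdministration module of IIS 10 and an elevated prompt, and the site name is a placeholder to replace.

```powershell
# Added example (not from the thread): enable Windows Authentication and disable
# Anonymous Authentication for one IIS site, then read both settings back.
# Assumes the WebAdministration module (IIS 10) in an elevated PowerShell session.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # placeholder: use your own site's name
$AuthPath = '/system.webServer/security/authentication'

# Step 2 of the answer: make sure the Windows Authentication role service is installed.
$feature = Get-WindowsFeature -Name Web-Windows-Auth
if (-not $feature.Installed) {
    Install-WindowsFeature -Name Web-Windows-Auth
}

# Step 3: turn Windows Authentication on and Anonymous Authentication off for the site.
# -Location scopes the change to this site inside applicationHost.config.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$AuthPath/windowsAuthentication" -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$AuthPath/anonymousAuthentication" -Name 'enabled' -Value $false

# Verification: run this part on both servers and compare the two lines.
# A site that still challenges for a username/password on a domain client is worth
# checking here first, since anonymousAuthentication left enabled is a common difference.
foreach ($auth in 'windowsAuthentication', 'anonymousAuthentication') {
    $setting = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter "$AuthPath/$auth" -Name 'enabled'
    '{0,-24} enabled = {1}' -f $auth, $setting.Value
}
```

The NTFS permission changes in step 4 are a separate task; this script only covers the IIS authentication modules.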
