How to disable Windows Integrated authentication for Web sites that require only Anonymous access

Article ID: 837139
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/dd450371.aspx
For more information about IIS 7.0, visit the following Microsoft Web site:
http://www.iis.net/default.aspx?tabid=1

INTRODUCTION

This article describes how to disable Windows Integrated authentication on Microsoft Internet Information Services (IIS) servers for Web sites and applications that require only Anonymous access, such as Internet Web sites. Microsoft recommends that you disable Windows Integrated authentication when the server is not in use to reduce the attack surface of the server.

MORE INFORMATION

This section explains how to use IIS Manager and Adsutil.vbs to disable Integrated Windows authentication in IIS 4.0, 5.0, 5.1, and 6.0.

How to use the IIS MMC snap-in, Internet Services Manager, to disable Integrated Windows authentication in IIS 4.0 and 5.0

  1. Open Internet Services Manager.
  2. In the console tree, right-click the server name, virtual directory, or file that you want to configure authentication for, and then click Properties.
  3. Click the Directory Security tab or the File Security tab, and then click Edit under Anonymous access and authentication control.
  4. Click to clear the Integrated Windows authentication check box, and then click OK.
  5. If the Inheritance Overrides box opens, click Select all, and then click OK to enforce these changes on all subdirectories that belong to the site or the virtual directory that you selected.
  6. Click OK.

How to use the IIS MMC snap-in, IIS Manager, to disable Integrated Windows authentication in IIS 5.1 and 6.0

  1. Open IIS Manager or add the IIS MMC snap-in to an existing management console.
  2. Expand the server that contains the Web site, virtual directory, or file that you want to configure authentication for, and then expand Web Sites.
  3. In the console tree, right-click the Web site, virtual directory, or file that you want to configure authentication for, and then click Properties.
  4. Click the Directory Security tab or the File Security tab, and then click Edit under Anonymous access and authentication control.
  5. Click to clear the Integrated Windows authentication check box, and then click OK.
  6. If the Inheritance Overrides box opens, click Select all, and then click OK to enforce these changes on all subdirectories that belong to the site or virtual directory that you selected.
  7. Click OK, and then quit IIS Manager.

How to use Internet Services Manager to disable Integrated Windows authentication in IIS 7.0

  1. Start Internet Services Manager.
  2. Expand the server that contains the Web site, the virtual directory, or the file for which you want to configure authentication, and then expand Sites.
  3. In the console tree, click the Web site or the virtual directory for which you want to configure authentication.
  4. In the center window frame, double-click Authentication.
  5. In the list of authentication types, right-click Windows Authentication, and then click Disable.
  6. Exit Internet Services Manager.

How to use Adsutil.vbs to disable Integrated Windows authentication in IIS

  1. At a command prompt (Cmd.exe), change to the C:\Inetpub\Adminscripts directory. If the location of the Inetpub directory has been changed, locate that path.
    Note: In IIS 4.0, the default location of Adsutil.vbs is the following:
    %SystemRoot%\system32\inetsrv\adminsamples
  2. Use the following command to set Integrated Windows authentication to False at the root of w3svc:
    cscript adsutil.vbs set w3svc/authntlm false
  3. Use the following command to verify that the setting has changed:
    cscript adsutil.vbs get w3svc/authntlm
  4. Use the following command to determine if any additional metabase nodes that enable Integrated Windows authentication are present:
    cscript adsutil.vbs find w3svc/authntlm
    If additional nodes are present, repeat step 2 through step 4 for each node to make sure that Integrated Windows authentication is disabled.

How to use Appcmd.exe to disable Windows authentication in IIS 7.0

  1. At a command prompt (Cmd.exe), change to the %SystemRoot%\System32\inetsrv directory.
  2. Use the following command to set Integrated Windows authentication to False at the root of w3svc:
    appcmd.exe set config /section:windowsAuthentication /enabled:false
  3. Use the following command to verify that the setting has changed:
    appcmd list config /section:windowsAuthentication
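
The Appcmd.exe steps above verify only one configuration level, whereas the Adsutil.vbs procedure also searches for additional nodes. The following added example (not part of the original article) performs a comparable search for IIS 7.0 by scanning the text of an applicationHost.config file for scopes where windowsAuthentication is still enabled. It assumes the settings are stored in applicationHost.config (by default under %SystemRoot%\System32\inetsrv\config) with per-site overrides in location elements; the sample XML and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of applicationHost.config (not from a real server).
SAMPLE_CONFIG = """<configuration>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" />
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
  <location path="Default Web Site/reports">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Public Site">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

AUTH_PATH = "system.webServer/security/authentication/windowsAuthentication"


def windows_auth_scopes(config_xml):
    """List (scope, enabled) for every scope that sets windowsAuthentication explicitly."""
    root = ET.fromstring(config_xml)
    # The server-level setting sits directly under <configuration>; per-site and
    # per-directory overrides sit inside <location path="..."> elements.
    containers = [("(server)", root)]
    containers += [(loc.get("path", ""), loc) for loc in root.findall("location")]
    found = []
    for scope, node in containers:
        elem = node.find(AUTH_PATH)
        if elem is not None:
            # Assumption: a missing "enabled" attribute is treated as disabled.
            found.append((scope, elem.get("enabled", "false").lower() == "true"))
    return found


def still_enabled(config_xml):
    """Scopes where Windows authentication is still on and needs a follow-up change."""
    return [scope for scope, on in windows_auth_scopes(config_xml) if on]


if __name__ == "__main__":
    for scope in still_enabled(SAMPLE_CONFIG):
        print("windowsAuthentication still enabled at:", scope)
```

To check a server, pass the text of a copy of its applicationHost.config to still_enabled() instead of SAMPLE_CONFIG.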

Properties

Article ID: 837139 - Last Review: July 3, 2008 - Revision: 5.1
APPLIES TO
  • Microsoft Internet Information Services 7.0
  • Microsoft Internet Information Services 6.0
  • Microsoft Internet Information Services version 5.1
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Server 4.0