There are several authentication methods available to IIS administrators for controlling access to the server and files. These password authentication methods include Anonymous, Basic, Windows NT Challenge/Response, and digital certificates. In addition to these methods, you can add custom authentication methods by writing ISAPI filters.

Anonymous Access

When Allow Anonymous Access is enabled, users do not supply a username and password to access unprotected resources. Instead, IIS uses an individual guest account (typically lUSR_computername) as the login account and uses this account to open resources for the connected user.

The Internet Guest account IUSR_computername is created during IIS setup and is part of the Guests and Everyone groups. You should review the file permissions given to these groups to ensure they are appropriate for your anonymous users. You can explicitly deny the Internet Guest account access to sensitive information if it is not suitable for anonymous users.

Anonymous access authentication does not use passwords, thus preventing people from gaining access to sensitive information with fraudulent or illegally obtained passwords. For some situations, this can provide the best security.

Basic and Windows NT Challenge/Response Security

These two authentication methods require the user to provide a valid Windows NT username and password to the server before accessing resources.

TTP Basic Authentication

Basic authentication is the standard method as defined in the HTTP specification. Most browsers support it and will prompt the user for a name and password during the authentication process. The user account and password are sent unencrypted join the Web browser to the server.

Using Basic authentication means that you will send your Windows NT username and password unencrypted over public networks. Thus, intruders can easily learn usernames and passwords. Microsoft recommends using Basic authentication with SSL encryption or using the Windows NT Challenge/Response method of password authentication.

Windows NT Challenge/Response

Windows NT Challenge/Response is an authentication method created by Microsoft that does not transmit an actual password across the network. Instead, the server engages in a cryptographic exchange with the Web browser to prove the correctness of the supplied password. This method is significantly safer than HTTP basic authentication. Microsoft Internet Explorer versions 2.0 or later support Windows NT Challenge/Response authentication.

Note Windows NT Challenge/Response authentication takes precedence over Basic authentication. It means that if the user's Web browser supports both methods, it will choose Windows NT Challenge/Response authentication.

Authentication with Certificates

Using the Web server's SSL 3.0 security feature to authenticate users, the server checks the contents of an encrypted digital identification submitted by the user's Web browser during the login process. Users obtain these digital identifications, called client certificates, from a mutually trusted third-party organization. Client certificates usually contain identifying information about the user and the organization that issued the certificate.