So you’ve got a client that wants to password protect their sites. Easy-peasy! But wait, they’re running IIS without any sort of control panel? The horrors! Luckily, IIS makes this fairly simple, as long as you’re okay with using Windows user accounts.
There are a few prerequisites for this. If you installed IIS 7 and you know all of the available Security modules are installed, you may skip this step. Otherwise, we need to install the Windows Authentication and URL Authorization modules.
- Open Server Manager – Start->Administrative Tools->Server Manager
- Navigate to Roles->Web Server (IIS).
- Click “Add Features”
- Ensure that “Windows Authentication” and “URL Authorization” are checked under the “Security” options.
Creating the User Accounts
- Open Computer Management – Start->Administrative Tools->Computer Management.
- Expand Local Users and Groups, select Users
- Right-click, select New User…
- Fill in an appropriate username and password – and I recommend putting the domain name in the Full Name field, for record-keeping. Make sure to uncheck “user must change password at next logon,” and check “Password never expires” to prevent issues down the road.
- Repeat as needed.
Set up the IIS site
- Open Internet Information Services (IIS) Manager – Start->Administrative Tools->Internet Information Services (IIS) Manager.
- Expand the Sites tab and select your domain name
- Click Authentication
- Right-click Anonymous Authentication, click Disable
- Right-click Windows Authentication, click Enable
That takes IIS out of pass-through anonymous authentication mode, where requests run as the IUSR account, and sets it to require a Windows authentication pop-up box. That’s half the battle – now to make sure the site only loads when our specific user inputs their username and password.
- Go back to the domain name in IIS and click Authorization Rules.
- Right-click on the default rule and click Edit.
- Click the radio button next to Specified Users and type your username into the box.
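The same authentication and authorization changes can be scripted and then read back to confirm the site is actually locked down. This is an added example, not part of the original post; it assumes the WebAdministration PowerShell module is available, and the site name `example.com` and account name `siteuser` are placeholders.

```powershell
# Added example, not from the original post. $site and $user are placeholders.
Import-Module WebAdministration

$site  = 'example.com'   # placeholder: site name as listed under Sites in IIS Manager
$user  = 'siteuser'      # placeholder: the local Windows account created above
$auth  = '/system.webServer/security/authentication'
$authz = '/system.webServer/security/authorization'

# 1. Authentication: anonymous off, Windows on. These sections are locked to
#    applicationHost.config by default, so write them under a <location> for the site.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/windowsAuthentication" -Name enabled -Value $true

# 2. Authorization: drop the inherited "Allow All Users" rule for this site and
#    allow only $user. Run once, on a site that still has the default rule.
Remove-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter $authz `
    -Name '.' -AtElement @{ users = '*'; roles = ''; verbs = '' }
Add-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter $authz `
    -Name '.' -Value @{ accessType = 'Allow'; users = $user }

# 3. Read back the effective settings and list anything that still lets others in.
$problems = @()
if ((Get-WebConfiguration -PSPath "IIS:\Sites\$site" -Filter "$auth/anonymousAuthentication").enabled) {
    $problems += 'Anonymous Authentication is still enabled'
}
if (-not (Get-WebConfiguration -PSPath "IIS:\Sites\$site" -Filter "$auth/windowsAuthentication").enabled) {
    $problems += 'Windows Authentication is not enabled'
}
$rules = @(Get-WebConfiguration -PSPath "IIS:\Sites\$site" -Filter "$authz/add")
foreach ($r in $rules) {
    # An allow rule for anyone other than $user, or any role-based allow rule, widens access.
    if ($r.accessType -eq 'Allow' -and ($r.users -ne $user -or $r.roles)) {
        $problems += "Unexpected allow rule: users='$($r.users)' roles='$($r.roles)'"
    }
}
if (-not ($rules | Where-Object { $_.accessType -eq 'Allow' -and $_.users -eq $user })) {
    $problems += "No allow rule found for '$user'"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output "OK: '$site' requires Windows authentication and allows only '$user'" }
```

Step 3 can be run on its own after following the GUI steps, since it only reads the effective configuration for the site.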