Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to disable Windows Integrated authentication for Web sites that require only Anonymous access


We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site: For more information about IIS 7.0, visit the following Microsoft Web site:



INTRODUCTION

This article describes how to disable Windows Integrated authentication on Microsoft Internet Information Services (IIS) servers for Web sites and applications that require only Anonymous access, such as Internet Web sites. Microsoft recommends that you disable Windows Integrated authentication when the server is not in use to reduce the attack surface of the server.



MORE INFORMATION

This section explains how to use IIS Manager and Adsutil.vbs to disable Integrated Windows authentication in IIS 4.0, 5.0, 5.1, and 6.0.

How to use the IIS MMC snap-in, Internet Services Manager, to disable Integrated Windows authentication in IIS 4.0 and 5.0

  1. Open Internet Services Manager.
  2. In the console tree, right-click the server name, virtual directory, or file that you want to configure authentication for, and then click Properties.
  3. Click the Directory Security tab or the File Security tab, and then click Edit under Anonymous access and authentication control.
  4. Click to clear the Integrated Windows authentication check box, and then click OK.
  5. If the Inheritance Overrides box opens, click Select all, and then click OK to enforce these changes on all subdirectories that belong to the site or the virtual directory that you selected.
  6. Click OK.

How to use the IIS MMC snap-in, IIS Manager, to disable Integrated Windows authentication in IIS 5.1 and 6.0

  1. Open IIS Manager or add the IIS MMC snap-in to an existing management console.
  2. Expand the server that contains the Web site, virtual directory, or file that you want to configure authentication for, and then expand Web Sites.
  3. In the console tree, right-click the Web site, virtual directory, or file that you want to configure authentication for, and then click Properties.
  4. Click the Directory Security tab or the File Security tab, and then click Edit under Anonymous access and authentication control.
  5. Click to clear the Integrated Windows authentication check box, and then click OK.
  6. If the Inheritance Overrides box opens, click Select all, and then click OK to enforce these changes on all subdirectories that belong to the site or virtual directory that you selected.
  7. Click OK, and then quit IIS Manager.

How to use Internet Services Manager to disable Integrated Windows authentication in IIS 7.0

  1. Start Internet Services Manager.
  2. Expand the server that contains the Web site, the virtual directory, or the file for which you want to configure authentication, and then expand Sites.
  3. In the console tree, click the Web site or the virtual directory for which you want to configure authentication.
  4. In the center window frame, double-click Authentication.
  5. In the list of authentication types, right-click Windows Authentication, and then click Disable.
  6. Exit Internet Services Manager.

How to use Adsutil.vbs to disable Integrated Windows authentication in IIS

  1. At a command prompt (Cmd.exe), change to the C:\Inetpub\Adminscripts directory. If the location of the Inetpub directory has been changed, locate that path.
    Note: In IIS 4.0, the default location of Adsutil.vbs is the following:
    %SystemRoot%\system32\inetsrv\adminsamples
  2. Use the following command to set Integrated Windows authentication to False at the root of w3svc:
    cscript adsutil.vbs set w3svc/authntlm false
  3. Use the following command to verify that the setting has changed:
    cscript adsutil.vbs get w3svc/authntlm
  4. Use the following command to determine if any additional metabase nodes that enable Integrated Windows authentication are present:
    cscript adsutil.vbs find w3svc/authntlm
    If additional nodes are present, repeat step 2 through step 4 for each node to make sure that Integrated Windows authentication is disabled.

How to use Appcmd.exe to disable Windows authentication in IIS 7.0

  1. At a command prompt (Cmd.exe), change to the %SystemRoot%\System32\inetsrv directory.
  2. Use the following command to set Integrated Windows authentication to False at the root of w3svc:
    appcmd.exe set config /section:windowsAuthentication /enabled:false
  3. Use the following command to verify that the setting has changed:
    appcmd list config /section:windowsAuthentication
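
The Appcmd.exe steps above, run without a path, change and verify the server-level setting only; unlike the Adsutil.vbs procedure, they have no step that finds other nodes where Windows authentication is still enabled. The following PowerShell audit is an added example, not part of the original article. It assumes the default IIS 7.0 layout, in which authentication settings are stored in applicationHost.config, and the sample configuration (including the "intranet" application name) is constructed.

```powershell
# Added example, not part of the KB article: list every scope in an IIS 7.0
# applicationHost.config that sets windowsAuthentication.
function Get-WindowsAuthScope {
    param([Parameter(Mandatory = $true)][xml]$Config)

    $xpath = '//system.webServer/security/authentication/windowsAuthentication'
    foreach ($node in $Config.SelectNodes($xpath)) {
        # Outside any <location>, or inside <location path="">, is the server level.
        $scope = '(server level)'
        $location = $node.SelectSingleNode('ancestor::location')
        if ($location -ne $null -and $location.GetAttribute('path') -ne '') {
            $scope = $location.GetAttribute('path')
        }
        # An absent attribute means the value is inherited from the parent scope.
        $enabled = $node.GetAttribute('enabled')
        if ($enabled -eq '') { $enabled = '(inherited)' }

        New-Object PSObject -Property @{ Scope = $scope; Enabled = $enabled } |
            Select-Object Scope, Enabled
    }
}

# Constructed sample: disabled at server level, re-enabled by one <location> override.
# The application name "intranet" is hypothetical.
[xml]$sample = @'
<configuration>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" />
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
  <location path="Default Web Site/intranet">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

# Scopes that still offer Windows authentication after the server-level change.
Get-WindowsAuthScope -Config $sample | Where-Object { $_.Enabled -eq 'true' }

# On a server, load the live file instead of the sample:
# [xml]$live = Get-Content "$env:SystemRoot\System32\inetsrv\config\applicationHost.config"
# Get-WindowsAuthScope -Config $live
```

For each scope the filter returns, repeat the appcmd.exe set config command from step 2 with that scope as the configuration path (appcmd accepts the path before /section, and /commit:apphost writes the change to applicationHost.config), and then run the audit again.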



Keywords: kbiis2007swept, kbscrapkeep, kbinfo, kb


Article Info
Article ID : 837139
Revision : 4
Created on : 6/10/2019
Published on : 6/10/2019
Exists online : False