Default IIS Settings

Out of the box, Internet Information Services comes configured for basic usage. It is not configured for scalability or security without a little user intervention. However, this configuration is quite simple and does not require recompilation of the entire server to see the changes in effect. As mentioned at the beginning of this chapter, IIS has five built-in ways of authenticating users. By default, when a new virtual Web is created, Anonymous Access and Integrated Windows Authentication are enabled. This means that, if not specified otherwise in the web.config file, .NET will execute under the ASP.NET account, unless a directory has been established that requires Integrated Windows Authentication to access resources.

How does one set up one of these Webs that has both kinds of access? Chapter 13, "Introduction to ASP.NET Security," lists the instructions for creating a new virtual directory through IIS. This directory is now established with the default settings. Because you want a secure application and a page that allows users to view public material, you will create a subdirectory for your Web from within the IIS MMC.

From Windows Explorer, or whatever your favorite method is, add a folder to the FormAuth directory created in Chapter 13. Name the folder WinAuth , and then complete the following steps to enable it for Integrated Windows Authentication while the parent folder of FormAuth still allows anonymous visitors .

1. From the IIS MMC, expand the Default Web Site folder as shown in Figure 14.3 to view all Web sites on the server.

   Figure 14.3. IIS Microsoft Management Console.

   

2. Click the FormAuth application icon to display its contents. If you have IIS MMC open when you make the directory, press F5 to refresh the page.

3. In the details pane, right-click the WinAuth folder icon and select Properties.

4. Select the Directory Security tab.

5. Select the Edit in the Anonymous Access and Authentication Control.

   1. Select the Directory Security tab.

   2. Select the Edit in the Anonymous Access and Authentication Control.

6. Deselect Allow Anonymous Access, as shown in Figure 14.4.

   Figure 14.4. Virtual Web Anonymous Access settings.

   

7. Click OK.

You have now configured your site to use Anonymous Access for one directory, while enforcing Integrated Windows Authentication on another.