Microsoft KB Archive/837139

= How to disable Windows Integrated authentication for Web sites that require only Anonymous access =

Article ID: 837139

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Internet Information Server 4.0
 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Services 5.1
 * Microsoft Internet Information Services 6.0

-



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



INTRODUCTION
This article describes how to disable Windows Integrated authentication on Microsoft Internet Information Services (IIS) servers for Web sites and applications that require only Anonymous access, such as Internet Web sites. Microsoft recommends that you disable Windows Integrated authentication when the server is not in use to reduce the attack surface of the server.



MORE INFORMATION
This section explains how to use IIS Manager and Adsutil.vbs to disable Integrated Windows authentication in IIS 4.0, 5.0, 5.1, and 6.0.

How to use the IIS MMC snap-in, Internet Services Manager, to disable Integrated Windows authentication in IIS 4.0 and 5.0

 * 1) Open Internet Services Manager.
 * 2) In the console tree, right-click the server name, virtual directory, or file that you want to configure authentication for, and then click Properties.
 * 3) Click the Directory Security tab or the File Security tab, and then click Edit under Anonymous access and authentication control.
 * 4) Click to clear the Integrated Windows authentication check box, and then click OK.
 * 5) If the Inheritance Overrides box opens, click Select all, and then click OK to enforce these changes on all subdirectories that belong to the site or the virtual directory that you selected.
 * 6) Click OK.

How to use the IIS MMC snap-in, IIS Manager, to disable Integrated Windows authentication in IIS 5.1 and 6.0

 * 1) Open IIS Manager or add the IIS MMC snap-in to an existing management console.
 * 2) Expand the server that contains the Web site, virtual directory, or file that you want to configure authentication for, and then expand Web Sites.
 * 3) In the console tree, right-click the Web site, virtual directory, or file that you want to configure authentication for, and then click Properties.
 * 4) Click the Directory Security tab or the File Security tab, and then click Edit under Anonymous access and authentication control.
 * 5) Click to clear the Integrated Windows authentication check box, and then click OK.
 * 6) If the Inheritance Overrides box opens, click Select all, and then click OK to enforce these changes on all subdirectories that belong to the site or virtual directory that you selected.
 * 7) Click OK, and then quit IIS Manager.

How to use Adsutil.vbs to disable Integrated Windows authentication in IIS
 At a command prompt (Cmd.exe), change to the C:\Inetpub\Adminscripts directory. If the location of the Inetpub directory has been changed, locate that path.

Note In IIS 4.0, the default location of Adsutil.vbs is the following:

%%\system32\inetsrv\adminsamples

  Use the following command to set Integrated Windows authentication to False at the root of w3svc: cscript adsutil.vbs set w3svc/authntlm false   Use the following command to verify that the setting has changed: cscript adsutil.vbs get w3svc/authntlm   Use the following command to determine if any additional metabase nodes that enable Integrated Windows authentication are present: cscript adsutil.vbs find w3svc/authntlm If additional nodes are present, repeat step 2 through step 4 for each node to make sure that Integrated Windows authentication is disabled. 

Additional query words: iis 5 iis 5.0 iis5 iis 6 iis 6.0 iis6 ntlm

Keywords: kbinfo KB837139

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.