ARCHIVED: In IIS, how do I set up password protection for a web site?

There are two steps in setting up password protection for your Internet Information Services (IIS) web site. First, you must disable anonymous access to the web site. Then you must specify which users are allowed to view the web pages. The Windows NT, 2000, and XP operating systems include the NTFS file system, which allows you to specify exactly which user accounts have access to folders and files on your hard drive.

To disable anonymous access to your web site:

1. Start the Internet Service Manager and right-click Internet Information Server.
2. Click Connect, and in the "Connect to Computer" field, type the name of the computer running IIS.
3. Click OK, and in the left side of the window, click the name of your server.
4. Right-click the name of your web site and click Properties.
5. Select the Directory Security tab, and under "Anonymous Access and Authentication Control", click the Edit... button.
6. Uncheck the box next to Allow Anonymous Access.
7. To enable web browsers other than Microsoft Internet Explorer, check the box next to Basic Authentication.
8. Click OK twice.

You may need to stop and restart your web site, or reboot the computer, for the change to take effect.

At Indiana University, you can restrict access to files, and therefore web sites, based on ADS domain user accounts. To do so:

1. Through My Computer or Windows Explorer, find the directory that contains the web site to which you want to restrict access.
2. Right-click the folder, select Properties, and then click the Security tab.
3. Add and remove names until only the appropriate people are listed as having access. Click OK.

Your web site will now require authentication based on the information you just specified.

For more information about protecting your IIS server, see the University Information Security Office's Protecting IIS page.