How does one protect the server while allowing visitors on the website?
eI am running IIS 5 on a Win2k server. I have a Web site (using the default
Web site.) I can't figure out how to secure the server while still allowing anonymous connections
to the site. I installed the latest service pack (2) and ran the MS personal security advisor,
which identified several hotfixes I should install. When I did so, the Internet user account was
locked out and visitors to my site were prompted to enter a password. Obviously, that isn't going
to work. The lockdown program failed to complete installation and uninstalled itself. How does one
protect the server while allowing visitors on the Web site?
That's a question that deserves a very long answer. Rather than trying to write pages and
pages in response, I'll refer you to Microsoft's Web site:
In general, follow these best practices:
1) Install all service packs
2) Install all hotfixes that may apply to your site
3) Install URLScan (once you understand how it works): http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32571
4) Restrict NTFS file permissions
5) Remove any unwanted application mappings
Regarding troubleshooting the problem you're having with authentication, first verify that
anonymous authentication is enabled. To do this, check the Security tab of your Website's
properties. If that's enabled, verify that the anonymous IIS user is enabled and has Read access to
the files your users are attempting to access.
This was first published in October 2001