I am running IIS 5 on a Win2k server. I have a Web site (using the default Web site.) I can't figure out how to secure the server while still allowing anonymous connections to the site. I installed the latest service pack (2) and ran the MS personal security advisor, which identified several hotfixes I should install. When I did so, the Internet user account was locked out and visitors to my site were prompted to enter a password. Obviously, that isn't going to work. The lockdown program failed to complete installation and uninstalled itself. How does one protect the server while allowing visitors on the Web site?
That's a question that deserves a very long answer. Rather than trying to write pages and pages in response, I'll refer you to Microsoft's Web site:
In general, follow these best practices:
1) Install all service packs
2) Install all hotfixes that may apply to your site
3) Install URLScan (once you understand how it works): http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32571
4) Restrict NTFS file permissions
5) Remove any unwanted application mappings
Regarding troubleshooting the problem you're having with authentication, first verify that anonymous authentication is enabled. To do this, check the Security tab of your Website's properties. If that's enabled, verify that the anonymous IIS user is enabled and has Read access to the files your users are attempting to access.
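The checks above can be narrowed down from the IIS log before opening any dialogs. The following is an added example, not part of the original answer: it tallies 401 responses on anonymous requests by Win32 status, so you can tell a locked-out or disabled anonymous account from a missing NTFS Read permission. It assumes W3C Extended logging with the cs-username, sc-status and sc-win32-status fields selected; the log lines, addresses and function names are constructed for illustration.

```python
from collections import Counter

# Win32 error codes (winerror.h) mapped to the check from the answer they point at.
WIN32_HINTS = {
    5:    "access denied: check NTFS Read permission for the anonymous user",
    1326: "logon failure: check the anonymous account and its credentials",
    1331: "account disabled: re-enable the anonymous IIS user",
    1909: "account locked out: unlock the anonymous IIS user",
}

# Constructed sample in W3C Extended format; not taken from the original page.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
12:00:01 192.0.2.10 - GET /default.htm 401 1909
12:00:02 192.0.2.11 - GET /default.htm 401 1909
12:00:05 192.0.2.12 - GET /images/logo.gif 401 5
12:00:09 192.0.2.13 - GET /about.htm 200 0
12:00:11 192.0.2.14 EXAMPLE\\alice GET /admin/ 401 1326
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def triage_anonymous_401(text):
    """Count 401s on anonymous requests (cs-username is '-') per Win32 status."""
    counts = Counter()
    for row in parse_w3c(text):
        if row.get("sc-status") == "401" and row.get("cs-username") == "-":
            counts[int(row.get("sc-win32-status", "0"))] += 1
    return counts

def report(counts):
    """Return (count, code, hint) tuples, most frequent first."""
    return [(n, code, WIN32_HINTS.get(code, "unmapped Win32 status"))
            for code, n in counts.most_common()]

if __name__ == "__main__":
    for n, code, hint in report(triage_anonymous_401(SAMPLE_LOG)):
        print(f"{n:4d} x 401/{code}: {hint}")
```

A spike of a single status across many client addresses points at the anonymous account or the ACLs rather than at individual visitors.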