jonburk asked:
How do I know if Basic or NTLM authentication is enabled?

We have to run these scans for audits and a couple of my IIS servers, but not all, got back this:
"Find if IIS server allows BASIC and/or NTLM authentication"

How do I know if this is enabled?
Is it just the anonymous authentication box under Directory Security? If I uncheck that, my sites ask for a username/password.

Thank you.
RubalJ:

Check the attached image: a screenshot of the IIS Directory Security properties tab.

Windows Auth is NTLM Auth.

kwikstix:

jonburk:
So is the top anonymous box what enables NTLM, or is it the bottom Integrated Windows Authentication box that, when checked, turns on NTLM authentication?

Like if I unchecked the top anonymous box, but left Integrated Windows Authentication checked, is that NTLM on? Or do I need to uncheck both?

Thank you!
The top "anonymous" box has nothing to do with NTLM. That should remain enabled in your situation (to allow unauthenticated, anonymous access to your website). Near the bottom, "Integrated Windows Authentication" is what your scanner is referring to as NTLM, and should be turned off if you don't need it. NTLM authentication is typically only used in an Intranet environment where website users are on the same Local Area Network as the web server, and authentication happens through Active Directory. In the case of a publicly accessible Internet website, NTLM isn't needed, and can pose a security risk.
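The audit scanner quoted in the question learns which schemes a site offers the same way any HTTP client does: it sends a request with no credentials and reads the WWW-Authenticate challenges on a 401 response. The script below is an added example, not part of the thread or of any scanner, for checking your own servers after you change the Directory Security settings. It parses the challenge headers (quote-aware, since a Basic realm may itself contain a comma), reports whether Basic and Integrated Windows Authentication (advertised as NTLM and/or Negotiate) are on offer, and can be pointed at a URL with `probe()`. The sample 401 headers are constructed; the function names are this example's own.

```python
import sys
import urllib.error
import urllib.request

# What IIS calls "Integrated Windows Authentication" shows up on the wire as
# "NTLM" (raw NTLM) and/or "Negotiate" (SPNEGO, which wraps Kerberos or NTLM).
WINDOWS_AUTH_SCHEMES = {"ntlm", "negotiate"}


def _split_challenges(value):
    """Split one WWW-Authenticate value on commas that are outside quotes."""
    parts, buf, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_www_authenticate(header_values):
    """Return the set of auth schemes (lower-cased) offered in a 401 response.

    A server may send several WWW-Authenticate headers, or one header with
    several challenges. The scheme is the first token of each challenge;
    pieces containing '=' are parameters (realm=..., nonce=...), not schemes.
    """
    schemes = set()
    for value in header_values:
        for challenge in _split_challenges(value):
            token = challenge.split(None, 1)[0]
            if "=" not in token:
                schemes.add(token.lower())
    return schemes


def classify(status, header_values):
    """Summarise one unauthenticated request the way an audit finding would."""
    schemes = parse_www_authenticate(header_values) if status == 401 else set()
    return {
        "anonymous_allowed": status != 401,
        "basic": "basic" in schemes,
        "ntlm_or_negotiate": bool(schemes & WINDOWS_AUTH_SCHEMES),
        "schemes": sorted(schemes),
    }


def probe(url):
    """Send one GET with no credentials to a server you administer and classify the reply."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, resp.headers.get_all("WWW-Authenticate") or [])
    except urllib.error.HTTPError as e:  # urllib raises on 401; the headers are still there
        return classify(e.code, e.headers.get_all("WWW-Authenticate") or [])


# Constructed sample: the challenges an IIS site with both "Integrated Windows
# Authentication" and "Basic authentication" ticked would return on a 401.
SAMPLE_401_HEADERS = [
    "Negotiate",
    "NTLM",
    'Basic realm="intranet, internal"',
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print(classify(401, SAMPLE_401_HEADERS))
```

One caveat: with the anonymous box ticked, IIS serves the page with a 200 and never sends a challenge for that URL, so an external probe shows nothing even when Integrated Windows Authentication is also enabled; the challenge only appears on resources the anonymous account cannot read. Use the probe to confirm a change took effect, and treat the checkbox state on the server itself as the authoritative answer for the audit.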