Securing internal IIS site

Posted on 2008-11-06
Medium Priority
Last Modified: 2013-12-04
Is there a way to secure an internal IIS so only a select few users have access to it? If I select Integrated Windows Authentication and set security to the home directory folder for the IIS site to only some people, everyone else can still access it. If I set it to Basic Authentication then users get prompted for the credentials but still everyone can get access to the site.

P.S. This is only for intranet, so using basic authentication is not a security threat.
Question by:misengineers
  • 2
  • 2
LVL 51

Expert Comment

by:Ted Bouskill
ID: 22902064
I'm assuming you are setting folder permissions on the physical folders?  If yes, that doesn't control access to the site.

There are actually three aspects to security in a web application.  One is defining authentication to access the site, two is what you can do within the site and three is the permissions of the processes you trigger when you are executing server side code.

Windows or Basic authentication in IIS is all or nothing.  You can't control granular access.  In order to control access more precisely you have to use ASP.NET and use a web.config file with 'Windows' authentication configured to set access rights to specific folders or files.

Author Comment

ID: 22904623
The only thing I dont understand is when they talk about creating a directory in step 1. Where do I create it? In the sites directory? In the windows directory?

And as far as web.config file, do I just create it in the sites directory? I see the File Location within ASP.net is pointing to the site, but it's not created automatically.
LVL 51

Assisted Solution

by:Ted Bouskill
Ted Bouskill earned 360 total points
ID: 22911251
Folders in IIS are mapped to physical folders on your hard drive.  You can locate your physical web application files anywhere on the server and then assign the website root to that physical folder.  The root is where the web.config would be located.  However, .NET supports nested web.config files so you can actually add additional web.config files in sub-folders or even create alternate web applications in virtual sub-folders.
LVL 37

Accepted Solution

bbao earned 390 total points
ID: 22917027
> Where do I create it? In the sites directory? In the windows directory?

basically, under Sites directory, by using IIS management console.

i believe the following MSKB articles could answer your additional questions. they are suitable for IIS6 as well.

How To Create a Virtual Directory in Internet Information Services (IIS)

How To Create the Web.config File for an ASP.NET Application

hope it helps,

Author Closing Comment

ID: 31513978
Thanks guys! That's what I needed.

Featured Post


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Are you looking for the options available for exporting EDB files to PST? You may be confused as they are different in different Exchange versions. Here, I will discuss some options available.
This month, Experts Exchange sat down with resident SQL expert, Jim Horn, for an in-depth look into the makings of a successful career in SQL.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Suggested Courses

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question