Password protecting directories in IIS

In IIS, password protection is achieved by removing anonymous user access to a directory or file. This can be achieved in two ways. You can add the Deny rule to the Anonymous User directly to your applications web.config file, or go through the steps in IIS Manager.

To manually add the rules in your applications web.config file, add this line under the <system.webServer> section:

        <security>
            <authorization>
                <add accessType="Deny" users="?" />
            </authorization>
        </security>

To password protect a specific file, add the 'location path' element within your security rules:

    <location path="index.htm">
        <system.webServer>
            <security>
                <authorization>
                    <add accessType="Deny" users="?" />
                </authorization>
            </security>
        </system.webServer>
    </location>

The alternative to hard coding your web.config file is to use IIS Manager. Refer to Using the Microsoft IIS Manager for instructions on configuring IIS Manager to connect to Winhost web servers. We recommended that the IIS Manager only be used only by experienced developers.

Connect to your site
Go to the directory you want to password protect in the left pane
Double click the Authorization Rules icon in the main window
Click Add Deny Rule
In the pop up dialogue box, select All anonymous users
Click OK
This action will add some entries into your web.config file

Note: Since the rule is written to your application's web.config file, if you upload a new web.config file, the rules may be overwritten.

Article ID: 671, Created: 8/17/2009 at 6:32 PM, Modified: 3/11/2016 at 3:34 PM

Password protecting directories in IIS

Was this article helpful?

Share this article