2.2 Ensure access to sensitive site features is restricted to authenticated principals only

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


IIS supports both challenge-based and login redirection-based authentication methods. Challenge-based authentication methods, such as Integrated Windows Authentication, require a client to respond correctly to a server-initiated challenge. A login redirection-based authentication method such as Forms Authentication relies on redirection to a login page to determine the identity of the principal. Challenge-based authentication and login redirection-based authentication methods cannot be used in conjunction with one another.
Public servers/sites are typically configured to use Anonymous Authentication. This method typically works, provided the content or services is intended for use by the public. When sites, applications, or specific content containers are not intended for anonymous public use, an appropriate authentication mechanism should be utilized. Authentication will help confirm the identity of clients who request access to sites, application, and content. IIS provides the following authentication modules by default:
* Anonymous Authentication - allows anonymous users to access sites, applications, and/or content
* Integrated Windows Authentication - authenticates users using the NTLM or Kerberos protocols; Kerberos v5 requires a connection to Active Directory
* ASP.NET Impersonation - allows ASP.NET applications to run under a security context different from the default security context for an application
* Forms Authentication - enables a user to login to the configured space with a valid user name and password which is then validated against a database or other credentials store
* Basic authentication - requires a valid user name and password to access content
* Client Certificate Mapping Authentication - allows automatic authentication of users who log on with client certificates that have been configured; requires SSL
* Digest Authentication - uses Windows domain controller to authenticate users who request access
Note that none of the challenge-based authentication modules can be used at the same time Forms Authentication is enabled for certain applications/content. Forms Authentication does not rely on IIS authentication, so anonymous access for the ASP.NET application can be configured if Forms Authentication will be used.
It is recommended that sites containing sensitive information, confidential data, or non-public web services be configured with a credentials-based authentication mechanism.
Configuring authentication will help mitigate the risk of unauthorized users accessing data and/or services, and in some cases reduce the potential harm that can be done to a system.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


When configuring an authentication module for the first time, each mechanism must be completely configured before use.
Enabling authentication can be performed by using the user interface (UI), running AppCmd.exe commands in a command-line window, editing configuration files directly, or by writing WMI scripts. To verify an authentication mechanism is in place for sensitive content using the IIS Manager GUI:
1. Open IIS Manager and navigate to level with sensitive content
2. In Features View, double-click Authentication
3. On the Authentication page, make sure an authentication module is enabled, while anonymous authentication is enabled (Forms Authentication can have anonymous as well)
4. If necessary, select the desired authentication module, then in the Actions pane, click Enable
Enter the following command in AppCmd.exe to configure:
%systemroot%\system32\inetsrv\appcmd set config -section:system.web/authentication /mode:<Windows|Passport|Forms>
Enter the following command in PowerShell to configure:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location '<website location>' -filter 'system.webServer/security/authentication/anonymousAuthentication' -name 'enabled' -value 'False'
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location '<website location>' -filter 'system.webServer/security/authentication/windowsAuthentication' -name 'enabled' -value 'True'
Default Value:
The default installation of IIS supports Anonymous Authentication without further electing additional methods.

See Also