Anonymous Authentication

Setting Anonymous Authentication in IIS Manager means that IIS will not use any HTTP authentication mechanism to control access to resources on the computer. By default, when IIS is installed, it creates a user account called IUSR_<servername>, where <servername> is the name of the server on which IIS is running. This user account is added to the Guests group on the computer, which indicates that its access to resources is limited. When IIS receives an HTTP request while Anonymous authentication is in use, it first impersonates the IUSR_<servername> account before executing any code or accessing any files involved in the request. This provides a measure of security by limiting what an unauthenticated user can reach, such as system files. IIS is able to impersonate the IUSR_<servername> account because it knows the user name and password credentials for that account.

You can change the account that is used for anonymous authentication in Internet Service Manager, either at the Web server service level, or for individual virtual directories. You can also change the security privileges for the IUSR_<servername> account in Windows NT User Manager. Any changes to the IUSR_<servername> account will affect every anonymous HTTP request that is serviced by IIS.

Note  Because you can configure IIS to use an anonymous account that is different from the IUSR_<servername> account, wherever this article refers to the IUSR_<servername> account, you should think of it as a placeholder for the account name configured as the Anonymous Logon account in the Microsoft Management Console.

The anonymous account configured in Internet Manager must have the user right to log on locally. If the account does not have the Log On Locally permission (not given to guest accounts by default on domain controllers), IIS will not be able to service any anonymous requests. The IIS installation specifically grants the Log On Locally permission to the IUSR_<servername> account.

Most resources that allow Guest access do so by allowing access to the special group, Everyone. You can set permissions on files and other resources specifically to allow or disallow access by the IUSR_<servername> account, but most people end up managing access by controlling access to the groups Everyone or Guests.

Before IIS returns a requested page to a client, it first verifies that the client has permission to view the page. Although you can restrict permission to a page by turning off Read and Execute permissions on its virtual root in IIS, the preferred method of restricting access to individual pages is to use NTFS file permissions.

Before returning a page to the client, IIS checks the NTFS file permissions on the page to see if the current user is allowed access to the file. If the NTFS permissions on the file do not allow IUSR_<servername> access to the requested page, IIS returns an HTTP 401 Unauthorized status code to the browser.

At this point the browser attempts to authenticate the user using one of the other authentication methods. If Basic authentication is used, the user is prompted for his or her user name and password. If Windows NT Challenge/Response is used, the browser automatically returns the appropriate information to satisfy the authentication request. The user is not prompted for a user name and password unless the server does not recognize the user name provided by Windows NT Challenge/Response. IIS then checks the user's credentials against the access permissions on the requested page, and either returns the page to the browser or returns an Access Denied response.
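The sequence of checks described above (impersonate the anonymous account, test the page's NTFS permissions, fall back to the credentials the browser supplies) can be modelled in a few lines. The following is an added illustration, not IIS code or anything from this article's authors: the account names (IUSR_WEBSRV standing in for IUSR_<servername>), the groups, the ACL entries and the result labels are all constructed for the example. It also shows the point made earlier about the Everyone and Guests groups: because the anonymous account is a Guest, an entry denying Guests on a page blocks every anonymous request to it even when Everyone is allowed.

```python
"""Simplified model of the IIS access-check order described in this article.

Added illustration only, not IIS source. Accounts, groups, ACLs and the
result labels are constructed for the example.
"""
from dataclasses import dataclass

# Result labels used by this model. UNAUTHORIZED is the HTTP 401 the article
# describes, ACCESS_DENIED is its "Access Denied response", and UNSERVICEABLE
# stands for "IIS will not be able to service any anonymous requests" when the
# anonymous account lacks the Log On Locally right.
OK = "OK"
UNAUTHORIZED = "UNAUTHORIZED"
ACCESS_DENIED = "ACCESS_DENIED"
UNSERVICEABLE = "UNSERVICEABLE"


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset            # explicit group memberships, e.g. {"Guests"}
    log_on_locally: bool = True  # holds the Log On Locally user right


def principals(account):
    """Identities an ACL entry can match: the account, its groups, and the
    special group Everyone, which every logged-on account belongs to."""
    return {account.name, "Everyone"} | set(account.groups)


def ntfs_allows(acl, account, right="Read"):
    """Evaluate an NTFS-style ACL given as (principal, 'Allow'|'Deny', right)
    tuples. Any matching Deny entry overrides matching Allow entries."""
    who = principals(account)
    matches = [kind for p, kind, r in acl if p in who and r == right]
    return "Deny" not in matches and "Allow" in matches


def handle_request(acl, anonymous_account, directory, credentials=None):
    """Model the order of checks IIS performs for one request.

    acl               -- NTFS ACL on the requested page
    anonymous_account -- the configured Anonymous Logon account
    directory         -- name -> Account for the users the server recognizes
    credentials       -- user name supplied by Basic or Challenge/Response
                         authentication, or None if the browser sent none
    """
    # IIS can only impersonate the anonymous account if it may log on locally.
    if not anonymous_account.log_on_locally:
        return UNSERVICEABLE
    # Stage 1: impersonate the anonymous account and check NTFS permissions.
    if ntfs_allows(acl, anonymous_account):
        return OK
    # Stage 2: the 401 makes the browser try another authentication method.
    if credentials is None:
        return UNAUTHORIZED
    user = directory.get(credentials)
    if user is None:  # server does not recognize the name: prompt again
        return UNAUTHORIZED
    return OK if ntfs_allows(acl, user) else ACCESS_DENIED


# Constructed sample environment (placeholder names, not a real server).
IUSR = Account("IUSR_WEBSRV", frozenset({"Guests"}))
DIRECTORY = {
    "IUSR_WEBSRV": IUSR,
    "alice": Account("alice", frozenset({"Users", "Staff"})),
    "bob": Account("bob", frozenset({"Users"})),
}
PUBLIC_ACL = [("Everyone", "Allow", "Read")]
STAFF_ACL = [("Staff", "Allow", "Read")]
NO_GUESTS_ACL = [("Everyone", "Allow", "Read"), ("Guests", "Deny", "Read")]


def demo():
    """Run the model over the sample pages and return each outcome."""
    return {
        "public, anonymous": handle_request(PUBLIC_ACL, IUSR, DIRECTORY),
        "staff page, anonymous": handle_request(STAFF_ACL, IUSR, DIRECTORY),
        "staff page, alice": handle_request(STAFF_ACL, IUSR, DIRECTORY, "alice"),
        "staff page, bob": handle_request(STAFF_ACL, IUSR, DIRECTORY, "bob"),
        "guests denied, anonymous": handle_request(NO_GUESTS_ACL, IUSR, DIRECTORY),
        "unknown user": handle_request(STAFF_ACL, IUSR, DIRECTORY, "mallory"),
        "IUSR lacks Log On Locally": handle_request(
            PUBLIC_ACL, Account("IUSR_WEBSRV", frozenset({"Guests"}), False), DIRECTORY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28} -> {result}")
```

The model deliberately evaluates the anonymous account before looking at any credentials, which is why a page readable by Everyone never prompts: the request succeeds under IUSR_<servername> and the browser's own identity is never consulted. Tightening access on a page therefore means removing Everyone (or denying Guests) from its NTFS permissions rather than relying on the authentication setting alone.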