Anonymous Authentication

If the Allow Anonymous option is set, IIS uses Anonymous Access whenever the headers of the HTTP request being served do not contain user ID and password information.

Under Anonymous Access, all access to web pages and resources is done under impersonation of the default anonymous user account. This account is created and set up during IIS installation.

The account, by default, is named after the server machine as follows:

IUSR_<machinename>

It's given a random password and permissions to 'log on locally'. This allows the IIS threads executing requests of an anonymous user to access resources on the local server machine, but not venture out into the local network. This user will also be made a member of the local Guest group. This setting allows the anonymous account to access most of the 'public' contents on a server machine.

Note that, if IIS is installed on a primary domain controller, then the anonymous user account is added to the domain account database. You can use this technique to extend the visibility of the anonymous account. For example, all other servers in the Windows NT domain can now 'publish' information which can be accessed by the IIS anonymous user.

If you have a very large domain with multiple IIS installations on several domain controllers, it's often more convenient to change all the anonymous access accounts to use the same user ID and password. This makes it simple to set the ACLs for anonymous serving of 'public' contents throughout the entire enterprise. One can change the anonymous access account information in the Internet Service Manager configuration utility at each IIS installation.
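
An added example, not from the original text: one way to check which resources are actually being served under the anonymous account is to audit the IIS W3C extended log, where a request that ran as the anonymous user carries "-" in the cs-username field. The log lines and the restricted path prefixes (/admin/, /hr/) are constructed for illustration.

```python
from collections import Counter

# Constructed sample in W3C extended log format (not from the original text).
# IIS logs "-" as cs-username when a request ran as the anonymous account.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
1997-06-01 10:00:01 192.0.2.10 - GET /default.htm 200
1997-06-01 10:00:05 192.0.2.10 - GET /admin/users.asp 200
1997-06-01 10:00:09 192.0.2.11 CORP\\alice GET /admin/users.asp 200
1997-06-01 10:00:12 192.0.2.12 - GET /hr/salaries.xls 401
1997-06-01 10:00:15 192.0.2.12 - GET /public/news.htm 200
"""

# Hypothetical path prefixes that should never be served anonymously.
RESTRICTED = ("/admin/", "/hr/")


def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def audit_anonymous(text, restricted=RESTRICTED):
    """Return (served, findings).

    served   -- Counter of URIs successfully served to anonymous requests
    findings -- (uri, client_ip) pairs where a restricted URI was served
                anonymously, i.e. its ACL admits the anonymous account
                or a group it belongs to
    """
    served, findings = Counter(), []
    for rec in parse_w3c(text):
        if rec.get("cs-username") != "-":
            continue  # request carried credentials; not anonymous
        if not rec.get("sc-status", "").startswith(("2", "3")):
            continue  # e.g. 401: the ACL denied the anonymous account
        uri = rec.get("cs-uri-stem", "")
        served[uri] += 1
        if uri.lower().startswith(restricted):
            findings.append((uri, rec.get("c-ip", "")))
    return served, findings
```

A finding here means the ACL on that resource should be tightened so that neither the anonymous account nor the local Guest group can read it.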

© 1997 by Wrox Press. All rights reserved.