Next, you need to set the IIS permissions for Web access. Open MMC, then expand Services and Applications, Internet Information Services, and the Web site to which you're applying password protection. Right-click the directory or file to which you want to apply password protection, then select Properties. If you're disabling Anonymous access for all files in a directory, right-click that directory in MMC's left pane, then select Properties. Click File Security, then click Edit. To force IIS to present a password dialog box to the user, clear the Anonymous access check box in the Authentication Methods dialog box, then select the Basic authentication (password is sent in clear text) check box. After you make these two modifications, browsing users no longer masquerade as the IUSR_computername user to gain access; they must authenticate to open the file or directory.
If your users are logging on to a domain and running Microsoft Internet Explorer (IE), you also have the option of selecting both Basic authentication and Integrated Windows authentication. Doing so lets authenticated IE users pass an encrypted username and password to gain access without a dialog box appearing. (The system still prompts Netscape users for a username and password.) However, if the protected page is the entrance to a database update form or secure application, having a dialog box appear to the user is a nice visual cue that he or she is entering a controlled area. The dialog box also prevents another user from using someone else's authenticated station to access the page or program.
To complete the password-protection setup process, open the Control Panel Local Security Policy applet. Expand Local Policies, then expand User Rights Assignment, as Figure 3, page 16, shows. Double-click Log on locally. Make sure that the user or group to whom you've granted access to the password-protected files has the Log on locally right. If the user or group isn't displayed, click Add, then select the user or group. The user or group will appear in the Assigned To window with the Local Policy Setting selected.
The password-protection setup procedure is now complete, and you can test the access security for a password dialog box. Be certain that all sensitive pages--not just the menu page that requests a password--are protected from viewing by an unprivileged user. If this menu page links to a database form page and a user knows the URL, that user might be able to skip directly to the form page with no authentication.
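One way to carry out that test systematically is to request every sensitive URL with no credentials and confirm that each one answers 401 with a WWW-Authenticate header instead of serving the page. The script below is an added example, not part of the article; the URLs and the `assess`/`probe`/`audit` names are this example's own, and it also flags Basic authentication offered on a plain http:// URL, which is the clear-text risk the note at the end of the article describes.

```python
"""Verify that every sensitive IIS page demands authentication
(added example; the host names used here are constructed)."""
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen


def assess(url, status, www_authenticate):
    """Classify one anonymous probe of a page on our own server.

    status           -- HTTP status returned to the unauthenticated request
    www_authenticate -- list of WWW-Authenticate header values (may be empty;
                        IIS sends one header per enabled method, e.g. NTLM
                        and Basic)
    Returns (ok, findings); findings is empty when the page is protected.
    """
    findings = []
    schemes = {v.split()[0].lower() for v in www_authenticate if v.strip()}
    if status == 200:
        findings.append("served anonymously: Anonymous access is still enabled")
    elif status == 401:
        if not schemes:
            findings.append("401 without WWW-Authenticate: no method enabled")
        if "basic" in schemes and urlsplit(url).scheme != "https":
            findings.append("Basic offered over plain HTTP: password sent in clear text")
    else:
        findings.append(f"unexpected status {status}")
    return (not findings, findings)


def probe(url, timeout=10):
    """Fetch url with no credentials; return (status, [WWW-Authenticate...])."""
    try:
        with urlopen(Request(url), timeout=timeout) as resp:
            return resp.status, resp.headers.get_all("WWW-Authenticate") or []
    except HTTPError as err:  # urlopen raises on 401, which is what we expect
        return err.code, err.headers.get_all("WWW-Authenticate") or []


def audit(urls, fetch=probe):
    """Probe each URL; return {url: findings} (empty list means protected)."""
    return {u: assess(u, *fetch(u))[1] for u in urls}


if __name__ == "__main__":
    # List the menu page AND every page it links to, as the text advises.
    for page, problems in audit(["https://intranet.example/secure/menu.asp",
                                 "https://intranet.example/secure/form.asp"]).items():
        print(page, "OK" if not problems else "; ".join(problems))
```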
To ease the administration of protected-page security, use a group and add all authorized users to this group. You also have the option of granting access to only one user account, then supplying this username and password to a team or department of users. In addition, consider disabling IE's password-caching feature so that users can't select the Save this password in your password list check box. For information about this procedure, see the Microsoft article "How to Disable Internet Explorer Password Caching" (http://support.microsoft.com/support/kb/articles/q229/9/40.asp).
The IIS Advantage
Using integrated IIS security has advantages over both programmatic methods for securing Web pages. With integrated security, page execution order isn't important as long as all sensitive pages are protected. In addition, users need to enter their passwords only once, and you don't need to use session cookies or monitor a session variable. Finally, you can easily control user access by using individual accounts, groups, and NTFS security, and you don't have to add code or include files to secure pages.
Note: The steps for password-protecting files or applications are for a Win2K Server or Win2K Advanced Server installation. The dialog boxes and check boxes are slightly different for Windows NT 4.0 and IIS 4.0. For example, in IIS 4.0, when you right-click the file or directory you want to protect, you'll select Properties, Security, then click the Permissions tab. On this tab, verify that the Administrator group has Full Control, then remove the Everyone and IUSR_computername groups as in the IIS 5.0 process. Then, add the users or groups that you want to have access to the protected file, directory, or application. If this directory is the one that you're protecting, select the appropriate check boxes that control the propagation of the permissions to the files and subdirectories.
Note: You select Basic authentication with clear text so that the authentication prompt dialog box will appear to Netscape users and they can authenticate successfully. Of course, a security risk exists in selecting Basic authentication because the password is passed as clear text. If the server in question is on a public network, I discourage this configuration.