Difficulty: Easy
Correct Answer: Clear (disable) the Allow Anonymous Connection option
Explanation:
Introduction / Context:
In IIS on Windows 2000, a site can permit multiple authentication methods simultaneously. If Anonymous access remains enabled, IIS serves requests under the anonymous account (IUSR_machinename) without requiring credentials. Enabling Integrated Windows authentication alone will not prompt users if anonymous is still allowed.
Given Data / Assumptions:
Concept / Approach:
To enforce authentication, disable Anonymous access so IIS cannot fall back to the IUSR account. With Anonymous disabled and Integrated enabled, browsers within the domain automatically use Kerberos/NTLM single sign-on and will authenticate seamlessly (or prompt if needed). Selecting Basic is unnecessary unless you need non-Windows clients and are willing to transmit credentials in an encoded but reversible form (preferably over SSL). Disabling the IUSR account at the OS level is clumsier than unchecking “Allow anonymous” in IIS and may affect other sites.
Step-by-Step Solution:
1) Open IIS Manager → Site/Virtual Directory → Properties → Directory Security.
2) Click “Edit” under Anonymous access and authentication control.
3) Uncheck “Allow anonymous access.” Ensure “Integrated Windows authentication” is checked.
4) Apply settings and test with a domain account.
Verification / Alternative check:
Access the site from a domain-joined workstation; the server logs should show authenticated requests (NTLM/Kerberos). Non-domain clients should be prompted for credentials.
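The log check above can be scripted. The following is an added example, not part of the original answer: it reads a W3C extended log and lists requests that IIS served with no authenticated user, which also exposes virtual directories that still allow anonymous access. The sample log is constructed, and the script assumes the cs-username and sc-status fields are enabled in the site's logging properties.

```python
"""Flag requests that IIS served without credentials, from a W3C extended log."""

# Constructed sample log (not from a real server). In W3C extended format,
# cs-username is "-" when the request carried no authenticated identity.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2001-03-14 09:12:01 10.0.0.21 - GET /intranet/default.asp 401
2001-03-14 09:12:01 10.0.0.21 EXAMPLE\\jsmith GET /intranet/default.asp 200
2001-03-14 09:13:40 10.0.0.35 - GET /intranet/reports/q1.asp 200
2001-03-14 09:14:02 10.0.0.35 - GET /intranet/logo.gif 304
"""


def anonymous_hits(log_text):
    """Return (uri, client_ip, status) for requests served anonymously.

    A 401 with no username is the normal first leg of the NTLM/Kerberos
    handshake, so only responses below 400 with cs-username "-" are reported.
    """
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        if "cs-username" not in row or not row.get("sc-status", "").isdigit():
            continue  # required fields are not being logged
        status = int(row["sc-status"])
        if row["cs-username"] == "-" and status < 400:
            hits.append((row.get("cs-uri-stem", "?"), row.get("c-ip", "?"), status))
    return hits


if __name__ == "__main__":
    for uri, ip, status in anonymous_hits(SAMPLE_LOG):
        print(f"anonymous access still allowed: {uri} from {ip} (status {status})")
```

An empty result after the change means every served request carried a user name; any path that still appears has Anonymous access enabled at that directory level.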
Why Other Options Are Wrong:
Common Pitfalls:
Leaving both Anonymous and Integrated enabled and assuming Integrated will take precedence; forgetting to propagate settings to virtual directories.
Final Answer:
Clear (disable) the Allow Anonymous Connection option