An application is a grouping of files that delivers content or provides services over protocols, such as HTTP. By default, IIS 7 uses Anonymous authentication.
You must disable Anonymous authentication for any Web site, Web application, or Web service for which you want to enable other authentication methods such as Basic or Windows authentication.
In the Connections pane, expand the server name, expand Sites, go to the level in the hierarchy pane that you want to configure, and then click the Web site or Web application. Scroll to the Security section in the Home pane, and then double-click Authentication. In the Authentication pane, select Anonymous Authentication, and then click Disable in the Actions pane.
In the Connections pane, expand the server name, expand Sites, navigate to the level in the hierarchy pane that you want to configure, and then click the Web site or Web application. In the Authentication pane, select Anonymous Authentication, and then click Edit. In the Edit Anonymous Authentication Credentials dialog box, do one of the following:
Select Application pool identity to use the identity set for the application pool, and then click OK.
Click Set. If you use this procedure, grant the new account only minimal privileges on the IIS server computer.
An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks. Disable the Network access: Let Everyone permissions apply to anonymous users setting.
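The same settings can be audited and changed from PowerShell. The script below is an added example, not part of the original documentation: it reports the Anonymous authentication state and identity for each site, provides a function to disable it, and checks the registry value behind the Let Everyone permissions apply to anonymous users policy. It assumes the WebAdministration module and an elevated session; the function names are illustrative.

```powershell
# Added example: audits the anonymous-access settings described above.
# Assumes the WebAdministration module (IIS management tools) and an elevated session.
Import-Module WebAdministration

$filter = 'system.webServer/security/authentication/anonymousAuthentication'

function Get-AttrValue($p) {
    # Get-WebConfigurationProperty may return a wrapper object or a bare value.
    if ($null -ne $p -and $p.PSObject.Properties['Value']) { $p.Value } else { $p }
}

function Get-AnonymousAuthReport {
    foreach ($site in Get-Website) {
        $enabled = Get-AttrValue (Get-WebConfigurationProperty -PSPath 'IIS:\' `
            -Location $site.Name -Filter $filter -Name enabled)
        $user = Get-AttrValue (Get-WebConfigurationProperty -PSPath 'IIS:\' `
            -Location $site.Name -Filter $filter -Name userName)
        [pscustomobject]@{
            Site      = $site.Name
            Anonymous = [bool]$enabled
            # An empty userName means requests run as the application pool identity.
            RunsAs    = if ([string]::IsNullOrEmpty($user)) { 'Application pool identity' } else { $user }
        }
    }
}

function Disable-AnonymousAuth([string]$SiteName) {
    # Equivalent of selecting Anonymous Authentication and clicking Disable.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter $filter -Name enabled -Value $false
}

function Test-EveryoneIncludesAnonymous {
    # Registry value behind "Network access: Let Everyone permissions apply
    # to anonymous users"; 1 means the policy is enabled.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name EveryoneIncludesAnonymous -ErrorAction SilentlyContinue
    return ($null -ne $lsa -and $lsa.EveryoneIncludesAnonymous -eq 1)
}

Get-AnonymousAuthReport | Format-Table -AutoSize
if (Test-EveryoneIncludesAnonymous) {
    Write-Warning 'Everyone permissions apply to anonymous users; disable that policy.'
}
```

Call `Disable-AnonymousAuth 'Default Web Site'` (a sample site name) only after another authentication method is enabled for that site.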
This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control.
Special identity groups are similar to Active Directory security groups as listed in the users and built-in containers. Special identity groups can provide an efficient way to assign access to resources in your network. By using special identity groups, you can:
Servers that are running the supported Windows Server operating systems designated in the Applies To list at the beginning of this topic include several special identity groups. These special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances.
Although the special identity groups can be assigned rights and permissions to resources, the memberships cannot be modified or viewed.
Group scopes do not apply to special identity groups. Users are automatically assigned to these special identity groups whenever they sign in or access a particular resource. For information about security groups and group scope, see Active Directory Security Groups.
Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. This identity allows anonymous access to resources, such as a web page that is published on corporate servers. The Anonymous Logon group is not a member of the Everyone group by default.
Any user who accesses the system through a sign-in process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization. Membership is controlled by the operating system. A SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials.
Any user or process that accesses the system as a batch job or through the batch queue has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files.
Windows NT networks that use multiple domains may require anonymous user logon to list account information. A brief example shows how anonymous connections are used. Consider two Windows NT domains, an account domain and a resource domain. The resource domain has a one-way trust relationship with the account domain. That is, the resource domain "trusts" the account domain, but the account domain does not trust the resource domain.
Users from the account domain can authenticate and access resources in the resource domain based on the one-way trust. Suppose an administrator in the resource domain wants to grant access to a file to a user from the account domain. Since the account domain does not trust the resource domain, the administrator request to obtain the list of users and groups from the resource domain cannot be authenticated.
The connection is made using a NULL session to obtain the list of account domain users. There are similar situations where obtaining account names using an anonymous connection allows the user interface tools, including Windows NT Explorer, User Manager, and ACL editor, to administer and manage access control information across multiple Windows NT domains.
Another example is using User Manager in the resource domain to add users from the trusted account domain to a local group.