Picking the Most Appropriate IIS Authentication

malebolgia

Long story short I'm needing to add some kind of a username & password prompt to a Windows 2008 IIS7 server. To be honest IIS isn't my cup of tea, especially when it comes to picking the authentication type. There are so many choices: basic authentication, digest authentication, windows authentication, form authentication, and so on. If anyone can provide any guidance on which one to use, please post. :)

FYI, the server is alone.. meaning it doesn't have access to Active Directory or a database.

Edit: The server uses SSL. :)
 
If you haven't figured this out already.. There are good summaries of the different Authentication types on MSDN... For what you're trying to do, set the Authentication to Basic (glad you have SSL), then turn off Anon access.

After that, take a look at the Authorization Rules. Auth Rules are new in IIS7... With Auth Rules you can easily use Windows user accounts or groups to lock down a site or directory. Just set up the users you want with Windows user accounts... When you try to access the site, you'll get a pop-up dialog to enter a username and password...

The only other option in your situation is Form Authentication.. But that gets more complicated (and I don't remember ATM whether you need a DB back-end of some sort.. Too late, time for bed.) :).

HTH
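
The settings described in the reply above, written out as an `applicationHost.config` fragment. This is an added example, not part of the original posts; the site name `Default Web Site` and the local account `siteuser` are assumptions.

```xml
<!-- Added example: fragment for %windir%\System32\inetsrv\config\applicationHost.config.
     Assumptions: the site is named "Default Web Site" and "siteuser" is a local
     Windows account created for this purpose. The Basic Authentication and
     URL Authorization role services must be installed for these sections to apply. -->
<location path="Default Web Site">
  <system.webServer>
    <security>
      <!-- Basic auth sends the password base64-encoded, not encrypted,
           so reject any request that does not arrive over SSL. -->
      <access sslFlags="Ssl" />
      <authentication>
        <!-- With anonymous access left on, IIS never issues the 401 challenge. -->
        <anonymousAuthentication enabled="false" />
        <basicAuthentication enabled="true" />
      </authentication>
      <authorization>
        <!-- Remove the inherited "allow all users" rule, then allow only
             the named local account. -->
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" users="siteuser" />
      </authorization>
    </security>
  </system.webServer>
</location>
```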
 
Thanks much for the advice. Now I just need to figure out what to do with brute force attacks. Thankfully I pick evil evil passwords (4 upper, 4 lower, 4 special, 4 numbers), and a username that is really weird/not standard.
 