
I have a website built upon Windows IIS, and to use a password to protect the website and disable anonymous logon to that website, the ONLY way is to disable anonymous logon in IIS and use a Windows login account as the website logon account.

However, this will cause a security leak because there is no HTTPS connection, so the Windows logon password is transported on the network in "clear text". If anyone captures the password he/she can use it to log on to the server. So can we use HTTPS in this case?

Or, if we can use HTTPS, there is another concern, which is that we don't want the website user to log on to the server using that same Windows account. We only want the user to access the website, not the Windows server. Can we disable this particular Windows account from logging in to Windows while allowing this user to access the password-protected website?

Xianlin

1 Answer

When doing any kind of web based authentication you always want to perform the action over an encrypted channel. So, yes. Get a cert and turn it on. You shouldn't have any problems.

Forbidding access to the server itself, when using machine accounts, is definitely doable but can sometimes be tricky depending on your exact use-cases. First, make sure the user accounts are in neither the Administrators nor Remote Users groups. This will prevent Terminal Services connections.

You will also want to forbid them from logging in locally. I don't have the necessary Windows expertise to explain how, unfortunately.

As an additional step, I would also make sure your firewall rules are appropriately restrictive. If the users can't hit port 3389, then they can't Remote Desktop even if they have an account.

Scott Pack
  • I found the way to forbid website users from logging in locally. I guess now we've got the final answer for my question. http://technet.microsoft.com/en-us/library/cc728210(WS.10).aspx – Xianlin Apr 14 '12 at 13:15
  • @Xianlin Glad to hear that it was so easy to find. That's the point when I would punt next door to our Windows guy. – Scott Pack Apr 14 '12 at 14:04
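The checks the answer and the follow-up comment walk through (anonymous authentication off, an HTTPS binding present, the web account kept out of the groups that grant Terminal Services access, the account listed under "Deny log on locally", and inbound TCP 3389 not openly allowed) can be audited from the IIS host. The script below is an added example, not code from the question, the answer, or Microsoft; it assumes a site name and a local web-logon account name, assumes the "Remote Users" group in the answer means the built-in "Remote Desktop Users" group, and relies on the WebAdministration module plus the Get-LocalGroupMember and NetSecurity cmdlets (Windows Server 2016 / Windows 10 or later).

```powershell
# Added audit script (not from the question or answer). Assumed values below:
# the site name, the web-logon account, and "Remote Desktop Users" as the group
# the answer calls "Remote Users". Run from an elevated PowerShell on the IIS host.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'              # assumed site name
$WebAccount = "$env:COMPUTERNAME\websvc"      # assumed local account used for site logon
$findings   = @()

# 1. Anonymous authentication must be off, otherwise the logon prompt is never enforced.
$anon = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled
if ($anon.Value) { $findings += 'Anonymous authentication is still enabled' }

# 2. An HTTPS binding must exist; Windows/Basic auth over plain HTTP exposes the password.
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    $findings += 'No HTTPS binding: credentials would travel in clear text'
}

# 3. The web account must not sit in groups that grant Terminal Services access.
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    if ($members.Name -contains $WebAccount) {
        $findings += "$WebAccount is a member of $group"
    }
}

# 4. "Deny log on locally" (SeDenyInteractiveLogonRight) must list the account's SID.
#    secedit exports the right as a comma-separated list of *SID values.
$sid = (New-Object System.Security.Principal.NTAccount($WebAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$deny = Select-String -Path $cfg -Pattern '^SeDenyInteractiveLogonRight' | Select-Object -First 1
if (-not $deny -or $deny.Line -notmatch [regex]::Escape($sid)) {
    $findings += "$WebAccount is not listed under 'Deny log on locally'"
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 5. Inbound RDP (TCP 3389) should be blocked or tightly scoped in the host firewall.
$rdpRules = Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
if ($rdpRules | Where-Object Action -eq 'Allow') {
    $findings += 'An enabled inbound allow rule for TCP 3389 exists; review its remote address scope'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'All checks passed' }
```

Each warning maps to one of the controls above; a clean run means the account can authenticate to the site over TLS but has no interactive or RDP path onto the server.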