Easiest way to get .htaccess like access control with IIS 6?
July 5, 2007 6:49 AM   Subscribe

a quick piece of googling gave me this

password protect IIS6
posted by moochoo at 7:02 AM on July 5, 2007

*cough* Apache for win32 :P
posted by delmoi at 7:29 AM on July 5, 2007

This is automatic in IIS, isn't it? Just right click on the directory in Explorer and change the permissions to disallow the IUSR_XXX account. Then you will get a login screen when you try to view the directory, and will have to enter a username that does have access to the directory. (You can create a enw user in windows for this.)
posted by Nothing at 7:40 AM on July 5, 2007

I'll second Apache for Win32, it's worth the effort to make the move. But take a look at ISAPI_Rewrite if you're sticking with IIS, it works well.
posted by pb at 7:42 AM on July 5, 2007

On reread, I concur with Nothing. You don't need .htaccess for simple access control. More: How To Configure IIS Web Site Authentication in Windows Server 2003.
posted by pb at 7:46 AM on July 5, 2007

Another option is IISPassword , a free module that will read htaccess and htpasswd files (for access control only). I've used it in the past (it integrates with HELM, which sadly, we also used), and it works fine. I imagine it's most useful in situations where you need to allow a third party to control access to their directories (on your server) without granting them any rights, so it may be overkill for your situation (if you want to avoid creating a windows user, however, it might be right up your alley).
posted by fishfucker at 8:08 AM on July 5, 2007

If it's just one user, then the "create a low-level windows user, disallow anonymous authentication, and make sure that account has access" is okay.

If you want more than one user, or don't have total control over that web server, you might just try rolling your own: if it's an option, asp.net via the web.config lets you specify a set of non-windows username and password combinations and grant them access to sections of your site, so that you don't have to create an actual Windows user just for authenticated browsing. It's also nice in that it's portable: if you move to a new webserver, your app will move the security with it, seamlessly.

This link has a good example: you pretty much just set up your web.config with authentication settings for that directory, and the list of usernames and passwords, and add a login.aspx page so that people can login (which they'll automatically get sent to if they try to access a resource in that directory without having logged in first).

The only changes are a login.aspx page (which you can copy/paste the code on that site pretty much verbatim) and a section added to the webconfig saying "This sub-section of the site (the path) is restricted, and here are the usernames and passwords that if given will let people into this section". Make those changes, and you're done- and your app security again will move with your app.
posted by hincandenza at 8:58 PM on July 5, 2007

« Older I am looking for the sort of f...   |   DC doctors - your personal rec... Newer »