How to deny anonymous users access as a step of Windows Authentication in ASP.NET

When you want to deny access to all unauthenticated users you have to use the <authorization> element of the web.config file to add a new authorization rule, as follows:



<!– Other settings omitted. –>


<deny users=”?” />




The question mark (?) is a wildcard character that matches all anonymous users and by including this rule in your web.config file, you specify that anonymous users are not allowed. Every user must be authenticated using one of the configured Windows authentication protocols.

The next picture shows how you can configure authorization rules directly from within the IIS management console when you are using IIS 7.x:


IIS authorization configuration for Windows authentication

IIS authorization configuration for Windows authentication

By default, the feature delegation configuration of IIS 7.x is configured so that authorization rules are added to the central applicationHost.config configuration of the web server. If you configure these rules with the IIS management console, they will not be reflected in your web.config file. On the other hand, you can configure them manually in the <authorization> element of the <system.web> section of your web.config, and the resulting behavior will be exactly the same as when configuring them through the IIS management console—at least from the user’s perspective.

When you are configuring authorization rules through the IIS 7.x management console, they will be configured in the <system.webServer> section, which is evaluated by the web server’s native authorization module. That means the web server itself rejects the request. On the other hand, when you are configuring the settings in the <system.web> section, ASP.NET will reject the request (which is at a later point in time in the processing pipeline).

Furthermore, when you disable the Anonymous Authentication module in IIS 7.x, you don’t even need to configure any authorization rules, as the web server itself rejects the request before it even comes to evaluating authorization rules. Nevertheless, according to “defense in-depth” and “secure-bydefault,” it is recommended to configure authorization rules either through the management console or your web.config file.