How do I password protect a folder in IIS?

The following article explains how to create a password protected section of your website. The protected section will require users to login before they can view contents of the folders. This is a three step process; the first step creates a Windows user account with limited access to the machine, the second step removes Anonymous Access to the folder, and the third step assigns the user to the folder.

To password protect a folder, please follow these steps:

  1. Log into your server through Terminal Services or Remote Desktop Connection.
  2. Create the Windows User by following the steps in How do I create a new user on my Windows 2000 & 2003 Server?
  3. Click Start, select Programs, and then click Administrative Tools.
    • For IIS 5.0 click Internet Services Manager.
    • For IIS 6.0 click Internet Information Services.
  4. In the left column you will see the Server Name.
    • In IIS 5.0, expand the Server Name to find the domain name.
    • In IIS 6.0, expand the Server Name and then Web Sites to find the domain name
    • .
  5. Right-click on the domain name and select Properties.
  6. On the Directory Security Tab under Authentication and Access Control click Edit.
  7. Uncheck Enable Anonymous Access.
  8. Choose the level of Authenticated Access:
    • Integrated Windows Authentication: encrypts the password sent to the server (we recommend this method)
    • Digest Authentication: this level works only if Active Directory is configured
    • Basic Authentication: sends the password across the network in clear text (we do not recommend this method)
    • .Net Passport Authentication: a web authentication service
  9. Click Ok and then click Ok a second time.
  10. Navigate to the folder on your server containing the contents of your website.
  11. Right click the folder and select Properties.
  12. On the Security tab click Add.
  13. Enter the name of the user you created and click OK.
  14. If you wish to allow other users to login, repeat steps 12 and 13 with the additional user names.

Your website is now password protected. If you prefer to password protect only a folder, rather than your entire website, you can repeat the exact steps above on the individual folder, rather than your entire website.