IISUnderground - A help website for setting up Microsoft IIS

Password Protect File/Directory

padlockThis tutorial will guide you through setting up a password protected file or directory on IIS 7.5.

Time to complete: ~10 minutes


The procedure to add a password protected file/directory to IIS 7.5 differs slightly between Windows 7 and Windows Server 2008 (inc. R2).


1. Install the Basic Authentication feature

Windows 7

– Go to Start > Control Panel > Programs and Features.

– On the left bar, click Turn Windows features on or off.

– On the pop-up box, follow the path Internet Information Services > Security and tick Basic Authentication.

– Click OK and wait for the feature to install.


Windows Server 2008 (inc. R2)

– Go to Start > Control Panel > Administrative Tools > Server Manager.

– From the left bar, select Roles.

– Scroll down to find the section labelled Web Server (IIS).

– Under Role Services click the Add Role Services link.

– On the pop-up box, follow the path Web Server > Security and tick Basic Authentication.

– Click Install and wait for the feature to install.


2. Create a username and password

– Open the computer management console from Start > Control Panel > Administrative Tools > Computer Management.

– On the left side of the console, expand Computer Management (Local) > System Tools > Local Users and Groups > Users.

– On the right window you will see existing system users. Right click in the user’s area and select New User…

– Enter a username and password.

Untick ‘User must change password at next logon’.

– Tick ‘Password never expires’.

– Click Create.

– (Optional) For added security you may want to prevent this user from logging into the server via remote desktop services. To do this, right click the user, on the pop-up window select the Remote Desktop Services Profile tab and tick ‘Deny this user permissions to log on to Remote Desktop Session Host server’.



3. Open the IIS Manager

– Open the IIS Manager from Start > Control Panel > Administrative Tools > IIS Manager.

Select your server from the list on the left and expand the sites list.

Find the site you want to add protection to and select it.

– At the bottom of the window, select Content View next to the already highlighted features view button.

– You can now see a directory and file listing of the website. Navigate and find the file or folder you want to protect.

– Right click and select Switch to Features View. The file or folder is now selected.

– Under the IIS heading double click Authentication.

– Click Anonymous Authentication and then on the right hand side click Disable.

– Now click Basic Authentication and then on the right hand side click Enable.


4. Test the Authentication

The password protection should now be added. To test it, go to the web facing URL of the file or directory that you just protected. You should be presented with a pop-up authentication box like this:


Enter your username and password that we created earlier and click Log In. If the file or directory is displayed successfully then your authentication works!

If you do not get the prompt or your login doesn’t work, you should revisit this tutorial from the beginning in case you missed something out.