Symantec Enterprise Security Manager - How to check if "Anonymous Authentication" is disabled on IIS 7 sites.


Article ID: 181369




Control Compliance Suite Windows




This article explains how to check if "Anonymous Authentication" is disabled on IIS 7 sites.

It shows how to create an ESM template that checks the changes made to the applicationHost.config file when Authentication settings are enabled or disabled in the IIS configuration. It also provides a sample ESM policy and corresponding template that you can download and import (for Windows 2008 type targets). Please be aware that this was tested and documented with an ESM agent on SU42 (2011.09.01) and is known not to work as outlined below with SU39 (2010.03.01).

The Goal:

This is the setting we want to be reported on. When "Anonymous Authentication" is enabled and "Windows Authentication" is disabled, we want ESM to flag a red message. This example only looks at these two settings; it does not report on, for instance, "Basic Authentication".

Fig 1: Default IIS settings for "Default Web Site"

Fig 2: Custom IIS settings for "SomeSite"

What changes on the IIS server when changing these settings?

IIS 7 keeps most of its settings in the applicationHost.config file. On a Windows 2008, IIS 7 based server this file is located by default at C:\Windows\System32\inetsrv\config\applicationHost.config.

This is the entry in applicationHost.config that records the changes from the default, in this case for the Web Site "SomeSite" (where anonymous access is disabled and Windows Authentication is enabled).


Fig 3: applicationHost.config entries

Creating an ESM template to check these settings.

Within the ESM console there is a "branch" for templates; edit an existing "IIS 7.0 Settings - all" template or add a new one. Once in the template editor, add the following row:


IIS Object Name: *

IIS Object Type: IIsWebServer

Required: Mandatory

Comment: Authentication Settings.


Data Existence 1:

Attribute Name: anonymousAuthentication::enabled

Attribute Value: False

Required: Mandatory

Comment: Anonymous Authentication must be set to False.


Data Existence 2:

Attribute Name: windowsAuthentication::enabled

Attribute Value: True

Required: Mandatory

Comment: Windows Authentication must be set to True.



Fig 4: IIS7 template
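The same check the template rows encode, written as an added Python example (not code from the article or from Symantec) that can be run offline against a copy of applicationHost.config. It goes one step beyond the article: it resolves the inheritance between the global <authentication> defaults and a site's <location> override, so a site that only overrides one of the two attributes is still evaluated on its effective settings. The XML excerpt is constructed to mirror Fig 1 and Fig 2.

```python
import xml.etree.ElementTree as ET
# Constructed applicationHost.config excerpt (not the article's own file), modelled on
# Fig 1 and Fig 2: global defaults plus a <location> override block for "SomeSite".
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost><sites>
    <site name="Default Web Site" id="1" /><site name="SomeSite" id="2" />
  </sites></system.applicationHost>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="IUSR" />
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
  <location path="SomeSite">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

AUTH = "system.webServer/security/authentication"
TAGS = {"anonymous": "anonymousAuthentication", "windows": "windowsAuthentication"}

def _flags(scope):
    """enabled= for each auth module set in this scope; None when not set here."""
    auth = scope.find(AUTH) if scope.find(AUTH) is not None else ET.Element("none")
    vals = {k: auth.find(t).get("enabled") if auth.find(t) is not None else None
            for k, t in TAGS.items()}
    return {k: None if v is None else v.lower() == "true" for k, v in vals.items()}

def audit_sites(config_xml):
    """Effective flags per site: a <location path=site> override wins over the global default."""
    root = ET.fromstring(config_xml)
    defaults = _flags(root)
    per_site = {loc.get("path"): _flags(loc) for loc in root.findall("location")}
    resolved = {}
    for site in root.findall("system.applicationHost/sites/site"):
        own = per_site.get(site.get("name"), {})
        resolved[site.get("name")] = {k: defaults[k] if own.get(k) is None else own[k] for k in TAGS}
    return resolved

def failed_checks(config_xml):
    """Mirror the template's two mandatory rows and list the rows each site fails."""
    rows = {"anonymous": (False, "anonymousAuthentication::enabled must be False"),
            "windows": (True, "windowsAuthentication::enabled must be True")}
    failures = {}
    for name, eff in audit_sites(config_xml).items():
        bad = [msg for k, (want, msg) in rows.items() if eff[k] is not want]
        if bad:
            failures[name] = bad
    return failures
```

With the sample above, "Default Web Site" fails both rows because it inherits the IIS 7 defaults, while "SomeSite" passes.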


The result.

If Anonymous Authentication is enabled and Windows Authentication is not, on any site (since we used *), the following message will show within the ESM policy run results.


Fig 5: The ESM message within the ESM console, shown because Anonymous Authentication is enabled for the "Default Web Site" but not for the "SomeSite" website.


Download Sample policy.

Here is a link to download a sample ESM policy for this check as shown in this article. The check in this policy is enabled for the WIN2008 platform.


If you're reading this article, you might be interested in the following article: How to check if "Enable Anonymous Access" is set on IIS 6 sites.