Securing Anonymous Accounts
Anonymous authentication gives users access to the public areas of your Web site, without prompting them for a user name or password. When a user attempts to connect to your public Web site, your Web server assigns the user to the Windows user account called IUSR_computername, where computername is the name of the server on which IIS is running.
- If your site is based on ASP.NET, the anonymous account is ASPNET.
By default, the IUSR_computername account is included in the Windows user group Guests. This group has security restrictions, imposed by NTFS permissions, that designate the level of access and the type of content available to public users.
If you have multiple sites on your server, or if you have areas of your site that require different access privileges, you can create multiple anonymous accounts, one for each Web site, directory, or file. By giving these accounts differing access permissions, or by assigning these accounts to different Windows user groups, you can grant users anonymous access to different areas of your public Web content.
- If you create custom Commerce Server components that need permissions to a database in the global.asa file, the IWAM_<machinename> account must have run-time permissions.
Using Anonymous Accounts and Windows Authentication
It is strongly recommended that you configure your Commerce Server installation to use Windows Authentication.
To use Windows Authentication, you must do the following:
1. Create a user account on the Active Directory domain so anonymous users can access SQL Server. This is the run-time user account.
2. Change the IUSR_computername account in IIS to the run-time user account created in Step 1.
3. Assign the run-time user account permissions to SQL Server. For a detailed list of the permissions that must be granted to the run-time user account, see Securing Your Databases.
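
To confirm that Step 2 was applied to every site, the following added example (not part of the original documentation or of Commerce Server) reports which Windows account each IIS site uses for anonymous access. It assumes the IIS ADSI metabase provider (IIS 6, or IIS 6 Metabase Compatibility on later versions) for the `-Live` path; the account name `EXAMPLE\CsRuntime`, the site names, and the function name are hypothetical.

```powershell
# Added example: audit the anonymous-access account of each IIS Web site.
param(
    [string]$RunTimeAccount = 'EXAMPLE\CsRuntime',  # hypothetical run-time account from Step 1
    [switch]$Live                                    # read the local IIS metabase instead of sample data
)

function Get-AnonymousAccountFinding {
    param([string]$Site, [string]$AnonymousUser, [string]$Expected)
    # Classify the configured anonymous identity against the expected run-time account.
    $status = if ([string]::IsNullOrEmpty($AnonymousUser)) { 'REVIEW: no anonymous account set' }
              elseif ($AnonymousUser -ieq $Expected)       { 'OK: run-time account' }
              elseif ($AnonymousUser -match '(^|\\)IUSR_') { 'CHANGE: default IUSR account still in use' }
              else                                         { 'REVIEW: unexpected account' }
    New-Object PSObject -Property @{ Site = $Site; AnonymousUser = $AnonymousUser; Status = $status }
}

if ($Live) {
    # Assumption: the IIS ADSI provider is installed on this server.
    $sites = ([ADSI]'IIS://localhost/W3SVC').psbase.Children |
        Where-Object { $_.psbase.SchemaClassName -eq 'IIsWebServer' } |
        ForEach-Object {
            # AnonymousUserName is read at the site root, where inherited values are visible.
            $root = [ADSI]("$($_.psbase.Path)/ROOT")
            @{ Site = "$($_.ServerComment)"; User = "$($root.AnonymousUserName)" }
        }
}
else {
    # Constructed sample data, not taken from a real server.
    $sites = @(
        @{ Site = 'Retail';  User = 'EXAMPLE\CsRuntime' },
        @{ Site = 'Partner'; User = 'IUSR_WEB01' },
        @{ Site = 'Support'; User = 'WEB01\LocalSvc' }
    )
}

$sites |
    ForEach-Object { Get-AnonymousAccountFinding -Site $_.Site -AnonymousUser $_.User -Expected $RunTimeAccount } |
    Select-Object Site, AnonymousUser, Status |
    Format-Table -AutoSize
```

Run without parameters, the script evaluates the constructed sample rows; any site reported as CHANGE or REVIEW is one where the anonymous identity does not match the run-time account that was granted SQL Server permissions in Step 3.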