This article explains how to check if "Enable Anonymous Access" is set on IIS 6 sites.
It shows how to create an ESM template that checks for the change made in the IIS metabase when the "Enable Anonymous Access" checkbox is enabled or disabled in the IIS configuration. It also provides an ESM policy and corresponding template that you can download and import if you like.
This is the setting we want reported. When the "Enable anonymous access" checkbox is checked, we want ESM to flag a red message. When it is not checked, or another authentication method is selected (like Integrated Windows authentication or Basic), it will not be flagged.
Fig 1. The setting in question.
What changes on the IIS server when changing this setting?
IIS 6 keeps most of its settings in the Metabase.xml file. By default, this file is located at C:\windows\system32\inetsrv\Metabase.xml on a Windows 2003, IIS 6 based server.
This is the entry in Metabase.xml for when the checkbox is unchecked (and thus anonymous access is disabled)
Fig. 2 anonymous access disabled
This is the entry in Metabase.xml for when the checkbox is checked (and thus anonymous access is enabled)
Fig. 3 anonymous access enabled.
Creating an ESM template to check this setting.
Within the ESM console there is a "branch" for templates. Edit an existing "IIS Metabase - all" template or add a new one. Once in the template editor, add the following row:
IIS Object Name: .*
IIS Object Type: IIsWebVirtualDir
Comment: Anonymous Access Enabled.
Attribute Name: AuthFlags
Attribute Value: AuthAnonymous
Bitmask Data: "checked"
Comment: Anonymous Access Enabled
Fig. 4 Template details.
If anonymous access is enabled on any site, the following message is shown in the ESM policy run results.
Fig. 5 The ESM message within the ESM console if Anonymous Access was enabled.
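To spot-check the same condition outside ESM, the following Python script (an added example, not part of the original article or of ESM) reads Metabase.xml content and lists every IIsWebVirtualDir whose AuthFlags includes the AuthAnonymous bit. The sample XML is constructed rather than taken from the article's figures, and matching the object name pattern against the Location attribute and accepting numeric AuthFlags values are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# AuthFlags bit values as documented for the IIS metabase AuthFlags property.
AUTH_BITS = {"AuthAnonymous": 0x1, "AuthBasic": 0x2, "AuthNTLM": 0x4,
             "AuthMD5": 0x10, "AuthPassport": 0x40}

# Constructed sample input, not the entries shown in the article's figures.
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebServer Location="/LM/W3SVC/1" AuthFlags="AuthAnonymous"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AuthFlags="AuthAnonymous | AuthNTLM"/>
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" AuthFlags="AuthNTLM"/>
<IIsWebVirtualDir Location="/LM/W3SVC/3/ROOT" AuthFlags="5"/>
<IIsWebVirtualDir Location="/LM/W3SVC/4/ROOT/docs"/>
</MBProperty>
</configuration>"""


def auth_mask(value):
    """Convert 'AuthAnonymous | AuthNTLM' (or a plain number) to an integer mask."""
    value = value.strip()
    if value.isdigit():  # assumption: tolerate a numeric form as well
        return int(value)
    mask = 0
    for name in filter(None, (part.strip() for part in value.split("|"))):
        mask |= AUTH_BITS[name]  # unknown flag name raises KeyError on purpose
    return mask


def anonymous_enabled(xml_text, name_pattern=".*", object_type="IIsWebVirtualDir"):
    """Return Locations of matching objects whose own AuthFlags has AuthAnonymous set."""
    hits = []
    for element in ET.fromstring(xml_text).iter():
        tag = element.tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix
        location = element.get("Location", "")
        flags = element.get("AuthFlags")
        if tag != object_type or flags is None:
            continue
        if not re.fullmatch(name_pattern, location):
            continue
        if auth_mask(flags) & AUTH_BITS["AuthAnonymous"]:
            hits.append(location)
    return hits


if __name__ == "__main__":
    for location in anonymous_enabled(SAMPLE_METABASE):
        print("Anonymous Access Enabled:", location)
```

Entries that carry no AuthFlags attribute of their own inherit the value from a parent metabase key; this script does not resolve that inheritance and skips them.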
Download Sample policy.
Here is a link to download a sample ESM policy for this check. The check in this policy is enabled for the WIN2003 platform.
If you're reading this article, you might be interested in the following article: How to check if "Anonymous Authentication" is disabled on IIS 7 sites.