How to Password Protect Folders in IIS and Plesk

Reading Time: 5 minutes


When reviewing your servers security, it is critical for businesses to ensure that while building new sections of your website, that we do not leave it unsecured or visible to users while it is being built. With this in mind, there are several ways for you to “lock” a folder or domain while it is being developed. This will safeguard a folder or an entire site using the security feature built into IIS and Plesk called password protection. In today’s article we will see how easy it is to restrict access to a site or a folder.

What is IIS?

IIS stands for “Internet Information Services”. This is the default web server that is integrated with the Windows server software packages. It has a graphical interface, used for managing the Microsoft Windows server.

Global Password Protection

One of the many features that IIS has implemented, is called .Net Authorization. These rules allow us to make custom rules sets which will delineate who has access to a folder or website. There are multiple options we have available to select when adding these custom, allow or deny rules. Some of these rules include the following options.

  • All users – This rule will deny access to a folder for any user which attempt to access it. If you would like to block content for everyone, make sure that this rule is on top of the list of all other rules.
  • All anonymous users – This rule will block access to all users that are not authenticated. In other words, any user attempting to access the folder or site must have specific access granted. Any user needing access must be added to the users and groups section, otherwise they will be blocked.
  • Specified roles or user groups – This rule will block access to all users that do not have basic or custom user account and password set up.

If you would like to block access to everyone, we can follow the instructions noted here.

  1. First, open your IIS Manager from the Windows Start button.
  2. Next, select the site that you want to edit from the left side menu,
  3. Then, open the ‘.Net Authorization‘ rules and Click on “add rule” and select the type of rule you would like to add. Now, we should specify the users it will apply to.
  5. Finally, click “OK”. Our site now has a custom rule in place.

You can add as many custom rules as you would like depending on your situation.

Custom Folder Protection

The other mechanism used for authentication and protection is called “Authentication”. In that area, we have multiple options that are available to modify. These choices are described in detail below.

  • Active Directory Client Certificate Authentication
  • Anonymous Authentication
  • ASP. NET Impersonation
  • Basic Authentication
  • Digest Authentication
  • Forms Authentication
  • Windows Authentication

Active Directory Client Certificate Authentication – This is a form of authentication that requires the IIS 7 server to be a member of the Active Directory domain as well as the user accounts that are stored in active directory.

Anonymous Authentication – This is a feature that provides access to the public areas of your website. If FTP is enabled, by default it will allow users to access contents of the site.

ASP. NET Impersonation – This is a security feature that allows specific users to execute code. This feature is used for anonymous users who do not have credentials, but we want to allow them to have access.

Basic Authentication – This option provides access to users that have accounts on the server’s domain. In order to access the public facing content, basic authentication should be enabled to allow the user to set a password in “Local users and Groups”. The important thing to note here is that when accessing content, passwords are sent via a clear text format and as such, considered insecure.

Digest Authentication – This option is similar to “Basic Authentication”, but credentials are sent in a more secure manner using hashing instead of plain text. This method provides more security, and also requires a user’s password to be set.

Forms Authentication – This option works by authenticating the user by reviewing the forms’ authentication ticket (which is the container for the forms’ authentication cookie), which is usually included within the user’s collection of cookies. In the event no forms’ authentication ticket is seen, the user is deemed as being anonymous.

Windows Authentication – This option is used in a more corporate setting or environment, or when numerous users are present within a network. This certification uses Windows-based authentication between a client and the Windows IIS server to verify the user who is attempting access must have a Windows account.

In all the options we have seen for protecting folders, we find it is best to use Basic Authentication or Digest authentication. Both options require a username and password. Let’s review how to set this up.

First, we will start by opening the Server Manager dashboard. Then, on the right side under “Tools” select “Computer Management”.


When the Computer Manager opens, navigate to the “Local Users and Groups” section. Click on the “Users” and on the right side select “More Actions >> New User”. Here we can set up a new username and password for a user, and once complete, save it to provide access.


Now that we have the user set up, we can enable protection on any folders needed. To select a folder, let’s open our “IIS Manager” and select the site or folder that you want to limit access to.

Be sure that you have selected the website or folder underneath it if you remain on the tree or on the “Sites” folder access to everything inside will be restricted.

Next, the types of authentication section will open. Disable “Anonymous Authentication” and enable “Basic” or “Digest” authentication for a site or folder. That’s it. We have allowed access to that specific new user.

How to Password Protect Sites in Plesk

In this segment. we will review how to protect folders and domains on a Windows server using Plesk. Plesk’s protection features will add an extra layer of security to your sites and content, and it is easier to set up than just using the Windows IIS service manager.

What is Plesk?

Plesk is a hosting platform used for server administration. It will allow you to manage your websites, DNS zones, plugins, databases, email accounts, reseller accounts, etc. via a web-based interface.

Setting Up Password Protection

  1. Open Plesk
  2. Navigate to Domains > Domain name that you want to edit > Password-Protected Directories.
  3. Click “Add Protected Directory”.
  4. Type a path to the directory that you want to restrict, and a title that will be visible to the visitors.
  5. Click “OK”

Adding A User to the Password Protected Directory

Next, we have to allow a user or users access to the password protected directory. To accomplish this, use the following directions.

  1. Navigate to your Domains > Domain name that you want to edit > Password-Protected Directories.
  2. Click on the directory that you want to add user to.
  3. Set the username and password.
  4. Click “OK”.

That’s it! Securing access to your domains and folders can be as easy as one, two, three. Here at Liquid Web we value your security and offer multiple options to increase your Servers protection level.


Now that we have set up our domain and folder security, we can work on our website without external users having access to it until we are completed. Would you like to add additional security measures? Have no fear! At Liquid Web, we understand your concerns and can provide complete protection to meet all of your security needs. Check out our Security addons for Windows servers and stay protected with Liquid Web.

Should you have more questions related to this information, give us a call at 800.580.4985, or open a chat or ticket with us to speak with one of our knowledgeable Windows technicians or Experienced Hosting advisors to learn how you can take advantage of these techniques today!

How to Install and Configure Samba on Ubuntu 18

Reading Time: 9 minutes

What is Samba?

Samba is an open-source software package that is released under a GPL (General Public License). It allows us to access a shared network drive and printers across various operating systems using the SMB/CIFS protocol. Samba has both client and server components. Samba uses the SMB protocol, which is necessary when accessing assets on a file server from a Microsoft computer. Samba can also work as a domain controller that is compatible with Microsoft Active Directory. 

Continue reading “How to Install and Configure Samba on Ubuntu 18”

Installing Microsoft Powershell on Ubuntu 18.04

Reading Time: 5 minutes

If you are a Windows administrator who has recently been tasked with administering a Linux-based Ubuntu server, you may find that utilizing Microsoft Powershell may help ease the transition into Linux, and allow you to be more productive. If you are a Linux administrator who is interested in exploring the options that Powershell provides, then this tutorial is for you as well.

Continue reading “Installing Microsoft Powershell on Ubuntu 18.04”

What are Windows Roles?

Reading Time: 5 minutes

Windows roles provide a method to define the utilization types a server has available. These roles are necessary to properly utilize a server for the desired use cases, whether it is to be simply a file server, a print server, or a web server. Typically to act in a specific type of role, a server may require additional features that need to be installed in order to best perform that role. The number of roles available on a Windows Server has grown to the point where the Microsoft Windows’ help pages have gone from reporting what limited roles are deployable, to listing only non-incorporated roles

Continue reading “What are Windows Roles?”

How to Setup OpenVPN On Windows Server 2019

Reading Time: 8 minutes

What is OpenVPN?

As noted previously in our OpenVPN article, OpenVPN is an open-source Windows software package used to create a secure, site-to-site VPN connection that provides remote access between two locations. OpenVPN consists of three parts:

  • The OpenVPN-AS Server
  • The Admin Web Interface/Admin GUI
  • The Connection Clients
Continue reading “How to Setup OpenVPN On Windows Server 2019”

How To Setup A Python Virtual Environment On Windows 10

Reading Time: 4 minutes

A Virtual Environment or a “venv” is a Python module that creates a unique environment for each task or project. It installs the packages we need that are unique to that setting while keeping your projects neatly organized. Additionally, venv never actually modifies the system’s default Python versions or modules that are installed on the system. Using venv essentially allows for a unique working environment while avoiding any disruptions to other variants of Python that are used, but not related to our project.

Continue reading “How To Setup A Python Virtual Environment On Windows 10”

Where Are The Windows Logs Stored?

Reading Time: 3 minutes

In this article, we will discuss Windows logging, using the event viewer and denoting where the windows logs are stored.

Windows server options include a robust logging and management system for logs. These logs record events as they happen on your server via a user process, or a running process. This information is very helpful in troubleshooting services and other issues, or to investigate a security problem. 

Continue reading “Where Are The Windows Logs Stored?”

Finding Resource Usage Details in MSSQL

Reading Time: 7 minutes

When running MSSQL or Microsoft SQL Server, we need to determine whether it is optimized or will it need more resources to achieve better performance. This article reviews what behaviors to look for,  where to find them, and how to view signs of distress.

Continue reading “Finding Resource Usage Details in MSSQL”

Installing Tomcat 9 on Windows

Reading Time: 3 minutes
apache tomcat image
Apache Tomcat

What is Tomcat?

Apache Tomcat installs several Java Enterprise Edition specs including Java Servlet, JavaServer Pages, Java EL, and WebSocket. It provides for a “pure Java” HTTP web server environment in which Java code can run.

Tomcat 9 is the latest version of Apache’s Tomcat service and can easily be installed on Windows to serve as a convenient way to run Java.

There are many features and tools that Tomcat 9 has to offer that can make the deployment of web pages more manageable, including the use of JavaServer Pages.

Continue reading “Installing Tomcat 9 on Windows”