In the Scaling Guide for Sitecore CMS 7.0 it is recommended to restrict access to the Sitecore CMS Admin on the Content Delivery Servers (Web Front Servers). This can be done either by an IP restriction rule or by setting Anonymous Access restrictions on some of the Sitecore folders. I had some issues setting restrictions on the default.aspx file. It was easily solved, if you just know how to do it the correct way.
In chapter 4.7 of the Scaling Guide for Sitecore CMS 7.0 the recommendation is to restrict user access to the Sitecore CMS Admin interface on the Content Delivery servers. This can be done either by IP restrictions or by disabling Anonymous IIS access on the following folders:
- /sitecore/admin
- /sitecore/login
- /sitecore/shell
This is no problem. But when trying to disable anonymous access to the default.aspx file I had some issues. When I selected the file and disabled the setting, the whole sitecore tree was affected. After a while I figured out it has to be done in a specific way.
What really happens is that these settings are added to the configuration node in the applicationHost.config file in the C:\Windows\System32\inetsrv\config path:
[code lang="xml"]
<location path="SITE/sitecore/admin">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</location>
<location path="SITE/sitecore/login">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</location>
<location path="SITE/sitecore/shell">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</location>
<location path="SITE/sitecore">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>
<location path="SITE/sitecore/default.aspx">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</location>
[/code]
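To check that a configuration like the one above has the intended effect, the following added example (not from the Scaling Guide or the original post) resolves which anonymousAuthentication entry applies to a given path and reports deviations. It assumes a simplified model in which the nearest enclosing location entry wins and anonymous access is on when nothing overrides it; the request paths and the `FOLDER_WIDE` case (the flag placed on the whole sitecore folder) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ENTRY = ('<location path="{p}"><system.webServer><security><authentication>'
         '<anonymousAuthentication enabled="{e}" /></authentication>'
         '</security></system.webServer></location>')

def build_config(settings):
    """Constructed sample input: location entries wrapped in a root element."""
    body = "".join(ENTRY.format(p=p, e=str(e).lower()) for p, e in settings.items())
    return "<configuration>" + body + "</configuration>"

def load_locations(xml_text):
    """Map each location path (lower-cased) to its anonymousAuthentication flag."""
    found = {}
    for loc in ET.fromstring(xml_text).iter("location"):
        node = next(loc.iter("anonymousAuthentication"), None)
        if node is not None and node.get("enabled") is not None:
            key = loc.get("path", "").strip("/").lower()
            found[key] = node.get("enabled").lower() == "true"
    return found

def effective_anonymous(locations, path, default=True):
    """Walk from the path up towards the site root; the nearest entry wins."""
    parts = path.strip("/").lower().split("/")
    while parts:
        if "/".join(parts) in locations:
            return locations["/".join(parts)]
        parts.pop()
    return default  # assumption: anonymous access is on when nothing overrides it

def audit(xml_text, expected):
    """Return {path: effective flag} for every path that differs from expected."""
    locations = load_locations(xml_text)
    result = {p: effective_anonymous(locations, p) for p in expected}
    return {p: got for p, got in result.items() if got != expected[p]}

# The five entries shown in the post ("SITE" is the post's site placeholder).
POST_CONFIG = build_config({
    "SITE/sitecore/admin": False, "SITE/sitecore/login": False,
    "SITE/sitecore/shell": False, "SITE/sitecore": True,
    "SITE/sitecore/default.aspx": False})
# Constructed case: the flag set on the whole sitecore folder instead of the file.
FOLDER_WIDE = build_config({"SITE/sitecore": False})
# Constructed request paths and whether anonymous access should be allowed.
EXPECTED = {
    "SITE/sitecore/admin/page.aspx": False, "SITE/sitecore/login/page.aspx": False,
    "SITE/sitecore/shell/page.aspx": False, "SITE/sitecore/default.aspx": False,
    "SITE/sitecore/other/file.js": True}

if __name__ == "__main__":
    print(audit(POST_CONFIG, EXPECTED), audit(FOLDER_WIDE, EXPECTED))
```

An empty result for `POST_CONFIG` means every listed path resolves as intended; the `FOLDER_WIDE` result shows the rest of the sitecore tree losing anonymous access.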