How to Implement Basic Authentication for a Specific Directory in IIS 8 (Windows Server 2012)

When working with IIS 8 on Windows Server 2012, you may need to restrict access to certain directories while keeping other parts of your website publicly accessible. Basic authentication provides a straightforward way to achieve this.

Here's how to set up password protection for a specific directory:

1. Open IIS Manager
2. Navigate to your website in the Connections panel
3. Locate and select the directory you want to protect
4. In the Features View, double-click "Authentication"
5. Right-click "Basic Authentication" and select "Enable" (if it is not listed, the Basic Authentication role service is not installed; add it in Server Manager first)
6. Right-click "Anonymous Authentication" and select "Disable"
7. Click "Basic Authentication" and choose "Edit"
8. Set the default domain (so users can log in without typing a MACHINE\ or DOMAIN\ prefix) and the realm (the label the browser shows in its password prompt)

Basic authentication in IIS validates credentials against Windows accounts, local or domain, so you need an account for each person or system that will access the directory. The account also needs NTFS read permission on the folder, because IIS impersonates the authenticated user when it serves the files:

# PowerShell command to create a new user. It prompts for the password instead of
# creating a passwordless account, which Basic authentication cannot sensibly use.
# New-LocalUser ships with Windows 10 / Server 2016 and later; on Windows Server 2012
# create the account with the net user command or through ADSI instead.
New-LocalUser -Name "WebUser1" -Description "IIS secured directory user" -Password (Read-Host -AsSecureString "Password for WebUser1")

After enabling authentication, set authorization rules so that only the intended accounts get through:

1. In IIS Manager, select your secured directory
2. Double-click "Authorization Rules"
3. Remove the inherited "Allow All Users" rule (IIS records this as a <remove> entry for the directory; without it every authenticated account is still allowed)
4. Add an "Allow Rule" for the specific users or groups that may access the directory
5. Do not add a "Deny Rule" for all users: IIS URL authorization evaluates Deny rules before Allow rules, so a deny-all rule locks out the accounts you just allowed. Anyone who matches no Allow rule is refused anyway.
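
The same procedure (role service, account, NTFS permission, authentication, authorization, and requiring HTTPS) scripted with the WebAdministration module on the server, as an added example that is not part of the original article. It assumes a site named "Default Web Site", a physical folder C:\inetpub\wwwroot\secured, a local account WebUser1, and an existing HTTPS binding on the site; change those names to match your server.

```powershell
# Added example, not code from the original article. Assumed names: site
# "Default Web Site", folder "secured" at C:\inetpub\wwwroot\secured, local
# account WebUser1, and an HTTPS binding already present on the site.
Import-Module ServerManager
Import-Module WebAdministration

$site     = 'Default Web Site'
$folder   = 'secured'
$physical = 'C:\inetpub\wwwroot\secured'
$userName = 'WebUser1'
$location = "$site/$folder"
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$authPath = 'system.webServer/security/authentication'

# 0. The Basic Authentication role service is not installed by default.
Install-WindowsFeature Web-Basic-Auth | Out-Null

# 1. Create the Windows account. New-LocalUser does not exist on Server 2012,
#    so ADSI is used; it works on every supported Windows Server version.
$secure = Read-Host -Prompt "Password for $userName" -AsSecureString
$plain  = (New-Object System.Management.Automation.PSCredential 'x', $secure).GetNetworkCredential().Password
$user   = ([ADSI]"WinNT://$env:COMPUTERNAME,computer").Create('User', $userName)
$user.SetPassword($plain)
$user.SetInfo()
$user.Put('Description', 'IIS secured directory user')
$user.SetInfo()
$plain = $null

# 2. IIS impersonates the authenticated user when it reads static files, so the
#    account needs NTFS read access to the folder (otherwise the request fails 401.3).
$acl  = Get-Acl -Path $physical
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "$env:COMPUTERNAME\$userName", 'ReadAndExecute', `
                  'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $physical -AclObject $acl

# 3. Authentication for this folder only. Writing with -Location puts the settings
#    in a <location> tag of applicationHost.config, so the server-level section
#    locks (which break the same settings in a web.config) do not matter here.
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter "$authPath/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter "$authPath/basicAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter "$authPath/basicAuthentication" -Name realm -Value 'Secured area'
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter "$authPath/basicAuthentication" -Name defaultLogonDomain -Value $env:COMPUTERNAME

# 4. Authorization. Remove the inherited "Allow all users" rule and allow only
#    WebUser1. No "Deny all users" rule: IIS URL authorization checks Deny rules
#    before Allow rules, so it would lock WebUser1 out as well.
Remove-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/authorization' -Name '.' `
    -AtElement @{ users = '*'; roles = ''; verbs = '' }
Add-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/authorization' -Name '.' `
    -Value @{ accessType = 'Allow'; users = "$env:COMPUTERNAME\$userName" }

# 5. Basic Authentication only base64-encodes the password, so refuse plain HTTP
#    for this folder (requests over http:// get 403.4 instead of a challenge).
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Show the authorization rules IIS will actually enforce for the folder.
Get-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/authorization' -Name Collection |
    Select-Object accessType, users, roles
```

Run it in an elevated Windows PowerShell session on the web server. The final listing should show a single Allow rule for MACHINE\WebUser1 and no Allow rule for `*`; if the wildcard rule is still there, the inherited rule was not removed and every authenticated account can read the folder.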

Test your setup by:

  • Accessing the public portion of your site (should work normally)
  • Attempting to access the secured directory (should prompt for credentials)
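
The two checks above, plus two that the bullets do not mention (valid credentials succeed, and plain HTTP is refused before any password is sent), as an added example written for this page rather than taken from the original article. It assumes Windows PowerShell 5.1 on the client, that https://www.example.com/ is the public part of the site, that https://www.example.com/secured/ is the protected folder, and that the site also listens on http:// with "Require SSL" set on that folder.

```powershell
# Added example, not code from the original article. Assumed URLs:
# https://www.example.com/ (public) and https://www.example.com/secured/ (protected);
# the site is assumed to also have an http:// binding, with Require SSL on the folder.
$base = 'https://www.example.com'
$cred = Get-Credential -UserName 'WebUser1' -Message 'Password for the secured folder'

# Returns the HTTP status code and, for a 401, the WWW-Authenticate challenge.
# Windows PowerShell 5.1 throws WebException for 4xx/5xx, so the answer is read
# from the exception; a failure with no Response is a connection or TLS problem.
function Get-HttpStatus {
    param([string]$Uri, [pscredential]$Credential)
    $p = @{ Uri = $Uri; UseBasicParsing = $true; ErrorAction = 'Stop' }
    if ($Credential) { $p.Credential = $Credential }
    try {
        $r = Invoke-WebRequest @p
        [pscustomobject]@{ Status = [int]$r.StatusCode; Challenge = $null }
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
        [pscustomobject]@{
            Status    = [int]$resp.StatusCode
            Challenge = $resp.Headers['WWW-Authenticate']
        }
    }
}

$checks = @(
    @{ Name = 'public page, anonymous';     Uri = "$base/";         Cred = $null; Expect = 200 }
    @{ Name = 'secured folder, anonymous';  Uri = "$base/secured/"; Cred = $null; Expect = 401 }
    @{ Name = 'secured folder, WebUser1';   Uri = "$base/secured/"; Cred = $cred; Expect = 200 }
    # Deliberately no credentials here: the password must never cross plain HTTP.
    # With Require SSL the server answers 403 (403.4) before asking for them.
    # A 401 instead means SSL is not required and a browser would send the
    # password base64-encoded in clear.
    @{ Name = 'secured folder over http://'; Uri = ($base -replace '^https:', 'http:') + '/secured/'; Cred = $null; Expect = 403 }
)

foreach ($c in $checks) {
    $r = Get-HttpStatus -Uri $c.Uri -Credential $c.Cred
    $verdict = if ($r.Status -eq $c.Expect) { 'OK  ' } else { 'FAIL' }
    "$verdict $($c.Name): got $($r.Status), expected $($c.Expect)"
    # The 401 for the protected folder must carry a Basic challenge naming the realm.
    if ($r.Status -eq 401) { "     challenge: $($r.Challenge)" }
}
```

The challenge line for the anonymous request should read `Basic realm="..."` with the realm you configured; if it lists Negotiate or NTLM as well, Windows Authentication is also enabled on the folder, which may or may not be what you intended.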

If authentication fails:

1. Check the IIS log (by default under %SystemDrive%\inetpub\logs\LogFiles) for the sc-status and sc-substatus of the failed request: 401.1 is a bad username or password, 401.2 is a server configuration problem (no enabled authentication method could handle the request), 401.3 is an NTFS permission problem on the folder, 403.4 means the folder requires SSL and the request came over plain HTTP, and 500.19 means a locked configuration section was set in web.config
2. Check Windows Event Viewer: the Security log records failed logons (event ID 4625) and the System log records IIS configuration errors
3. Verify the user account has NTFS read permission on the directory and is not disabled, locked out or expired
4. Ensure the site has a working HTTPS binding if you require SSL for the directory
5. Check that the application pool identity can read the folder and its web.config

Basic authentication sends the username and password base64-encoded, which is trivially reversible, in the Authorization header of every request:

  • Always use HTTPS with basic authentication, and require it for the protected directory (SSL Settings, "Require SSL") so a plain-HTTP request is refused rather than answered with a credential challenge
  • Consider implementing IP restrictions for additional security
  • Regularly audit user accounts and permissions

To secure a specific folder such as /secured while keeping the rest of your site accessible, follow these steps in IIS Manager:

  1. Open IIS Manager and navigate to your website
  2. Select the target directory (e.g., secured). Converting it to an application is optional; authentication and authorization settings apply equally to a plain folder or virtual directory
  3. Double-click Authentication in the Features View
  4. Disable Anonymous Authentication and enable Basic Authentication or Windows Authentication

After setting authentication, you'll need to define who can access the directory:

  1. Select your secured directory in IIS Manager
  2. Double-click Authorization Rules
  3. Remove the inherited Allow All Users rule; otherwise it still applies to the directory and any authenticated account gets in
  4. Click Add Allow Rule and specify either:
    • All users (with anonymous access disabled this means every account that can authenticate, which is rarely what you want for a restricted folder)
    • Specific users or groups

For developers who prefer configuration files, create or edit web.config in the target directory. Two things the IIS Manager steps hide: the <remove> line is needed because the directory otherwise inherits the server-wide "Allow all users" rule, and the two authentication sections are locked at server level by default, so IIS returns HTTP 500.19 for the directory until they are unlocked in applicationHost.config (or the settings are written there instead):

<configuration>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <basicAuthentication enabled="true" realm="Secured area" />
      </authentication>
      <authorization>
        <!-- drop the inherited Allow-all rule, then allow only the named account -->
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" users="DOMAIN\username" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
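
Unlocking the two sections that the web.config approach needs, and then reading back what IIS actually enforces for the folder, as an added example that is not from the original article. It assumes the protected folder is "Default Web Site/secured" and uses appcmd.exe, which ships with IIS.

```powershell
# Added example, not code from the original article. Assumed location of the
# protected folder: "Default Web Site/secured".
$appcmd   = "$env:windir\system32\inetsrv\appcmd.exe"
$location = 'Default Web Site/secured'
$authPath = 'system.webServer/security/authentication'

# Unlock only the two sections the web.config sets; everything else stays locked,
# so a web.config elsewhere on the server still cannot turn authentication off.
& $appcmd unlock config "-section:$authPath/anonymousAuthentication"
& $appcmd unlock config "-section:$authPath/basicAuthentication"

# Alternative that needs no unlocking: write the same setting into
# applicationHost.config under a <location> tag for the folder instead of web.config.
# & $appcmd set config $location "-section:$authPath/basicAuthentication" -enabled:true -commit:apphost

# Effective settings for the folder (web.config merged with applicationHost.config).
& $appcmd list config $location "-section:$authPath/anonymousAuthentication"
& $appcmd list config $location "-section:$authPath/basicAuthentication"
& $appcmd list config $location -section:system.webServer/security/authorization
```

Run it elevated on the server. The authorization listing should show the <remove users="*" .../> entry followed by your Allow rule; if a 500.19 persists after unlocking, the web.config contains a third locked section or is not well-formed XML.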

Whichever method you use:

  • Use HTTPS when implementing Basic Authentication to prevent credential exposure
  • For internet-facing sites, consider using Forms Authentication instead
  • Regularly audit authorized users and their permissions
  • Enable logging to monitor access attempts

If authentication fails:

  1. Verify the application pool identity has proper permissions
  2. Check Windows Event Viewer for detailed error messages
  3. Ensure the role service for the method you chose is installed via Server Manager: Basic Authentication (Web-Basic-Auth) or Windows Authentication (Web-Windows-Auth). A method that is not installed does not appear in the Authentication feature at all
  4. Test with a fresh browser session or a different browser (browsers cache Basic credentials for the lifetime of the session, so an old login can mask a rule change)