.htpasswd for Windows Server?

Hi all,
I need to password protect a directory on my website. However, I’ve only ever had sites hosted on a Linux/Apache server and only used the .htaccess/.htpasswd method. Now that I’m on a Windows server I’m lost. How do I go about doing this? Thanks!

You can still use .htpasswd and .htaccess files. The configuration is pretty much the same.
For generating passwords, you should be able to find the htpasswd.exe utility somewhere in the Apache binaries directory.

Thanks very much. We are running a classic ASP site that is getting killed with SQL injections of this ngg.js virus thing that I can’t keep up with. It’s on a shared host so I don’t have access to the Apache binaries directory, but hopefully I will be able to figure things out. Thanks again so much.

You can access htpasswd.exe anywhere you like (OK, on any system that has a compatible Apache version). You need that only if you need to make new or change existing passwords; otherwise, you just copy the .htaccess and .htpasswd files and that’s it. :slight_smile:

I’m using the utility http://tools.dynamicdrive.com/password/ and it appears that I’m entering everything correctly, but I still get no change once .htaccess and .htpasswd are uploaded. It still just lets me right in. Is there something that my host may have to enable to allow this to work? It’s the only thing I can think of.

It may or may not be a problem, but I hope you do realize that by submitting usernames and passwords to some online site, they are sent in cleartext through a network that you have no control over, and that you rely on the gallantness of that site's maintainers that they are not collecting those passwords. Once again, this might not be an issue. :wink:

Hmm. Well, aside from pointing you to the first results Google gave me on “how to enable .htaccess”:

http://httpd.apache.org/docs/1.3/howto/htaccess.html
http://www.tildemark.com/software/servers/enable-htaccess-on-apache.html

You should probably ask your hoster for comment. Maybe they have a different configuration (are you sure they are running Apache??? :slight_smile: )

Thanks for your help. Unfortunately I will give them a call… Their support is dreadful, but I will see what they have to say. Thanks again!

If it is ASP, then you are probably running on IIS, which handles authentication through Windows rather than through .htpasswd/.htaccess. You will need to get the host to help you out with this by turning off anonymous access and then creating an account for you to use.

That said, the real issue is you should actually harden the application against SQL injection, not try and cover your tracks with a password.
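
One way to do the hardening mentioned in the post above, as an added example that is not part of the thread: a classic ASP lookup that validates its input and binds it as ADO parameters instead of concatenating it into the SQL string. The `articles` table, its columns, the `id`/`cat` query-string names and the connection string are assumptions.

```vbscript
<%
Option Explicit
' Added example, not code from the thread. The articles table, its columns,
' the id/cat query-string names and the connection string are assumptions.

' ADO constants (values from adovbs.inc), declared inline for self-containment.
Const adCmdText = 1, adParamInput = 1, adInteger = 3, adVarChar = 200

' True only for 1-9 ASCII digits, so CLng below cannot overflow or error.
Function IsDigits(s)
    Dim re : Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsDigits = re.Test(s & "")
End Function

' Returns a Recordset, or Nothing when the id is not a plain integer.
Function FindArticle(conn, rawId, rawCategory)
    Set FindArticle = Nothing
    If Not IsDigits(rawId) Then Exit Function

    Dim cmd : Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' Injectable pattern this replaces: "... WHERE id = " & Request("id")
    cmd.CommandText = "SELECT title, body FROM articles WHERE id = ? AND category = ?"
    ' Values travel as typed parameters; they are never parsed as SQL text.
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(rawId))
    cmd.Parameters.Append cmd.CreateParameter("category", adVarChar, adParamInput, 50, Left(rawCategory & "", 50))
    Set FindArticle = cmd.Execute
End Function

Dim conn, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "PLACEHOLDER_CONNECTION_STRING"  ' assumption: supplied by the site
Set rs = FindArticle(conn, Request.QueryString("id") & "", Request.QueryString("cat") & "")
If rs Is Nothing Then
    Response.Status = "400 Bad Request"
ElseIf rs.EOF Then
    Response.Status = "404 Not Found"
Else
    ' Encode on output so stored markup (such as an injected script tag) is inert.
    Response.Write "<h1>" & Server.HTMLEncode(rs("title").Value & "") & "</h1>"
End If
If Not rs Is Nothing Then rs.Close
conn.Close
%>
```

The same pattern applies to every query that takes request data; one remaining concatenated query is enough to keep the site injectable.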

Thank you. My hosting provider did finally get back to me and indicated that due to their configuration, they need to configure the passwords themselves.

Totally agree… unfortunately this was a custom thing done for us years ago in classic ASP, which I am utterly unfamiliar with. The people that did it for us are no longer supporting it for us, so until I complete a re-design of the site, this is the quickest and easiest way to hold them off for a while.

I feel ya. One other thing to check out: the new version of UrlScan. Not sure if your hosts will install or enable it, but it is primarily set up to take care of that big, nasty ASP/ASPX SQL injection thing going around.

How much is password protecting a directory helpful against hacker attacks?

So, how would a Linux server help here?