best way to secure asp 3.0 site's folder

I have requested to fix login problem on the classic asp site. Configuration is 2008 server and IIS 7开发者_如何转开发.0 I've found that admin directory of the site has basic authentication, however there is no any NT Accounts for requested loginName. I don't want to create any Windows account for this site and I know that basic auth is insecure (Site doesn't use ssl). What is the best way to solve this problem? Is it possible to use asp.net security for asp 3.0 site?

You should use SSL.

Without SSL, ASP.Net WebForms auth is no better than Basic HTTP Auth.

To answer the question, yes; you can set it up in IIS admin.

I think that it is better to use WebForms auth in any case. It is easier then I thought. I just added login.aspx page and config file to classic asp site and authentication is working. Just one notice that by default htm and asp pages don't process by asp.net. It is required to add following node in config.

<system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
</system.webServer>

And I've found that authorization nodes must be in webserver node in IIS7.

Here is full config in case it will be useful for someone.

<configuration>
    <location path="admin">
        <system.webServer>
            <security>
                <authorization>
                    <add accessType="Deny" users="?" />
                </authorization>
            </security>
        </system.webServer>
    </location>
    <system.web>
        <authentication mode="Forms">
            <forms loginUrl="login.aspx">
            </forms>
        </authentication>
    </system.web>
    <system.webServer>
        <modules runAllManagedModulesForAllRequests="true" />
    </system.webServer>
</configuration>