PingDirectory

Prevent unauthenticated requests

Preventing requests from unauthenticated clients creates an initial hurdle that attackers must overcome for online attacks against the server. Whenever feasible, clients should be required to authenticate before they are allowed to issue requests.

If possible, use the reject-unauthenticated-requests global configuration property to prevent all clients from issuing unauthenticated requests. If a small, well-defined set of requests should be allowed for unauthenticated clients, then you can use the allowed-unauthenticated-request-criteria property to permit them while rejecting all other types of requests.

If it is not feasible to use the reject-unauthenticated-requests property, then consider creating a client connection policy that matches unauthenticated connections. Use it to restrict what types of requests are allowed for unauthenticated clients and to impose significant resource limits for those clients.
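To confirm that the setting is in effect, the following added example (not part of the PingDirectory documentation) sends a search on a connection that has never bound and reports whether the server refused it. The host, port, and function names are assumptions, as is treating any non-success result code or a closed connection as a rejection, because the page does not say which result code the server returns.

```python
import socket
import ssl

ROOT_DSE_SEARCH = bytes.fromhex(  # constructed: messageID 1, no prior bind
    "30250201016320" "04000a01000a0100"  # SearchRequest, base="", scope=base, deref=never
    "020100020100010100"                 # sizeLimit=0, timeLimit=0, typesOnly=false
    "870b6f626a656374436c617373" "3000") # filter (objectClass=*), all user attributes

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the BER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, pos, pos + length

def final_result_code(buf):
    """Return resultCode from SearchResultDone (0x65) or ExtendedResponse (0x78), else None."""
    pos = 0
    try:
        while pos < len(buf):
            _, start, end = read_tlv(buf, pos)           # LDAPMessage SEQUENCE
            _, _, id_end = read_tlv(buf, start)          # messageID
            op_tag, op_start, _ = read_tlv(buf, id_end)  # protocolOp
            if op_tag in (0x65, 0x78):
                _, v_start, v_end = read_tlv(buf, op_start)  # resultCode ENUMERATED
                return int.from_bytes(buf[v_start:v_end], "big")
            pos = end                                    # skip entries and references
    except (ValueError, IndexError):                     # incomplete message so far
        pass
    return None

def anonymous_search_rejected(host, port, use_tls=True, timeout=5.0):
    """True if an unauthenticated search gets a non-success result or a closed connection."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(ROOT_DSE_SEARCH)
        data = b""
        while (code := final_result_code(data)) is None:
            chunk = sock.recv(4096)
            if not chunk:
                return True                              # closed without a result
            data += chunk
        return code != 0
```

If allowed-unauthenticated-request-criteria deliberately permits this kind of search, a False result is expected and the check should target a request type that is meant to be blocked.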