Preventing requests from unauthenticated clients creates an initial hurdle that attackers must overcome for online attacks against the server. Whenever feasible, clients should be required to authenticate before they are allowed to issue requests.
If possible, use the configuration property to prevent all clients from issuing unauthenticated requests. If a small, well-defined set of requests should be allowed to unauthenticated clients, then you can use the allowed-unauthenticated-request-criteria property to permit them while rejecting all other types of requests.
If it is not feasible to use the property, then consider creating a client connection policy that matches unauthenticated connections. Use it to restrict what types of requests are allowed for unauthenticated clients and to impose significant resource limits for those clients.
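The two approaches above (reject everything unauthenticated except an explicit allowlist, or fall back to a connection policy that limits what unauthenticated clients may do) can be modelled as a small decision procedure. The following is an added example written for this page, not the directory server's own code or its configuration syntax: the `Policy` field names, the sample limit values and the sample requests are assumptions constructed for illustration. The strict mode treats a bind and a base-scope root DSE search as the only requests matching the allowed criteria; the fallback mode stands in for a client connection policy that limits operation types and caps operations per unauthenticated connection.

```python
"""Constructed model of a directory server's unauthenticated-request policy.

Two modes mirror the hardening advice on this page:
  1. reject_unauthenticated=True: every request from an unauthenticated client
     is rejected unless it matches the allowed-request criteria (the analogue
     of the allowed-unauthenticated-request-criteria property).
  2. reject_unauthenticated=False: a fallback connection policy for
     unauthenticated connections restricts operation types and imposes
     resource limits.
Field names and limit values are assumptions for illustration, not the
server's real configuration API.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    conn_id: str
    authenticated: bool
    op: str                 # "bind", "search", "modify", "add", "delete", ...
    base_dn: str = ""       # "" denotes the root DSE
    scope: str = "base"


@dataclass
class Policy:
    reject_unauthenticated: bool = True
    # Criteria for requests an unauthenticated client may still issue:
    # a bind (so it can authenticate) and a base-scope root DSE search.
    allowed_ops: frozenset = frozenset({"bind"})
    allow_root_dse_search: bool = True
    # Fallback connection policy for unauthenticated clients, used only
    # when reject_unauthenticated is False (assumed values).
    unauth_allowed_ops: frozenset = frozenset({"bind", "search"})
    unauth_size_limit: int = 10
    unauth_time_limit_s: int = 5
    unauth_max_ops_per_conn: int = 20


@dataclass
class ConnectionState:
    ops_seen: dict = field(default_factory=dict)   # conn_id -> operation count


def matches_allowed_criteria(req: Request, policy: Policy) -> bool:
    """True if an unauthenticated request is on the explicit allowlist."""
    if req.op in policy.allowed_ops:
        return True
    return (policy.allow_root_dse_search and req.op == "search"
            and req.base_dn == "" and req.scope == "base")


def evaluate(req: Request, policy: Policy, state: ConnectionState) -> tuple:
    """Return (decision, detail); decision is 'accept' or 'reject'."""
    if req.authenticated:
        return "accept", {"reason": "authenticated"}
    if policy.reject_unauthenticated:
        if matches_allowed_criteria(req, policy):
            return "accept", {"reason": "allowed-unauthenticated-request-criteria"}
        return "reject", {"reason": "unauthenticated requests rejected"}
    # Fallback: connection policy matching unauthenticated connections.
    count = state.ops_seen.get(req.conn_id, 0) + 1
    state.ops_seen[req.conn_id] = count
    if req.op not in policy.unauth_allowed_ops:
        return "reject", {"reason": f"{req.op} not allowed for unauthenticated clients"}
    if count > policy.unauth_max_ops_per_conn:
        return "reject", {"reason": "unauthenticated connection exceeded operation limit"}
    return "accept", {"reason": "unauthenticated connection policy",
                      "size_limit": policy.unauth_size_limit,
                      "time_limit_s": policy.unauth_time_limit_s}


# Constructed sample traffic: one anonymous client probing, one bound client.
SAMPLE = [
    Request("c1", False, "search", "", "base"),                   # root DSE read
    Request("c1", False, "search", "dc=example,dc=com", "sub"),   # anonymous subtree search
    Request("c1", False, "bind"),
    Request("c2", True, "modify", "uid=alice,ou=people,dc=example,dc=com"),
    Request("c3", False, "modify", "uid=alice,ou=people,dc=example,dc=com"),
]


def run(policy: Policy) -> list:
    """Evaluate the sample traffic under a policy and return the decisions."""
    state = ConnectionState()
    return [evaluate(r, policy, state)[0] for r in SAMPLE]


if __name__ == "__main__":
    for label, pol in [("strict", Policy()), ("fallback", Policy(reject_unauthenticated=False))]:
        print(label, run(pol))
```

Under the strict policy the anonymous subtree search and the unauthenticated modify are rejected while the root DSE read and the bind go through; under the fallback policy the subtree search is accepted but carries the reduced size and time limits, and the per-connection operation cap stops a client that keeps issuing requests without binding.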