Preventing requests from unauthenticated clients creates an initial hurdle that attackers must overcome for online attacks against the server. Whenever feasible, clients should be required to authenticate before they are allowed to issue requests.
If possible, use the
configuration property to prevent all clients from issuing unauthenticated requests. If
a small, well-defined set of requests should be allowed to unauthenticated clients, then
you can use the
allowed-unauthenticated-request-criteria property to
permit them while rejecting all other types of requests.
If it is not feasible to use the
reject-unauthenticated-requests property, then consider creating a
client connection policy that matches unauthenticated connections. Use it to restrict
what types of requests are allowed for unauthenticated clients and to impose significant
resource limits for those clients.