A folder configured as "protected" on a domain can be accessed without any authorization.
The Plesk ISAPI filter for protected directories is not configured on the website.
The website server ID is not the same as the server ID stored in the Plesk database.
There is a misconfiguration in the Plesk database.
Check whether the urlprotect.dll ISAPI filter is enabled on the website in IIS:
IIS, Web sites, domain.com, Right Click, Properties, ISAPI Filters, urlprotect.dll
Check the website ID in IIS.
IIS, Web sites, Find problem web site in list, Identifier is to the right of the site name. Alternatively, use this command line utility:
"%plesk_bin%\websrvmng" --get-server-id --vhost-name=domain.com
You then need to check the server ID in the Plesk DB.
select server_id from hosting h, domains d where h.dom_id=d.id and d.name='domain.com';
If you receive two different values, you need to synchronize them:
Then restart Plesk Management Service.
If the two previous steps did not resolve the problem, check the table protected_dirs in the Plesk DB. There should be no records with an empty value in the field path.
select * from protected_dirs where path='';
If any rows were returned, they should be removed.
delete from protected_dirs where path='';