1
votes

The Sitecore security hardening guide instructs you to restrict access to the /sitecore/admin folder by disabling anonymous access. However, after I do that, I get an IIS error when I try to visit pages like /sitecore/admin/cache.aspx.

HTTP Error 401.2 - Unauthorized. You are not authorized to view this page due to invalid authentication headers.

Should anonymous access only be disabled if I don't want to access admin pages?

My Sitecore version is 6.6.0 (rev. 130404).

3

3 Answers

0
votes

I think you should remove extranet/anonymous access, but make sure that sitecore/everybody (or other role) has access.

That way you can only access it while logged into Sitecore.

Use the Access Viewer to check that users have access to it.

And I think that those pages have a Sitecore login now. I know /sitecore/admin/dbbrowser.aspx has one.

0
votes

I would not disable the anonymous access unless it is the production environment. I am not sure how you have the environments set up, but ideally cache clearance should be on your stage/UAT environment.

0
votes

In addition to disabling anonymous access, you should make sure some sort of other authentication method is enabled. By default, IIS7+ doesn't have any other authentication methods available, so all traffic will get an "unauthorized" error. With another means of authentication enabled, IIS will let you access the /sitecore/admin path (at which point, Sitecore's authentication may kick in).

I've done this in the past by creating a local user on the machine and enabling basic auth. Keep in mind, basic auth is not too secure since credentials are passed over the wire as cleartext, but in this case we forced traffic over SSL.

Though not spelled out in the hardening guide, you could also look at limiting access to that directory by IP address. For example, on a production content delivery server, restrict access to only localhost, meaning you cannot browse that directory without being RDP'd to the server directly.
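The IIS configuration this answer describes, written out as an added example (not the answerer's own code): a web.config `<location>` block for the Sitecore admin folder that turns off anonymous authentication, enables Basic authentication, requires SSL, and, for a content delivery server, allows only localhost. It assumes the relevant `system.webServer/security` sections have been unlocked in applicationHost.config (IIS locks them at the server level by default) and that the Basic Authentication and IP and Domain Restrictions role services are installed.

```xml
<!-- Added example: a <location> element placed directly under <configuration>
     in the site's web.config. Assumes the authentication, access and ipSecurity
     sections have been unlocked in applicationHost.config, e.g.
       appcmd unlock config -section:system.webServer/security/authentication/anonymousAuthentication
     (repeat for basicAuthentication, access and ipSecurity), and that the
     Basic Authentication and IP and Domain Restrictions role services are installed. -->
<location path="sitecore/admin">
  <system.webServer>
    <security>
      <authentication>
        <!-- Weak default: the admin tools are reachable without IIS credentials.
             Disabled here so IIS challenges before the request reaches Sitecore. -->
        <anonymousAuthentication enabled="false" />
        <!-- Some other method must stay enabled, otherwise every request gets
             HTTP 401.2 (no authentication header can ever satisfy IIS). Basic auth
             sends credentials in cleartext, so it is paired with sslFlags below. -->
        <basicAuthentication enabled="true" />
      </authentication>
      <!-- Require HTTPS for this path so Basic credentials never travel over plain HTTP. -->
      <access sslFlags="Ssl" />
      <!-- Optional, for a production content delivery server: allow only localhost,
           so the folder is reachable only from an RDP session on the box itself. -->
      <ipSecurity allowUnlisted="false">
        <add ipAddress="127.0.0.1" allowed="true" />
        <add ipAddress="::1" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</location>
```

After applying it, a browser hitting /sitecore/admin/cache.aspx over HTTPS should receive a Basic auth challenge rather than 401.2, and only then reach Sitecore's own login.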