5.10. Summary

Configuration security in ASP.NET 2.0 included quite a number of improvements, and ASP.NET 3.5 builds on top of them. While the original <location />-based locking approach is still supported (and is definitely still useful), ASP.NET 3.5's configuration system now gives you the ability to enforce more granular control over individual sections. The lockAttributes attribute restricts the ability of child configuration files to override selected attributes defined on the parent. The lockElements attribute prevents entire configuration elements from being redefined in child configuration files. Both of these attributes support an alternate syntax to make it easier to configure fine-grained security when many attributes or many nested configuration elements need to be controlled.
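The following parent web.config is an added illustration of the locking attributes summarized above, not a listing from the book. The sections chosen, their values and the ~/error.aspx path are assumptions made for the example; lockAllAttributesExcept is the inverse ("alternate") form of lockAttributes.

```xml
<?xml version="1.0"?>
<!-- Parent (site root) web.config. All values are illustrative. -->
<configuration>
  <system.web>

    <!-- lockAttributes: a child web.config may still set other <pages>
         attributes, but redefining enableViewStateMac or validateRequest
         raises a configuration error for requests under that child. -->
    <pages enableViewStateMac="true"
           validateRequest="true"
           lockAttributes="enableViewStateMac,validateRequest" />

    <!-- Alternate syntax: lock every attribute except the ones listed.
         Children can change defaultRedirect only; mode stays RemoteOnly. -->
    <customErrors mode="RemoteOnly"
                  defaultRedirect="~/error.aspx"
                  lockAllAttributesExcept="defaultRedirect" />

    <!-- lockElements: the nested <providers> element cannot be redefined
         in a child configuration file, so a child application cannot
         add, remove or clear membership providers. Attributes on
         <membership> itself are not covered by this lock. -->
    <membership lockElements="providers" />

  </system.web>
</configuration>
```

A child file that touches a locked attribute or element fails when its configuration is loaded rather than being silently ignored, so a lock violation shows up as a configuration error on the first request to that path.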

In addition, IIS 7.0 ships with Feature Delegation, which allows administrators to decide which configuration sections of the <system.webServer> section group in the ApplicationHost.config file can be edited by developers through the application's web.config file. It is the IIS 7.0 way of protecting configuration settings in the ApplicationHost.config file.

Because configuration data exists within physical files, NTFS permissions come into play when reading or writing configuration data. Under normal conditions, configuration data only needs to be read; although it has to be read up the entire inheritance chain from the most derived web.config file ...
