IIS 7.0 and above allows locking and unlocking configuration settings in various levels and scopes. Locking down configuration means that it cannot be overridden (or set at all) at lower levels in the hierarchy. Unlocking configuration can only be done at the level where it was locked. This is useful, for example, when creating different configuration for different sites or paths, and only some of sites and paths are allowed to override it. Locking can be done at the section level or for specific elements, attributes, collection elements and collection directives within sections.
Locking a Section Using a <location> Tag
You can use the <location> tag to lock (or unlock) entire configuration sections at the global level so that they cannot be overridden at application levels of the configuration hierarchy.
Note: By default, most IIS sections in applicationHost.config are locked down, and none of the .NET Framework sections are locked (including the ASP.NET sections in the <system.web> section group in machine.config and the root web.config).
Using a text editor such as Notepad, open the applicationHost.config file in the following location:
%windir%\system32\inetsrv\config\applicationHost.config
Review the <configSections> section at the very top of the file: it contains metadata about the configuration sections in this file, such as section names, the section groups that contain them, and whether or not they are locked.
Locked sections are identified by the "overrideModeDefault" attribute, which is either "Allow" or "Deny". Only a few sections are unlocked by default, as in this line, for example:
<section name="defaultDocument" overrideModeDefault="Allow" />
Here, we deal with the <windowsAuthentication> section. It is locked by default.
To unlock the entire section for all applications on the server, move its content from its current location in the file to the bottom of the file and put it inside a <location overrideMode="Allow"> element. Remember also to keep the section groups that surround it: <system.webServer>, then <security>, and then <authentication>. The end result should look like this:
<location overrideMode="Allow">
    <system.webServer>
        <security>
            <authentication>
                <!-- the content of the windowsAuthentication section is here -->
            </authentication>
        </security>
    </system.webServer>
</location>
The section is now unlocked for all applications. You can specify a path on the location tag, so that the section will be unlocked only for this path. The default path, if not specified (as in the previous step), is path="." (or path="", the same thing), which means "this current level". In this case, since this is applicationHost.config, the current level means the global level. You can also use location tags anywhere in the namespace hierarchy, e.g. in a web.config at the vdir level, to lock configuration from this point downwards.
Here is an example of how to unlock this section only for the "AdminSuperTrusted" site. That means that web.config files at that site can override the settings in this section; but, for all other sites on the box, it is locked at the global level and cannot be overridden.
In this example, you must leave the contents of the section in their original place in applicationHost.config, and then specify the section in the location tag with a specific path:
<location path="AdminSuperTrustedSite" overrideMode="Allow">
    <system.webServer>
        <security>
            <authentication>
                <!-- note: this is different from the previous example, in that -->
                <!-- the content of the section stays in its original place and -->
                <!-- was not moved here; in addition, the section is also -->
                <!-- specified here, just by its name, so that it gets -->
                <!-- unlocked only for the site specified in the location. -->
                <windowsAuthentication/>
            </authentication>
        </security>
    </system.webServer>
</location>
Returning to the earlier example, where the section content was moved into a <location> element with the default path (path="."), the section is unlocked for all applications in all sites. Check that the primary <authentication> section group (the one outside of the <location> element, higher up in the file) does not contain a <windowsAuthentication> section. A section cannot appear in the same file both outside a location tag and inside a <location path="."> tag; this is considered invalid configuration.
If the section is locked, the browser displays an error because the web.config file at the application level has the <windowsAuthentication> section in it. This means the web.config tries to override <windowsAuthentication> for its level. However, because that section is now locked at the global level, the configuration in the web.config file is not valid.
Change the location tag to have overrideMode="Deny". This locks down the section again. Experiment with other sections, such as the ASP.NET sections in machine.config or root web.config. Try to lock them down at the global level, and override them at the web.config level.
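As an added example (not part of the IIS documentation or the product), the following Python script resolves the effective overrideMode of a section for a given site from an applicationHost.config-style file, applying the <configSections> default first, then global <location> elements, then a <location> naming the site; it also flags the invalid case of a section appearing both outside and inside a <location path="."> element. The sample configuration, site name, and section paths are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed sample modelled on the article, not a real server's applicationHost.config.
SAMPLE = """<configuration>
 <configSections><sectionGroup name="system.webServer">
  <sectionGroup name="security"><sectionGroup name="authentication">
   <section name="windowsAuthentication" overrideModeDefault="Deny" />
  </sectionGroup></sectionGroup>
  <section name="defaultDocument" overrideModeDefault="Allow" />
 </sectionGroup></configSections>
 <system.webServer><security><authentication><windowsAuthentication enabled="true" /></authentication></security></system.webServer>
 <location path="AdminSuperTrustedSite" overrideMode="Allow">
  <system.webServer><security><authentication><windowsAuthentication /></authentication></security></system.webServer>
 </location>
</configuration>"""

def _paths(node, prefix=()):
    """Yield 'a/b/c'-style paths of every element below node."""
    for child in node:
        yield "/".join(prefix + (child.tag,))
        yield from _paths(child, prefix + (child.tag,))

def section_defaults(root):
    """Map 'group/.../section' -> overrideModeDefault (unspecified means Allow)."""
    def walk(node, prefix):
        for c in node:
            name = prefix + (c.get("name"),)
            if c.tag == "sectionGroup":
                yield from walk(c, name)
            else:
                yield "/".join(name), c.get("overrideModeDefault", "Allow")
    return dict(walk(root.find("configSections"), ()))

def effective_mode(xml_text, section, site):
    """'Allow' or 'Deny' for `section` as seen by web.config files under `site`."""
    root = ET.fromstring(xml_text)
    mode = section_defaults(root)[section]
    # A global location (path "." or "") applies first; a location naming the site wins over it.
    for want in (".", site):
        for loc in root.findall("location"):
            if (loc.get("path") or ".") == want and section in set(_paths(loc)):
                mode = loc.get("overrideMode", mode)
    return mode

def invalid_global_duplicates(xml_text):
    """Sections present both outside any <location> and inside <location path=".">: invalid."""
    root = ET.fromstring(xml_text)
    known = section_defaults(root)
    outside = {p for p in _paths(root) if p in known}  # paths through <location> never match
    inside = {p for loc in root.findall("location") if (loc.get("path") or ".") == "."
              for p in _paths(loc) if p in known}
    return sorted(outside & inside)
```

Run it against a copy of your own applicationHost.config to list which sites may override a locked section before you deploy a web.config that relies on the override.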