IIS7 "Lock" and "Unlock" configuration

One of the nice new features in IIS7 is the ability for administrators to lock and unlock configuration settings - both at a global level and also at a site specific level. This allows you to have scenarios like this:

  1. Administrator locks a configuration section - say Authentication - Basic - at the global level. This means that none of the sites on that server can override this setting and change the authentication type.
  2. Administrator locks a configuration section - say Default Document - for a particular site. Therefore that particular site will be unable to modify the default document.
  3. Administrator unlocks a configuration section - say the same as in (1) - for a particular site. That site therefore will be able to modify the setting and change the type of authentication.

All this is done inside the main configuration files. The new IIS7 config file is found in \windows\system32\inetsrv\config\applicationHost.config. The global ASP.NET configuration file is found in \windows\Microsoft.net\Framework\v2.0.52707\config\Web.config. If you open these two files, you will be able to find out which sections are locked or unlocked.

For instance, take a look at the following examples:

<location path="" overrideMode="Deny">
    <system.web>
        <membership>
            <providers />
        </membership>
    </system.web>
    <system.net>
        <mailSettings>
        </mailSettings>
    </system.net>
</location>

The overrideMode set to Deny ensures that no sites can override the membership and mailSettings sections in their own web.config files. The path attribute on line 1 can be set to "" (blank) or "." (period) to refer to the entire server.

<location path="MySite" overrideMode="Allow">
    <system.web>
        <membership>
            <providers />
        </membership>
    </system.web>
</location>

In this section, the MySite site allows the membership section to be overridden.

<location path="Site" overrideMode="Deny">
    <system.web>
        <machineKey />
    </system.web>
</location>

And finally, I can also deny overriding any other specific setting for a site as well.
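
To check a copy of the config file without reading it by eye, the following added example (not part of the original post) reports which overrideMode applies to a section for a given site. It assumes the most specific matching <location> path wins and looks only at <location> tags, so section defaults declared elsewhere in the file are out of scope; the function names and the combined sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the three <location> blocks from this post in one file.
SAMPLE = """<configuration>
  <location path="" overrideMode="Deny">
    <system.web><membership><providers /></membership></system.web>
    <system.net><mailSettings /></system.net>
  </location>
  <location path="MySite" overrideMode="Allow">
    <system.web><membership><providers /></membership></system.web>
  </location>
  <location path="Site" overrideMode="Deny">
    <system.web><machineKey /></system.web>
  </location>
</configuration>"""

def has_section(location, section):
    """True if the <location> element contains e.g. system.web/membership."""
    node = location
    for name in section.split("/"):
        node = next((child for child in node if child.tag == name), None)
        if node is None:
            return False
    return True

def effective_mode(config_xml, section, site):
    """Return the overrideMode that applies, or None if no <location> names the section."""
    best_len, best_mode = -1, None
    target = site.strip("/").lower()
    for loc in ET.fromstring(config_xml).iter("location"):
        path = loc.get("path", "")
        path = "" if path == "." else path.strip("/").lower()
        # "" and "." mean the whole server; otherwise match on a path boundary
        # so that "Site" does not accidentally cover "MySite" or "SiteTwo".
        applies = path == "" or target == path or target.startswith(path + "/")
        if applies and has_section(loc, section) and len(path) > best_len:
            best_len, best_mode = len(path), loc.get("overrideMode")
    return best_mode

def audit(config_xml, site, sections):
    """Map each section name to its effective override mode for one site."""
    return {s: effective_mode(config_xml, s, site) for s in sections}

if __name__ == "__main__":
    names = ["system.web/membership", "system.net/mailSettings", "system.web/machineKey"]
    for site in ("MySite", "Site", "OtherSite"):
        print(site, audit(SAMPLE, site, names))
```
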

So how do you go about doing this? Well, simple actually. You can use the new appcmd tool to perform all of these. For instance:

appcmd lock config -section:system.web/membership

will lock the membership section of the configuration.

appcmd unlock config -section:system.web/membership "MySite"

will unlock the membership section for only the MySite site.

appcmd lock config -section:system.web/machinekey "MySite"

will lock the machinekey section for only the MySite site.

So how do you find out what these section names are? Well, you can open up the two config files mentioned above and browse through them. Or alternatively, you can get a full list of the section names using the following command:

appcmd lock config -section:?

This gives you a list of all the section names/keys that you can use in the above commands.


Categories: IIS | Windows Server 2008

5 Comments

Comments

Good. Learn something from these two articles.

May 11. 2009 21:53 | ricky United States |

Interesting post, this was really useful. thanks!

June 17. 2009 06:10 | mark United States |

I'm not sure if you mean the compilation of aspx files in temporary assemblies. We are using ASP.NET deployment projects, which precompile all aspx/ascx files beforehand. While copying the binary files from the "publish" to the "bin" folder, we temporarily enable an app_offline.htm file which is removed after all assemblies are copied (just a few seconds). This way I never experienced file locks.

June 19. 2009 13:41 | gambling casino reports India |

I opened the two files Web.config and applicationHost.config and found a lot of sections being locked. Thanks. At least now I know where to look.

July 10. 2009 15:16 | Online Poker |

nice report friend

July 13. 2009 00:34 | rusli Zainal Sang Visioner United States |
