

Question: How do I lock configuration settings?

Answer:

To lock configuration settings for all Web applications on a Web server so that an individual application cannot override them, place the settings inside a <system.web> element nested within a <location> element in the machine-level Web.config file, and set the allowOverride attribute to false.
The following example enforces the use of Windows authentication for all Web applications on the server.
		 <location allowOverride="false">
		  <system.web>
		    <authentication mode="Windows"/>
		  </system.web>
		 </location>  
	
If you need to apply and lock settings for a specific Web application, use the path attribute on the <location> element to identify the Web application as shown here.
		 <location path="Default Web Site/VDirName" allowOverride="false">
		  <system.web>
		    <authentication mode="Windows"/>
		    <identity impersonate="false"/>
		  </system.web>
		 </location>  
	
If you specify the path, it must be fully qualified and include the Web site name and virtual directory name.
Important: If it is critical that there are no cross-application breaches, it is better to lock the configuration in the Web.config file in /VDirName instead of using the path attribute to lock the specific Web application.
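To check which <location> blocks in a machine-level Web.config are actually locked, the following added example (not part of the original FAQ) parses the file and reports each block's scope, lock state and the <system.web> sections it contains. The sample configuration is constructed for illustration, and the function names audit_locations and unlocked_paths are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a machine-level Web.config (not taken from a real server).
# The second block omits allowOverride on purpose so the audit has something to flag.
SAMPLE_CONFIG = """<configuration>
  <location allowOverride="false">
    <system.web>
      <authentication mode="Windows"/>
    </system.web>
  </location>
  <location path="Default Web Site/VDirName">
    <system.web>
      <authentication mode="Windows"/>
      <identity impersonate="false"/>
    </system.web>
  </location>
</configuration>"""


def local(tag):
    """Drop an XML namespace prefix such as '{uri}location'."""
    return tag.rsplit("}", 1)[-1]


def audit_locations(config_xml):
    """Return one record per <location> block: scope, lock state, sections."""
    root = ET.fromstring(config_xml)
    report = []
    for loc in root.iter():
        if local(loc.tag) != "location":
            continue
        # allowOverride defaults to true, so only an explicit "false" locks.
        locked = loc.get("allowOverride", "true").strip().lower() == "false"
        sections = [
            local(child.tag)
            for sw in loc if local(sw.tag) == "system.web"
            for child in sw
        ]
        report.append({
            "path": loc.get("path") or "(all applications)",
            "locked": locked,
            "sections": sections,
        })
    return report


def unlocked_paths(config_xml):
    """Scopes whose settings an application Web.config can still override."""
    return [r["path"] for r in audit_locations(config_xml) if not r["locked"]]


if __name__ == "__main__":
    for rec in audit_locations(SAMPLE_CONFIG):
        state = "LOCKED" if rec["locked"] else "overridable"
        print(f'{rec["path"]}: {state} -> {", ".join(rec["sections"])}')
```

Any scope returned by unlocked_paths applies its settings as defaults only; an application-level Web.config can still replace them.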

