With IIS 7 it is now easier than ever to customize the inner workings of ASP.NET applications using only the web.config. It is possible to remove all the features but the ones the specific application uses. In other words, we are able to lock down our applications and only turn on the features we need. The reason to do this is to reduce the attack surface of the application as well as stay in total control all the way from the IIS and into the ASP.NET application.

The attack surface will be reduced when we turn off unneeded features, since there are less ways to access your application. From a security perspective this is desirable. Since we turn off features, we also know exactly what our application can and cannot do. This gives us control and also reduces the overhead of those unneeded features.

The features we can control in the web.config come in the form of modules and handlers. In the <system.webServer> config section below, you’ll see a totally locked down application. All default managed modules have been removed and only two handlers remain. The two handlers let’s you serve .aspx pages and static files such as images and stylesheets.

 <modules runAllManagedModulesForAllRequests="true">
  <remove name="Profile" />
  <remove name="Session" />
  <remove name="RoleManager" />
  <remove name="FormsAuthentication" />
  <remove name="WindowsAuthentication" />
  <remove name="DefaultAuthentication" />
  <remove name="AnonymousIdentification" />
  <remove name="OutputCache" />
  <remove name="UrlAuthorization" />
  <remove name="FileAuthorization" />
  <remove name="UrlMappingsModule" />
  <clear />
  <add name="PageHandlerFactory" path="*.aspx" verb="*" type="System.Web.UI.PageHandlerFactory" />
  <!-- Add custom handlers here -->
  <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />

If you want to register your own handlers, remember to add them above the StaticFile handler. To allow some modules such as the Session module, just delete the line <remove name="Session" /> and it will automatically be added. Use the IIS Manager to see all the handlers and modules that are available.



Pingback from alvinashcraft.com Dew Drop - January 23, 2009 | Alvin Ashcraft's Morning Dew


I've just yesterday ran into issues deploying latest build to IIS7 and had to mess with system.webServer to make it work. Probably, need to look over it again - my solution was far from optimal... Thanks!


ASP.NET application lockdown on IIS 7 You've been kicked (a good thing) - Trackback from DotNetKicks.com


ASP.NET application lockdown on IIS 7 Thank you for submitting this cool story - Trackback from DotNetShoutout


Pingback from patrickverbruggen.com Newly Noted #10 | Patrick Verbruggen's Blog


Pingback from pimp.webproasp.com Web Pro ASP - Active Server Page Development News


Comments are closed