With IIS 7 it is now easier than ever to customize the inner workings of ASP.NET applications using only the web.config. It is possible to remove all the features but the ones the specific application uses. In other words, we are able to lock down our applications and only turn on the features we need. The reason to do this is to reduce the attack surface of the application as well as stay in total control all the way from the IIS and into the ASP.NET application.
The attack surface will be reduced when we turn off unneeded features, since there are less ways to access your application. From a security perspective this is desirable. Since we turn off features, we also know exactly what our application can and cannot do. This gives us control and also reduces the overhead of those unneeded features.
The features we can control in the web.config come in the form of modules and handlers. In the <system.webServer> config section below, you’ll see a totally locked down application. All default managed modules have been removed and only two handlers remain. The two handlers let’s you serve .aspx pages and static files such as images and stylesheets.
<remove name="Profile" />
<remove name="Session" />
<remove name="RoleManager" />
<remove name="FormsAuthentication" />
<remove name="WindowsAuthentication" />
<remove name="DefaultAuthentication" />
<remove name="AnonymousIdentification" />
<remove name="OutputCache" />
<remove name="UrlAuthorization" />
<remove name="FileAuthorization" />
<remove name="UrlMappingsModule" />
<add name="PageHandlerFactory" path="*.aspx" verb="*" type="System.Web.UI.PageHandlerFactory" />
<!-- Add custom handlers here -->
<add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
If you want to register your own handlers, remember to add them above the StaticFile handler. To allow some modules such as the Session module, just delete the line <remove name="Session" /> and it will automatically be added. Use the IIS Manager to see all the handlers and modules that are available.