Customizing The Inner Workings Of ASP.NET With IIS 7

By: Mads Kristensen
Friday, January 30th, 2009

With IIS 7 it is now easier than ever to customize the inner workings of ASP.NET applications using only the web.config. It is possible to remove every feature except the ones the specific application uses. In other words, we are able to lock down our applications and only turn on the features we need. The reason to do this is to reduce the attack surface of the application and to stay in total control all the way from IIS into the ASP.NET application.

The attack surface shrinks when we turn off unneeded features, since there are fewer ways to reach your application. From a security perspective this is desirable. Because we turn off features explicitly, we also know exactly what our application can and cannot do. This gives us control and also removes the overhead of those unneeded features.

The features we can control in the web.config come in the form of modules and handlers. In the <system.webServer> config section below, you'll see a totally locked down application. All default managed modules have been removed and only two handlers remain. The two handlers let you serve .aspx pages and static files such as images and stylesheets.

<system.webServer>
 <!-- Each <remove> undoes a managed module registration inherited from the server-level configuration -->
 <modules runAllManagedModulesForAllRequests="true">
  <remove name="Profile" />
  <remove name="Session" />
  <remove name="RoleManager" />
  <remove name="FormsAuthentication" />
  <remove name="WindowsAuthentication" />
  <remove name="DefaultAuthentication" />
  <remove name="AnonymousIdentification" />
  <remove name="OutputCache" />
  <remove name="UrlAuthorization" />
  <remove name="FileAuthorization" />
  <remove name="UrlMappingsModule" />
 </modules>
 
 <handlers>
  <!-- <clear /> drops every inherited handler; only the entries listed here remain -->
  <clear />
  <add name="PageHandlerFactory" path="*.aspx" verb="*" type="System.Web.UI.PageHandlerFactory" />
  <!-- Add custom handlers here -->
  <!-- StaticFile matches every path, so it must stay last -->
  <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
 </handlers>
</system.webServer>

If you want to register your own handlers, remember to add them above the StaticFile handler: handlers are matched in the order they are listed, and the StaticFile entry matches every path, so anything placed after it is never reached. To allow a module such as the Session module, just delete the line <remove name="Session" /> and the registration inherited from the server-level configuration takes effect again. Use the IIS Manager to see all the handlers and modules that are available.
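The following script is an added example, not code from the article or from IIS. It reads the <system.webServer> section of a web.config and reports which managed modules remain active after the <remove> entries and which handlers are listed after a catch-all entry and can therefore never be reached. The list of inherited managed modules is an assumption taken from the eleven modules the article removes; the real inherited set comes from the server's applicationHost.config. The sample web.config, the handler name "CustomAshx" and its type "Example.Handlers.Ping" are constructed for the demonstration.

```python
"""Audit the <system.webServer> section of an IIS 7 web.config.

Reports the managed modules still active after <remove> entries and
flags handlers that sit behind a catch-all (path="*" verb="*") entry.
"""
import xml.etree.ElementTree as ET

# Assumption: managed modules the server-level configuration registers by
# default. Taken from the eleven modules the article removes; the actual
# inherited set depends on the server's applicationHost.config.
INHERITED_MANAGED_MODULES = [
    "Profile", "Session", "RoleManager", "FormsAuthentication",
    "WindowsAuthentication", "DefaultAuthentication",
    "AnonymousIdentification", "OutputCache", "UrlAuthorization",
    "FileAuthorization", "UrlMappingsModule",
]

# Constructed sample: the article's locked-down config with Session
# re-enabled (its <remove> deleted) and a custom handler placed in the
# wrong spot, after the catch-all StaticFile handler.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
 <system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
   <remove name="Profile" />
   <remove name="RoleManager" />
   <remove name="FormsAuthentication" />
   <remove name="WindowsAuthentication" />
   <remove name="DefaultAuthentication" />
   <remove name="AnonymousIdentification" />
   <remove name="OutputCache" />
   <remove name="UrlAuthorization" />
   <remove name="FileAuthorization" />
   <remove name="UrlMappingsModule" />
  </modules>
  <handlers>
   <clear />
   <add name="PageHandlerFactory" path="*.aspx" verb="*" type="System.Web.UI.PageHandlerFactory" />
   <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
   <add name="CustomAshx" path="*.ashx" verb="*" type="Example.Handlers.Ping" />
  </handlers>
 </system.webServer>
</configuration>
"""


def load_web_server_section(xml_text):
    """Return the <system.webServer> element or raise if it is missing."""
    root = ET.fromstring(xml_text)
    for child in root:
        if child.tag == "system.webServer":
            return child
    raise ValueError("no <system.webServer> section in web.config")


def active_modules(section):
    """Inherited modules minus <remove> entries, plus local <add> entries.

    <clear /> discards everything inherited, mirroring IIS semantics.
    """
    modules = section.find("modules")
    active = list(INHERITED_MANAGED_MODULES)
    if modules is None:
        return active
    for child in modules:
        name = child.get("name")
        if child.tag == "clear":
            active = []
        elif child.tag == "remove" and name in active:
            active.remove(name)
        elif child.tag == "add" and name not in active:
            active.append(name)
    return active


def handler_names(section):
    """Handler names in the order IIS will evaluate them."""
    handlers = section.find("handlers")
    if handlers is None:
        return []
    return [h.get("name") for h in handlers if h.tag == "add"]


def shadowed_handlers(section):
    """Handlers listed after a path="*" verb="*" entry.

    IIS picks the first matching handler, so for requests whose target
    exists on disk these entries are never selected.
    """
    handlers = section.find("handlers")
    if handlers is None:
        return []
    shadowed, catch_all_seen = [], False
    for h in handlers:
        if h.tag != "add":
            continue
        if catch_all_seen:
            shadowed.append(h.get("name"))
        if h.get("path") == "*" and h.get("verb", "*") == "*":
            catch_all_seen = True
    return shadowed


def audit(xml_text):
    """Summarize the effective module and handler configuration."""
    section = load_web_server_section(xml_text)
    return {
        "active_modules": active_modules(section),
        "handlers": handler_names(section),
        "shadowed_handlers": shadowed_handlers(section),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_WEB_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the sample, the audit shows that only Session remains active and that CustomAshx is shadowed by StaticFile, which is exactly the mistake the paragraph above warns about. Point `audit()` at the contents of a real web.config and replace INHERITED_MANAGED_MODULES with the list shown in IIS Manager for the server in question to get an accurate picture of that application.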


About the Author:
Mads Kristensen currently works as a Senior Developer at Traceworks, located in Copenhagen, Denmark. Mads graduated from Copenhagen Technical Academy with a multimedia degree in 2003, but has been a professional developer since 2000. His main focus is on ASP.NET, but he is responsible for WinForms, Windows services and web services in his daily work as well. A true .NET developer with great passion for the simple solution. http://www.madskristensen.dk/
DevWebPro is an iEntry Network ® publication - © 1998-2010 All Rights Reserved