Chapter 20. Administering an IIS Machine Using ASP.NET
By Kevin Price
IN THIS CHAPTER
By now, you should be aware that IIS and ASP.NET provide multiple ways to manage certain aspects of security with configuration files. While this practice may seem to hearken back to the days of .ini files, the means and scale of what can be accomplished has grown exponentially. Using configuration files takes a level of fear out of site configuration, because everything is stored in a flat text file as opposed to the Windows registry. This also has the added bonus of not requiring the server to be rebooted or restarted when a change is made; .NET automatically polls for changes and applies them as they are made to the file. Currently, the only GUI tool for editing these files is an XML editor, because that's exactly what these files are. Through the use of the intrinsic hierarchical nature of XML, configuration files can hide and/or expose functionality based on the file's contents. The main file discussed in this chapter will be the web.config file. This file is generated by default whenever a Web project is created within the Visual Studio.NET development environment. It is parsed by the CLR and can be used to determine such items as user permissions, actions, or verbs allowed on the Web server and remoting. By the end of this chapter, you will be able to
Modify the web.config file to force user authentication, regardless of IIS settings
Know the security hierarchy in relation to web.config, child directory configuration, and machine.config files
Establish security using XML-based configuration files