Many .NET Framework features depend on initialization information stored in various configuration files. ASP.NET in particular relies heavily on configuration sections to define the behavior of many aspects of the ASP.NET runtime. As a result, the configuration information frequently contains sensitive information (usernames, passwords, connection strings, and so on). Configuration information can also directly affect the security settings enforced by certain features. Configuration security is therefore an important aspect of ensuring that a web application works as expected.
This chapter covers the following aspects of securing configuration information:
Using the <location /> element.
Implementing granular inheritance control using the new "lock" attributes.
Setting access rights to read and modify configuration.
Managing IIS 7.0 configuration versus ASP.NET configuration.
IIS 7.0 Feature Delegation.
Implementing partial trust restrictions when using configuration.
Using the new protected configuration feature.