Machine.config and Web.config guidelines for ASP.NET applications and Web Services security

Source: Internet
Author: User

Use Machine.config to set the machine-level defaults for every application on the server. If you want to enforce specific settings for all applications on the server, use allowOverride="false" on the <location> element, as described above. This is particularly relevant in hosting scenarios, where security policy must be enforced for every application on the server.

For settings that can be configured on a per-application basis, the application usually supplies its own Web.config file. Although multiple <location> elements in Machine.config can be used to configure individual applications, a separate Web.config file offers deployment advantages and keeps Machine.config smaller.

The main issue to consider is which settings should be enforced by machine-level policy. This depends on the specific scenario. Some common settings are shown below. Note that ASP.NET configuration elements are case-sensitive, so the element names must be written exactly as follows:

<location path="" allowOverride="false">
  <system.web>
    <authentication mode="Windows"/>
  </system.web>
</location>
 
Hosting companies need to restrict applications so that they cannot access each other's resources, and to limit their access to important system resources. To achieve this, you can configure all applications to run at a partial trust level. For example, the Medium trust level restricts an application to files within its own virtual directory hierarchy and restricts access to other types of resources. For more information, see Module 9, ASP.NET Code Access Security. To apply the Medium trust policy to all applications on the server, use the following configuration:

<location path="" allowOverride="false">
  <system.web>
    <trust level="Medium"/>
  </system.web>
</location>
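The following PowerShell script is an added example, not part of the original article: it reads a Machine.config as XML and reports whether a <location path="" allowOverride="false"> block actually enforces a trust level and an authentication mode for every application on the server. The Machine.config path is an assumption and should be adjusted to the framework version in use.

```powershell
# Added example (not from the original article): audit Machine.config for
# settings that are locked server-wide with <location path="" allowOverride="false">.
# The default path below is an assumption; point it at your framework version.
param(
    [string]$MachineConfig = "$env:windir\Microsoft.NET\Framework\v1.1.4322\CONFIG\machine.config"
)

[xml]$cfg = Get-Content -Path $MachineConfig -Raw

# Only <location> elements with no path (or path="") and allowOverride="false"
# enforce a setting for every application; anything else can be overridden
# by an application's own Web.config.
$locked = @($cfg.configuration.location) |
    Where-Object { $_ -and (-not $_.path) -and $_.allowOverride -eq "false" }

$trust = @($locked | ForEach-Object { $_.'system.web'.trust.level } | Where-Object { $_ })
$auth  = @($locked | ForEach-Object { $_.'system.web'.authentication.mode } | Where-Object { $_ })

$partialTrust = @('Medium', 'Low', 'Minimal')
if ($trust | Where-Object { $partialTrust -contains $_ }) {
    Write-Output "OK: partial trust level '$($trust -join ',')' is enforced for all applications."
} else {
    Write-Warning "Trust level is not locked; an application can set <trust level='Full'/> in its own Web.config."
}

if ($auth.Count -gt 0) {
    Write-Output "OK: authentication mode '$($auth -join ',')' is enforced machine-wide."
} else {
    Write-Warning "No <authentication> mode is enforced from Machine.config."
}
```

Run it on each server in a hosting environment to confirm that the <location> lock-down from the text is present and has not been removed by a later edit.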
 

ACLs and permissions
Configuration files contain sensitive data. Therefore, you must restrict access to them with appropriately configured ACLs.

Machine.config
By default, Machine.config is configured with the following ACL:

Administrators: Full Control
System: Full Control
Power Users: Modify
Users: Read and Execute
LocalMachine\ASPNET (process identity): Read and Execute

Note that on Windows Server 2003, the Local Service and Network Service accounts are also granted read permission.

By default, members of the Users group are granted read permission because all managed code running on the computer must be able to read Machine.config.

The default ACL on Machine.config is secure by default. However, if only one Web application runs on the server, or if all Web applications use the same process identity, you can remove the Users access control entry (ACE) to further restrict the ACL. If you do remove Users from the DACL, you must explicitly add the Web process identity.

Web.config
The .NET Framework does not install any Web.config file. When an application that supplies its own Web.config is installed, the file generally inherits the ACL of the Inetpub directory. By default, this ACL grants read permission to members of the Everyone group. To lock down an application-specific Web.config, use one of the following ACLs.

For .NET Framework 1.0:

Administrators: Full Control
System: Full Control
ASP.NET process identity: Read
UNC identity: Read
Impersonated identity (fixed identity): Read
Impersonated identity (original caller): Read


For .NET Framework 1.1:

Administrators: Full Control
System: Full Control
ASP.NET process identity: Read
UNC identity: Read
Impersonated identity (fixed identity): Read

If the application impersonates a fixed account, for example <identity impersonate="true" userName="WebUser" password="Y0urStr0ngPassw0rd$"/>, both that account (WebUser in this example) and the process identity must have read permission.

If the code base is located on a Universal Naming Convention (UNC) share, you must grant read permission to the UNC token identity supplied by IIS.

If you impersonate without explicit credentials, for example <identity impersonate="true"/>, and do not use a UNC share, only the process identity needs access on .NET Framework 1.1. On .NET Framework 1.0, you must configure additional ACEs to grant read permission to every impersonated identity (that is, you must grant read permission to the original callers).
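As an added example that is not part of the original article, the following PowerShell script applies the .NET Framework 1.1 Web.config ACL listed above to a single application's Web.config: it breaks inheritance from Inetpub (which is what grants Everyone read access), then grants Administrators and SYSTEM Full Control, the process identity Read, and Read to any additional identities you pass in (a fixed impersonation account or the UNC identity). The file path, the process identity name and the extra identities are placeholders for this example.

```powershell
# Added example (not from the original article): lock down one application's
# Web.config with the .NET Framework 1.1 ACL described in the text.
# Path and identity names are assumptions; replace them for your server.
param(
    [string]$WebConfig = "C:\Inetpub\wwwroot\MyApp\Web.config",
    [string]$ProcessIdentity = "$env:COMPUTERNAME\ASPNET",
    [string[]]$ExtraReadIdentities = @()   # fixed impersonation account and/or UNC identity
)

function New-Rule([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, 'Allow')
}

$acl = Get-Acl -Path $WebConfig

# Stop inheriting the Inetpub ACL and do not copy the inherited entries
# (this is what removes the Everyone: Read entry from the file).
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit entries that remain so that only the rules below apply.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-Rule $ProcessIdentity          'Read'))
foreach ($id in $ExtraReadIdentities) {
    $acl.AddAccessRule((New-Rule $id 'Read'))
}

Set-Acl -Path $WebConfig -AclObject $acl

# Print the resulting DACL so it can be compared with the list in the text.
(Get-Acl -Path $WebConfig).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

For a .NET Framework 1.0 application that impersonates the original caller, pass each caller identity (or the group they belong to) through -ExtraReadIdentities, as the text requires for that version.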

