Datasheet
Management Delegation
Management of IIS in previous versions meant either granting local administrator privileges to the user
or working through WMI and ADSI options to directly manage the site configurations. The only other
option was for developers to work through the IIS administrators to change configurations — an option
that could often be frustrating for both administrators and programmers. IIS 7.0 changes this through
delegation of administration permissions at the server, site, and application levels.
In IIS 7.0, configuration options can be delegated in a very granular fashion. By default, most IIS settings
are locked down and cannot be configured below the applicationHost.config file. You will see settings
similar to this in the default file:
<sectionGroup name="system.applicationHost" type="…">
    <section name="applicationPools" overrideModeDefault="Deny" />
</sectionGroup>
To allow configuration delegation for a specific site, you would add a <location> element for that site,
allowing the configuration files for the site to override the default settings in the
applicationHost.config file. The code would be similar to
<location path="MyWebSite" overrideMode="Allow">
    <system.webServer>
        <asp />
    </system.webServer>
</location>
In a default installation, all IIS features are locked down except for HTTP, HTTP redirects, default documents,
and directory browsing. All ASP.NET configurations are unlocked by default. In addition to delegations
allowed within the configuration files, the configuration files themselves can be controlled through NTFS
permissions. By setting ACLs on the files, an administrator can prevent unauthorized access to the files.
For an even more granular locking of specific elements in IIS, you can use attribute locking. Using
overrideMode, an administrator can allow specific sites to be managed through configuration files by a
developer. Attribute locking can be used to lock a specific attribute or element of the configuration while
using overrideMode="Allow" on a web site. Developers can still override configurations at a local level,
but the administrator maintains control of attributes they don't want changed. For example, to allow a
developer to configure IIS options except for Windows authentication for the site MySite, you could use
the following code in your applicationHost.config file to force the values required for Windows
authentication:
<location path="MySite" overrideMode="Allow">
    <system.webServer>
        <security>
            <authentication>
                <windowsAuthentication enabled="true" lockAttributes="enabled">
                    <providers>
                        <add value="Negotiate" />
                        <add value="NTLM" />
                    </providers>
                </windowsAuthentication>
            </authentication>
        </security>
    </system.webServer>
</location>
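As an added example (not code from the book), the following Python audit reads an applicationHost.config, combines each section's overrideModeDefault with any <location overrideMode> entry for a site, and reports which sections that site's developer may override and which attributes lockAttributes keeps pinned. The config fragment is constructed for the example, and the report is a reviewer's approximation of the rules IIS's own configuration system applies over the full file.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config (not a real server's file): <section> elements
# set the default lock state; MySite's <location> delegates asp and windowsAuthentication.
SAMPLE_CONFIG = """<configuration>
 <configSections>
  <sectionGroup name="system.webServer">
   <section name="asp" overrideModeDefault="Deny" />
   <section name="defaultDocument" overrideModeDefault="Allow" />
   <sectionGroup name="security"><sectionGroup name="authentication">
    <section name="windowsAuthentication" overrideModeDefault="Deny" />
   </sectionGroup></sectionGroup>
  </sectionGroup>
 </configSections>
 <location path="MySite" overrideMode="Allow">
  <system.webServer>
   <asp />
   <security><authentication>
    <windowsAuthentication enabled="true" lockAttributes="enabled" />
   </authentication></security>
  </system.webServer>
 </location>
</configuration>"""

def _paths(node, key, prefix=()):
    """Yield (slash-joined path, element) for every descendant of node."""
    for child in node:
        path = prefix + (key(child),)
        yield "/".join(path), child
        yield from _paths(child, key, path)

def section_defaults(root):
    """Section path -> overrideModeDefault (IIS treats a missing value as Allow)."""
    return {p: e.get("overrideModeDefault", "Allow")
            for p, e in _paths(root.find("configSections"), lambda e: e.get("name", ""))
            if e.tag == "section"}

def delegation_report(config_xml, site):
    """Return {section: (effective overrideMode, sorted locked attributes)} for site."""
    root = ET.fromstring(config_xml)
    modes = section_defaults(root)
    locks = {s: set() for s in modes}
    for loc in root.findall(f"location[@path='{site}']"):
        # Only sections named under the <location> take its overrideMode; others keep defaults.
        for path, elem in _paths(loc, lambda e: e.tag):
            if path in modes:
                modes[path] = loc.get("overrideMode", modes[path])
                names = elem.get("lockAttributes", "").split(",")
                locks[path] |= {n.strip() for n in names if n.strip()}
    return {s: (modes[s], sorted(locks[s])) for s in modes}
```

For MySite the report shows asp and windowsAuthentication as Allow (the latter with "enabled" locked), while any other site keeps the server-wide Deny on both.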
Part 1: Introduction and Deployment