The new configuration system in IIS 7.0 was designed
to provide rich support for feature delegation. This term has a special
meaning in IIS 7.0—the ability to designate features that Web site
administrators or application managers can control at the site or
application level—without making them administrators on the server. As
you will see, feature delegation works hand in hand with remote
administration and is built into the IIS Manager, which allows you to
configure delegation and at the same time respects delegation settings,
limiting access to locked or limited features.
Feature
delegation is implemented in two ways. First, the configuration
hierarchy itself allows configuration to be specified in distributed
web.config files, which are typically under the control of the site
administrator or application developer, neither of whom has to be a server
administrator to set or change configuration there. The server
administrator controls which configuration can be set in this
delegated manner in web.config files, versus which configuration can only
be set by a server administrator in applicationHost.config. This
control is accomplished through configuration locking, which can be done
at the section level by locking the section in applicationHost.config
or at the granular level by locking specific configuration settings in a
particular configuration section.
The second way is
implemented by IIS Manager, which subsumes the configuration section
locking mechanism and provides a way to manage the delegation of the
underlying configuration and the corresponding IIS Manager UI features
for seamless integration with remote administration through the tool.
Managing feature delegation through the IIS Manager has the advantage of
ensuring correctly configured delegation. The IIS Manager will respect
delegation settings so that a remote user cannot see features that are
hidden (marked as Not Delegated in the IIS Manager), and cannot make
changes to features that are marked as Read Only in the IIS Manager.
Important
Any
user that can upload a web.config can overwrite IIS 7.0 and ASP.NET
settings in web.config. If you use the IIS Manager to write
configuration, these settings will be properly maintained and users will
only be allowed to change configuration for which they have access. If a
web.config file is created outside of the IIS Manager and then
uploaded to the site, it may contain configuration settings that are not
permitted by the delegation settings. In this event, IIS 7.0 will
present a configuration locking error, and the previous, correct
web.config details may be lost, since the original web.config has been
overwritten.
When you delegate
control to others, there will be a strong incentive for them to control
their site or application configuration using the IIS Manager, as it
will show only features that the user has the right to see or control.
Delegation Settings in the IIS Manager
Let’s examine the various settings in the IIS Manager related to delegation. Figure 1 shows the results you’ll see if you select the server node in the tree view and then Feature Delegation from the features pane.
The
Delegation column lists the current delegation setting for each
feature. The names of these delegation states do not describe very
clearly what each one does, so do not try to infer a great deal from the
terms themselves:
Not Delegated
When a feature is marked as Not Delegated, the corresponding
configuration section will be locked in applicationHost.config by
placing it inside a <location> tag with the overrideMode
value set to Deny. When a feature is marked as Not Delegated, any
changes you make to this feature at server level (that is, with the
server icon selected in the tree view) will be recorded in
applicationHost.config. Changes at the site or application level can
only be made by the server administrator and will be recorded in
applicationHost.config using <location> tags to apply them to the
required path. When using the IIS Manager to connect to the site or
application, remote users will not be able to see the corresponding
feature icon or change its settings. If a web.config file is uploaded
that contains settings for a Not Delegated feature, a configuration
error occurs.
Read Only
This is the same as Not Delegated, except that remote users will be
able to see this feature; however, they cannot change any values. This
is a useful setting when you want users to know, for example, what
authentication methods are available to them, but you don’t want them to
be able to turn them on or off.
Read/Write
When a feature is marked as Read/Write, the configuration section will
be unlocked for distributed web.config files. This is accomplished by
placing the configuration section in a <location> tag with the
overrideMode value set to Allow. Any changes you make to this feature
at server level will be recorded in applicationHost.config. Changes to
this feature at the site or application level will be recorded in the
appropriate web.config. (A reference to site level designates the
web.config in the site root. The application level refers to the
web.config file that resides in a folder within the site that has been
designated as an application.) When using the IIS Manager to connect to
the site or application, remote users will be able to see and change the
settings.
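The locking mechanism described for Not Delegated and Read/Write, and the uploaded-web.config problem called out in the Important note above, can be checked before a file is dropped on a site. The following script is an added example, not code from the book or from IIS: it reads the overrideMode of the server-wide <location path=""> tags in a constructed applicationHost.config fragment and reports which sections a constructed site web.config sets that the server has marked Deny (the sections that would trigger a configuration locking error). Section paths, sample values and the two XML fragments are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (hypothetical): defaultDocument delegated, anonymousAuthentication locked.
APPLICATION_HOST_CONFIG = """<configuration>
  <location path="" overrideMode="Allow">
    <system.webServer><defaultDocument enabled="true" /></system.webServer>
  </location>
  <location path="" overrideMode="Deny">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

# Constructed site web.config, as an owner might upload it without using IIS Manager.
SITE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <defaultDocument><files><add value="home.aspx" /></files></defaultDocument>
    <security><authentication>
      <anonymousAuthentication enabled="false" />
    </authentication></security>
  </system.webServer>
</configuration>"""


def _paths(element, prefix="", leaves_only=False):
    """Yield 'a/b/c' element paths below element (optionally only leaf elements)."""
    for child in element:
        path = f"{prefix}/{child.tag}" if prefix else child.tag
        if not leaves_only or len(child) == 0:
            yield path
        yield from _paths(child, path, leaves_only)


def server_lock_map(app_host_xml):
    """Map each section path to the overrideMode of the <location path=""> tag that holds it."""
    lock_map = {}
    for loc in ET.fromstring(app_host_xml).findall("location"):
        if loc.get("path", "") == "":  # server-wide delegation settings only
            for path in _paths(loc, leaves_only=True):
                lock_map[path] = loc.get("overrideMode", "Allow")
    return lock_map


def locked_sections_in(web_config_xml, lock_map):
    """Return section paths the web.config sets although the server locks them (Deny)."""
    violations = set()
    for path in _paths(ET.fromstring(web_config_xml)):
        # the longest matching section wins, since a section lock covers everything inside it
        hits = [k for k in lock_map if path == k or path.startswith(k + "/")]
        if hits and lock_map[max(hits, key=len)] == "Deny":
            violations.add(max(hits, key=len))
    return sorted(violations)
```

Running `locked_sections_in(SITE_WEB_CONFIG, server_lock_map(APPLICATION_HOST_CONFIG))` reports the anonymousAuthentication section and leaves the delegated defaultDocument change alone.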
Additional delegation values may be provided by third-party extensions to the tool that have extension-specific meaning.
Default Settings for Delegated Configuration
As mentioned, certain settings in IIS 7.0 are delegated by default, whereas others are specifically locked down. Table 1 is from a prerelease version of the IIS 7.0 Hosting Deployment Guide,
which can be located on IIS.net. The information in the table details
which features are delegated and why. You may want to make different
decisions than the IIS team regarding these default settings, but a
great deal of thought has gone into these settings, so we would advise
not making changes to the global settings without good reason.
Table 1. Features and Delegated Settings
Feature | Delegated Setting | Reason |
---|---|---|
.NET Compilation | Read Only (changed from Read/Write) | Specifies settings for ASP.NET compilation processing directives like the temporary compilation directory. Prevents users from setting the temporary compilation directory manually. |
.NET Globalization | Read/Write | Specifies settings for default culture and globalization properties for Web requests. |
.NET Profile | Read/Write | Specifies settings for user-selected options in ASP.NET applications. |
.NET Roles | Read/Write | Specifies settings for groups for use with .NET users and forms authentication. |
.NET Trust Levels | Read Only (changed from Read/Write) | Specifies the trust level. By locking down the trust level when you follow the ASP.NET guidance in this document, you will be setting this to Read Only and locking it for the server. Prevents Web site owners from setting the trust level to a higher level than set by the server administrator. For example, if a custom trust level is set by the administrator, this setting should be set to Read Only so it cannot be overridden. |
.NET Users | Configuration Read/Write | Specifies settings for management of users who belong to roles and use forms authentication. |
Application Settings | Read/Write | Specifies settings for storing data (name and value pairs) that managed code applications can use at run time. |
ASP | Read Only | Specifies Classic ASP settings. |
ASP.NET Impersonation | Read/Write | Specifies impersonation settings. Site owners can use this to run their site under a different security context. |
Authentication—Anonymous | Read Only | Specifies anonymous authentication settings. |
Authentication—Forms | Read/Write | Specifies forms authentication settings. |
Authentication—Windows | Read Only | Specifies Windows authentication settings. |
Authorization Rules | Read/Write | Specifies the list of Allow or Deny rules that control access to content. |
CGI | Read Only | Specifies properties for CGI applications. Should be left set to Read Only to prevent users from changing settings. |
Compression | Read/Write | Specifies settings to configure compression. |
Connection Strings | Read/Write | Specifies connection strings that applications can use. |
Default Document | Read/Write | Specifies default documents for the Web site. By leaving this Read/Write, users will be able to specify a custom default document for their site without contacting the server administrator. |
Directory Browsing | Read/Write | Specifies directory browsing settings. |
Error Pages | Read Only | Specifies what HTTP error responses are returned. |
Failed Request Tracing Rules | Read/Write | Specifies settings for failed request tracing rules. Enables users to create rules for tracing requests based on parameters like time taken or status code and to diagnose problems with their site. |
Feature Delegation | Remove Delegation (changed from Read/Write) | Specifies settings for delegating features to applications. It can be turned off unless server administrators want to enable this feature for site owners. |
Handler Mappings | Read/Write | |
HTTP Response Headers | Read/Write | Specifies HTTP headers that are added to responses from the Web server. |
ISAPI Filters | Read Only | Specifies ISAPI filters that process requests made to the site or server, such as ASP.NET. |
Logging | Remove Delegation | |
Machine Key | Read/Write | Specifies hashing and encryption settings for application services, such as view state, forms authentication, and membership and roles. |
MIME Types | Read Only | Specifies what file types can be served as static files. |
Modules | Read/Write | Specifies native and managed code modules that process requests made to the site or server. |
Output Caching | Read/Write | Specifies rules for caching output. |
Pages and Controls | Read/Write | Specifies page and control settings for applications. |
Redirect Rules | Read/Write | Specifies settings for redirecting requests to another file or URL. |
Session State | Read/Write | Specifies session state and forms authentication cookie settings. |
SMTP E-mail | Read/Write | Specifies e-mail address and delivery options for e-mail sent from the site. |
SSL Settings | Read Only | Specifies settings for SSL. |