IIS 7.0 : Managing Configuration - Delegating Configuration (part 2)

4/21/2011 4:21:07 PM

Directly Configuring Delegation

Although you can manage the delegation of many IIS features in the IIS Manager, it only allows you to manage the underlying configuration delegation for features that have corresponding UI pages in the IIS Manager. For those features, selecting the IIS Manager delegation state also generates the required configuration delegation settings to control whether the corresponding configuration sections can be used at the site or application level.

However, there are times when you will need to manage configuration delegation directly. One such case is when the configuration section does not have a corresponding IIS Manager feature. For example, IIS 7.0’s URL Filtering feature does not, at the time of this writing, have a UI component. In these cases, you can work with the configuration system directly or the Appcmd command line tool to configure the desired configuration delegation.

The initial ability to delegate a specific configuration section is controlled by the overrideModeDefault attribute on its declaration. Some of the built-in IIS 7.0 configuration sections like <defaultDocument> allow delegation by default by specifying Allow for this attribute in their declarations, and others like <serverRuntime> do not by specifying Deny. This decision is typically made by the developer of the feature that reads this configuration section, based on whether or not the feature configuration should be by default delegated to users who are not server administrators.


Do not change the overrideModeDefault setting on section declarations to unlock them. The IIS team recommendations for default delegation settings are well reasoned. If you need to override the default setting globally, use Location tags referencing the “*” path (or a null path, “”).

The overrideModeDefault setting on the section declarations in applicationHost.config sets the default value for delegation. You can modify the delegation status of each configuration section by locking or unlocking it. Unlocking sections is often needed in order to be able to specify configuration for certain sections in web.config files of your Web site. Likewise, you may want to lock certain other sections if you do not want the Web sites on your server to be able to override the settings set in applicationHost.config.

To unlock a section, you can use the Appcmd.exe command line tool as follows.

%windir%\system32\inetsrv\AppCmd Unlock Config /section:<SectionName>

Where <SectionName> is the name of the section, for example, “system.webServer/serverRuntime”.

To lock a section that is currently unlocked, you can use the following command.

%windir%\system32\inetsrv\AppCmd Lock Config /section:<SectionName>

Locking or unlocking a section produces a location tag in applicationHost.config that sets the delegation state of the configuration section by setting the overrideMode attribute to Allow or Deny. For example, if we use the unlock command shown previously to unlock the <serverRuntime> section, we will generate the following in applicationHost.config.

    <location path="" overrideMode="Allow">
<serverRuntime />

Likewise, you can lock or unlock configuration sections for a particular configuration path only, by specifying this path in the command. This can allow you, for example, to keep the configuration section locked for the entire server but allow a specific site to override its settings.

%windir%\system32\inetsrv\AppCmd Unlock Config "Default Web Site/"
/section:system.webServer/serverRuntime /commit:apphost

In this example, we unlock the <serverRuntime> section for the “Default Web Site” only and commit these changes to applicationHost.config (this is required). This produces a location tag in applicationHost.config that uses the path attribute to apply itself only to “Default Web Site/”.

This enables you to quickly manage the configuration delegation on a section level. However, sometimes it is necessary to allow the delegation of the section but keep control over a specific setting inside that section.

Additional Configuration for Remote Administration

For a user to manage a site or application remotely using the IIS Manager, it is necessary to assign specific permissions to the content. The service account for the Web Management Service (WMSvc) must have read and write permissions to web.config in order to successfully connect remotely.

Granular Configuration Locking

You have explored the configuration’s ability to lock and unlock sections for delegation and used the location tag for creating settings for a site or directory that override the inherited defaults. Feature delegation controls whether or not the entire section can be used in a configuration file at a certain level. However, there are some cases in which the configuration section contains some configuration that should be delegated and some configuration that should be locked.

To support these scenarios, the configuration system allows you to exercise more fine-grained control over what specific configuration settings should be delegated through granular locking. Granular locking is achieved through the use of special locking directives supported by the configuration system.

To use granular configuration locking, you have to edit the configuration through some means other than the IIS Manager. At this time, the IIS Manager does not support configuring granular locking.


The semantics for granular locking are based on the configuration system for ASP.NET, so if you are familiar with that, you will be ahead of the game.

Granular configuration locking is accomplished by using one of the special attributes listed in Table 2.

Table 2. Granular Configuration Locking
Locking DirectiveUsed To
lockAttributesLock specific attributes to prevent them from being specified.
lockAllAttributesExceptLock all attributes on the element other than the specified attributes.
lockElementsLock the specified elements to prevent them from being specified (and therefore lock all other attributes and child elements of the specified elements)
lockAllElementsExceptLock all elements on the current element except the specified elements.
lockItemLock the current collection element to prevent it from being removed.

lockAttributes, lockAllAttributesExcept

The lockAttributes configuration directive can be specified on a configuration element in order to lock specific attributes on the element and prevent them from being specified at lower configuration levels. The lockAttributes directive specifies a comma-separated list of attribute names that are valid for the current element.

For example, in order to allow the <defaultDocument> section to be delegated but make sure that the feature itself cannot be disabled, we can set the enabled attribute to “true” and then lock it using the lockAttributes directive as follows:

<defaultDocument enabled="true" lockAttributes="enabled">
<add value="Default.htm" />
<add value="Default.asp" />
<add value="index.htm" />
<add value="index.html" />
<add value="iisstart.htm" />
<add value="default.aspx" />

In this example, lockAttributes instructs IIS 7.0 to disallow any change to the enabled attribute. As a result, if the Web administrator attempts to turn off the default document feature (enabled=“false”) the error message shown in Figure 2 occurs.

Figure 2. Error message due to configuration locking.

As you can see in Figure 4-6, the lock violation is called out and the offending line in web.config is clearly displayed. Removing this line, in this case, clears the error.

The lockAllAttributesExcept form of the attribute lock provides a convenient mechanism for cases in which you want to lock all attributes on the element except for one or two attributes that should be unlocked. In that case, you can use it instead of the lockAttributes element and specify the attributes that you want to keep unlocked.

lockElements, lockAllElementsExcept

The lockElements locking directive allows you to lock a particular child element of the current element (as opposed to an attribute). This prevents this element from being specified at lower configuration levels. The lockElements directive specifies a comma-separated list of element names to lock.

For example, we can use the lockElements directive to prevent the <files> collection of the <defaultDocument> section from being specified, therefore effectively preventing lower configuration levels from changing the contents of the default document list.

<defaultDocument enabled="true" lockElements="files" >
<add value="Default.htm" />
<add value="Default.asp" />
<add value="index.htm" />
<add value="index.html" />
<add value="iisstart.htm" />
<add value="default.aspx" />

This setup prevents a Web administrator from changing the files in the default document list, but it does permit turning the feature on and off (via the enabled attribute).

The lockElements directive can also be used to do collection locking. By locking the ability to use certain collection elements (such as <add>, <remove>, and <clear>) it is possible to prevent the collection from being changed or prevent elements from being removed while still allowing new elements to be added.

For example, if you lock the <add> element (or the corresponding element that acts as the <add> element for the collection), lower configuration levels will not be able to add new elements to the collection. Likewise, if you lock the <remove> and <clear> elements, lower levels will not be able to remove elements from the collection but will be able to add new ones.

The lockAllElementsExcept directive can be used with configuration elements that have multiple subelements, when you want to lock all of them but one. In practice, we don’t expect that this will be widely used, but it is a possibility to keep in mind should you encounter a situation in which it is applicable.


The lockItem directive can be used to lock specific collection elements from being removed or modified, as opposed to preventing all elements in the collection from being removed by locking the <remove> element using lockElements. The lockItem directive is specified on each collection element that is to be locked and accepts Boolean values.

Returning to our example, we want to allow a Web site administrator to be able to add new entries to the list of default pages but not remove Default.aspx from the list. In applicationHost.config, you can lock in the Default.aspx page by finding the configuration section in applicationHost.config as follows.

<add value="Default.htm" />
<add value="Default.asp" />
<add value="index.htm" />
<add value="index.html" />
<add value="iisstart.htm" />
<add value="default.aspx" lockItem="true" />

This will prevent lower configuration levels from being able to explicitly remove the Default.aspx entry, as well as using <clear/> to remove all items from the collection. They will still be able to add new entries to the collection.

An important use of lockItem is implemented in applicationHost.config. If you examine the <modules> section, you’ll notice that modules are added with lockItem set to “true.” This means that if IIS 7.0 encounters a <clear> or <remove> in a web.config or location tag that references the locked module, you will get a locking error. These locks are enabled by default since delegation is enabled for modules in order to permit .NET applications to add modules, a feature that is quite common. However, by delegating the modules section, it is also possible to remove modules in web.config. This could allow a user to inadvertently create an insecure or nonfunctional configuration. To prevent this from occurring, while at the same time ensuring maximum compatibility with .NET, modules are declared with lockItem specified as true.

Video tutorials
- How To Install Windows 8

- How To Install Windows Server 2012

- How To Install Windows Server 2012 On VirtualBox

- How To Disable Windows 8 Metro UI

- How To Install Windows Store Apps From Windows 8 Classic Desktop

- How To Disable Windows Update in Windows 8

- How To Disable Windows 8 Metro UI

- How To Add Widgets To Windows 8 Lock Screen

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010
programming4us programming4us