4

I have a Windows 2008 R2 server with IIS7.5 installed. I need to provide users with read-write access to some directory tree via WebDAV. The same users will also be able to reach the same directories by other means - FTP, SFTP, CIFS, etc.

My aim: I don't want someone to be able to upload / modify web.config files in the published folders, thus modifying the behavior of IIS. If such a file is created, IIS should simply treat it as any other file.

Is it possible to concentrate all settings for the site in the applicationHost.config or in any other file outside the published tree, and make IIS ignore any additional web.config files?

Thanks!

Cat Mucius

3 Answers

1

Found the relevant setting - it's called `allowSubDirConfig`. It can be specified either in the `virtualDirectoryDefaults` element (for all sites) or in a `virtualDirectory` element, in the applicationHost.config file.

Example:

```xml
<configuration>
    <system.applicationHost>
        <sites>
            <site name="Default Web Site" id="1" serverAutoStart="true">
                <application path="/">
                    <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
                    <!-- web.config files below C:\TempRoot are not read -->
                    <virtualDirectory path="/Temp" physicalPath="C:\TempRoot" allowSubDirConfig="false" />
                </application>
            </site>
            <applicationDefaults applicationPool="DefaultAppPool" />
            <virtualDirectoryDefaults allowSubDirConfig="true" />
        </sites>
    </system.applicationHost>
</configuration>
```

web.config files under the /Temp virtual directory won't be checked.

There are some other ways as well: http://www.sourceinaction.com/blog/web.config-dependencies-for-multiple-asp.net-web-applications

Cat Mucius
  • 3
    Note that this will only make it such that subdirectories are ignored. Virtual directories (those configured as application roots) will still be read - which probably isn't a problem for the original submitter, but it's worth mentioning. – scradam Jun 25 '15 at 19:03
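
An added example, not part of the original answer: a Python audit that computes the effective `allowSubDirConfig` for every virtual directory in an applicationHost.config and lists the ones where uploaded web.config files would still be honored. It assumes the inheritance order sites → site → application → virtualDirectory and the schema default of `true`; the sample XML and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modeled on the answer's example (not a real server's file).
SAMPLE = r"""<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot" />
          <virtualDirectory path="/Temp" physicalPath="C:\TempRoot" allowSubDirConfig="false" />
        </application>
      </site>
      <site name="Uploads" id="2">
        <application path="/">
          <virtualDirectory path="/" physicalPath="D:\dav" />
        </application>
        <virtualDirectoryDefaults allowSubDirConfig="false" />
      </site>
      <virtualDirectoryDefaults allowSubDirConfig="true" />
    </sites>
  </system.applicationHost>
</configuration>"""

def _default(elem, inherited):
    """Value set by elem's own virtualDirectoryDefaults child, else the inherited one."""
    d = elem.find("virtualDirectoryDefaults")  # direct children only
    if d is not None and d.get("allowSubDirConfig") is not None:
        return d.get("allowSubDirConfig").lower() == "true"
    return inherited

def audit(xml_text):
    """Return (site, app path, vdir path, physicalPath, effective allowSubDirConfig) rows."""
    sites = ET.fromstring(xml_text).find("system.applicationHost/sites")
    rows = []
    global_default = _default(sites, True)  # assumption: schema default is true
    for site in sites.findall("site"):
        site_default = _default(site, global_default)
        for app in site.findall("application"):
            app_default = _default(app, site_default)
            for vdir in app.findall("virtualDirectory"):
                raw = vdir.get("allowSubDirConfig")
                effective = app_default if raw is None else raw.lower() == "true"
                rows.append((site.get("name"), app.get("path"), vdir.get("path"),
                             vdir.get("physicalPath"), effective))
    return rows

def exposed(xml_text):
    """Virtual directories where web.config files in subdirectories are still read."""
    return [row for row in audit(xml_text) if row[4]]

if __name__ == "__main__":
    for row in exposed(SAMPLE):
        print("allowSubDirConfig effectively true:", row[:4])
```
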
0

An easy way to prevent users from using WebDav to modify web.config files is by using WebDav Authoring Rules. Just create a rule on top of all others that gives All Users NO Permissions to the web.config files.

Further details: If you enabled and configured WebDav thru the GUI, you already should know that the [WebDav Authoring Rules] is accessed thru an icon on IIS GUI. First you entered that section at the Site level to enable WebDav, then you entered again into the [WebDav Authoring Rules] section at the WebDav folder level to add the rule to give the user/group access to [All files] on this folder. Before entering that rule, you add one that applies only to [web.config] files, [All Users], and you leave all permissions UNchecked. So, the rule is AT THE TOP, and has priority over the one that gives access, so no one can use WebDav to modify web.config files. You can also modify the order of the rules after creation, if needed.

In this page there is a description of how to configure a site for WebDav. I used the GUI method. If you follow that, it's obvious where the section is: https://www.server-world.info/en/note?os=Windows_Server_2019&p=iis&f=9

fsr
  • It sounds like a good solution, but show us the way, else I have to flag it for low quality :-) – djdomi Jul 21 '21 at 04:17
  • Well, [WebDav Authoring Rules] is accessed thru an icon on IIS GUI, and you need to enter that section twice to enable and configure WebDav thru the GUI, so I assumed that it needed no further explanation. I'll add some details to the answer. – fsr Jul 22 '21 at 12:21
0

Have a look at the answer from Anil Ruia here: http://forums.iis.net/t/1161527.aspx?Disable+creating+web+configs+in+each+folder

If you go to applicationhost.config and lock all the sections (overrideModeDefault="Deny"), then IIS manager will write all IIS config settings to applicationhost.config (same for asp.net config setting and root web.config file). Note that this will completely prevent someone from being able to use web.config files to override IIS settings - and they may scream about it.

MichelZ
  • Thanks, @MichelZ, but for some reason this doesn't work: I've set `overrideModeDefault="Deny"` in all entries inside `` , but still web.config files have effect and IIS Manager writes all changes there - even on site level. – Cat Mucius Apr 08 '14 at 07:40