Jul 23 2007

The forgotten config files

Category: Tips and Tricks
JoeGeeky @ 01:51

One of the really great capabilities brought to us by .NET is its configuration architecture. More than ever before, it is really easy to establish and use application, assembly, and web configuration files. Unfortunately, people often forget that .NET uses a cascading configuration architecture. This means there are many levels of configuration that are combined at runtime to define the resulting configuration for your .NET application. The result is usually a combination of your application's configuration file (Ex. App.Config/Web.Config), a central machine-level configuration file (Ex. %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\Machine.Config), and an enterprise configuration file which may be distributed via Active Directory. Understanding the relationships between the different configuration files is important since they all have the potential to affect your product's behavior. In some cases you receive the union of the configuration elements defined at each level, while in others you receive the intersection.

Web applications are affected by another configuration file (Ex. %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\Web.Config) that defines the default behavior of all ASP.NET applications on the machine. This is a good example of a configuration file that affects your application's security and performance. Consider the following extract from it...

<?xml version="1.0" encoding="utf-8"?>
<!-- the root web configuration file -->
<configuration>
  <system.web>
   <httpModules>
    <add name="OutputCache" .../>
    <add name="Session" .../>
    <add name="WindowsAuthentication" .../>
    <add name="FormsAuthentication" .../>
    <add name="PassportAuthentication" .../>
    <add name="RoleManager" .../>
    <add name="UrlAuthorization" .../>
    <add name="FileAuthorization" .../>
    <add name="AnonymousIdentification" .../>
    <add name="Profile" .../>
    <add name="ErrorHandlerModule" .../>
    <add name="ServiceModel" .../>
   </httpModules>
  </system.web>
</configuration>

In the extract above you can see there are a number of modules that run against your application(s) whether you need them or not. Generally speaking, every component you leave enabled increases your attack surface and hampers security.

  • If you are hosting an Internet solution using Forms authentication then you probably don't need the Passport or Windows (integrated) authentication modules. Conversely, if you are hosting an Intranet application using integrated security such as Active Directory then you probably don't need the Passport or Forms authentication modules.
  • If you are not developing Web Parts or using any user profiling support then you can disable the Profile module.
  • If you have developed custom modules to manage authentication cookies or hydrate user principal objects (Ex. HttpContext.Current.User) then you probably don't need the RoleManager module. This is common when you are developing custom authentication/authorization providers and/or creating cross-domain or intra-domain SSO solutions.
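Putting the first two bullets into practice for an Internet-facing Forms authentication site, here is an added example of an application-level Web.config (not from the original post) that trims the inherited module list. The module names are the ones registered in the root Web.config extract above; the login page path is an assumption.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the original post's file: an application Web.config for a
     public site that authenticates with Forms only. Every <add> in the root
     Web.config is inherited through the cascade; <remove> entries here unregister
     the modules this site does not need, so they no longer run on each request. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl is an assumed value for illustration -->
      <forms loginUrl="~/Login.aspx" />
    </authentication>

    <httpModules>
      <!-- Internet site with Forms auth: Windows and Passport are not used. -->
      <remove name="WindowsAuthentication" />
      <remove name="PassportAuthentication" />
      <!-- No Web Parts and no user profiling on this site. -->
      <remove name="Profile" />
      <!-- FormsAuthentication, UrlAuthorization, RoleManager, Session and
           OutputCache are not removed, so they are inherited unchanged.
           An allow-list alternative is to start the section with <clear />
           and then <add> only the modules you have reviewed and need. -->
    </httpModules>
  </system.web>
</configuration>
```

The effective list after the cascade can be confirmed from a diagnostic page by inspecting HttpContext.Current.ApplicationInstance.Modules.AllKeys, which should no longer contain the removed names.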

If you review these files you will find there are a number of configuration elements that many applications don't need (Ex. mobile application support, Web Parts, files, handlers, etc...). If you are concerned about application performance or security, take the time to review these files and make sure you have a good understanding of what is present. Enjoy...

Note: There is an edge case for configuration cascading. In some solutions, like pluggable thick clients, a configuration can be constructed and passed to AppDomains and processes created by your application at runtime.


Comments

1.
Spencer (United States) says:

It's good to see you posting on this topic; I should bookmark this site. Keep up the good work.

2.
Logan Brookshier (United Kingdom) says:

I am really enjoying reading your well written articles. It looks like you spend a lot of effort and time on your blog. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work!

3.
Andreas Ebberts (United Kingdom) says:

This is my first time visiting here. I found so much interesting stuff in your blog, especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the enjoyment here! Keep up the good work.

4.
Joseph Kolassa (United Kingdom) says:

I wanted to thank you for this excellent read!! I definitely loved every little bit of it. I have bookmarked your site to check out the latest stuff you post.

5.
Terry (United States) says:

I admire the valuable information you offer in your articles. I will bookmark your blog and have my children check up here often. I am quite sure they will learn more new stuff here than anywhere else!

6.
kreditt kort (United States) says:

Resources like the one you mentioned here will be very useful to me! I will post a link to this page on my blog. I am sure my visitors will find that very useful.
