
ASP.NET MVC and IIS7 Security

Right now the experimental goal is to keep IIS7 in a ‘default state’ as much as possible. This means that:

  • Anonymous authentication is enabled

  • ASP.NET Impersonation is disabled

  • Windows Authentication is disabled

It should then be possible to have the ASP.NET MVC application control security levels by:

  • Turning on Windows (NTLM) Authentication by setting `<authentication mode="Windows" />` under `<system.web>` and applying the `[Authorize]` attribute on Controller definitions. This appears to be working.

  • Turning on ASP.NET Impersonation by setting `<identity impersonate="true" />` under `<system.web>`. This also appears to be working.
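An added example (not code from the original post) that makes the two settings above observable: `[Authorize]` on its own admits any authenticated user, `Roles` narrows it, and the action reports which Windows token the application code actually runs under, which is the quickest check of whether `<identity impersonate="true" />` is in effect. The controller name and the group name are placeholders.

```csharp
// Added example, not from the original post. Assumes ASP.NET MVC on IIS7 with
// Anonymous authentication left enabled in IIS and the root web.config carrying:
//
//   <system.web>
//     <authentication mode="Windows" />
//     <identity impersonate="true" />
//   </system.web>
//
// The controller name and the role (group) name are placeholders.
using System;
using System.Security.Principal;
using System.Web.Mvc;

public class WhoAmIController : Controller
{
    // Default [Authorize]: any caller with User.Identity.IsAuthenticated == true passes.
    // An anonymous request gets a 401, which is what makes IIS negotiate NTLM/Kerberos.
    [Authorize]
    public ActionResult Index()
    {
        return Content(Describe(), "text/plain");
    }

    // Narrower than the default: the caller must also belong to the named Windows group.
    [Authorize(Roles = @"DOMAIN\AppAdmins")]   // placeholder group name
    public ActionResult Admin()
    {
        return Content(Describe(), "text/plain");
    }

    // Reports the token the application code is executing under.
    // With impersonation on, WindowsIdentity.GetCurrent() is the request user's token
    // (or IUSR for an anonymous request); with it off, it is the application pool identity.
    private string Describe()
    {
        string requestUser = User.Identity.Name;
        string threadUser = WindowsIdentity.GetCurrent().Name;
        bool impersonating = string.Equals(requestUser, threadUser, StringComparison.OrdinalIgnoreCase);

        return "Request user:  " + requestUser + Environment.NewLine
             + "Thread token:  " + threadUser + Environment.NewLine
             + "Impersonating: " + (impersonating ? "yes" : "no (running as the app pool identity)");
    }
}
```

Remember that with impersonation on, the impersonated account must have read/write access to the "Temporary ASP.NET Files" directory, as the MSDN note below points out.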

“[[Authorize] and NTLM in ASP.Net MVC](http://stackoverflow.com/questions/853572/authorize-and-ntlm-in-asp-net-mvc)” Johannes Setiabudi: “`[Authorize]` by default will only look for `IsAuthenticated` flag. So yes, applying `[Authorize]` without additional [parameters] will allow all logged in users.”

“[An Overview of Authentication and Authorization Options in ASP.NET](http://aspnet.4guysfromrolla.com/articles/031204-1.aspx)” Nandini Venugopalan: “IIS allows anonymous access by default and hence requests are automatically authenticated. However, this can be overridden for each application within IIS.”

“[ASP.NET Impersonation](http://msdn.microsoft.com/en-us/library/xh507fc5%28VS.71%29.aspx)” “Impersonation is disabled by default. For ASP compatibility, the user must explicitly enable impersonation. If impersonation is enabled for a given application, ASP.NET always impersonates the access token that IIS provides to ISAPI extensions. That token can be either an authenticated user token, or the token for the anonymous user (such as `IUSR_MACHINENAME`). The impersonation occurs regardless of the type of authentication being used in the application.”

“Only application code is impersonated; compilation and configuration are read as the process token. The result of the compilation is put in the ‘Temporary ASP.NET files’ directory. The account that is being impersonated needs to have read/write access to this directory.”

“[ASP.NET MVC and two Web.config files](http://stackoverflow.com/questions/517086/asp-net-mvc-and-two-web-config-files)” David Tischler: “…settings should go into the `web.config` at the application root. The `web.config` in the views folder is there to block direct access to the view `aspx` pages which should only get served through controllers.”

“[IPrincipal (User) ModelBinder in ASP.NET MVC for easier testing](http://www.hanselman.com/blog/IPrincipalUserModelBinderInASPNETMVCForEasierTesting.aspx)” This one jumps off topic a bit—but I still got great legs!

“[IModelBinder or IOC in ASP.NET MVC?](http://stackoverflow.com/questions/1510856/imodelbinder-or-ioc-in-asp-net-mvc)” This is my little stackoverflow.com question. The answer leads to… IoC.

rasx()