Web Hosting with IIS and ASP.NET

Re: Allowing Full Trust for a specific IIS web site

OWScott — Fri, 04 Jan 2008 23:33:44 GMT

Hi Antony,

Yes, you're correct. That is just the website name in IIS. In theory it could be confused since IIS6 doesn't enforce site name uniqueness, (in fact, the metabase property is called ServerComment which doesn't even sound like a name of a site) but most people don't have duplicate site names for their own sake.

You can set it up subfolder too if you want, for example path="Site.com/subfolder".

Thanks,

Scott

Re: Allowing Full Trust for a specific IIS web site

WEBPC — Fri, 04 Jan 2008 20:05:38 GMT

Scott

thanks for the info. Just to make sure I am on the right path. Am I right in thinking that "Default Web Site" in the

OWScott:
<location allowOverride="false" path="Default Web Site">

line refers to the site description in IIS and would work for any of the other site descriptions?

I am aware of the security implications but thanks for clarifying them.

Antony

Re: Allowing Full Trust for a specific IIS web site

Tareq — Fri, 04 Jan 2008 18:28:39 GMT

Cool Learned something new today.

Re: Allowing Full Trust for a specific IIS web site

OWScott — Fri, 04 Jan 2008 18:15:42 GMT

Actually, even running the app pool as Local System won't get around CAS. This is an ASP.NET code level check that isn't controlled by the process identity.

To change it, you must change it in the root web.config file. But there are 2 considerations to be mindful of:

Giving some people full trust violates the trust of the whole server, unless you and everyone else on the server trust them. For example, you can set to full trust for your own admin site, but if you do it just because someone's site doesn't work in partial trust, that person now has access to get around the CAS security check which defeats the purpose of CAS. So, for CAS to work properly, it needs to apply to everyone, not just some people.
Every time you 'touch' web.config, an AppDomain recycle will occur on the entire server, so all InProc session state and caching will be lost and you'll have many slow first-page-loads. So, the change has a large impact on the server.

But, that said, if you decide to do it, here is how:

In your root web.config, under the <configuration> level, add something like this:

This will apply to just the site set in the path attribute and can be set to any of the security policies defined, or Full, as in this example.

Thanks,

Scott

Re: Allowing Full Trust for a specific IIS web site

WEBPC — Fri, 04 Jan 2008 18:13:11 GMT

Tareq,

thanks for the response. We run each site/app in their own application pool using individual user accounts and don't want to run them with a high level account.

I believe that we can do what we want by adding entries to the machine web.config, I just don't know the entries.

Antony

Re: Allowing Full Trust for a specific IIS web site

Tareq — Fri, 04 Jan 2008 18:02:11 GMT

I believe you can do this in IIS. Create a new application pool in IIS run it under local System. Warning: this is the highest level of permission you can give a website. Then you can go to your website from IIS and change the application pool to the one you just created. Hope this help you.

Good Luck

Tareq

Allowing Full Trust for a specific IIS web site

WEBPC — Fri, 04 Jan 2008 17:52:54 GMT

In our enviroment we have set the .Net trust level to 'Medium' and set override=False.

Now we want to allow some specific sites to run at full trust without every site owner being able to override the default medium level. How can I do this? Would assume it involve some additional entries in the machine web.config file.

TIA

Antony