how to set enableVersionHeader to false globally on IIS7 - asp.net

I've got several dozen sites that I wish to lock down running ASP.Net and part of the job is to turn off the bloody headers (saying what version of ASP.Net is running). This involves going to each and every web.config file and setting <httpRuntime enableVersionHeader="false" />
.
Is there any way to do this globally? The machine.config(s) , 4 in all, in IIS7 does not support enableVersionHeader="false" in the same httpRuntime tag.
Is there a special tag or section for this in the machine.config?
I wanted to add that <deployment retail="true" /> is another recommendation, but attempting to put that in the machine.config (under system.web) results in an error as well. (any ideas?)
Right now, I'm just going to put these in the web.configs, but it would be nice if MS would have this PCI mandatory feature inside IIS (a single typo in .config files can take a site or the entire server down - with such a popular request, you'd think they'd put this in the GUI!!!)

machine.config should have a webServer section and you should be able to set it there.
"You will need to add this configuration setting to each Machine.Config file inside the section.
<system.web>
<httpRuntime enableVersionHeader="false" />
.....
</system.web>
"
Reference: here

Since the enableHeader is FALSE it doesn't have to be mentioned at all.
Remove the entire element <httpRuntime enableVersionHeader="false" /> and try again

Related

Is "management" section not allowed in web.config?

I'm trying to add users to IIS Manager via web.config, but whenever I add the following lines, the web site stops working and says web.config is not valid.
The web site works if I add those lines in administration.config, but I like to keep the scope small by sticking with web.config.
<system.webServer>
<management>
<authorization defaultProvider="ConfigurationAuthorizationProvider">
<authorizationRules>
<scope path="/MyApp">
<add name="domain\user" />
</scope>
</authorizationRules>
</authorization>
</management>
</system.webServer>
A simple Google search can answer your question.
IIS Management element
From that page:
Note: The settings in the management element can only be configured in the Administration.config file.

Large file uploading

I want to upload a large file in asp.net app of visual studio 2010. But I have got connection reset error. How can I solve it? Thanks.
P.S I have changed the requestlimited in the webconfig which is not to be make any effect.
It's a security setting to limit the size of the request. It's a setting called RequestMaxLength in web config. I believe the default is 3 or 4 MB... An asp.net file upload will be limited by the number defined in this setting (any request for that matter).
<configuration>
<system.web>
<httpRuntime maxRequestLength="4096" executionTimeout="1200" />
</system.web>
</configuration>
It's not wise to make this a very large number because it exposes you to DOS attack since someone could just flood your server with huge files. There is also an executionTimeout property that might have to be set as well

Nested ASP.NET 'application' within IIS inheriting parent config values?

I currently have 2 x ASP.NET 3.5 web applications in IIS7 (lets call them WebParent and WebChild).
WebChild is nested within the WebParent listing in IIS7 and is set up as an application (rather than just a virtual directory within WebParent). Both currently use their own (Classic) application pool.
Both WebParent and WebChild have their own fully defined web.config files in their own root directories.
I had assumed that seeing as WebChild is defined as an 'Application' within IIS, that it would not inherit anything from the WebParent configuration file. However, despite this configuration, I am seeing errors related to various elements within the web.config already being defined (which is correct, there are a couple items that are in both config files, but I thought they should be treated completely independently from one another)?
Can anyone please clarify why this might be occurring?
The exact solution to your problem will depend on what configuration exception message you are seeing. However, this is a typical problem that can often be solved through use of the inheritInChildApplications attribute on the location element in the web.config for "WebParent". By wrapping the entire system.web section in a location element as follows, you should be able to eliminate the problem you described:
<location path="." inheritInChildApplications="false">
<system.web>
<!-- ... -->
</system.web>
</location>
With IIS 7, you will also want to wrap the system.WebServer section the same way:
<location path="." inheritInChildApplications="false">
<system.webServer>
<!-- ... -->
</system.webServer>
</location>
This solution is based on an excellent blog article that I found here.
If they are repeated, you'll have to <remove/> then in the child application web.config first, then add back the element you'd like it it's place. This is assuming that you'd like to have a different value. If you don't, then just omit the element. A connection string would be a good example of something that is likely common for all applications - so you only need to specify it in the root.
Example:
<siteMap defaultProvider="AdminSiteMapProvider" enabled="true">
<providers>
<remove name="AdminSiteMapProvider"/>
<add name="AdminSiteMapProvider" description="Admin SiteMap provider" type="System.Web.XmlSiteMapProvider" siteMapFile="~/App_Data/admin.sitemap" securityTrimmingEnabled="true" />
</providers>
</siteMap>
I think the inheritInChildApplications="false" is good for cases where you still want to inherit some part of the configuration from the parent.
In cases where you want to completely stop inheritance (as in this case if I'm correct), I'd suggest to use 2 separate application pools for the 2 apps and then apply a not very well documented setting in the applicationHost.config file as I explained in this question “Entry has already been added” - Two Separate App Pools
<add name="MyAppPool" autoStart="true" managedRuntimeVersion="v4.0" managedPipelineMode="Integrated" enableConfigurationOverride="false">
<processModel identityType="NetworkService" />
</add>
Follow Scott's advise and also ensure that you have right clicked WebChild in IIS and selected Convert to Application.

ASP.NET 3.5 application with multiple web.config files (IIS 7)

We are working on a web application that creates more web applications.
Each web application will have to get a Url Rewrite rule (URL REWRITE MODULE 2.0).
As far as I know, there's no way to add such rules without modifying the web.config file (am I right??).
So my plan was to work with multiple web.config partial files. One main .config file, and lots of .config files per application (every file will contain it's web application url rewrite rules).
This way sounds a little bit messy, but I can't think of anything else, and suggestions will be welcomed.
So is it possible to use very-multiple web.config files for the root application?
Thanks in advance, Gal.
This following Tag will do the trick.
The absence of this tag was the main reason for my problem when i using with two web.config files for my two different application running in my website.
**<location path="." inheritInChildApplications="false">**
<system.web>
<!-- ... -->
</system.web>
**</location>**
Every application must have a full web.config and not partial, exept if you go with net 4
The trick is to use a lot the remove command on the other inside web.config and remove the parents setting that must not used on this.
For example if on the main root you have the a module that you do not won to use it on the other trees, you use the remove command on all other web.config to remove it. Especial the modules that are on one Bin and not on an other directory bin.
<httpModules>
<remove name="TheHttoModuleNotNeedHere" />
<remove name="AnonymousIdentification" />
... add here your other modules for that directory...
</httpModules>
The remove command is working for almost all sessions on config.
You can do make it work, I have done it, but its a lot of work to find all the conflicts/unnecessary configs and remove it.
For some other session there also the clear command. For example on role Manager you can clear all and add new.
<roleManager enabled="true" ...>
<providers>
<clear />
<add name="MyName" ... type="System.Web.Security.SqlRoleProvider" />
</providers>
Hope this help as tips to make it work.

Disabling themes in a subdirectory with ASP.NET

This should be a simple one. I am using a program that has themes defined in its Web.config file. I want to turn these off for a subdirectory.
I copied Web.config into a subdirectory and tried removing the theme attribute from the pages element on Web.config but that didn't get me anywhere. I got a bunch of errors about elements that are apparently not allowed in non-root Web.config files so I removed all of those elements, but I am still getting the same error.
I tried adding EnableTheming="False" in the ASPX Page header, the thing that defines Language=C#, etc., but it didn't work either.
So if someone can tell me a tested, confirmed way to make this work, I would appreciate that. I am using .NET Framework 2.0 on Server 2003.
Got it with a very basic Web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<pages theme="" />
</system.web>
</configuration>

Resources