overrideModeDefault and allowDefinition attributes
Published Dec 20 2018 12:11 PM
Microsoft

There are two attributes that come in handy if you want to enforce application settings in IIS: overrideModeDefault and allowDefinition. If your users try to override settings when these attributes are used, they may see HTTP Error 500.19.

 

overrideModeDefault attribute

Example: If you don’t want anybody to change the default document in your IIS, set the overrideModeDefault attribute in applicationHost.config as in the example below.

 

<sectionGroup name="system.webServer">
    <section name="defaultDocument" overrideModeDefault="Deny" />
</sectionGroup>

 

If an application owner tries to set the default document in a web.config file, this error message will be displayed:

 

HTTP Error 500.19 – Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.

 

This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

 


 

If you try to change the default document in IIS Manager, you will receive this error message:

 

There was an error while performing this operation.

 

This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

 


 

allowDefinition attribute

Use the allowDefinition attribute if you want to specify which configuration files can edit which tags.

For instance, if you want to allow server-level configuration and deny application-level configuration, here is the setting that should go in your applicationHost.config file:

 

<sectionGroup name="system.webServer">
    <section name="defaultDocument" overrideModeDefault="Allow" allowDefinition="MachineToWebRoot" />
</sectionGroup>

 

When an application owner tries to set the default document in a web.config file, the error message below will appear.

 

Configuration section can only be set in machine.config or root web.config

 


 

This error is displayed because we specified MachineToWebRoot in the allowDefinition attribute. It means that only machine.config, applicationHost.config, and the root web.config file (the one in the same folder as machine.config) can override this setting.

 

Here are the other values for the allowDefinition attribute:

 

“Everywhere”

The section can be defined in any configuration level. The default value.

“MachineToApplication”

The section can be defined in the Machine.config or ApplicationHost.config file.

“MachineOnly”

The section can be defined only in the Machine.config file.

“MachineToWebRoot”

The section can be defined in the Machine.config, ApplicationHost.config, or Web.config file. The Web.config file is stored in the Web site root.

“AppHostOnly”

The section can be defined only in the ApplicationHost.config file.
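
A pre-deployment check for both attributes, as an added example that is not from the original post: it reads the section declarations from an applicationHost.config and reports which sections of an application's web.config would be rejected. Both XML documents are constructed samples, the function names are this example's own, and locks set through location tags (overrideMode) are not evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real server's file): declarations under <configSections>.
APPHOST = """<configuration><configSections>
  <sectionGroup name="system.webServer">
    <section name="defaultDocument" overrideModeDefault="Deny" />
    <section name="directoryBrowse" overrideModeDefault="Allow" allowDefinition="MachineToWebRoot" />
    <sectionGroup name="security">
      <section name="requestFiltering" />
    </sectionGroup>
  </sectionGroup>
</configSections></configuration>"""
# Constructed application-level web.config to check before it is deployed.
WEBCONFIG = """<configuration><system.webServer>
  <defaultDocument><files><add value="home.html" /></files></defaultDocument>
  <directoryBrowse enabled="true" />
  <security><requestFiltering /></security>
</system.webServer></configuration>"""
# allowDefinition values that exclude an application's web.config.
# Assumption of this example: MachineToApplication reaches the application root, so it is not listed.
HOST_LEVEL_ONLY = {"MachineOnly", "MachineToWebRoot", "AppHostOnly"}

def declared_sections(apphost_xml):
    """Map 'group/section' path -> (overrideModeDefault, allowDefinition)."""
    found = {}
    def walk(node, prefix):
        for child in node:
            path = prefix + [child.get("name")]
            if child.tag == "sectionGroup":
                walk(child, path)  # section groups can nest
            elif child.tag == "section":
                # Missing attributes fall back to the defaults: Allow / Everywhere.
                found["/".join(path)] = (child.get("overrideModeDefault", "Allow"),
                                         child.get("allowDefinition", "Everywhere"))
    walk(ET.fromstring(apphost_xml).find("configSections"), [])
    return found

def rejected_sections(apphost_xml, webconfig_xml):
    """Return {section path: reason} for sections the web.config may not set."""
    root = ET.fromstring(webconfig_xml)
    rejected = {}
    for path, (mode, scope) in declared_sections(apphost_xml).items():
        if root.find(path) is None:
            continue  # the web.config does not touch this section
        if mode == "Deny":
            rejected[path] = 'overrideModeDefault="Deny"'
        elif scope in HOST_LEVEL_ONLY:
            rejected[path] = f'allowDefinition="{scope}"'
    return rejected
```

Calling rejected_sections(APPHOST, WEBCONFIG) on the samples flags defaultDocument and directoryBrowse and leaves requestFiltering alone.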
