|Important||This document may not represent best practices for current development, links to downloads and other resources may no longer be valid. Current recommended version can be found here.|
How to: Lock ASP.NET Configuration Settings
By default, ASP.NET configuration files that are located in subdirectories override and extend configuration settings that are declared in parent configuration files. In application hosting scenarios, you might want to lock some settings of an ASP.NET application to prevent modification at lower levels. For example, you can lock the security settings for hosted applications to help prevent administrators from inadvertently changing those security settings.
You can lock configuration settings in ASP.NET configuration files (Web.config files) by adding an allowOverride attribute to a location element and setting the allowOverride attribute to false. Then within the location element, you can define the configuration section that you want to lock. ASP.NET will throw an exception if another configuration file attempts to override any configuration section that is defined within this locked location element.
Using a location element with an allowOverride=false attribute locks the entire configuration section. You can also lock individual configuration elements and attributes using lockItem, lockElements, lockAttributes, lockAllAttributesExcept, and lockAllElementsExcept. For more information, see General Attributes Inherited by Section Elements.
The following code example shows part of a Web.config file that locks the trust level of two different ASP.NET applications: application1 and application2. Any attempt to override the configuration settings in the trust configuration section raises a configuration system error.
<configuration> <location path="application1" allowOverride="false"> <system.web> <trust level="High" /> </system.web> </location> <location path="application2" allowOverride="false"> <system.web> <trust level="Medium" /> </system.web> </location> </configuration>