While working on a project today I got a bit frustrated. Instead of having one security setting per node in the conceptual tree that a web server in effect is, thus allowing people to actually configure authorizations to the allow the least possible and still run the applications, there are six hundred and fifty nine separate places to configure access usually meaning that in the initial phase people run everything as Enterprise Administrators, from the web site identity down to the least possible scriptlet just to get something up on the screen when you test the app on your own box. If you insist that ‘but we need to make the websites impossible to configure, otherwise there is no security’, at least provide me with a big fat ‘Make it so’ button that allows me to ensure that, say, an AD group that should be allowed to look at a web site, by me having pressed the Patrick Stewart-button while the group was selected, they would actually be able to see the web content without any error 500.x/ 403.x because a .config file had the wrong permission sets way back somewhere. I love low permission worker process identities, but please configure them automagically through the admin tools. The problem is other people and viruses messing with the websites, Making them impossible to configure isn’t exactly helping people to lower security settings. Just don’t leave the server open for attacks in the first place so that other people than me get to configure my server and you’ll see that security will be just fine.
OF course, once I calmed down I realized there are ways of dealing with the frustration, especially with IIS7.0 and I should at least share this link.