Given a server's only role is to be a webserver, and the server is only for hosting dedicated applications; there is no kind of colocation / user-manageable websites.
Is there really any purpose to applicationHost.config settings of overrideModeDefault="Deny"?
Would there be any reasons that replacing all Deny with Allow would be a bad idea?
To quote the docs, the overrideModeDefault="Deny" attribute is generally used to deny changes to configuration settings that:

Even in an environment where your server (public facing) is dedicated to running your own applications, it's generally good practice to not allow changes to these settings. The reason being that if your site is hijacked it can't be further subverted by allowing attackers to add their own ISAPI filters or tinker with other critical settings in a site's web.config file.

Another reason is where you have developers (who are not server admins) who may not understand the implications of casually overriding a setting to get something to work in a site's web.config, which may affect the overall performance and security of the server.

If you have full control over the server then it's still better to keep these changes restricted to applicationHost.config rather than allow them to be set willy-nilly in site web.config files. The server admin team then become the gatekeepers of any changes that might need to be applied for a particular site.
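
One way for the admin team to see what is currently delegated, as an added example that is not part of the original answer: the Python sketch below reads an applicationHost.config and lists every section a site's web.config may override, either through its default or through a `<location overrideMode="Allow">` block. The sample XML, the site name `ExampleSite` and the function names are constructed for illustration, and an omitted `overrideModeDefault` is assumed to mean Allow.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real server's applicationHost.config.
SAMPLE = """<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="isapiFilters" overrideModeDefault="Deny" />
      <section name="handlers" overrideModeDefault="Deny" />
      <section name="defaultDocument" overrideModeDefault="Allow" />
      <section name="directoryBrowse" />
      <sectionGroup name="security">
        <section name="ipSecurity" overrideModeDefault="Deny" />
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <location path="ExampleSite" overrideMode="Allow">
    <system.webServer><handlers /></system.webServer>
  </location>
</configuration>"""


def declared_sections(node, prefix=""):
    """Yield (section path, default override mode) from <configSections>."""
    for child in node:
        path = prefix + child.get("name", "")
        if child.tag == "sectionGroup":
            yield from declared_sections(child, path + "/")
        elif child.tag == "section":
            # An omitted overrideModeDefault is treated as Allow (assumption).
            yield path, child.get("overrideModeDefault", "Allow")


def delegated(xml_text):
    """List (section, site path, reason) that web.config may override."""
    root = ET.fromstring(xml_text)
    modes = dict(declared_sections(root.find("configSections")))
    found = [(p, "*", "default") for p, m in modes.items() if m == "Allow"]
    for loc in root.findall("location"):
        if loc.get("overrideMode") != "Allow":
            continue
        # Elements under an unlocked <location> that match a declared
        # section are delegated for that path only.
        stack = [(c, c.tag) for c in loc]
        while stack:
            node, path = stack.pop()
            if path in modes:
                found.append((path, loc.get("path", ""), "location"))
            stack.extend((c, path + "/" + c.tag) for c in node)
    return sorted(found)
```

Running `delegated()` over the server's own file gives a short list to review before and after any change from Deny to Allow.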