4 | EPiServer Operator's Guide

/Web.Config    Read/write    Used to be able to save system settings.

Internet Information Server (IIS)

Authentication

The authentication mechanism you choose in IIS depends on the authentication you use in ASP.NET. If you use forms authentication, as we recommend, you should only allow Anonymous access, as IIS is then not responsible for authentication.

If you use Windows authentication in ASP.NET, you should configure IIS for Basic Authentication or Integrated Authentication. Integrated Authentication cannot normally be used across firewalls, which is why it is normally only an alternative for intranets.

Refer to the white paper "Security in EPiServer" for a more detailed description, including the advantages and disadvantages of the various authentication mechanisms.

Directory Settings

EPiServer 4 is a pure ASP.NET application and does not require any settings other than the standard ones. It is, however, advisable to secure directories so that certain file types are not allowed in certain directories. The ground rule is to allow only Read permission in directories with downloadable files, such as images, and only Script permission in directories with script files, e.g. ASP.NET files. That way the code can only be executed, not read. One exception is that IIS 5.0 requires Read permission on a directory for a default document, e.g. default.aspx, to work.
This mainly applies to the admin, edit and root directories. Our recommendations for directory settings can be found in the table below (the X marks are given in the column order of the header; Permissions is the last column):

Directory                Read / Write / Log access / Directory browsing allowed / Index this directory    Permissions
/                        X X X                                                                          Script
Admin                    X X                                                                            Script
admin/Download           X                                                                              None
Edit                     X X                                                                            Script
Help                     X X                                                                            None
Images                   X X                                                                            None
Lang                     X                                                                              None
Styles                   X X                                                                            None
Util                     X                                                                              Script
Util/activex             X X                                                                            None
Util/flash               X X                                                                            None
Util/help                X X                                                                            None
Util/images              X X                                                                            None
Util/javascript          X X                                                                            None
Util/styles              X X                                                                            None
Util/temp                X                                                                              None
Util/portalframeworks    X                                                                              None
templates                X                                                                              Script
Upload                   X X X                                                                          None

Copyright © ElektroPost Stockholm AB - www.episerver.com

Mapping of File Types and Error Pages

EPiServer uses a customized error page for "404 Not Found" to handle requests for directories that exist only in EPiServer and not in the file structure. The page specified here is /Util/NotFound.aspx by default. This is not a requirement; the mapping can point to any ASP.NET page without disturbing EPiServer's functionality.

Document Security

By default, all uploaded files are publicly available to visitors, i.e. there is no access check and no dependence on the page's publication status. This is because the files are delivered directly by IIS and not via EPiServer. This is acceptable in most cases, that is, if you do not work with sensitive information (e.g. on an extranet) or with information that may not be publicly available before the publication date.

It is possible to configure uploaded files to be managed by EPiServer instead, so that you can set access rights on directories directly from file management in Edit mode. You can also configure a page's directory to inherit the same access rights as the page, so that documents do not become available before the page does. EPiServer's file functions are called Unified File System, and the configuration is described in detail in the Technical note "Unified File System".

When Unified File System is set up, all files are moved to a protected directory in the operating environment that is not publicly reachable from the Internet. All links that, for example, point to upload will continue to work, as EPiServer takes over all file access to this directory and handles access control.
It is possible, for example, to give certain editors rights to change files in certain directories, or to give only extranet users access to a particular directory.

ASP.NET Configuration

This chapter focuses on some important points concerning the general operation of the ASP.NET environment, some of which relate to EPiServer.

Sessions

EPiServer does not use sessions, neither in Edit nor in Admin mode. If the templates on the Web site do not use sessions either, you can deactivate them so as not to consume server resources unnecessarily. Do this by setting the mode attribute to "off" in the sessionState element of web.config. See Microsoft KB Q306996 for more detailed instructions.

If a Web site stores information that is critical to the company in sessions, e.g. a shopping basket on a shopping site, you should consider not storing sessions in the ASP.NET process, which is the default. You can instead isolate session handling in a state server or in a database. See Microsoft KB Q311209. The advantage is that session information is not lost when ASP.NET or IIS restarts. The disadvantage is that these options negatively affect performance.
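As an added example (not part of the operator's guide or of EPiServer itself), the following script reads a web.config and reports the two settings discussed above, the ASP.NET authentication mode and the sessionState mode, together with the operational consequence the guide describes for each. The sample web.config is constructed for the example; the element names and the ASP.NET defaults ("Windows" and "InProc") are the standard ones.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config, not taken from a real EPiServer installation.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="EPiServerLogin" loginUrl="Util/login.aspx" />
    </authentication>
    <sessionState mode="InProc" cookieless="false" timeout="20" />
  </system.web>
</configuration>
"""


def audit_web_config(xml_text):
    """Return a list of (setting, value, advice) tuples for the ASP.NET
    authentication mode and the sessionState mode found in web.config."""
    root = ET.fromstring(xml_text)
    findings = []

    # ASP.NET 1.x defaults to Windows authentication when the element is absent.
    auth = root.find("./system.web/authentication")
    mode = auth.get("mode", "Windows") if auth is not None else "Windows"
    if mode == "Forms":
        advice = "IIS should allow Anonymous access only; ASP.NET performs the authentication"
    elif mode == "Windows":
        advice = "IIS must use Basic or Integrated authentication (Integrated rarely works across firewalls)"
    else:
        advice = "Not covered by the guide; review separately"
    findings.append(("authentication.mode", mode, advice))

    # sessionState defaults to InProc, i.e. sessions live in the ASP.NET process.
    session = root.find("./system.web/sessionState")
    smode = session.get("mode", "InProc") if session is not None else "InProc"
    if smode == "Off":
        advice = "Sessions disabled; fine as long as the templates do not use them"
    elif smode == "InProc":
        advice = "Session data is lost when ASP.NET or IIS restarts; use StateServer or SQLServer for business-critical data"
    else:
        advice = "Out-of-process sessions survive restarts at some cost in performance"
    findings.append(("sessionState.mode", smode, advice))
    return findings


if __name__ == "__main__":
    for setting, value, advice in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{setting} = {value}: {advice}")
```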