Locking Configuration Settings

By default, configuration files located in subdirectories override and extend all configuration settings defined in parent configuration files. In application hosting scenarios, administrators often want to lock or make some settings on a site unchangeable to prevent modification. For example, an administrator might want to lock the sandbox security settings for hosted applications to reduce the risk of attacks on the system.

Administrators can lock configuration settings by adding an allowOverride="false" attribute to a <location> directive. This tells the configuration system to throw an error if a lower-level configuration file attempts to override any configuration section defined within this locked <location> directive.

The following configuration file example (which could be stored at either the main system level or at the site level) locks the trust level of two different ASP.NET applications (application1 and application2).

<configuration>
   <location path="application1" allowOverride="false">
      <system.web>
         <trust level="High"/>
      </system.web>
   </location>
     
   <location path="application2" allowOverride="false">
      <system.web>
         <trust level="Medium"/>
      </system.web>
   </location>
</configuration>

Any attempt to override the configuration settings in the preceding example by the configuration settings in the following example would generate a configuration system error.

<configuration>
   <system.web>
      <trust level="Full"/>
   </system.web>
</configuration>

See Also

ASP.NET Configuration | Configuring Applications