I have just read an interesting article. Basically it says you should fine-tune IIS settings for every application in 2 ways:
- handler mappings – remove all unused by application
- modules – remove all unused by application
Well, I have developed ASP.NET for some time now, even at work, and we have never ever done this in a production environment, AFAIK. I understand the theoretical advantages presented – minimizing the “surface” of the application (security), and improving performance. But I am really curious whether you do this in real life (real projects for your customers, not proof-of-concept projects). What are the downsides of this (maintainability maybe)? And the most important question – is it worth it? Is, for example, the performance gain even visible?
In addition, if you consider this a good practice, please present some good and consistent way (or point me to a tutorial) showing how exactly you do this process – how you decide what stays and what to remove.
For example, what is the minimal but working set for an ASP.NET MVC 3 application which uses custom authentication (session based, not relying on Forms auth, Windows auth etc.), no webservices and similar features?
EDIT
I have found this article: http://madskristensen.net/post/Remove-default-HTTP-modules-in-ASPNET.aspx
In it, Scott Guthrie says:
In general you can get some very small performance wins using this approach – although I’d probably recommend not doing it. The reason is that some features of ASP.NET (forms auth, roles, caching, etc) will of course stop working once you remove the modules they depend on. Trying to figure out why this has happened can often be confusing.
But still no measurements or practices (I am not really convinced by the “you can be surprised later” argument 🙂
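The failure mode in the quote above (a feature silently stops working because its module was removed) can be checked before deployment. The following is an added example, not part of the original post: a small Python audit of a web.config. The feature-to-module mapping is a simplified assumption covering three default ASP.NET modules, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

def _attr(web, tag, attr):
    """Lower-cased attribute of a <system.web> child, or '' when absent."""
    node = web.find(tag) if web is not None else None
    return (node.get(attr, "") if node is not None else "").lower()

# (module name, feature, "is the feature in use?"); simplified, assumed mapping.
FEATURES = [
    ("FormsAuthentication", "forms authentication",
     lambda w: _attr(w, "authentication", "mode") == "forms"),
    ("RoleManager", "role manager",
     lambda w: _attr(w, "roleManager", "enabled") == "true"),
    ("Session", "session state",  # on by default unless mode="Off"
     lambda w: _attr(w, "sessionState", "mode") != "off"),
]

def module_state(root):
    """Apply <clear/>, <remove>, <add> under <modules> in document order."""
    cleared, removed, added = False, set(), set()
    for child in root.findall("./system.webServer/modules/*"):
        name = child.get("name", "")
        if child.tag == "clear":
            cleared, removed, added = True, set(), set()
        elif child.tag == "remove":
            removed.add(name)
            added.discard(name)
        elif child.tag == "add":
            added.add(name)
            removed.discard(name)
    return cleared, removed, added

def audit(config_xml):
    """Return one finding per feature still in use whose module is gone."""
    root = ET.fromstring(config_xml)
    cleared, removed, added = module_state(root)
    return [f"{feature} is in use but module '{module}' is removed"
            for module, feature, in_use in FEATURES
            if (module in removed or (cleared and module not in added))
            and in_use(root.find("system.web"))]

# Constructed sample web.config, not taken from the page.
SAMPLE = """<configuration>
  <system.web><authentication mode="Forms" /><roleManager enabled="false" /></system.web>
  <system.webServer><modules>
    <remove name="FormsAuthentication" /><remove name="RoleManager" />
    <remove name="Session" /><add name="Session" type="System.Web.SessionState.SessionStateModule" />
  </modules></system.webServer>
</configuration>"""
```

Calling `audit(SAMPLE)` reports only forms authentication: the role manager is disabled, so removing its module is harmless, and `Session` is removed and then re-added.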
For what it’s worth, Security Best Practices for IIS 8 has this:
IIS Modules Overview also has an IIS modules reference with a section called ‘Potential issues when removing this module’ for each module. For example, if the DefaultAuthentication module is removed: