Bryan Sullivan has written an excellent article describing the various secure configuration options in .NET's Web.config file. If you write ASP.NET applications be sure to check this out.

"Some enlightened software architects and developers are becoming educated on these threats to application security and are designing their Web-based applications with security in mind. By "baking in" application security from the start of the development process, rather than trying to �brush it on� at the end, you are much more likely to create secure applications that will withstand hackers' attacks.

However, even the most meticulous and security-aware C# or VB.NET code can still be vulnerable to attack if you neglect to secure the Web.config configuration files of your application. Incorrectly configured Web-based applications can be just as dangerous as those that have been incorrectly coded. To make matters worse, many configuration settings actually default to insecure values.

This article lists five of the �worst offenders� of misconfigurations of application security that are universally problematic for all ASP.NET Web-based applications."

Article Link: http://www.securitypark.co.uk/article.asp?articleid=26905&CategoryID=1