The .NET configuration file structure was changed in ASP.NET v.1.1, which resulted
in a severe local exploit. The suggested patch fixes settings in the configuration
file to ensure that customer scripts are executed under the corresponding user account
rather than the built-in System account.
The improved patch performs the following:
Sets the following tag in C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\machine.config
Adds allowDefinition="MachineOnly" to the tag that defines the identity configuration section:
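To verify that second change on a server, the check below reads the declaration of the identity section and reports whether it carries allowDefinition="MachineOnly". It is an added example, not part of the patch: the function names and both XML fragments are constructed, and it assumes the standard machine.config layout in which the declaration is a `<section name="identity">` element inside `<sectionGroup name="system.web">`.

```python
import os
import xml.etree.ElementTree as ET

# Path taken from the text above.
MACHINE_CONFIG = r"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\machine.config"

# Constructed, trimmed fragments (not copied from a real machine.config).
UNPATCHED = """<configuration><configSections>
  <sectionGroup name="system.web">
    <section name="identity" type="(handler type omitted)"/>
  </sectionGroup>
</configSections></configuration>"""

PATCHED = UNPATCHED.replace(
    'name="identity"', 'name="identity" allowDefinition="MachineOnly"')


def identity_allow_definition(config_xml):
    """Return allowDefinition of the identity section declaration.

    '' means the attribute is absent (the section can be overridden in a
    lower-level web.config); None means no declaration was found at all.
    Accepts str or bytes.
    """
    root = ET.fromstring(config_xml)
    for group in root.iter("sectionGroup"):
        if group.get("name") != "system.web":
            continue
        for section in group.findall("section"):
            if section.get("name") == "identity":
                return section.get("allowDefinition", "")
    return None


def is_patched(config_xml):
    # Attribute values in .NET configuration files are case-sensitive.
    return identity_allow_definition(config_xml) == "MachineOnly"


if __name__ == "__main__":
    if os.path.exists(MACHINE_CONFIG):
        with open(MACHINE_CONFIG, "rb") as fh:
            print("patched" if is_patched(fh.read()) else "NOT patched")
    else:
        print("sample unpatched:", is_patched(UNPATCHED))
        print("sample patched:  ", is_patched(PATCHED))
```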