Securing Your ASP.NET Application and Web Services

Update Date: April 12, 2004

In This Module

A secure ASP.NET Web application depends on a secure network, host, and platform infrastructure. Once those are in place, an attacker will look for vulnerabilities in the Web applications and Web services themselves (which usually listen on port 80). If the Web application is not configured securely, the attacker may gain access to the system and exploit it.

As an administrator, you must review the default machine-level configuration and each application's configuration, and remove all vulnerabilities and insecure settings.

This module describes what is new in ASP.NET from the system administrator's perspective and explains how to configure machine-wide and application-specific security settings. It also provides a methodology for securing ASP.NET Web applications and Web services that complements the methodologies recommended for securing the network, application server, database server, and Web server.


Objectives

Use this module to:

• Use the Aspnet_setreg.exe utility to store credentials and connection strings in encrypted form in the registry.
• Manage the Web application environment using configuration files (*.config).
• Learn how Machine.config and Web.config are layered and processed.
• Lock configuration settings.
• Enforce machine-wide and Web application security policies.
• Use the <location> element to customize file and directory security settings.
• Secure the ASP.NET process identity and use custom impersonation in ASP.NET applications.
• Understand the NTFS permissions required by the ASP.NET process account.
• Use Forms authentication and URL authorization to protect resources.
• Secure ASP.NET session state.
• Secure the Web site and protect the bin directory.


Applies To

This module applies to the following products and technologies:

• Microsoft Windows 2000 Server
• Microsoft .NET Framework 1.1 and ASP.NET 1.1
• Microsoft SQL Server 2000


How to Use This Module

This module focuses on the main security precautions for ASP.NET applications. To get the most from it:

• Read Module 16, Securing Your Web Server. It explains how to secure the Windows 2000 operating system and the Microsoft .NET Framework. A secure base platform is a prerequisite for securing an ASP.NET Web application or Web service.
• Use the snapshot. Table 19.4 (at the end of this module) shows a snapshot of a secure ASP.NET application, with the secure settings for Machine.config and Web.config. Use it when configuring server and application settings.
• Use the checklist. The checklist "Securing Your ASP.NET Application" in the Checklists section of this guide provides printable job aids for quick reference. Use the task-based checklists to evaluate quickly which steps are needed and to work through them one by one.

For related guidance, read Module 20, Hosting Multiple ASP.NET Applications, which describes how to isolate multiple Web applications running on the same server from each other and from important system resources. For information on configuring partial-trust Web applications and Web services, see Module 9, Using Code Access Security with ASP.NET.

Methodology

To secure an ASP.NET application, first harden the operating system and .NET Framework installation baseline, then apply secure application configuration settings to reduce the application's attack surface.

These measures include:

• Services. The .NET Framework installs the ASP.NET State Service to manage ASP.NET session state out of process. If the service is installed, make sure it is secured; if you do not need it, disable it.
• Protocols. Restrict the Web services protocols to reduce the attack surface.
• Accounts. The default ASPNET account is created to run Web applications, Web services, and the ASP.NET State Service. If you create a custom account to run your processes or services, configure it as a least-privileged user with the minimum set of NTFS permissions and Windows privileges.
• Files and directories. Secure the application's bin directory, which stores private assemblies, to reduce the risk of an attacker downloading your business logic.
• Configuration store. Many security-related settings that control functional areas such as authentication, authorization, and session state are maintained in the Machine.config and Web.config XML configuration files. To secure an ASP.NET application, you must use secure configuration settings.


What You Must Know

Before you take steps to secure Web applications and Web services, you should be aware of the following basics and details.

ASP.NET Process Model

On Microsoft Windows 2000, Internet Information Services (IIS) 5.0 runs all Web applications and Web services in a single ASP.NET worker process, Aspnet_wp.exe. The unit of isolation is the application domain; each virtual directory has its own application domain. Process-level configuration settings are maintained in the <processModel> element in Machine.config.

On Microsoft Windows Server 2003, IIS 6.0 application pools allow you to isolate applications in separate processes. For more information, see Module 20, Hosting Multiple ASP.NET Applications.

ASPNET Account

The ASPNET account is a least-privileged local account created when the .NET Framework is installed. By default it runs the ASP.NET worker process and the ASP.NET State Service.

If you decide to run Web applications under a custom account, make sure the account is configured with least privilege. This limits what an attacker can do with code that executes in the application's security context. You must also specify the account credentials on the <processModel> element. Do not store the credentials in plain text: use the Aspnet_setreg.exe tool to store encrypted credentials in the registry. A custom account must also be granted the appropriate NTFS permissions.

Aspnet_setreg.exe and Process, Session, and Identity

Aspnet_setreg.exe lets you store credentials and connection strings in encrypted form in the registry. It encrypts the userName and password attributes of the <processModel> and <identity> elements and the connection strings of the <sessionState> element.

The following example shows the <processModel> element for a custom account after Aspnet_setreg.exe has been run to secure the credentials:

    <processModel
        userName="registry:HKLM\SOFTWARE\YourApp\process\ASPNET_SETREG,userName"
        password="registry:HKLM\SOFTWARE\YourApp\process\ASPNET_SETREG,password" />

You can choose the registry location for the encrypted data, but it must be under HKEY_LOCAL_MACHINE. Besides encrypting the data with the Data Protection API (DPAPI) and storing it in the registry, the tool applies a restrictive ACL to the registry key: System, Administrators, and Creator Owner get Full Control. If you use the tool to encrypt the <identity> element or the connection strings of the <sessionState> element, you must also grant Read permission on the key to the ASP.NET process account, because it is the worker process, not IIS, that reads those values.

To obtain Aspnet_setreg.exe, see Microsoft Knowledge Base article 329290, "HOW TO: Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings."

Impersonation Is Not the Default

By default, ASP.NET applications do not impersonate. Resource access is therefore performed with the identity of the ASP.NET worker process. The process identity must be granted (at least) Read permission, through an appropriately configured ACL, on any resource the application accesses.

If impersonation is enabled, the application can impersonate either the original caller (that is, the identity authenticated by IIS) or a fixed identity specified on the <identity> element. For more information, see "Impersonation" later in this module.

ASP.NET applications typically do not use impersonation, because it has negative consequences for design, implementation, and scalability. For example, impersonation prevents effective middle-tier connection pooling, which limits the application's scalability. Impersonation is useful in specific scenarios, for example when an application accesses resources using the anonymous user account. This is a common technique when hosting multiple applications on the same server. For more information, see Module 20, Hosting Multiple Web Applications.

HttpForbiddenHandler, Urlscan, and 404.dll

Several techniques can be used to block access to restricted resources. ASP.NET provides HttpForbiddenHandler, to which the ASP.NET file types that must not be downloaded over HTTP are mapped. You can map additional file types to it with the <httpHandlers> element.

IISLockdown.exe provides 404.dll. Use it to configure IIS to map unwanted file extensions to 404.dll, so that requests for those files receive an "HTTP 404 - File Not Found" response. Finally, you can use the Urlscan ISAPI filter to block requests for restricted file types and executables. Urlscan is supplied with the IISLockdown tool and can also be obtained separately. For more information, see Microsoft Knowledge Base article 307608, "INFO: Using URLScan on IIS," and "How To: Use URLScan" in this guide.

For more information on IISLockdown and Urlscan, see Module 16, Securing Your Web Server.

AppSettings

The <appSettings> element in Web.config allows applications to store configuration data such as database connection strings or service account credentials. Its advantage is that developers can centralize and standardize the storage and retrieval of configuration data, and keeping it in Web.config simplifies administration and deployment.

Sensitive data such as connection strings and credentials must not be stored in a configuration file in plain text. Developers should encrypt it with DPAPI before storing it.

For more information about AppSettings, see "AppSettings in ASP.NET" on MSDN TV at http://msdn.microsoft.com/msdntv.


Machine.config and Web.config Explained

The configuration management provided by the .NET Framework includes a wide range of settings that allow administrators to manage Web applications and their environment. These settings are stored in XML configuration files; some control machine-wide settings and others control application-specific configuration.

You can edit XML configuration files with any text editor, such as Notepad, or with an XML editor. XML tags are case sensitive, so make sure you use the correct case.

Figure 19.1 shows the configuration files an administrator uses to configure an ASP.NET Web application.

Figure 19.1 ASP.NET configuration files

Machine.config and Web.config share many of the same configuration sections and XML elements. Machine.config applies machine-wide policy to all .NET Framework applications running on the local computer. Developers can use application-specific Web.config files to customize the settings of individual applications.

Note that Windows executables (such as WinForms applications) are configured with a configuration file whose name is derived from the name of the application executable, for example App.exe.config, where "App" is the application name.

Changes made to configuration files are applied dynamically; there is usually no need to restart the server or any service, unless you change the <processModel> element in Machine.config, which is discussed later in this module.

Table 19.1 shows the locations of the configuration files.

Table 19.1: Configuration file locations

    Configuration file                                            Location
    Machine.config (one per .NET Framework                        %windir%\Microsoft.NET\Framework\{version}\CONFIG
      installation per computer)
    Web.config (zero, one, or more per application)               \inetpub\wwwroot\Web.config
                                                                  \inetpub\wwwroot\YourApplication\Web.config
                                                                  \inetpub\wwwroot\YourApplication\SubDir\Web.config
    Enterprisesec.config (enterprise-level CAS configuration)     %windir%\Microsoft.NET\Framework\{version}\CONFIG
    Security.config (machine-level CAS configuration)             %windir%\Microsoft.NET\Framework\{version}\CONFIG
    Security.config (user-level CAS configuration)                \Documents and Settings\{user}\Application Data\Microsoft\CLR Security Config\{version}
    Web_hightrust.config, Web_mediumtrust.config,                 %windir%\Microsoft.NET\Framework\{version}\CONFIG
      Web_lowtrust.config, Web_minimaltrust.config
      (ASP.NET Web application CAS configuration)

For more information on the CAS configuration files, see Module 9, Using Code Access Security with ASP.NET.

Hierarchical Policy Evaluation

For centralized administration, you can use the settings in Machine.config. Machine.config can define machine-wide policy or apply application-specific configuration through the <location> element. Developers can supply application configuration files that override aspects of machine policy. For ASP.NET Web applications, the Web.config file is located in the application's virtual root directory and, optionally, in subdirectories beneath the virtual root. Consider the arrangement shown in Figure 19.2.

Figure 19.2 Hierarchical configuration

In Figure 19.2, the AppRoot Web application has a Web.config file in its virtual root directory. SubDir1 (not a virtual directory) also contains its own Web.config, which is used when an HTTP request is directed to http://server/approot/subdir1. If a request is directed to SubDir2 (a virtual directory) through AppRoot, for example http://server/approot/subdir2, the settings from the AppRoot directory are applied. If, however, the request bypasses AppRoot and is directed to SubDir2 directly, for example http://server/subdir2, only the settings from Machine.config are applied.

In every case, the baseline settings are obtained from Machine.config. Overriding settings and additional settings are then obtained from any relevant Web.config files.

If the same configuration element is used in Machine.config and in one or more Web.config files, the setting lower in the hierarchy (closer to the requested resource) overrides the setting higher up. New settings that are not present at the machine level can also be added in Web.config, and some elements allow the <clear> element to remove the parent's settings. Table 19.2 shows where the combined configuration settings come from for the requests in Figure 19.2.

Table 19.2: Application configuration settings

    HTTP request                        Settings obtained from
    http://server/approot               Machine.config, Web.config (AppRoot v-dir)
    http://server/approot/subdir1       Machine.config, Web.config (AppRoot v-dir), Web.config (SubDir1)
    http://server/approot/subdir2       Machine.config, Web.config (AppRoot v-dir)
    http://server/subdir2               Machine.config

The <location> element is used mainly for three purposes:

• To apply configuration settings to a specific application file.
• To centralize application-specific settings in Machine.config.
• To lock configuration settings and prevent them from being overridden at the application level.

You can use the <location> element in Machine.config or Web.config. In Machine.config, the path must be fully qualified: it must include the Web site name and the virtual directory name, and can optionally include subdirectories and a file name, for example a path attribute of "Default Web Site/YourApp/SubDir/PageName.aspx".

Note that the Web site name must be included when using the <location> element in Machine.config.

In Web.config, the path is relative to the application's virtual directory, for example a path attribute of "SubDir/PageName.aspx".

Applying Configuration Settings to a Specific File

Use the path attribute to apply settings to a specific file. For example, to apply authorization rules to the file PageName.aspx from Web.config, use a <location path="PageName.aspx"> element that contains the <authorization> settings.

Applying Configuration Settings in Machine.config

You can also apply application-specific settings from Machine.config by using a <location> element whose path specifies the application directory. This is useful for centralized administration: for example, a <location> element for a particular application can force Windows authentication and prevent the use of impersonation in that application.

Locking Configuration Settings

To prevent individual applications from overriding machine-level policy, place the settings inside a <location> element in Machine.config and set allowOverride="false".

For example, to apply a policy that cannot be overridden at the application level, wrap the machine-wide defaults in a <location allowOverride="false"> element that has no path attribute.

Omitting the path attribute means the setting applies to the whole computer, and allowOverride="false" ensures that Web.config settings cannot override the specified values. Any attempt to add those elements in Web.config throws an exception, even if the Web.config values match the ones in Machine.config.


Machine.config and Web.config Guidelines

The settings in Machine.config are the server's machine-level defaults. If you want to force all applications on the server to use a particular configuration, use allowOverride="false" on the <location> element as described above. This is particularly appropriate in hosting scenarios, where you need to enforce aspects of security policy across all applications on the server.

For settings that can be configured per application, the application usually supplies a Web.config file. Although multiple <location> elements can be configured from Machine.config, separate Web.config files offer deployment advantages and keep Machine.config smaller.

The main question to consider is which settings should be enforced as machine policy. This depends on the specific scenario. Some common scenarios are:

• Windows authentication. Consider an enterprise intranet portal in which you want all applications to authenticate users against the organization's Active Directory. Here you can force Windows authentication with a locked <location> element while still allowing individual applications to choose whether to impersonate, by placing the <identity> element in a separate <location> element that allows overrides.

• Hosting. A hosting company wants to restrict applications so that they cannot access each other's resources, and to limit their access to important system resources. To achieve this, configure all applications to run at a partial trust level. For example, Medium trust restricts an application to accessing files within its own virtual directory hierarchy and restricts access to other resource types. For more information, see Module 9, Using Code Access Security with ASP.NET. To apply the Medium trust policy to all applications on the server, lock the <trust> element inside a <location allowOverride="false"> element in Machine.config.
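The following Machine.config fragment is added here as an illustration; it is not part of the original module. It puts the <location> techniques described above together: application-specific settings managed centrally, settings for a single file, and a locked machine-wide policy for the hosting scenario. The site name "Default Web Site", the virtual directory "YourApp" and the page "Admin.aspx" are assumed names.

```xml
<!-- Machine.config fragment (added example). "Default Web Site", "YourApp" and
     "Admin.aspx" are assumed names; replace them with your own. -->
<configuration>

  <!-- 1. Application-specific settings managed centrally. In Machine.config the path is
          fully qualified: Web site name, then virtual directory. This application is
          forced to use Windows authentication and may not impersonate, so it touches
          resources as the ASP.NET process identity only. -->
  <location path="Default Web Site/YourApp">
    <system.web>
      <authentication mode="Windows" />
      <identity impersonate="false" />
    </system.web>
  </location>

  <!-- 2. Settings for a single file. Authorization rules are evaluated top down and the
          first match wins, so the deny for "*" (all users) must come after the allow
          for the administrators role. -->
  <location path="Default Web Site/YourApp/Admin.aspx">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- 3. Locked machine-wide policy for the hosting scenario. No path attribute, so it
          applies to every application; allowOverride="false" means a Web.config that
          declares its own <trust> element throws a configuration exception instead of
          escaping Medium trust. For the intranet scenario, lock the authentication
          element the same way and keep <identity> in a separate
          <location allowOverride="true"> so each application decides whether to
          impersonate. -->
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>

</configuration>
```

To check that a lock is effective, add a <trust level="Full" originUrl="" /> element to the Web.config of any application on the server and request a page: the request should fail with a configuration error rather than run at Full trust. Remove the test element afterwards.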

ACLs and Permissions

Configuration files contain sensitive data, so you need to restrict access to them with properly configured ACLs.

Machine.config

By default, Machine.config is configured with the following ACL:

Administrators: Full Control

System: Full Control

Power Users: Modify

Users: Read and Execute

LocalMachine\ASPNET (process identity): Read and Execute

Note: On Windows Server 2003, the Local Service and Network Service accounts are also granted Read permission.

Members of the Users group are granted Read by default because all managed code running on the computer must be able to read Machine.config.

The default ACL on Machine.config is a secure default. However, if only a single Web application runs on the server, or all Web applications use the same process identity, the ACL can be further restricted by removing the access control entry (ACE) for Users. If you do remove Users from the DACL, you must explicitly add the Web process identity.

Web.config

The .NET Framework does not install any Web.config files. If you have an application that supplies its own Web.config, it usually inherits its ACL from the Inetpub directory, which by default grants Read permission to members of the Everyone group. To lock down an application-specific Web.config, use one of the following ACLs.

For .NET Framework 1.0:

Administrators: Full Control

System: Full Control

ASP.NET process identity: Read

UNC identity: Read

Impersonated identity (fixed identity): Read

Impersonated identity (original caller): Read

For .NET Framework 1.1:

Administrators: Full Control

System: Full Control

ASP.NET process identity: Read

UNC identity: Read

Impersonated identity (fixed identity): Read

If the application impersonates a fixed account, that is, it uses <identity impersonate="true" userName="WebUser" password="..." />, both the impersonated account (WebUser in this case) and the process account need Read permission. If the code base is on a Universal Naming Convention (UNC) share, you must also grant Read permission to the UNC identity supplied by IIS.

If you impersonate without explicit credentials, that is, <identity impersonate="true" />, and do not use a UNC share, only the process account needs access in .NET Framework 1.1. In .NET Framework 1.0, the ACL must additionally grant Read permission to any identity that will be impersonated (that is, to the original callers).


Trust Levels in ASP.NET

The trust level of an application determines the permissions granted to it by CAS policy. This in turn determines the extent to which the application can access secured resources and perform privileged operations.

The application's trust level is configured with the <trust> element. By default, Machine.config sets the level to Full (<trust level="Full" originUrl="" />).

For more information on building partial-trust Web applications with CAS, see Module 9, Using Code Access Security with ASP.NET. For more information on using trust levels in hosting scenarios, see Module 20, Hosting Multiple ASP.NET Web Applications.


ASP.NET Process Identity

ASP.NET Web applications and Web services run in a shared instance of Aspnet_wp.exe. Process-level settings, including the process identity, are configured with the <processModel> element in Machine.config.

The identity of the ASP.NET worker process is configured with the userName and password attributes of the <processModel> element. To configure the process identity:

• Use the default ASPNET account.
• Use a least-privileged custom account.
• Encrypt the credentials.
• Do not run ASP.NET as SYSTEM.

Use the Default ASPNET Account

The local ASPNET account is a least-privileged account created specifically to run ASP.NET Web applications and Web services. Use it whenever you can, by keeping the default configuration of userName="machine" and password="AutoGenerate" on the <processModel> element.

Use a Least-Privileged Custom Account

If you must run the ASP.NET worker process under a different identity, make sure the account is configured with least privilege. This limits the damage an attacker can do with the process's security context. You might choose a different account because you need to use Windows authentication to connect to a remote Microsoft SQL Server database or network resource. Note that you can also do this with the local ASPNET account; for more information, see "Data Access" later in this module.

For more information on the NTFS permissions required by the ASP.NET process account, see "ACLs and Permissions" in this module.

The ASP.NET process account should also be granted the following user rights:

• Access this computer from the network
• Log on as a batch job
• Log on as a service
• Deny logon locally
• Deny logon through Terminal Services

Encrypt the Credentials

If you need to use a custom account, do not store its credentials in plain text in Machine.config. Use the Aspnet_setreg.exe utility to store encrypted credentials in the registry.

• To encrypt the credentials

1. Run the following command from a command prompt:

    aspnet_setreg -k:SOFTWARE\YourApp\process -u:CustomAccount -p:StrongPassword

   This stores the encrypted credentials in the specified registry key and secures the key with a restrictive ACL that grants Full Control to System, Administrators, and Creator Owner.

2. Reconfigure the <processModel> element and add the following userName and password attributes:

    <processModel
        userName="registry:HKLM\SOFTWARE\YourApp\process\ASPNET_SETREG,userName"
        password="registry:HKLM\SOFTWARE\YourApp\process\ASPNET_SETREG,password" />

For more information, see Microsoft Knowledge Base article 329290, "HOW TO: Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings."

Do Not Run ASP.NET as SYSTEM

Do not run ASP.NET under the SYSTEM account, and do not grant the "Act as part of the operating system" user right to the ASP.NET process account. Doing so abandons least privilege and increases the damage an attacker can cause by executing code in the Web application's process security context.


Impersonation

By default, ASP.NET applications do not impersonate. When an application accesses Windows resources, it uses the ASP.NET worker process account (ASPNET by default).

The <identity> element is used to enable impersonation. You can impersonate:

• The original caller (the identity authenticated by IIS)
• A fixed identity

Impersonating the Original Caller

To impersonate the original caller, use <identity impersonate="true" /> in Web.config.

Impersonation uses the access token that IIS supplies to represent the authenticated caller. This may be the anonymous Internet user account (for example, if the application uses Forms authentication) or a Windows account representing the original caller (if the application uses Windows authentication). If you do enable original-caller impersonation, be aware of the following issues:

• Application scalability is reduced, because database connections cannot be pooled.
• Administration overhead increases, because ACLs on back-end resources must be configured for individual users.
• Delegation requires Kerberos authentication and a suitably configured Windows 2000 environment.

For more information, see "How To: Implement Kerberos Delegation for Windows 2000" in the "How To" section of "Microsoft patterns & practices Volume I, Building Secure ASP.NET Web Applications: Authentication, Authorization, and Secure Communication" at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnett05.asp.

Impersonating a Fixed Identity

To impersonate a fixed identity, specify it with the userName and password attributes of the <identity> element:

    <identity impersonate="true" userName="CustomAccount" password="STR0NG!Passw0rd" />

Do not store the credentials in plain text as shown here. Use the Aspnet_setreg.exe tool to encrypt them and store them in the registry.

• To encrypt the credentials

1. Run the following command from a command prompt:

    aspnet_setreg -k:SOFTWARE\YourApp\identity -u:CustomAccount -p:StrongPassword

   This stores the encrypted credentials in the specified registry key and secures the key with a restrictive ACL that grants Full Control to System, Administrators, and Creator Owner.

2. Reconfigure the <identity> element and add the following userName and password attributes:

    <identity impersonate="true"
        userName="registry:HKLM\SOFTWARE\YourApp\identity\ASPNET_SETREG,userName"
        password="registry:HKLM\SOFTWARE\YourApp\identity\ASPNET_SETREG,password" />

3. Use Regedt32.exe to edit the ACL on the registry key and grant Read permission to the ASP.NET process account, which is the identity that reads this key at run time.

For more information, see Microsoft Knowledge Base article 329290, "HOW TO: Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings."

Act as Part of the Operating System

When a fixed identity is impersonated by specifying the userName and password attributes, the ASP.NET 1.0 process account on Windows 2000 requires the "Act as part of the operating system" user right. Because this effectively raises the ASP.NET process account to the privilege level of the local SYSTEM account, impersonating a fixed identity is not recommended with ASP.NET 1.0. Note: this user right is not required if you are running ASP.NET 1.1 on Windows 2000 or Windows Server 2003.

NTFS Permission Requirements

NTFS permissions must be configured appropriately for the impersonated identity. For more information, see "ACLs and Permissions" in this module.


Authentication

The <authentication> element configures the authentication mode used by the application.

The appropriate mode depends on how the application or Web service is designed. The default Machine.config setting configures applications to use Windows authentication, as shown below:

    <!-- mode="[Windows|Forms|Passport|None]" -->
    <authentication mode="Windows" />

Forms Authentication Guidelines

To use Forms authentication, set mode="Forms" on the <authentication> element, then configure Forms authentication with the <forms> child element. The following fragment shows a securely configured <forms> element, annotated attribute by attribute:

    <forms protection="All"              privacy and integrity
           requireSSL="true"             prevents the cookie being sent over HTTP
           timeout="10"                  limited session lifetime
           name="AppNameCookie"          unique per-application name
           path="/FormsAuth"             and path
           slidingExpiration="true" >    sliding session lifetime
    </forms>

Use the following recommendations to improve the security of Forms authentication:

• Partition your Web site.
• Set protection="All".
• Use a small cookie timeout value.
• Consider using a fixed expiration period.
• Use SSL with Forms authentication.
• If you do not use SSL, set slidingExpiration="false".
• Do not use the <credentials> element on production servers.
• Configure the <machineKey> element.
• Use unique cookie names and paths.

Partition Your Web Site

Separate the publicly accessible areas of your Web site from the restricted areas. Place the pages and resources that only authenticated users may access in a separate folder, apart from the public areas. Configure SSL for the restricted subfolder in IIS, then use the <authorization> element to restrict access and force a login. For example, the following Web.config configuration allows anyone to access the current directory (the public area) but prevents unauthenticated users from accessing the restricted subfolder; any access attempt forces a Forms login.

The public pages live in the virtual directory root folder. Unauthenticated users can view these pages, and they do not need SSL protection.

The restricted folder is for authenticated users over SSL only. It is protected by a <location> element for that folder whose <authorization> element denies anonymous users.

For other programming considerations (for example, how to navigate between restricted and unrestricted pages), see "Forms Authentication" in Module 10, Building Secure ASP.NET Pages and Controls.
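The following Web.config is added here as an illustration and is not taken from the module. It combines the secure <forms> settings listed above with the partitioned site layout: the public pages in the virtual root are open to anonymous users, and everything under the Restricted folder requires a Forms login. The folder name Restricted, the page Login.aspx and the application path /FormsAuth are assumed. The SSL requirement on the folder must still be configured in IIS, because <authorization> controls who may request a resource, not which protocol carries it.

```xml
<!-- Web.config in the application's virtual root (added example; the application is
     assumed to be installed at /FormsAuth, and folder and page names are assumed). -->
<configuration>
  <system.web>

    <authentication mode="Forms">
      <!-- loginUrl lives in the SSL-only folder, so credentials never travel over HTTP.
           path must match the application's virtual path, otherwise the browser will
           not return the cookie. slidingExpiration is off: a captured cookie expires
           10 minutes after issue, not 10 minutes after the attacker's last request. -->
      <forms loginUrl="Restricted/Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="10"
             name="AppNameCookie"
             path="/FormsAuth"
             slidingExpiration="false" />
    </authentication>

    <!-- Public area: the virtual root is open to everyone, including anonymous users. -->
    <authorization>
      <allow users="*" />
    </authorization>

  </system.web>

  <!-- Restricted area: "?" denotes anonymous users. Rules are evaluated top down and
       the first match wins, so the deny must precede the allow. Unauthenticated
       requests are redirected to loginUrl by the Forms authentication module. -->
  <location path="Restricted">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- The login page itself must stay reachable by anonymous users; without this rule
       the redirect to loginUrl would be denied as well and the browser would loop. -->
  <location path="Restricted/Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

</configuration>
```

Two checks worth making after deploying this: request a page under Restricted over plain HTTP and confirm IIS refuses it (403) rather than ASP.NET redirecting to the login page, and inspect the Set-Cookie header returned by Login.aspx to confirm it carries the secure flag and the configured path.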

Set protection="All"

This setting ensures that the Forms authentication cookie is both encrypted and integrity checked. The key and algorithm used for the cookie are specified on the <machineKey> element.

Encryption and integrity checking prevent cookie tampering, but they do not reduce the risk of cookie replay if an attacker captures the cookie. Use SSL to prevent attackers from capturing the cookie with network monitoring software. Even with SSL, the cookie can still be stolen by cross-site scripting (XSS); the application must take adequate precautions, including a sound input validation strategy, to reduce this risk.

Use a small cookie timeout value

Use a small timeout value to limit the lifetime of the session and so narrow the window during which a captured cookie can be replayed.

Consider using a fixed expiration period

Consider setting slidingExpiration="false" on the <forms> element so that the cookie expires at a fixed time rather than having its expiration reset on every Web request. This is important if you do not protect the cookie with SSL.

Note: This feature is available in .NET Framework 1.1.

Use SSL with forms authentication

Use SSL to protect the credentials and the authentication cookie. SSL prevents attackers from capturing the credentials or the forms authentication cookie and presenting it to the application to prove their identity. Stealing the authentication cookie is equivalent to stealing the login.

Set requireSSL="true". This sets the Secure attribute on the cookie, which ensures that the browser does not send the cookie to the server over an HTTP connection; HTTPS (SSL) is required.

Note: This is a .NET Framework 1.1 setting. Applications built with version 1.0 must set the cookie's Secure property explicitly in code. For more information and sample code, see Module 10, Building Secure ASP.NET Pages and Controls.

If you do not use SSL, set slidingExpiration="false"

Setting slidingExpiration to false fixes the cookie's timeout to a set period (in minutes). Otherwise the timeout is renewed on each request to the Web server, which, if the cookie is captured, gives an attacker ample time to access your application as the authenticated user.

Note: This feature is available in .NET Framework 1.1.
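As an added illustration (not code from the original module), the following Python model shows how the two expiration modes above change how long a captured forms authentication cookie stays usable. The 20 minute timeout, the request spacing and the half-timeout renewal rule (ASP.NET reissues a sliding ticket only after more than half the timeout has elapsed) are modelled assumptions; the scenario values are constructed.

```python
from datetime import datetime, timedelta

# Added illustration, not code from the original module: how long a forms
# authentication ticket stays accepted under the two expiration modes.
TIMEOUT = timedelta(minutes=20)  # constructed <forms timeout="20"> value


def ticket_expiry(issued, timeout, request_times, sliding):
    """Return the instant after which a ticket issued at `issued` is rejected.

    `request_times` are the moments the ticket is presented, whether by the
    legitimate user or by someone who captured the cookie. With
    slidingExpiration="true", ASP.NET reissues the ticket on a request made
    after more than half the timeout has elapsed since it was last issued;
    with slidingExpiration="false" the expiry fixed at issue time never moves.
    """
    last_issued = issued
    expires = issued + timeout
    for t in sorted(request_times):
        if t >= expires:  # presented too late: rejected, and nothing is renewed
            break
        if sliding and (t - last_issued) > timeout / 2:
            last_issued = t  # fresh ticket with a fresh timeout
            expires = t + timeout
    return expires


def replay_window_minutes(issued, timeout, request_times, sliding):
    """Minutes during which a cookie captured at `issued` remains usable."""
    window = ticket_expiry(issued, timeout, request_times, sliding) - issued
    return window.total_seconds() / 60


def sample_scenario(interval_minutes, sliding, count=8):
    """Constructed scenario: ticket issued at 10:00, then presented `count`
    times, `interval_minutes` apart, as a busy user (or an attacker) would."""
    issued = datetime(2004, 4, 12, 10, 0)
    requests = [issued + timedelta(minutes=interval_minutes * i) for i in range(1, count + 1)]
    return replay_window_minutes(issued, TIMEOUT, requests, sliding)


if __name__ == "__main__":
    for sliding in (True, False):
        print('slidingExpiration="%s": usable for %.0f minutes'
              % (str(sliding).lower(), sample_scenario(15, sliding)))
```

With requests every 15 minutes the sliding ticket is renewed on every request and stays valid for the whole sequence, while the fixed ticket dies 20 minutes after issue; a gap longer than the timeout (25 minutes) ends the sliding ticket too.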

Do not use the <credentials> element on production servers

User credentials can be stored in the XML configuration file to support rapid development and limited testing. Do not store real end-user credentials this way, and never store them in a configuration file on a production server. Production applications should use a custom user credential store, for example in a SQL Server database.

Configure the <machineKey> element

The <machineKey> element defines the encryption algorithm used to encrypt the forms authentication cookie. It can also be used to hold the encryption keys. For more information, see the Machine Key section of this module.

Use unique cookie names and paths

Use unique name and path attribute values. Ensuring that the name is unique prevents problems when multiple applications are hosted on the same server.


Authorization

Unless a user has been explicitly granted access to a resource, such as a particular Web page, resource file or directory, access should be denied by default. ASP.NET provides two configurable gatekeepers that can be used to control access to restricted resources:

• File authorization. This gatekeeper is implemented by the ASP.NET FileAuthorizationModule HTTP module.
• URL authorization. This gatekeeper is implemented by the ASP.NET UrlAuthorizationModule HTTP module.

File authorization

This gatekeeper is used only with Windows authentication, configured as follows:

<authentication mode="Windows" />

When Windows authentication is used, this gatekeeper is active automatically and does not require impersonation. To configure the gatekeeper, set Windows ACLs on the files and folders. Note that the gatekeeper controls access only to file types that IIS maps to the ASP.NET ISAPI extension, aspnet_isapi.dll.

URL authorization

This gatekeeper can be used with any application. It is configured with the <authorization> element, which controls which users and groups are permitted to access the application. The default <authorization> element in Machine.config is as follows:

<authorization>
  <allow users="*" /> <!-- Allow all users -->
  <!-- <allow users="[*|?|name]"
              roles="[name]" />
       * - all users
       ? - anonymous users
       [name] - named user
  -->
</authorization>

URL authorization notes

The following guidelines help you configure URL authorization correctly:

• Authorization settings in Web.config normally apply to all files in the directory and all of its subdirectories unless a subdirectory contains its own Web.config, in which case the subdirectory's settings override those of the parent directory.
• URL authorization applies only to file types that IIS maps to the ASP.NET ISAPI extension, aspnet_isapi.dll.
• When an application uses Windows authentication, access is granted to Windows user and group accounts. User names take the form "authority\WindowsUserName" and role names take the form "authority\WindowsGroupName", where "authority" is either a domain name or the local machine name, depending on the account type. A number of well-known groups use the "BUILTIN" string. For example, the local Administrators group is written "BUILTIN\Administrators" and the local Users group is written "BUILTIN\Users". Note that for .NET Framework 1.0, authority and group names are case sensitive; group names must match the names shown in Windows.
• When an application uses forms authentication, authorization is based on the custom users and roles maintained in a custom user store. For example, if you use forms authentication to authenticate users against a database, you can authorize them according to the roles retrieved from the database.
• You can use the <location> tag to apply authorization settings to an individual file or directory. The following example shows how to apply permissions to a specific file (page.aspx):


Session state

Applications that depend on per-user session state can store it in one of the following locations:

• In the ASP.NET worker process
• In the out-of-process state service (which can run on the Web server or on a remote server)
• In a SQL Server data store

The location and its connection details are configured on the <sessionState> element in Machine.config. The default settings are as follows:

<sessionState mode="InProc"
              stateConnectionString="tcpip=127.0.0.1:42424"
              stateNetworkTimeout="10"
              sqlConnectionString="data source=127.0.0.1;Integrated Security=SSPI"
              cookieless="false"
              timeout="20" />

Note: If you do not use the ASP.NET state service on a Web server, disable the service with the Services MMC snap-in.

Securing the SQL Server session state store

If you use the SQL Server session state store, the following recommendations help secure the session state:

• Use Windows authentication to the database
• Encrypt sqlConnectionString
• Restrict the application's login in the database
• Secure the channel

For more information about setting up the SQL Server session state database, see Microsoft Knowledge Base article 311209, "HOW TO: Configure ASP.NET for Persistent SQL Server Session State Management."

Use Windows authentication to the database

If you use mode="SQLServer", use Windows authentication to connect to the state database, with a least privileged account such as a mirrored copy of the local ASPNET account. This allows you to use a trusted connection, so that no credentials need to be supplied in the connection string and none are sent to the database across the network.

Encrypt sqlConnectionString

You can encrypt the sqlConnectionString attribute value with the Aspnet_setreg.exe tool. This is particularly important if you use SQL authentication to the state database, because the credentials are then held in the connection string, but it is also recommended when Windows authentication is used.

• To encrypt sqlConnectionString

1. Run the following command from a command prompt:

aspnet_setreg -k:Software\YourApp\sessionState -c:{your connection string}

This stores the encrypted connection string in the specified registry key and secures the key with a restricted ACL that grants Full Control to System, Administrators and Creator Owner.

2. Reconfigure the <sessionState> element and add the following sqlConnectionString attribute:

<sessionState mode="SQLServer"
              sqlConnectionString="registry:HKLM\Software\YourApp\sessionState\ASPNET_SETREG,sqlConnectionString" />

3. Use Regedt32.exe to set an ACL on the registry key that grants Read permission to the ASP.NET process account.

Restrict the application's login in the database

The application's login in the database should be restricted so that the application can access only the required state tables and the stored procedures that ASP.NET uses to query the database.

• To restrict the application's login in the state database

1. On the state database server, create a duplicate local account with the same name and strong password as the account that runs the ASP.NET application. For more information about accessing a remote database with the ASPNET account, see Data Access later in this module.
2. Create a local Windows group (for example, ASPNETWebApps) on the database server and add the local ASPNET account to the group.
3. Grant the Windows group access to SQL Server by creating a new login for it:

sp_grantlogin 'Machine\ASPNETWebApps'

Note: Replace Machine with the name of the database server.

4. Grant the SQL login access to the ASPState database. The following T-SQL creates a database user named WebAppUser and associates it with the login:

USE ASPState
GO
sp_grantdbaccess 'Machine\ASPNETWebApps', 'WebAppUser'

5. Create a user-defined database role:

USE ASPState
GO
sp_addrole 'WebAppUserRole'

6. Add the database user to the new database role:

USE ASPState
GO
sp_addrolemember 'WebAppUserRole', 'WebAppUser'

7. Configure permissions for the database role. Grant execute permission on the stored procedures supplied with the ASPState database:

GRANT EXECUTE ON CreateTempTables TO WebAppUserRole

Repeat this command for every stored procedure supplied with the ASPState database. Use SQL Server Enterprise Manager to view the full list.

Secure the channel

To protect sensitive session state on the network between the Web server and the remote state store, use IPSec or SSL to secure the channel between the two servers. This provides privacy and integrity for session state data crossing the network. If you use SSL, you must install a server certificate on the database server. For more information about using SSL with SQL Server, see Module 18, Securing Your Database Server.

Securing the out-of-process state service

If you use mode="StateServer", the following recommendations help secure the session state:

• Run the state service with a least privileged account
• Secure the channel
• Consider changing the default port
• Encrypt stateConnectionString

Run the state service with a least privileged account

By default, the state service runs as the least privileged local ASPNET account. There is no need to change this configuration.

Secure the channel

If the state service is on a remote server, use IPSec to secure the channel to the remote state store, so that user state remains private and cannot be modified.

Consider changing the default port

The ASP.NET state service listens on port 42424. To avoid using this well-known default port, you can change it by editing the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters

The port number is defined by a value named Port. If you change the port number in the registry, for example to 45678, you must also change the connection string on the <sessionState> element, as shown below:

<sessionState stateConnectionString="tcpip=127.0.0.1:45678" ... />

Encrypt stateConnectionString

You can encrypt the stateConnectionString attribute value, which hides the IP address and port number of the state store, with the Aspnet_setreg.exe tool.

• To encrypt stateConnectionString

1. Run the following command from a command prompt:

aspnet_setreg -k:Software\YourApp\sessionState -d:{connection string}

This stores the encrypted connection string in the specified registry key and secures the key with a restricted ACL that grants Full Control to System, Administrators and Creator Owner.

2. Reconfigure the <sessionState> element and add the following stateConnectionString attribute:

<sessionState stateConnectionString="registry:HKLM\Software\YourApp\sessionState\ASPNET_SETREG,stateConnectionString" ... />

3. Use Regedt32.exe to set an ACL on the registry key that grants Read permission to the ASP.NET process account.


View state

If your application uses view state, it must be protected with a message authentication code (MAC) to ensure that it cannot be modified on the client. Use the <pages> element in Machine.config to enable or disable view state and MAC protection for all applications on the computer.

By default, the enableViewStateMac attribute on the <pages> element in Machine.config protects view state with a MAC:

<pages enableViewState="true" enableViewStateMac="true"
       autoEventWireup="true" validateRequest="true" />

If you use view state, make sure that enableViewStateMac is set to true. The <machineKey> element defines the algorithm used to protect view state.


Machine key

The <machineKey> element specifies the encryption key, validation key and algorithm used to protect forms authentication cookies and page-level view state. The following shows the default settings in Machine.config:

<machineKey validationKey="AutoGenerate,IsolateApps"
            decryptionKey="AutoGenerate,IsolateApps"
            validation="SHA1" />

Consider the following recommendations when configuring <machineKey>:

• Use unique encryption keys for multiple applications
• Set validation="SHA1"
• Generate keys manually for Web farms

Use unique encryption keys for multiple applications

If you host multiple applications on a Web server, use a unique key for each application rather than one key for all applications on the computer. This prevents one application in a hosted environment from spoofing the view state or the encrypted forms authentication cookie of another.

Also use the IsolateApps setting. This setting, new in .NET Framework 1.1, instructs ASP.NET to generate the encryption keys automatically and to make each application's key unique.

Set validation="SHA1"

The value of the validation attribute specifies the integrity check used for page-level view state. Possible values are "SHA1", "MD5" and "3DES".

If protection="All" is used on the <forms> element, the forms authentication cookie is encrypted and integrity checked. Regardless of the validation attribute setting, forms authentication cookies are encrypted with Triple DES (3DES).

Note: Forms authentication cookie encryption is independent of the validationKey setting; it is based on the decryptionKey attribute.

If validation="SHA1" is set on <machineKey>, the SHA1 algorithm is used to check the integrity of page-level view state, provided that the <pages> element is configured for view state MAC. For more information, see View State earlier in this module.

You can also set the validation attribute to MD5. SHA1 should be used instead, because the hash value generated by this algorithm is larger than that of MD5, making it more secure. If validation="3DES" is set on <machineKey>, the 3DES algorithm is used to encrypt page-level view state (as well as to check its integrity) when the <pages> element is configured for view state MAC.

Generate keys manually for Web farms

In a Web farm, an explicit key value must be set, and the same key value must be used on every computer in the farm. See Web Farm Considerations later in this module.


Debugging

The <compilation> element controls compiler settings for dynamic page compilation, which occurs when a client requests a Web page (.aspx file) or Web service (.asmx file). It is important not to use debug builds on the production server, because an attacker may exploit debug information, and the source code details it contains may be leaked.

This element controls the compilation process. Be sure to disable debug compilation on the production server by setting debug="false", as follows:

<compilation debug="false" />

By default, temporary files are created and compiled in the following directory:

%WINNT%\Microsoft.NET\Framework\{version}\Temporary ASP.NET Files

You can specify a per-application location with the tempDirectory attribute, but this attribute offers no security advantage.

Note: The ASP.NET process identity specified on the <processModel> element requires Full Control access to the temporary compilation directory.

Make sure that debug files (.pdb extension) are not stored on the production server along with the assemblies.


Tracing

Tracing should not be enabled on the production server, because system-level trace information can greatly help an attacker to understand the application and to find weaknesses.

Tracing is configured with the <trace> element. Set enabled="false" on the production server, as shown below:

<trace enabled="false" localOnly="true"
       requestLimit="10" traceMode="SortByTime" />

If you really need to trace events in a live application, it is best to reproduce the problem in a test environment, or to enable tracing with localOnly="true" (if required) so that trace details are not returned to remote clients.


Exception management

Exception details must not be returned from the Web application to the client. Malicious users can use system-level diagnostic information to learn about the application and to find weaknesses to exploit.

The <customErrors> element is used to configure the custom, generic error message that is returned to the client when an application exception occurs. The error page should contain a suitable generic error message and may include additional support details. This element can also return different error pages depending on the exception condition.

Make sure that the mode attribute is set to On and that a default redirect page is specified, as shown below:

<customErrors mode="On" defaultRedirect="YourErrorPage.htm" />

With the defaultRedirect attribute, you can use an application-specific custom error page that, for example, includes support contact details.

Be careful not to use mode="Off", because detailed error pages containing system-level information may then be returned to the client.

If you want separate error pages for different error types, use one or more <error> elements as shown below. In this example, 404 (Not Found) errors are redirected to one page, 500 (Internal Server Error) errors are directed to another, and all other errors are directed to the page specified by the defaultRedirect attribute:

<customErrors mode="On" defaultRedirect="YourErrorPage.htm">
  <error statusCode="404" redirect="YourNotFoundPage.htm" />
  <error statusCode="500" redirect="YourInternalErrorPage.htm" />
</customErrors>


Remoting

Do not expose .NET Remoting endpoints on Internet-facing Web servers. To disable remoting, map requests for the remoting extensions to System.Web.HttpForbiddenHandler with the following elements under <httpHandlers>:

<httpHandlers>
  <add verb="*" path="*.soap" type="System.Web.HttpForbiddenHandler" />
  <add verb="*" path="*.rem" type="System.Web.HttpForbiddenHandler" />
</httpHandlers>

Note that this does not prevent a Web application on the Web server from connecting to downstream objects using the remoting infrastructure. It does, however, prevent clients from connecting to objects on the Web server.


Web services

Web services are configured with the <webServices> element. To establish a secure Web services configuration:

• Disable unused Web services
• Disable unused protocols
• Disable automatic WSDL generation

Disable unused Web services

If you do not use Web services, disable them by mapping requests for the .asmx (Web service) file extension to System.Web.HttpForbiddenHandler in Machine.config, as shown below:

<httpHandlers>
  <add verb="*" path="*.asmx" type="System.Web.HttpForbiddenHandler" />
</httpHandlers>

Disable unused protocols

The <protocols> element defines the protocols that Web services support. By default, HttpPost and HttpGet are disabled in .NET Framework 1.1, as shown below:

<protocols>
  <!-- <add name="HttpPost" /> -->
  <!-- <add name="HttpGet" /> -->
</protocols>

Disabling unnecessary protocols, including HttpPost and HttpGet, reduces the attack surface. For example, an external attacker could embed a malicious link in an e-mail so that an internal Web service is invoked in the end user's security context. Disabling the HttpGet protocol is an effective countermeasure. This is similar in many ways to an XSS attack; the difference is that the attack uses an HTML tag on a publicly accessible Web page to embed a GET call to the Web service. Both attacks allow an external user to invoke an internal Web service. Disabling the protocols reduces this risk.

If the production server provides Web services that must be publicly discoverable, HttpGet and HttpPost must be enabled so that the services can be discovered.

Disable automatic WSDL generation

The Documentation protocol is used to generate Web Services Description Language (WSDL) dynamically. WSDL describes the characteristics of a Web service, such as its methods and the supported protocols. Clients use this information to construct correctly formatted messages. By default, Web services expose their WSDL to any user who can connect to the Web server over the Internet.

You may sometimes want to distribute WSDL files to partners manually and prohibit public access. That way, the development team can hand each Web service's WSDL file to the business group, which then distributes it to the designated partners that need to use the Web service.

To disable the Documentation protocol, comment it out in Machine.config, as shown below:

<protocols>
  <!-- <add name="Documentation" /> -->
</protocols>


Forbidden resources

To prevent protected resources and files from being downloaded over HTTP, map them to the ASP.NET HttpForbiddenHandler.

Protected resources are mapped to the HttpForbiddenHandler HTTP handler under the <httpHandlers> element in Machine.config. An HTTP handler is responsible for processing Web requests for a particular file extension. Remoting should not be enabled on front-end Web servers; it should be enabled only on middle-tier application servers that are isolated from the Internet.

The following file extensions are mapped to HTTP handlers in Machine.config:

• .aspx is used for ASP.NET pages.
• .rem and .soap are used for remoting.
• .asmx is used for Web services.
• .asax, .ascx, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .ssp, .licx, .resx and .resources are protected resources and are mapped to System.Web.HttpForbiddenHandler.

For .NET Framework resources, if you do not use a file extension, map it to System.Web.HttpForbiddenHandler in Machine.config, as shown in the following example:

<httpHandlers>
  <add verb="*" path="*.vbproj" type="System.Web.HttpForbiddenHandler" />
</httpHandlers>

In this example, the .vbproj file extension is mapped to System.Web.HttpForbiddenHandler. If a client requests a path ending in .vbproj, ASP.NET returns a message stating "This type of page is not served."

The following guidelines apply to handling .NET Framework file extensions:

• Map unused extensions to HttpForbiddenHandler. If you do not serve ASP.NET pages, map .aspx to HttpForbiddenHandler. If you do not use Web services, map .asmx to HttpForbiddenHandler.
• Disable remoting on Internet-facing Web servers. Map the remoting extensions (.soap and .rem) to HttpForbiddenHandler on Internet-facing Web servers.
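The following Python audit is an added example (not part of the original module) that checks a <system.web> section against the settings recommended in the forms authentication, view state, machine key, debugging, tracing, exception management, remoting, Web services and forbidden resources sections above. Both configuration samples are constructed, and the 30 minute limit used to judge a "small" forms cookie timeout is an assumption.

```python
import xml.etree.ElementTree as ET

FORBIDDEN = "System.Web.HttpForbiddenHandler"

# Constructed sample of a weak <system.web> section (not from any real server).
WEAK_CONFIG = r"""<configuration><system.web>
  <compilation debug="true" />
  <trace enabled="true" localOnly="false" />
  <customErrors mode="Off" />
  <pages enableViewStateMac="false" />
  <machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="MD5" />
  <sessionState mode="SQLServer" sqlConnectionString="data source=127.0.0.1;user id=webapp;password=example" />
  <authentication mode="Forms">
    <forms protection="None" requireSSL="false" slidingExpiration="true" timeout="600">
      <credentials passwordFormat="Clear"><user name="alice" password="example" /></credentials>
    </forms>
  </authentication>
  <httpHandlers>
    <add verb="*" path="*.rem" type="System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory, System.Runtime.Remoting" />
    <add verb="*" path="*.vbproj" type="System.Web.HttpForbiddenHandler" />
  </httpHandlers>
  <webServices><protocols>
    <add name="HttpSoap" /><add name="HttpPost" /><add name="HttpGet" /><add name="Documentation" />
  </protocols></webServices>
</system.web></configuration>"""

# The same section with the settings this module recommends (also constructed).
HARDENED_CONFIG = r"""<configuration><system.web>
  <compilation debug="false" />
  <trace enabled="false" localOnly="true" />
  <customErrors mode="On" defaultRedirect="YourErrorPage.htm" />
  <pages enableViewStateMac="true" />
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />
  <sessionState mode="SQLServer"
    sqlConnectionString="registry:HKLM\Software\YourApp\sessionState\ASPNET_SETREG,sqlConnectionString" />
  <authentication mode="Forms">
    <forms protection="All" requireSSL="true" slidingExpiration="false" timeout="10" />
  </authentication>
  <httpHandlers>
    <add verb="*" path="*.rem" type="System.Web.HttpForbiddenHandler" />
    <add verb="*" path="*.soap" type="System.Web.HttpForbiddenHandler" />
    <add verb="*" path="*.vbproj" type="System.Web.HttpForbiddenHandler" />
    <add verb="*" path="*.csproj" type="System.Web.HttpForbiddenHandler" />
  </httpHandlers>
  <webServices><protocols><add name="HttpSoap" /><add name="Documentation" /></protocols></webServices>
</system.web></configuration>"""


def _attr(section, tag, name):
    """Lower-cased value of attribute `name` on the first <tag> child, or '' if absent."""
    el = section.find(tag)
    return (el.get(name) or "").lower() if el is not None else ""


def audit_system_web(config_xml, forbid=("*.rem", "*.soap", "*.vbproj", "*.csproj"), max_timeout=30):
    """List the checks from this module that a <system.web> section fails.

    `forbid` names extensions that must map to HttpForbiddenHandler (add "*.asmx"
    when the server exposes no Web services); `max_timeout` is an assumed upper
    bound, in minutes, for a "small" forms authentication cookie timeout.
    """
    sw = ET.fromstring(config_xml).find("system.web")
    findings = []
    if _attr(sw, "compilation", "debug") == "true":
        findings.append("compilation: debug=true")
    if _attr(sw, "trace", "enabled") == "true":
        findings.append("trace: enabled=true (localOnly=%s)" % (_attr(sw, "trace", "localOnly") or "default"))
    if _attr(sw, "customErrors", "mode") != "on":
        findings.append("customErrors: mode is not On")
    if _attr(sw, "pages", "enableViewStateMac") == "false":
        findings.append("pages: enableViewStateMac=false")
    if _attr(sw, "machineKey", "validation") not in ("", "sha1"):
        findings.append("machineKey: validation is not SHA1")
    for name in ("sqlConnectionString", "stateConnectionString"):
        value = _attr(sw, "sessionState", name)
        if value and not value.startswith("registry:"):  # not stored with aspnet_setreg
            findings.append("sessionState: %s is not encrypted with aspnet_setreg" % name)
    forms = sw.find("authentication/forms")
    if forms is not None:  # the fallback values below are the .NET Framework 1.1 defaults
        if forms.get("protection", "All").lower() != "all":
            findings.append("forms: protection is not All")
        if forms.get("requireSSL", "false").lower() != "true":
            findings.append("forms: requireSSL=false")
            if forms.get("slidingExpiration", "true").lower() == "true":
                findings.append("forms: slidingExpiration=true without SSL")
        if int(forms.get("timeout", "30")) > max_timeout:
            findings.append("forms: timeout=%s exceeds %d minutes" % (forms.get("timeout"), max_timeout))
        if forms.find("credentials") is not None:
            findings.append("forms: <credentials> stored in configuration")
    handlers = {h.get("path", "").lower(): h.get("type", "") for h in sw.findall("httpHandlers/add")}
    for ext in forbid:
        if not handlers.get(ext, "").startswith(FORBIDDEN):
            findings.append("httpHandlers: %s is not mapped to HttpForbiddenHandler" % ext)
    for proto in sw.findall("webServices/protocols/add"):
        if proto.get("name") in ("HttpGet", "HttpPost"):
            findings.append("webServices: %s protocol enabled" % proto.get("name"))
    return findings
```

Running audit_system_web(WEAK_CONFIG) reports sixteen findings, one per weak setting, while the hardened sample reports none.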


Bin directory

The bin directory beneath the application's virtual root contains the application's private assemblies, including the application's page-level implementation if code-behind files were used during development.

Secure the bin directory

To secure the application's bin directory and prevent unintended download of business logic:

• Remove Web permissions.
• Remove all authentication settings.

Remove Web permissions

Use the IIS snap-in to ensure that the bin directory does not have Read, Write or Directory browsing permissions. Also make sure that Execute permissions are set to None.

Remove all authentication settings

Use the IIS snap-in to remove authentication settings from the bin directory. This causes all access to be denied.


Event log

A least privileged account such as ASPNET has sufficient permissions to write records to the event log using existing event sources. It does not, however, have sufficient permissions to create new event sources, because doing so requires adding a new entry beneath the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\

To avoid this problem, create the event sources at installation time, when you have administrator privileges. You can use a .NET installer class, which is instantiated by Windows Installer (if you are using .msi deployment) or by the Installutil.exe system utility (if you are not). For more information about how to use an installer class for the event log, see Module 10, Building Secure ASP.NET Pages and Controls. If you cannot create the event sources at installation time, you must add permissions on the following registry key and grant access to the ASP.NET process account or any impersonated account (if the application uses impersonation):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog

The account must have at least the following permissions:

• Query Value
• Set Value
• Create Subkey
• Enumerate Subkeys
• Notify
• Read


File access

Any file accessed by the application must have an access control entry (ACE) in its ACL that grants at least Read permission to the ASP.NET process account or the impersonated identity. Typically, ACLs are configured on the directory, and the files inherit the settings.

Besides using NTFS permissions to restrict access to files and directories, you can use ASP.NET trust levels to limit which areas of the file system Web applications and Web services can access. For example, a Medium trust Web application can access only files within its own virtual directory hierarchy.

For more information about ASP.NET code access security (CAS) policy, see Module 9, ASP.NET Code Access Security.


ACLs and permissions

The ASP.NET process account and (for specific directories) any impersonated identity (if the application uses impersonation) require the following NTFS permissions. These permissions, shown in Table 19.3, are in addition to those required to access application-specific file system resources.

Table 19.3: NTFS permissions required for ASP.NET process accounts

Directory: Temporary ASP.NET Files, %WINDIR%\Microsoft.NET\Framework\{version}\Temporary ASP.NET Files
Required permissions: Process account and impersonated identities: Full Control

Directory: Temporary directory (%temp%)
Required permissions: Process account: Full Control

Directory: .NET Framework directory, %WINDIR%\Microsoft.NET\Framework\{version}
Required permissions: Process account and impersonated identities: Read and Execute, List Folder Contents, Read

Directory: .NET Framework configuration directory, %WINDIR%\Microsoft.NET\Framework\{version}\CONFIG
Required permissions: Process account and impersonated identities: Read and Execute, List Folder Contents, Read

Directory: Web site root, C:\inetpub\wwwroot or the path that the default Web site points to
Required permissions: Process account: Read

Directory: System root directory, %WINDIR%\system32
Required permissions: Process account: Read

Directory: Global assembly cache, %WINDIR%\assembly
Required permissions: Process account and impersonated identities: Read

Directory: Content directory, C:\inetpub\wwwroot\YourWebApp
Required permissions: Process account: Read and Execute, List Folder Contents, Read

Note: For .NET Framework 1.0, all parent directories up to the file system root also require the above permissions. The parent directories include C:\, C:\inetpub\ and C:\inetpub\wwwroot\.


Registry

Any registry key accessed by the application must have an ACE in its ACL that grants at least Read permission to the ASP.NET process account or the impersonated identity.


Data access

To access a remote database from an ASP.NET application using Windows authentication, you can use one of the following approaches:

• Use the default ASP.NET process account. You can use the default ASP.NET process account by creating a mirrored account with the same user name and password on the database server. On Windows 2000, the default process account is ASPNET. On Windows Server 2003, the default process account is NetworkService. One disadvantage of a local account is that anyone who can dump the SAM database (which requires administrative privileges) can obtain the credentials. The main advantage is that a local account can be scoped to a specific server, which is hard to achieve with a domain account.
• Run ASP.NET under a least privileged domain account. This approach simplifies administration, because there is no need to keep mirrored account passwords synchronized. It cannot be used if the Web server and database server are in separate, non-trusting domains, or if a firewall separates the two servers and does not open the ports that Windows authentication requires.
• Impersonate the anonymous Web account. If you use forms or Passport authentication, you can impersonate the anonymous Web account (IUSR_MACHINE by default) and create a mirrored account on the database server. This approach is useful when multiple Web applications are hosted on the same Web server, because IIS lets you configure a different anonymous account for each application's virtual directory. On Windows Server 2003, you can run multiple applications in separate worker processes by using IIS 6.0 application pools and configuring a separate identity for each pool.

Configuring data access for ASP.NET applications

Whichever approach you use, restrict the application's account in the database. To do this, create a SQL Server login for the account, grant it access to the required database, and then restrict its permissions so that it can access only the minimum set of database objects it needs. Ideally, restrict the permissions so that the login can access only the stored procedures used by the application or Web service.

The following procedure assumes a mirrored local account, but the same approach can be used to limit the capabilities of a domain account in the database.

• To configure database access for an ASP.NET application

1. Use the Computer Management tool to change the password of the local ASPNET account on the Web server to a known strong password. This is required so that you can create a mirrored account on the database server.
2. Change the password attribute on the <processModel> element in Machine.config so that the ASP.NET worker process continues to run as the ASPNET account. Use Aspnet_setreg.exe to store the encrypted credentials in the registry.
3. Create a local account with the same name (ASPNET) and password on the database server.
4. Create a local Windows group (for example, ASPNETWebApp) on the database server and add the local ASPNET account to the group.
5. Grant the Windows group access to SQL Server by creating a new login, as follows:

sp_grantlogin 'Machine\ASPNETWebApp'

Note: Replace Machine with the name of the database server.

6. Grant the SQL login access to the database. The following T-SQL creates a database user named WebAppUser and associates it with the login:

USE YourDatabase
GO
sp_grantdbaccess 'Machine\ASPNETWebApp', 'WebAppUser'

7. Create a user-defined database role:

USE YourDatabase
GO
sp_addrole 'WebAppUserRole'

8. Add the database user to the new database role:

USE YourDatabase
GO
sp_addrolemember 'WebAppUserRole', 'WebAppUser'

9. Configure permissions for the database role. Ideally, grant execute permission only on the stored procedures that the application uses to query the database, and do not grant permissions for direct table access:

GRANT EXECUTE ON SprocName TO WebAppUserRole


UNC sharing

ASP.NET applications can use UNC sharing by two main methods:

• Access files on UNC shares For example, the application must access the //remoteserver/share/somefile.dat and other remote files. • The IIS virtual directory of the application application on UNC sharing is mapped to remote sharing, such as // RemoteServer / AppName. In this scenario, HTTP requests are processed by the web server, but the application's web page, resource, and private assemblies are located on remote sharing.

Accessing files on UNC shares

If the application accesses files on a UNC share, the ASP.NET process account or any impersonated identity must have the appropriate access to the share and to the underlying directory or files.

If you use the local ASPNET process account, you must create a mirrored account on the remote server with the same user name and password, or you must create a least-privileged domain account that has access on both servers. On Windows Server 2003, the NetworkService account used to run ASP.NET Web applications can authenticate across the network, so you need only grant access to the Web server's machine account.

Hosting applications on UNC shares

You can use IIS to configure a virtual directory to point to a UNC share on another computer, such as \\RemoteServer\AppName. When you do this, IIS prompts you for the account credentials used to establish the connection to the remote computer.

Note: The account credentials are stored in the IIS metabase in encrypted form, but they can be retrieved through the API. Make sure that you use a least-privileged account. For more information, see Microsoft Knowledge Base article 280383, IIS Security Recommendations When You Use a UNC Share and Username and Password Credentials.

If the application is hosted on a UNC share, ASP.NET impersonates the UNC token provided by IIS (created from the account credentials supplied to IIS) unless impersonation is enabled, as in the following configuration:

<identity impersonate="true"
          userName="registry:HKLM\Software\YourApp\Identity\ASPNET_SETREG,userName"
          password="registry:HKLM\Software\YourApp\Identity\ASPNET_SETREG,password" />

If a fixed impersonation account is supplied through the userName and password attributes, ASP.NET uses that account instead of the IIS UNC token to access the share. The fixed impersonation account is also used whenever the application accesses any resource.

Note: In the preceding example, the encrypted account credentials were stored in the registry by using ASPNET_SETREG.EXE.

If you use the following configuration, the original caller (as identified by IIS authentication) is impersonated. Although the application uses the impersonation token when it accesses any resource, ASP.NET still uses the token provided for the UNC share to access the application files on the share.

Note: The account used for the UNC share must also be able to read Machine.config.

Code access security considerations

Code access security policy grants the Intranet permission set to applications on UNC shares. The Intranet permission set does not include the AspNetHostingPermission that ASP.NET Web applications need in order to run, so the application will not run unless the policy is modified explicitly.

Two approaches are available:

• Grant the Full trust level to the UNC share that hosts the application. This is the simplest administrative approach and, if you are running .NET Framework 1.0, the only one available, because ASP.NET 1.0 Web applications require Full trust.
• Configure code access security policy to grant the code AspNetHostingPermission and any further permissions it needs (depending on the types of resource the code accesses). Because ASP.NET dynamically creates code and compiles page classes, you must use code groups for both the UNC share and the Temporary ASP.NET Files directory when you configure policy. The default temporary directory is \WINNT\Microsoft.NET\Framework\{version}\Temporary ASP.NET Files, but you can configure this location per application with the tempDirectory attribute of the <compilation> element. For more information about ASP.NET code access security policy and how to handle privileged code, see Module 9, ASP.NET Code Access Security.

Note: When you configure policy, grant the trust level to the share (by using the file location), not to the zone. This is more granular, because it does not affect every application in a particular zone.


COM/DCOM resources

The application uses its process identity or impersonated identity when it calls COM-based resources (such as serviced components). The client's authentication and impersonation levels are configured with the comAuthenticationLevel and comImpersonationLevel attributes on the <processModel> element in Machine.config.

For more information and recommendations, see the Enterprise Services considerations in Module 17, Securing Your Application Server.


Denial of service considerations

The following ASP.NET features help you deal with denial of service attacks against ASP.NET applications:

• By default, POST requests are limited to 4 MB.
• The client is checked to make sure that it is still connected before a request enters the work queue. This defeats an attacker who sends multiple requests and then disconnects the client.
• Requests time out after a configured limit.

The configuration values are held on the <httpRuntime> element in Machine.config. The following example shows the default settings in the version 1.1 Machine.config:

<httpRuntime maxRequestLength="4096"
             useFullyQualifiedRedirectUrl="false"
             minFreeThreads="8"
             minLocalRequestFreeThreads="4"
             appRequestQueueLimit="100"
             enableVersionHeader="true" />

You may need to reduce the value of the maxRequestLength attribute to prevent users from uploading very large files. The default maximum is 4 MB. In the OpenHack competition, maxRequestLength was limited to 1/2 MB, as shown in the following example:

Note: ASP.NET cannot address packet-level attacks. Packet-level attacks must be addressed by hardening the TCP/IP stack. For more information about how to configure the TCP/IP stack, see How To: Harden the TCP/IP Stack in the How To section of this guide.


Web farm considerations

If an ASP.NET Web application runs in a Web farm, there is no guarantee that successive requests from the same client are handled by the same Web server. This affects:

• Session state
• Encryption and verification
• DPAPI

Session state

To avoid server affinity, ASP.NET out-of-process session state can be held in the ASP.NET SQL Server state database or in the out-of-process state service running on a remote computer. For more information about securing the remote state store, see the Session State section earlier in this module.

Encryption and verification

The keys used to encrypt and verify the forms authentication cookie and view state must be the same on every server in the Web farm. The AutoGenerate setting on the <machineKey> element must be replaced with a common key value.

For more information about how to generate and configure keys, see Microsoft Knowledge Base article 312906, How To: Create Keys by Using Visual C# .NET for Use in Forms Authentication.
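As an added example (not Microsoft's code and not taken from KB 312906), the following Python script generates a validationKey and decryptionKey from the operating system's random number generator and renders the <machineKey> element to copy onto every server in the farm. The key-length rules it enforces (40 to 128 hex characters for validationKey, 16 or 48 hex characters for a DES or 3DES decryptionKey) are assumptions taken from the ASP.NET 1.1 documentation and should be confirmed for your framework version.

```python
import re
import secrets

# Sizes follow the KB 312906 example (assumption): 64-byte validationKey
# (128 hex characters) and 24-byte 3DES decryptionKey (48 hex characters).
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 24
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)


def check_keys(validation_key, decryption_key):
    """True if both keys satisfy the ASP.NET 1.1 machineKey length and format rules."""
    if not HEX_RE.match(validation_key) or not 40 <= len(validation_key) <= 128:
        return False  # validationKey: 40 to 128 hex characters (20 to 64 bytes)
    if not HEX_RE.match(decryption_key) or len(decryption_key) not in (16, 48):
        return False  # decryptionKey: 16 (DES) or 48 (3DES) hex characters
    return True


def generate_keys():
    """Return (validationKey, decryptionKey) as upper-case hex from the OS CSPRNG."""
    validation_key = secrets.token_hex(VALIDATION_KEY_BYTES).upper()
    decryption_key = secrets.token_hex(DECRYPTION_KEY_BYTES).upper()
    return validation_key, decryption_key


def machine_key_element(validation_key, decryption_key, validation="SHA1"):
    """Render the element that every server in the farm must carry verbatim."""
    if not check_keys(validation_key, decryption_key):
        raise ValueError("key does not meet the machineKey length/format rules")
    return (f'<machineKey validationKey="{validation_key}"\n'
            f'            decryptionKey="{decryption_key}"\n'
            f'            validation="{validation}" />')


if __name__ == "__main__":
    # Paste the output into Machine.config (or each application's Web.config)
    # in place of the AutoGenerate values, identically on every farm member.
    print(machine_key_element(*generate_keys()))
```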

DPAPI

Developers sometimes use DPAPI to encrypt data. If you use DPAPI with the machine key store to store encrypted secrets and strings, the encrypted data is specific to that computer and cannot be copied between the computers in a Web farm or cluster.

If you use DPAPI with the user key store, the data can be decrypted on any computer that has a roaming user profile. However, this is not recommended, because any computer on the network that can use the account that encrypted the data will be able to decrypt it.

DPAPI is ideal for securing configuration secrets on the Web server, such as database connection strings. If the encrypted data is stored on a remote server (for example, in a database), you should use other encryption techniques. For more information about how to store encrypted data in a database, see Module 14, Building Secure Data Access.
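The settings this module recommends (credentials stored by ASPNET_SETREG.EXE rather than in clear text, forms authentication over SSL, explicit shared machineKey values in a Web farm, a reduced maxRequestLength, debug disabled) can be checked mechanically before a server goes into service. The following Python audit is an added example, not part of the original guide; it parses a constructed, deliberately weak Machine.config fragment and reports each deviation.

```python
import xml.etree.ElementTree as ET
# Constructed, deliberately weak Machine.config fragment in ASP.NET 1.1 layout.
WEAK_CONFIG = """<configuration><system.web>
  <processModel userName="machine" password="AutoGenerate" />
  <identity impersonate="true" userName="DOMAIN\\svc" password="P@ss" />
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />
  <authentication mode="Forms">
    <forms name="AppNameCookie" protection="All" requireSSL="false" slidingExpiration="true" />
  </authentication>
  <httpRuntime maxRequestLength="4096" />
  <compilation debug="true" />
</system.web></configuration>"""

def stored_in_registry(value):
    # aspnet_setreg.exe references look like "registry:HKLM\...\ASPNET_SETREG,userName"
    return value.lower().startswith("registry:")

def audit(config_xml, web_farm=False):
    # Returns the deviations from this module's recommended settings (empty list = clean).
    web = ET.fromstring(config_xml).find("system.web")
    findings = []
    pm = web.find("processModel")
    if pm is not None and pm.get("password", "AutoGenerate") != "AutoGenerate" \
            and not stored_in_registry(pm.get("password")):
        findings.append("processModel: password in clear text; store it with aspnet_setreg.exe")
    ident = web.find("identity")
    if ident is not None and ident.get("impersonate", "false").lower() == "true":
        for attr in ("userName", "password"):  # fixed impersonation account
            if ident.get(attr) and not stored_in_registry(ident.get(attr)):
                findings.append(f"identity: {attr} in clear text; store it with aspnet_setreg.exe")
    mk = web.find("machineKey")
    if web_farm and mk is not None:  # AutoGenerate gives every server a different key
        for attr in ("validationKey", "decryptionKey"):
            if "autogenerate" in mk.get(attr, "AutoGenerate").lower():
                findings.append(f"machineKey: {attr} must be an explicit key shared by the farm")
    forms = web.find("authentication/forms")
    if forms is not None:
        if forms.get("protection", "All") != "All":
            findings.append("forms: protection should be All (encrypted and signed ticket)")
        if forms.get("requireSSL", "false").lower() != "true":
            findings.append("forms: requireSSL is false")
            if forms.get("slidingExpiration", "true").lower() == "true":
                findings.append("forms: slidingExpiration should be false when SSL is not used")
    rt = web.find("httpRuntime")
    if rt is not None and int(rt.get("maxRequestLength", "4096")) > 512:
        findings.append("httpRuntime: maxRequestLength exceeds the 512 KB OpenHack limit")
    comp = web.find("compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append("compilation: debug is enabled")
    return findings
```

Run it with web_farm=True on a farm member; the machineKey checks are skipped for a single server, where AutoGenerate,IsolateApps is the recommended setting.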


Snapshot of a secure ASP.NET application

The following snapshot shows the characteristics of a secure ASP.NET application so that you can quickly and easily compare the settings with your own configuration.

Table 19.4: Snapshot of a secure ASP.NET application configuration

Component: Process identity
• The ASP.NET worker process runs as ASPNET:
    <processModel userName="machine" password="AutoGenerate" />
• A custom account, if used, is a least-privileged account.
• Custom credentials are encrypted in the registry:
    <processModel userName="registry:HKLM\Software\YourApp\Process\ASPNET_SETREG,userName"
                  password="registry:HKLM\Software\YourApp\Process\ASPNET_SETREG,password" />

Component: Impersonation
• Impersonated identity credentials are encrypted in the registry:
    <identity impersonate="true"
              userName="registry:HKLM\Software\YourApp\Identity\ASPNET_SETREG,userName"
              password="registry:HKLM\Software\YourApp\Identity\ASPNET_SETREG,password" />

Component: Authentication
• The Web site is partitioned into public and restricted access areas.
• Forms authentication is configured securely:
    <forms protection="All"
           requireSSL="true"
           timeout="10"
           name="AppNameCookie"
           path="/FormsAuth"
           slidingExpiration="true" />
• Authentication cookies are encrypted and integrity checked.
• SSL is required for authentication cookies. If SSL is not used, slidingExpiration is set to false.
• Session lifetime is restricted.
• Cookie names and paths are unique.
• The <credentials> element is not used.

Component: Authorization
• ACLs are configured on ASP.NET resources.
• The <authorization> element is configured.

Component: Session state
• The ASP.NET state service is disabled if it is not needed.
• The communication channel to a remote state store is encrypted where necessary.
• The ASPState database is accessed by using Windows authentication.
• The application login has restricted access to the ASPState database.
• Connection parameters (sqlConnectionString and stateConnectionString) are encrypted in the registry.
• The ASP.NET state service is configured to use a non-default port.

Component: View state
• View state MAC is enabled on the <pages> element in Machine.config.
• The validation attribute of the <machineKey> element is set to SHA1.
• Keys are unique for each application running on the Web server.
• View state and forms authentication are protected:
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" />

Component: Disabled resources
• Protected resources are mapped to System.Web.HttpForbiddenHandler.

Component: Debug
• Debug builds are disabled: