Make sure the ASP.NET application and the security of Web Services
Update Date: April 12, 2004
This page
This module Content Target Application Scope How to Use this module method Method must description Machine.config and Web.configMachine.config and Web.config Guide ASP.NET Trust Level ASP.NET's Process Identifies analog Authentication Authorized Session Status View Status Computer Key Combinations Tracking Exception Management Remote Processing Web Services Disable Access Resources BIN Directory Event Log File Access ACL and Permissions Registry Data Access UNC Shared COM / DCOM Resource Denial Service Notes Web Description Security ASP.NET Application Snapshot Summary other resources
This module content
Safe ASP.NET web applications depends on a fully secure network, host, and platform infrastructure. When the above conditions are met, the attacker will try to use the WEB applications and the vulnerabilities in Web Services (usually listening to port 80). If the web application is not configured, the attacker may obtain the system access rights and utilize the system.
As an administrator, you must check the default computer-level configuration and each application configuration to process and delete all vulnerabilities or unsafe settings.
This module describes the new content in ASP.NET from the perspective of the system administrator and describes how to configure computer-wide and application-specific security settings. In addition, this module also provides a method of ensuring ASP.NET web applications and Web Services security, which is a supplement to ensuring the method recommended by the network, application server, database server, and Web server security.
Back to top
aims
Using this module can be implemented:
• Use the ASPNET_SETREG.EXE utility to store credentials and connect strings in the registry. • Manage the web application environment using the configuration file (* .config). • Learn how to lay layers and process Machine.config and Web.config. • Lock configuration settings. • Enforce computer range and web application security policies. • Use the
Back to top
Scope of application
This module is suitable for the following products and technologies:
• Microsoft Windows Server 2000 • Microsoft .NET Framework 1.1 and ASP.NET 1.1 • Microsoft SQL Server 2000
Back to top
How to use this module
This module focuses on the main security precautions for the ASP.NET application. In order to fully understand the contents of this module, please:
• Read Module 16 Protect the Web Server. This module describes how to ensure the security of the Windows 2000 operating system and Microsoft .NET Framework. The secure basic platform is the premise of ensuring ASP.NET web application or Web Services security. • Use snapshots. Table 19.4 (Nature of this module) shows a snapshot of secure ASP.NET applications, which is securely configured in Machine.config and Web.config. This table can be used when configuring the server and application settings. • Use the checklist. The checklist of the "Checklist" section of this guide: Protecting the security of ASP.NET provides prinable job guidance for quick reference. Use task-based checkpoints that can quickly evaluate which steps are needed, and help you gradually complete your steps.
To obtain a relevant guide, read the module 20 to resident multiple ASP.NET applications, this module describes how to isolate multiple web applications running on the same server and how important system resources, and how to put each web application each other isolation. For more information on configuring part Trust WEB Applications and Web Services, see Module 9 ASP.NET Code Access Security. Back to top
method
To ensure the security of the ASP.NET application, you should first strengthen the operating system and .NET Framework installation benchmark, then apply secure application configuration settings to reduce the attacked surface of the application.
These measures include:
• Service. .NET Framework installed an ASP.NET status service to manage the ASP.NET session state outside the process. Make sure the ASP.NET status service is secure (if the service is installed). If you don't need it, disable the ASP.NET status service. • Agreement. Limit the Web Services protocol to reduce the attack surface. • Account. Create a default ASPNET account to run web applications, Web Services, and ASP.NET status services. If you create a custom account to run your processes or services, you must configure it as minimum privileged users, make it a minimum collection of NTFS permissions and Windows privileges. • Files and directories. The security of the application bin directory used to store private assemblies should be ensured to reduce the risk of the attacker download business logic. • Configure storage. Many security related settings for control functional areas (such as verification, authorization, session status, etc.) are maintained in machine.config and web.config XML configuration files. To ensure the security of the ASP.NET application, you must use secure configuration settings.
Back to top
Prerequisite
Some basic precautions and details should be found in taking steps to ensure that Web applications and Web Services are secure.
ASP.NET processing module
In Microsoft Windows 2000, Internet Information Services (IIS) 5.0 runs all web applications and Web Services in the ASP.NET_Wp.exe. The isolation unit is an application domain, and each virtual directory has its own application domain. Process level configuration settings Maintained by
In Microsoft Windows Server 2003, IIS 6.0 application pool allows you to isolate applications with separate processes. For more information, see Module 20 Resident Multiple ASP.NET applications.
ASP.NET account
The ASPNET account is the minimum privileged local account created when installing .NET Framework. By default, it will run the ASP.NET work process and the ASP.NET status service.
If you decide to run a web application using a custom account, make sure the account is configured using the minimum privilege. This will reduce the risk of an attacker attempt to use the application's security context to execute code. In addition, you must specify an account credentials on the
ASPNET_SETREG.EXE and Process, Session and Identification
ASPNET_SETREG.EXE allows you to store credentials and connect strings in an encrypted format in the registry. This tool allows encryption of the following properties:
•
Username = "registry: hklm / slowware / yourapp / process / aspnet_setreg, username" Password = "registry: hklm / slowware / yourapp / process / aspnet_setreg, password" /> You can choose to store the registry location of the encrypted data, but must be under HKEY_LOCAL_MACHINE. In addition to using data protection API (DPAPI) encrypted data and stores it in the registry, this tool also applies secure ACLs to limit access to the registry key. ACLs on the registry have a fully controlled permissions for the system, administrator, and creator owner. If you use a tool encrypted To get an ASPNET_SETREG.EXE tool, please refer to Microsoft Knowledge Base Article 329290 How To: Use The ASP.NET Utility To Encrypt Credentials and Session State Connection Strings. Simulation is not the default setting By default, ASP.NET applications do not use simulation. Therefore, the ASP.NET work process identification will be used to perform resource access. The process identification read permissions (at least) must be granted to the application to be accessed by creating an appropriately configured ACL. If analog simulation is enabled, the original call party (ie, IIS verification ID) can also be analog to simulate the fixed identifier specified on the Typically, the ASP.NET application does not use simulation because it will have a negative impact on design, implementation, and scalability. For example, using analog will hinder the effective intermediate layer connection pool, which will limit the scalability of the application. Simulations are very useful for specific schemes, for example, when an application accessing resources using an anonymous user account. This is a common technology when you reside multiple applications on the same server. For more information, see Module 20 Resident Multiple Web Applications. HttpForbiddenhandler, Urlscan and 404.dll Many techniques can be used to block access to restricted resources. ASP.NET provides HTTPFORBIDENHHANDEER to map to HTTPFORBIDENHANDERLERs from the ASP.NET file type downloaded by HTTP. You can use the IISLOCKDOWN.EXE provides 404.dll. Use it to configure IIS to map unwanted file extensions to 404.dll, so that "HTTP 404 - File NOT" message appears when requested for these files. Finally, you can use the URLSCAN ISAPI filter to block requests for restricted file types and executables. Urlscan is provided with the IISLockDown tool, or it can be obtained separately. For more information, see Microsoft Knowledge Base Article 307608 Info: Urlscan On IIS (English), and how to: Use Urlscan in this guide. For more information on IISLOCKDOWN and URLSCAN, see Module 16 Protection Web Server. Appsettings Sensitive data (such as connection strings and credentials) should not be stored in a profile in a plain text format. Developers should encrypt them with DPAPI before storage confidentiality. For more information about AppSettings, see Appsettings In ASP.NET displayed on MSDN® TV, whose URL is: http://msdn.microsoft.com/msdntv (English). Back to top Description Machine.config and Web.config Configuration management provided by .NET Framework includes a wide range of settings, allowing administrators to manage web applications and their environments. These settings are stored in an XML configuration file, some of which control the setup of the computer, and other control applications specific configurations. You can use any text editor to edit an XML configuration file such as a Notepad or an XML editor. XML tag is case sensitive, make sure you use the correct case. Figure 19.1 shows an administrator to configure a configuration file for configuring an ASP.NET web application. Figure 19.1ASP.NET configuration file Machine.config and web.config file share many of the same configuration sections and XML elements. Machine.config is used to apply a computer-wide policy to all .NET Framework applications running on the local computer. Developers can also use the application-specific web.config file to customize the settings of a single application. Note that Windows executables (such as WinForm applications) are configured using the configuration file. The names of these files originate from the name of the application executable file, for example, app.exe.config, where "app" is the application name. Changes made to profiles will be dynamically applied, and there is usually no need to restart the server or any service, unless you change the Table 19.1 shows the location of the configuration file. Table 19.1: Profile location Profile location Machine.config (each computer each .NET Framework installation one)% windir% / microsoft.net / framework / {version} / config web.config (each application has zero, one or more ) /inetpub/wwwroot/web.config /inetpub/wwwroot/YourApplication/web.config/inetpub/wwwroot/YourApplication/SubDir/web.config Enterprisesec.config (CAS enterprise-class configuration)% windir% / Microsoft.NET / Framework / {Version} / config security.config (Computer-Level CAS Configuration)% WINDIR% / Microsoft.Net / Framework / {Version} / Config Security.config (User-Level CAS Configuration) / Documents and Settings / {User} / Application Data / Microsoft / CLR Security Config / {version} Web_hightrust.configWeb_mediumtrust.configWeb_lowtrust.configWeb_minimaltrust.config (ASP.NET Web application configuration CAS)% windir% / Microsoft.NET / Framework / {version} / CONFIG ASP.NET Web-related applications For more information on the CAS configuration file, see Module 9 ASP.NET Code Access Security. Hierarchical strategy assessment For centralized management, you can use the settings in Machine.config. The settings in Machine.config can define a policy of computer-wide policies, or apply application-specific configurations via Figure 19.2 Hierarchical configuration In Figure 19.2, the Approot web application has a web.config file in the virtual root directory. The Subdir1 (non-virtual directory) also includes its own web.config file, which file will be used when the HTTP request is directed to http: // approot / subdir1. If a request is oriented to the subdir2 (virtual directory), for example, http: // server / approot / subdir2, settings from the approot directory will be applied. However, if the request is bypassed Approot orientation to SubDir2, for example, http: // server / subdir2, only the settings from Machine.config are applied. In any case, the reference settings are obtained from Machine.Config. Next, you will get overwritten settings and other settings from any related web.config files. If the same configuration element is used in Machine.config and one or more web.config files, the settings from the top of the hierarchy will overwrite the higher level settings. The new configuration settings that are not available in the computer-level application can also be applied to the web.config file, and some elements can use the Table 19.2: Application Configuration Settings HTTP request combination settings from http: // server / approot machine.config web.config (approot v-dir) http:// Server / approot / subdir1 machine.config web.config (Approot V-DIR) Web.config (Subdir1 ) http: // server / approot / subdir2 machine.config web.config (approot v-dir) http:// Server / Subdir2 Machine.config • Apply configuration settings to a specific application file. • Centralize the application-specific settings in Machine.config. • Lock Configuration Settings to prevent application level coverage. You can use the . Note that the website name must be included when using the location mark of Machine.config. For web.config, the path relative to the virtual directory of the application. E.g: . Apply configuration settings to a specific file Application settings for specific files using the "Path" property. For example, to apply an authorization rule to a file PageName.aspx in web.config, use the Application Configuration Settings in Machine.Config You can also use the Lock configuration settings To prevent a single application override the computer-level policy configuration, you can put the settings into the For example, to apply a policy that cannot be overwritten on the application level, use the ... The default value of the computer range Leave the PATH attribute indicate that this setting will be applied to your computer, and the allowoverride = "false" ensures that the web.config setting does not override the specified value. Any behavior that attempts to add elements in web.config produces an exception, even if the elements in Machine.config match these elements in Web.config. Back to top Machine.config and Web.config Guide The settings in the machine.config are the default value of the server to apply the computer level. If you want to force all applications on the server to use a specific configuration, you can use AllowOverride = "false" on the For those settings that can be configured based on individual applications, the usual application provides a web.config file. Although multiple The main problem that needs to be considered is what sets of computer policies should be forced to use. This depends on a specific solution. Some general solutions are as follows: • Windows authentication considers an enterprise's intranet portal program, in which you want to pass the verification with the application and verify it by the organization via Active Directory. In this scenario, you can force Windows authentication, but allow a single application to simulate the following configuration: • Reporting programs provide resident services to restrict applications so that they cannot access each other's resources to limit access to important system resources. To implement this goal, you can configure all applications to run part of the trust level. For example, an intermediate trust level restriction application can only access files within its own virtual directory hierarchy, and restrict access to other types of resources. For more information, see Module 9 ASP.NET Code Access Security. To apply intermediate trust strategies on all applications on the server, use the following configuration: ACL and permissions The configuration file contains sensitive data, so you need to use the appropriate configured ACL to limit access. Machine.config By default, use the following ACL to configure Machine.config: Administrators: Fully controlled System: Fully control Power Users: Modify Users: reading and execution LocalMachine / ASPNET (Process Logo): Reading and Execution Note On Windows Server 2003, the local service and network service accounts are also granted read permissions. The member of the user group is granted by default because all managed code running on the computer must be able to read Machine.config. The default ACL on Machine.config is a secure default value. However, if only a single web application runs on the server, or all web applications use the same process identifier, the ACL can be further restricted by deleting the user's access control item (ACE). If "users" is indeed deleted from DACL, you need to explicitly add a web process ID. Web.config .NET Framework does not have any web.config files installed. If you have an application that provides your own web.config, it usually inherits the ACL from the Inetpub directory. By default, the ACL will grant read permissions for members of the Everyone group. To lock the application-specific web.config, use one of the following ACLs. For .NET Framework 1.0: Administrators: Fully controlled System: Fully control ASP.NET process logo: read UNC logo: read Analog logo (fixed identification): read Analog logo (original call square): read For .NET Framework 1.1: Administrators: Fully controlled System: Fully control ASP.NET process logo: read UNC logo: read Analog logo (fixed identification): read If the application uses the simulation of the account (ie, if the fixed ID is analoged), if the If you are simulating but do not use clear credentials, such as Back to top Trust level in ASP.NET The trust level of the application determines the permissions granted to the CAS policy. This also determines the extent to which the application can access secure resources and execute privileges. Configure the application's trust level using the For more information on generating part of the Trust Web application using CAS, see Module 9 ASP.NET Code Access Security. For more information on the use of trust levels, please refer to Module 20 Resident Multiple ASP.NET Web Applications. Back to top ASP.NET process identity ASP.NET Web Applications and Web Services are running in a shared instance of an ASP.NET_WP.exe. Process level settings (including process ID) configured using The identity of the ASP.NET work process is configured using the username and password properties on the • Use the default ASPNET account. • Use the minimum privilege custom account. • Encrypted Use the default ASPNET account The local ASPNET account is the default minimum privilege account, dedicated to running the ASP.NET web application and Web Services. If you can, use this account by configuring the default configuration: Use minimal privilege custom account If you must run the ASP.NET work process using the standby ID, make sure that the account used is configured as the minimum privileged account. This can limit the damage caused by the attacker trying to use the process security context. You may decide to use a spare account because you need to use Windows authentication to connect to a remote Microsoft SQL ServerTM database or network resource. Note that you can perform the above operations using the local ASPNET account. For more information, see Data Access behind this module. For more information on NTFS privileges required for the ASP.NET process account, see the ACLs and permissions behind this module. The following user rights should also be granted an ASP.NET process account: • Access this computer from the network • Log in as a batch job. • As a service login. • Reject local login. • Refuse to log in through the terminal service. Encryption If you need to use a custom account, don't store plain text credentials in Machine.config. You should use the ASPNET_SETREG.EXE utility to store encrypted credentials in the registry. • Encrypted 1. Run the following command from the command prompt: aspnet_setReg -k: Software / Yourapp / Process -u: Customaccount: P: Strongpassword This command stores the encrypted connection string in the specified registry key and ensures that the registry key is secured by the restricted ACL, which grants full control permissions to System, Administrators, and Creator Owner. 2. Reconfigure the Username = "registry: hklm / slowware / yourapp / process / aspnet_setreg, username" Password = "registry: hklm / slowware / yourapp / process / aspnet_setreg, password" /> For more information, see Microsoft Knowledge Base Article 329290 How To: Use The ASP.NET Utility To Encrypt Credentials and Session State Connection Strings. Don't run Asp.net as System Do not run ASP.NET using the System account, or grant "as a part of the operating system" user permissions for the ASP.NET process account. This action eliminates the minimum privilege, thereby increasing the damage caused by an attacker's process security context executing code using a web application. Back to top simulation By default, ASP.NET applications do not use simulation. When an application accesses Windows resources, the ASP.NET work process account (default ASPNET) is used. • Original call party (IIS verified identifier) • fixed identification Simulated original call party To simulate the original call party, use the following configuration: The simulation uses IIS to represent the access tokens that have verified caller. This can be an anonymous Internet user account (for example, if the application uses a table single authentication), it can also be a Windows account representing the original call (if the application uses Windows authentication). If you really want to enable the original call square to simulate, please pay attention to the following questions: • Since the database connection cannot be collected, the scalability of the application will be reduced. • Since the ACL on the backend resource needs to be configured for a single user, the management workload is increased. • Delegate requires Kerberos authentication and appropriate Windows 2000 environments. For more information, see "Microsoft patterns & practices Volume I, Building Secure ASP.NET Web Applications: Authentication, Authorization, and Secure Communication" of "How To" section of the "How To: Implement Kerberos Delegation for Windows 2000", Its URL is: http://msdn.microsoft.com/library/default.asp? Url = / library / en-us / dnnetsec / html / secnett05.asp. Analog fixed logo To simulate a fixed ID, use the UserName and Password property on the Password = "STR0NG! Passw0rd" /> Please do not store the credentials shown here in plain text. You should use the ASPNET_SETREG.EXE tool to encrypt the credentials and store it in the registry. • Encrypt 1. Run the following command from the command prompt: aspnet_setReg -k: Software / Yourapp / Identity -u: Customaccount: P: Strongpassword This command stores the encrypted connection string in the specified registry key and secures the registry key by restricted ACL, which grants full control permissions for System, Administrators, and CreatR Owner. 2. Reconfigure the Username = "Registry: HKLM / Software / Yourapp / Identity / Aspnet_SetReg, Username" Password = "registry: hklm / slowware / yourapp / identity / aspnet_setreg, password" /> 3. Use regedt32.exe to create an ACL on the registry key to grant read permissions for the ASP.NET process account. For more information, see Microsoft Knowledge Base Article 329290 How To: Use The ASP.NET Utility To Encrypt Credentials and Session State Connection Strings. Some of the operating system When the fixed identity is simulated by specifying the username and password attribute, the ASP.NET 1.0 process account needs to have "as a part of the operating system" user permission on Windows 2000. Since this can effectively increase the ASP.NET process account to access the privilege level of the local system account, ASP.NET 1.0 does not recommend using analog fixed identity. Note: This user privilege is not required if you are running ASP.NET 1.1 on Windows 2000 or Windows 2003 Server. NTFS permission requirements NTFS permissions must be appropriately configured for the analog identity. For more information, see "ACL and Permissions" behind this module. Back to top Authentication Appropriate authentication mode depends on how the application or Web Services is designed. Default Machine.config Settings Application Security Windows Authentication Default Values, as shown below:
Mode = "[Windows | Forms | Passport | NONE] -> Table Single Authentication Guide To use a form of authentication, set mode = "forms" on the Protection = "all" privacy and integrity Requiressl = "true" Blocks from sending cookies via HTTP Timeout = "10" limit session life Name = "AppNameCookie" each application unique name Path = "/ formsauth" and path SLIDINGEXPIRATION = "True"> Sliding session life Use the following suggestions to increase the security of format authentication: • Sub-partitions. • Set protection = "all". • Use a small cookie timeout value. • Consider using a fixed validity period. • Use SSL to verify the table. • If you do not use SSL, set SLIDINGEXPIRATION = "false". • Do not use the Sub-site The public access area of the website and the restricted access area can be separated. Applications that only allow users to access authenticated users and other pages and resources are placed in a separate folder, separated from the public access. By configuring SSL access in IIS to protect restricted subfolders, then use the The normal page is included in the virtual directory root folder. Users who have not authenticated can view these pages and do not need Use SSL to protect. -> The restricted folder can only be used to verify and SSL access. -> Information about other programming considerations (for example, how to navigate between restricted pages and non-limiting pages), see Module 10 Generate "Table Single Authentication" in the ASP.NET web page and controls. Set protection = "all" This setting ensures that the encrypted table is single authentication cookie to provide privacy and integrity. The key and algorithm for cookie encryption are specified on the Encryption and integrity check prevents cookie from tampening, but if an attacker tries to capture cookies, this does not reduce the risk of cookie replay attacks. You can also use SSL to prevent attackers from capturing cookies through network monitoring software. Although use SSL, cookie will still be steal by a cross-site script (XSS). Applications must take sufficient preventive measures and appropriate input verification strategies to reduce this risk. Use small cookie timeout value You can use a small hour to limit the life of the session, thereby reducing the risk of the window suffering from the Cookie replay attack. Consider using fixed validity Consider setting SlidingExpiration = "false" on the Note This feature is provided in the .NET Framework 1.1. Use SSL for format authentication You can use SSL protection credentials and authentication cookies. SSL prevents attackers from capturing credentials or table single authentication cookies to the application to prove your identity. Stealing authentication cookie is stealing login. Set requestl = "true". This will set the Secure property in the cookie, which ensures that you do not transfer cookies from the browser to the server via the HTTP link. HTTPS (SSL) is required. Note this is the setting of the .NET Framework 1.1. It uses a clear program that sets the Cookie's Secure property in an application built from version 1.0. For more information and sample code, see Module 10 Generating a secure ASP.NET web page and control. If you don't use SSL, set slidingexpiration = "false" to secure the cookie's timeout period to a certain period of time (in minutes) by setting the SlidingExPiration to false. Otherwise, the timeout time should be updated for each web server. If cookie is captured, it will provide an attacker enough time to access your application as a user who has passed authentication. Note This feature is provided in .NET Framework 1.1. Do not use User credentials can be stored in the XML configuration file to support rapid development and limited testing. Please do not use the actual end user credentials. The end user credentials should not be stored in the profile on the production server. Production applications should implement custom user credentials, for example, in the SQL Server database. Configuring MachineKey The Use the unique cookie name and path Unique Name and Path property values. Make sure the name has uniqueness, prevent problems when multiple applications on the same server can be prevented. Back to top Authorize Unless the user has a clear resource access, such as a special web page, resource file, directory, etc., whether it is configured to refuse access by default. ASP.NET provides two configurable gateway guards that can be used to control access to restricted resources. From: • File authorization. This gateway is implemented by the ASP.NET FileAuthorizationModule HTTP module. • URL authorization. This gateway guard is implemented by the ASP.NET UrlauthorizationModule HTTP module. Document authorization This gateway guards only with Windows authentication and with the following configuration. When using Windows authentication, this gatekeeper will be automatically valid without simulation. To configure the gateway guard, configure the Windows ACL on the file and folder. Note that the gateway guards only controls access to file types that are mapped by IIS to the following ASP.NET ISAPI extended: aspnet_isapi.dll. URL authorization Use this gateway guards any application. It is configured using the
Users = "[* |? | Name]" * - all users ? - Anonymous users [name] - Named User Roles = "[Name]" -> URL license The following instructions help you successfully configure the URL authorization: • Authorization settings in web.config are usually applied to all files in all of their subdirectors unless the subdirectory contains its own Web.config. In this case, the settings in the subdirectory overwrite the settings of the parent directory. • URL authorization is applied only to file types that are mapped by IIS to ASP.NET ISAPI extensions: ASPNET_ISAPI.DLL. • When an application uses Windows authentication, a Visit permission is granted for Windows users and group accounts. The username takes the format of "Authority / WindowsUsername", and the role name takes "Authority / WindowsGroupName" format, "Authority" here can be a domain name or native name, depending on the account type. Many people are well known to the "Builtin" string. For example, a local administrator group is represented as "Builtin / Administrators". The local user group is represented as "Builtin / Users". Note that for .NET Framework 1.0, the agency name, and group names are case sensitive. Group names must match the group names that appear in Windows. • When the application uses a table single authentication, the custom user and role authorization maintained in the custom user store. For example, if you use a form to authenticate a user who access a database, you can authorize according to the role you retrieved from the database. • You can use the Back to top Session status Applications that depend on each user session status can store session status at the following location: • In the ASP.NET work process • In the Process Status Service (can run on the web server or remote server) • In SQL Server Data Storage The relevant location is stored with the connection details in the StateConnectionstring = "TCPIP = 127.0.0.1: 42424" STATENETWORKTIMEOUT = "10" SqlConnectionstring = "DATA Source = 127.0.0.1; Integrated Security = SSPI " Cookieles = "false" Timeout = "20" /> Note If you do not use the ASP.NET status service on a web server, you can use the MMC service management unit to disable the service. Make sure the SQL Server session status storage area If you are using SQL Server session status storage, the following suggestions help ensure the security of the session state: • Use Windows Authentication for Database • Encryption SQLConnectionstring • Limit application login in the database • Make sure channel security For more information on setting up a SQL Server session status storage database, see Microsoft Knowledge Base Article 311209 How To: Configure ASP.NET for Persistent SQL Server Session State Management (English). Use Windows authentication for the database If you use Mode = "SQLServer", you can use Windows authentication to connect to the status database and use the minimum privilege account, such as a copy of the local ASPNET account. This means you can use trusted connections without having to provide credentials in the connection string, so the credentials will not be transmitted to the database over the network. Encryption SQLConnectionString You can encrypt the SQLConnectionstring property value using the ASPNETREG.EXE tool. This is especially important if you use SQL authentication to the status database, because the credentials are in the connection string, but also recommended using the above encryption when using Windows authentication. • Encryption SqlConnectionstring 1. Run the following command from the command prompt. ASPNET_SETREG -K: Software / Yourapp / sessionState -c: {Your connection string} This command stores the encrypted connection string in the specified registry key and secures the registry key by restricted ACL, which grants full control permissions for System, Administrators, and CreatR Owner. 2. Reconfigure the Sqlconnectionstring = "Registry: HKLM / Software / Yourapp / sessionState / Aspnet_setreg, sqlconnectionstring "/> 3. Use regedt32.exe to create an ACL on the registry key to grant read permissions for the ASP.NET process account. Limit application login in the database The application of the application in the database should be restricted so that the application can only access the required status table and the ASP.NET to query the stored procedure of the database. • Restrict the application login in the status database 1. Create a replicated local account copy on the status database server using the same name and strong password running the ASP.NET application. For more information on accessing the remote database using the ASPNET account, see Data Access behind this module. 2. Create a local Windows group (such as ASPNETWebApps) on the database server and add the local ASPNET account to the group. 3. Grant access to SQL Server is granted to the Windows group via newly entered the WINDOWS group. SP_GrantLogin 'Machine / ASPNetWebApps' Note The name of the database server replaces Machine. 4. Grant SQL login access to the ASPSTATE database. The following T-SQL will create a database user named WebAppuser and associate the login. Use aspstate Go sp_grantdbaccess 'Machine / AspNetWebApps', 'WebAppuser' 5. Create a user-defined database role. Use aspstate Go SP_ADDROLE 'WebAppUserRole' 6. Add a database user to a new database role. Use aspstate Go sp_addrolemember ',' WebAppuser'7. Configure permissions for database role in the database. Grant execution permission to the stored procedure provided with the AspState database. Grant Execute On CreateTemptables to WebAppuserrole Repeat this command with all stored procedures provided with the ASPSTATE database. View your full list using the SQL Server Enterprise Manager. Make sure channel security To protect the sensitive session status of the network over the web server and remote status storage, you should use IPSec or SSL to ensure the security of the channels of the two servers. This provides privacy and integrity for session status data across the network. If you use SSL, you must install server certificates on the database server. For more information on using SSL on SQL Server, see Module 18 to ensure the security of the database server. Ensure the security of the processed status service If you use Mode = StareServer, the following suggestions help ensure the security of the session state: • Run Status Services using minimum privilege account • Make sure channel security • Consider changing the default port • Encrypted status connection string Run Status Services using minimum privileged account By default, the ASPNET Local Minimal Privilege Account Run Status service will be used. There is no need to change this configuration. Make sure channel security If the status service is on a remote server, you should use IPSec to secure the secure to remote status storage to ensure that the user status remains privacy and will not be modified. Consider changing the default port ASP.NET Status Services listens on port 42424. In order to avoid using this well-known default port, you can change the port by editing the following registry key: HKLM / SYSTEM / CURRENTCONTROLSET / SERVICES / ASPNET_STATE / PARAMETERS The port number is defined by a value named Port. If you change the port number in the registry, for example, change to 45678, you must change the connection string in the StateConnectionstring = "TCPIP = 127.0.0.1: 45678" Encrypt STATECONNECTIONSTRING You can encrypt the StateConnectionstring property value to hide the status stored IP address and port number. Use the ASPNET_SETREG.EXE tool. • Encrypt STATECONNectionstring 1. Run the following command from the command prompt. ASPNET_SETREG -K: Software / Yourapp / sessionState -d: {Connection String} This command stores the encrypted connection string in the specified registry key and secures the registry key by restricted ACL, which grants full control permissions for System, Administrators, and CreatR Owner. 2. Reconfigure the Sqlconnectionstring = "Registry: HKLM / Software / Yourapp / sessionState / ASPNET_SETREG, SQLCONNECTIONSTRING "... /> 3. Use regedt32.exe to create an ACL on the registry key to grant read permissions for the ASP.NET process account. Back to top View status If the application uses view status, you must use Message Verification Code (MAC) to protect to ensure that this view status will not be modified on the client. You can use By default, the EnableViewStateMac property on the EnableViewState = "true" enableviewStateMac = "true" Autoeventwireup = "true" validaterequest = "true" /> If you use a view status, make sure the enableViewStateMac is set to true. Back to top Computer key DecryptionKey = "Autogenerate, isolateApps" Validation = "Sha1" /> Consider the following suggestions when configuring • Use a unique encryption key for multiple applications • Setting validation = "sha1" • Manually generate keys for web field Use a unique encryption key for multiple applications If you reside multiple applications on a web server, you should use a unique key for each application on your computer, not a key to all applications. This avoids in a resident environment, an application can spoof view status or encrypted forms authentication cookie. You should also use IsolateApps settings. This is the new setting in .NET Framework 1.1, used to indicate ASP.NET to automatically generate encryption keys, and make each application key is unique. Set validation = "sha1" The value of the Validation property specifies the integrity check used by the page-level view state. Possible values are "SHA1", "MD5" and "3Des". If protection = "all" is used on the Note: Table Single authentication cookie encryption is independent of the ValidationKey setting, which is based on the DecryptionKey property. If Validation = "SHA1" is set on You can also set the validation property to MD5. SHA1 should be used because the hash value generated by this algorithm is larger than the MD5, so safer. If Validation = "3DES" is set on Manually generate a key for Web field In a web field, a clear key value must be set and the same key value is used on all computers in the Web field. See the webfield considerations behind this module. Back to top debugging This element controls the compilation process. Be sure to disable debug compilation on the production server. Set debug = "false" as follows: By default, temporary files will be created and compiled in the following directory: % WINNT% / Microsoft.Net / Framework / {version} / Temporary ASP.NET FILES You can specify the location of each application using the Tempdirectory property, but this property has no advantage in terms of security. Note that the ASP.NET process identification specified on the Make sure not to store debug files (extensions .pdb) and assembly on the production server. Back to top track Tracking should not be enabled on the production server, as system-level tracking information may provide a great help to an attacker understanding the application and finding weaknesses. You can use the RequestLimit = "10" tracemode = "sortbytime" /> If you really need to track the event of an active application, it is best to simulate problems in the test environment, or enable tracking and set locally = "true" (if needed), to prevent tracking details from returning to the remote client. Back to top Abnormal management Unusual details are not allowed to return from the web application to the client. Malicious users may utilize system-level diagnostic information to understand the application and find weak points that can be utilized when they attack. Make sure to set the Mode property to ON and specify the default redirection page, as shown below: With the DEFAULTREDIRECT property, you can use the application's custom error page, for example, in which the details of the support contact can be included. Be careful not to use mode = "OFF" because this may return a detailed error page containing system level information to the client. If you want a different error type to return a separate error page, one or more Back to top Remote processing Do not disclose the .NET remote processing endpoint on the web server accessing the Internet. To disable remote processing, you can disable requests for these extensions by mapping requests to HTTPFORBIDENHANDERs to HTTPFORBIDENHANDERs. Use the following elements under . Note that this does not prevent Web applications from using a web application to connect to the downstream objects using the remote processing infrastructure. However, it prevents clients from connecting to objects on the web server. Back to top Web Services Web Services can be configured using the • Disable unwanted Web Services • Disable unused protocol • Prohibition of automatically generate WSDL Disable unwanted web services If you don't use Web Services, you can disable Web Services by mapping a request for .asmx (Web Services) file extensions to HttpForbiddenhandler in Machine.Config, as shown below: Disable unused protocol -> -> The attacked face can be reduced by disabling unnecessary protocols (including HTTPPOST and HTTPGET). For example, an external attacker may embed a malicious link in an email, so that internal Web Services is performed using the end user's security context. Disabling HTTPGET protocol is an effective countermeasure. This is similar to the XSS attack in many ways. The difference in this attack is that it uses the If the production server provides web services that can be publicly searched, HTTPGET and HTTPPPOST must be enabled so that you can search for this service. Prohibited automatically generate WSDL Document Protocol is used to dynamically generate a Web Services Description Language (WSDL). WSDL describes the characteristics of Web Services, such as the method of the service, and supported protocols. The client uses this information to build a message in the corresponding format. By default, Web Services will disclose WSDL, allowing any users who can connect to the web server via the Internet. Sometimes, you may need to manually distribute the WSDL file to your partner to prohibit public access. In this way, the development team can distribute each Web Services. WSDL file to the business group, respectively. Then, the business group is distributed to a designated partner that needs to use Web Services. To disable the document protocol, you should comment on the protocol in Machine.Config, as shown below: -> Back to top Forbidden resources from access To prohibit downloading protected resources and files via HTTP, map these resources and files to the HttpForbiddenhandler of ASP.NET. The protected resource is mapped to the HTTPFORBIDDENHANDLERHTTP handler under the • The following file extension is mapped to the HTTP handler in Machine.config: • .aspx is used for the ASP.NET page. • .Rem and. SoAP are used for remote processing. • .asmx is used for web services. • .asax, .scx, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .ssp, .licx, .resx, .resources are protected resources, being mapped to System.Web.httpForbiddenhandler . For the .NET Framework resource, if you do not use a file extension, map the extension to System.Web.httpForbiddenhandler in Machine.Config, as shown in the following example: In this example, the .vbproj file extension maps to System.Web.httpForbiddenhandler. If the client requests the path ended with .vbProj, ASP.NET will return a message, indicating "this type of page is not served" (this type of page cannot be provided). • The following guidelines apply to handle the .NET Framework file extension: • You will map unused extensions to HttpForbiddenhandler. If the ASP.NET page is not provided, the .aspx is mapped to HttpForbiddenhandler. If you don't use Web Services, map .asmx maps to HttpForbiddenhandler. • Disable remote processing on the web server accessing the Internet. The remote processing extension (.soap, and .rem) on the web server access to the Internet is mapped to HTTPFORBIDENHANDELER. Back to top bin directory The bin directory under the ASP.NET application virtual root directory contains the application's private assembly, and if the code hidden file is used during the development process, the page-level implementation of the application is included. Make sure the bin directory is safe Make sure the application's bin directory is secure and prevent unintentional download business logic: • Delete web privileges. • Delete all authentication settings. Delete web privileges Use IIS management unit to ensure that bin directory does not have read, write or directory browsing permissions. Also make sure to set "Execute" permissions to "None". Delete all authentication settings Use the IIS management unit to remove authentication settings from a bin directory. This will cause all access to be rejected. Back to top Event log Minimal privilege accounts (such as ASPNET) have sufficient permissions, you can use existing event sources to write records in the event log. However, its permissions are not enough to create new event sources. To create new event sources, you must join a new entry under the following registry: HKEY_LOCAL_MACHINE / SYSTEM / CURRENTCONTROLSET / SERVICES / EVENTLOG / To avoid this problem, if you have administrator privilege, you can create an event source when you install. This class can be instantiated using the .NET installer class, by the Windows installer (if you are using .msi deployment) or installutil.exe system utility (if you do not use. Msi deployment). For more information on how to use the event log installer, see Module 10 Build a secure ASP.NET web page and control. If you cannot create an event source when installing, you must add permissions to the following registry key and grant access to the ASP.NET process account or any analog account (if the application uses analog). HKEY_LOCAL_MACHINE / SYSTEM / CURRENTCONTROLSET / SERVICES / EVENTLOG Accounts must have at least the following permissions: • Query key value • Setting key value • Create a sub-key • Enumeration sub-key • Notification • Read Back to top File access Any file accessed accessed in the ACL must have an access control (ACE), at least an ASP.NET process account or analog identifier to a read permissions. Typically, the ACL is configured on the directory and then the file inherits the setting. In addition to using NTFS permissions to limit access to files and directories, you can use ASP.NET trust levels to limit Web applications and Web Services to limit which areas can access file systems. For example, medium trusted web applications can only access files in their own virtual directory hierarchy. For more information on the ASP.NET CAS policy, see Module 9 ASP.NET Code Access Security. Back to top ACL and permissions ASP.NET Process Accounts and (for specific directories) Any analog identifier (if the application uses analog) requires the following NTFS permissions. In addition to the permissions required to access the application-specific file system resource, the permissions shown in Table Table 19.3 should be used. Table 19.3: NTFS permissions required for ASP.NET process accounts Directory Required Permissions Temporary ASP.NET Files% WINDIR% / Microsoft.Net / Framework / {Version} Temporary ASP.NET Files Process Account and Analog Identification: Fully Control Temporary Directory (% Temp%) Process Account fully controlled .NET Framework directory % WINDIR% / Microsoft.net / framework / {version} Process account and analog ID: read and execute the folder content read .NET Framework configuration directory% windir% / microsoft.net / framework / {version} / config Process account and analog identification: read and execute a folder content reading Website root root C: / INETPUB / WWWWROOT or default website pointing path Process Account: Read System Root Directory% WINDIR% / System32 Process Account: Read Global Assembly Cache% WINDIR% / Assembly Process Account and Analog Identity: Read Content Directory C: / INETPUB / WWWROOT / YOURWEBAPP Process Account: Read and Execute List Folder Content Read Note For .NET Framework 1.0 until All parent directory of the file system root directory also requires the above permissions. The parent directory includes: C: / C: / INETPUB / C: / INETPUB / WWWROOT / Back to top Registry Any registry entry accessed by the application must have an ACE in the ACL, at least an ASP.NET process account or analog identifier to read permissions. Back to top data access To access a remote database from an ASP.NET application using Windows authentication, you can use the following methods: • Using the default ASP.NET process account. By creating a mirror account for the same username and password on the database server, you can use the default ASP.NET process account. On Windows 2000, the default process account is ASPNET. On Windows Server 2003, the default process account is NetWorkService. A disadvantage of using the local account is that if you can dump the SAM database (need to manage privileges), you can access the credentials. The main advantage is that the local account can be delineated according to a specific server, which is difficult to implement when using domain accounts. • Run the ASP.NET using the minimum privilege domain account. This method can simplify management, which means that the password of the synchronous mirror account is not required. If the web server and database server are in a stand-alone non-confidence domain, or the firewall spaced the two servers, and the firewall does not allow Windows authentication to use the required ports, the method cannot be used. • Simulate anonymous web account. If you use a form or Passport authentication, you can simulate anonymous web account (the default account is IUSR_MACHINE) and create a mirror account on the Database server. This method can be used if the scenario resides multiple web applications on the same Web server. You can use IIS to configure different anonymous accounts for each application's virtual directory. On Windows Server 2003, you can run multiple applications in a stand-alone working process, using the IIS 6.0 application pool and configure separate identity for each application pool. Configuring data access for ASP.NET applications Regardless of which method is used, it should restrict the application account in the database. To do this, create a SQL Server login for your account and grant access to the required database, then restrict its permissions, so that it can only access the minimum database object you need. Ideally, permissions should be restricted, allowing logins to access the stored procedures used by the application or Web Services. The following procedure assumes that the mirrored local account is used, but the domain account can use the same method to limit the capabilities of the account in the database. • Configuring database access for ASP.NET applications 1. Use the Computer Management Tool to change the password of the local ASPNET account on the web server to a known strong password. In order to create a mirror account on the database server, you need to do this. 2. Changing the password property on the Go sp_grantdbaccess 'Machine / ASPNetWebApp', 'WebAppuser' 7. Create a user-defined database role. Use youdatabase Go SP_ADDROLE 'WebAppUserRole' 8. Add database users to your new database role. Use youdatabase Go Sp_addroleMember 'WebAppuserRole', 'WebAppuser' 9. Configure the permissions to the database role in the database. Ideally, the stored procedures used only for the application query the database, not the permissions of the direct access table. Grant Execute On Sprocname to WebAppUserrole Back to top UNC sharing ASP.NET applications can use UNC sharing by two main methods: • Access files on UNC shares For example, the application must access the //remoteserver/share/somefile.dat and other remote files. • The IIS virtual directory of the application application on UNC sharing is mapped to remote sharing, such as // RemoteServer / AppName. In this scenario, HTTP requests are processed by the web server, but the application's web page, resource, and private assemblies are located on remote sharing. Access files on UNC sharing If the application accesses files on UNC sharing, ASP.NET process accounts or any analog identifiers must have the corresponding access to the sharing and basic directory or files. If you use a local ASPNET process account, you must create a mirror account on the remote server using the appropriate username and password, or you must create a minimum privilege domain account that you have access to both servers. On Windows Server 2003, the NetworkService account for running the ASP.NET web application can authenticate via the network, so you only need to grant access to your computer account. Resident application in UNC sharing You can use IIS to configure the virtual directory to point to UNC shares on other computers, such as // RemoteServer / AppName. When doing this, IIS will prompt you to provide account credentials for establishing a connection with a remote computer. Note: The account credentials are stored in the IIS metal database in encrypted format, but can be obtained through the API. It should be ensured that the minimum privileged account is used. For more information, see Microsoft Knowledge Base Articles 280383 IIS Security Recommendations When You Use A UNC Share and UserName and Password Credentials. If the application resides in UNC sharing unless analog is enabled, ASP.NET will simulate the UNC token provided by IIS (creating account credentials provided for IIS), as follows The configuration shown in: Username = "Registry: HKLM / Software / Yourapp / Identity / Aspnet_SetReg, Username" Password = "registry: hklm / slowware / yourapp / identity / aspnet_setreg, password" /> If the fixed analog account is provided via the username and password properties, ASP.NET will use this account instead of using the IIS UNC token to access sharing. The fixed analog account will also be used when an application accesss any resource. Note In the above example, the encrypted account credentials have been stored in the registry using ASPNET_SETREG.EXE. If you use the following configuration, the original call party (identified by IIS authentication) simulation is used, although the application will use analog tokens when the application accesss any resources, but ASP.NET will still use the token provided by UNC to access the shared Application file. Note: The account for UNC shares must also be able to read Machine.config. Code Access Security Notes The code access security policy is granted to the Intranet permission set for applications on UNC sharing. The intranet rights set does not include the ASPNETHOSTINGPERMISSION required for the ASP.NET web application runtime, so the application will not be able to run if the policy is not explicitly modified. The following two methods can be used: • A fully trust level for UNC sharing for resident applications. This is the simplest management method, if you run .NET Framework 1.0, you can only use this method because ASP.NET 1.0 web applications need to fully trust. • Configure the code access security policy to grant the code to AspNethostingPermission and any other permissions thereafter (depending on the resource type accessed by the code). Since ASP.NET dynamically creates a code and compile page classes, you must use code groups to the UNC and Temporary ASP.NET Files directories when configuring policies. The default temporary directory is /Winnt/Microsoft.Net/framework/ {version} / temptorary ASP.NET FILES, but you can use the TempDirectory property of the Back to top COM / DCOM resources The application will use the process ID or analog ID when calling COM-based resources (such as service components). The client's authentication and analog level are configured using the ComautsSonation Level and ComimPersonation level properties on the For more information and suggestions, see Module 17 Make sure the Enterprise Service Precautions in the Security of the Application Server. Back to top Refusal service consideration ASP.NET's following features can help you deal with the Denial of Service for ASP.NET applications: • By default, POST request is limited to 4 MB. • Check the client to make sure the client is still in the connection status before requested to enter the work queue. This prevents the attacker from disconnecting the client after sending multiple requests. • After the restriction time is configured, the request is required to perform the operation timeout. The configuration value is kept on the MaxRequestLength = "4096" UsefullyqualifiedRedirectURL = "false" Minfreethreads = "8" MinLocalRequestFreethreads = "4" appRequestQueuelimit = "100" EnableVersionHeader = "True" /> You may need to reduce the value of the maxRequestLength property to prevent users from uploading a lot of files. The maximum allowed is 4 MB. In the Open Hack competition, MaxRequestLength is limited to 1/2 MB, as shown in the following example: Note ASP.NET cannot resolve the data package level attack. The data package level attack must be resolved by strengthening the TCP / IP stack. For more information on how to configure TCP / IP stack, see "How to" section in this guide: Strengthen TCP / IP stack security. Back to top WEB precautions If the ASP.NET web application runs in the web field, it cannot guarantee that the continuous request from the same client is handled by the same web server. This will affect: • Session Status • Encryption and Verification • DPAPI Session status In order to avoid the interaction of the server, the ASP.NET session state outside the process can be reserved in the ASP.NET SQL Server status database, or the processes outside the remote computer running on the remote computer. For more information on how to ensure security in remote status storage, participate in the session status section in front of this document. Encryption and verification The key for encryption and verification forms authentication cookie and view status must be the same on all servers in the web field. The AutoGenerate setting on the For more information on how to generate and configure keys, see Microsoft Knowledge Base Article 312906 How To: Create Keys by Using Visual C # .NET for Use in Forms Authentication. DPAPI In order to encrypt data, developers sometimes use DPAPI. If you store confidential, encrypted strings using DPAPI and computer key storage, encrypted data for the specified computer, without copying encrypted data between each computer in a web or cluster. If you use a DPAPI and a user key, the data can be decrypted on any computer having a roaming user profile. However, it is not recommended because any computer that can use an account for encrypting data on the network will be decrypted on the data. DPAPI is ideal for configuring confidentiality on the web server, such as database connection strings. If the encrypted data is stored on the remote server (eg, in the database), other encryption techniques should be used. For more information on how to store encrypted data in the database, see Module 14 Build a secure data access. Back to top Safety ASP.NET application snapshot The following snapshot shows the properties of the secure ASP.NET application so you can easily and quickly compare the settings with your own configuration. Table 19.4: Snapshot of Security ASP.NET Application Configuration Component Features Process Logo Sp .NET Work Process As ASPNET: Password = "AutoGenerate" /> Custom Account (if used) is the minimum privilege account. Customize credentials encryption in the registry: Process / aspnet_setReg, UserName Password = "Registry: hklm / software / yourapp / Process / aspnet_setReg, Password "/> Analog analog identifier encryption in the registry: Username = "Registry: hklm / software / yourapp / Identity / Aspnet_SetReg, UserName Password = "Registry: hklm / software / yourapp / Identity / aspnet_setReg, Password "/> Authentication website is divided into public access zones and restricted access zones. Table Single authentication configuration is safe: Protection = "all" Requiressl = "True" TIMEOUT = "10" Name = "AppnameCookie" Path = "/ formsauth" SlidingExpiration = "true" /> encrypts and integrity checking authentication cookies. Authentication cookies need to use SSL. If you do not use SSL, the sliding deadline should be set to false. Session life is restricted. The cookie name and path are unique. Do not use the DecryptionKey = "Autogenerate, isolateApps" Validation = "SHA1" /> Disabled resource protected resources map to System.Web.httpForbiddenhandler. Debug disable debug internal version: tag to use the
tag on the public access web page to embed the GET Web Services. Both attacks allow external users to call internal Web Services. Disable protocols can reduce risks.
