Step 16. Machine.Config


This section covers hardening information about machine level settings that apply to all applications. For application specific hardening settings, see Chapter 19, "Securing Your ASP.NET Application."

The Machine.config file maintains numerous machine wide settings for the .NET Framework, many of which affect security. Machine.config is located in the following directory:

%windir%\Microsoft.NET\Framework\{version}\CONFIG

Note  

You can use any text or XML editor (Notepad, for example) to edit XML configuration files. XML tags are case sensitive, so be sure to use the correct case.

During this step, you:

  • Map protected resources to HttpForbiddenHandler.

  • Verify that tracing is disabled.

  • Verify that debug compiles are disabled.

  • Verify that ASP.NET errors are not returned to the client.

  • Verify session state settings.

Map Protected Resources to HttpForbiddenHandler

HTTP handlers are located in Machine.config beneath the <httpHandlers> element. HTTP handlers are responsible for processing Web requests for specific file extensions. Remoting should not be enabled on front-end Web servers; enable Remoting only on middle-tier application servers that are isolated from the Internet.

The following file extensions are mapped in Machine.config to HTTP handlers:

  • .aspx is used for ASP.NET pages.

  • .rem and .soap are used for Remoting.

  • .asmx is used for Web Services.

  • .asax, .ascx, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .asp, .licx, .resx, and .resources are protected resources and are mapped to System.Web.HttpForbiddenHandler.

If your applications do not use a particular .NET Framework file extension, map that extension to System.Web.HttpForbiddenHandler in Machine.config, as shown in the following example:

 <add verb="*" path="*.vbproj" type="System.Web.HttpForbiddenHandler" />

In this case, the .vbproj file extension is mapped to System.Web.HttpForbiddenHandler. If a client requests a path that ends with .vbproj, ASP.NET returns a message that states "This type of page is not served."

The following guidelines apply to handling .NET Framework file extensions:

  • Map extensions you do not use to HttpForbiddenHandler. If you do not serve ASP.NET pages, map .aspx to HttpForbiddenHandler. If you do not use Web Services, map .asmx to HttpForbiddenHandler.

  • Disable Remoting on Internet-facing Web servers. Map the Remoting extensions (.soap and .rem) to HttpForbiddenHandler on Internet-facing Web servers.

Disable .NET Remoting

To disable .NET Remoting, reject requests for the .rem and .soap extensions by adding the following elements beneath <httpHandlers>:

 <add verb="*" path="*.rem" type="System.Web.HttpForbiddenHandler"/>
 <add verb="*" path="*.soap" type="System.Web.HttpForbiddenHandler"/>

Note

This does not prevent a Web application on the Web server from connecting to a downstream object by using the Remoting infrastructure. However, it prevents clients from connecting to objects on the Web server.

Verify That Tracing Is Disabled

You configure tracing in Machine.config by using the <trace> element. Tracing is useful on development and test servers, but do not enable it on production servers, because system-level trace information (request headers, cookies, server variables, and page timings) can greatly assist an attacker in profiling an application and probing for weak spots.

Use the following configuration on production servers:

 <trace enabled="false" localOnly="true" pageOutput="false" requestLimit="10" traceMode="SortByTime"/>

Set enabled="false" on production servers. If you do need to trace problems with live applications, simulate the problem in a test environment, or if necessary, enable tracing and set localOnly="true" to prevent trace details from being returned to remote clients.

Verify That Debug Compiles Are Disabled

You can control whether or not the compiler produces debug builds that include debug symbols by using the <compilation> element. To turn off debug compiles, set debug="false" as shown below:

 <compilation debug="false" explicit="true" defaultLanguage="vb" /> 

Verify That ASP.NET Errors Are Not Returned to Clients

You can use the <customErrors> element to configure custom, generic error messages that should be returned to the client in the event of an application exception condition.

Make sure that the mode attribute is set to "RemoteOnly" as shown in the following example:

 <customErrors mode="RemoteOnly" /> 

After installing an ASP.NET application, you can configure the setting to point to your custom error page as shown in the following example:

 <customErrors mode="On" defaultRedirect="YourErrorPage.htm" /> 

Verify Session State Settings

If you do not use session state, verify that session state is disabled in Machine.config as shown in the following example:

 <sessionState mode="Off" . . . /> 

Also, ensure that the ASP.NET State Service is disabled. The default session state mode is "InProc" and the ASP.NET State Service is set to manual. For more information about securing session state if you install an ASP.NET application that requires it, see "Session State," in Chapter 19, "Securing Your ASP.NET Application and Web Services."
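The following Python script, an added example rather than code from the book, ties the five checks in this step together. It parses a Machine.config-style document, resolves each protected extension the way ASP.NET's handler lookup does (the first <add> entry in file order whose verb and path pattern match wins, which is why the catch-all path="*" entry is last in Machine.config), reports any extension that does not reach HttpForbiddenHandler, and checks the <trace>, <compilation>, <customErrors>, and <sessionState> settings described above. A harden() function then rewrites the document to the prescribed values so that the audit passes. The embedded configuration is constructed for the example and abbreviated (assembly names are omitted from the type attributes); the lookup is a simplification that matches patterns against the last path segment only; and the function names (audit, harden, resolve) and the uses_session_state parameter are the example's own, not part of the .NET Framework.

```python
"""Audit and remediate the Step 16 Machine.config settings (added example,
not code from the book; the embedded configuration below is constructed)."""
import fnmatch
import xml.etree.ElementTree as ET

FORBIDDEN = "System.Web.HttpForbiddenHandler"
# Remoting extensions plus the protected resources listed in Step 16.
MUST_FORBID = [".rem", ".soap", ".asax", ".ascx", ".config", ".cs", ".csproj",
               ".vb", ".vbproj", ".webinfo", ".asp", ".licx", ".resx", ".resources"]

# Constructed weak sample (assembly names dropped from type attributes):
# Remoting reachable, .vbproj unmapped so the catch-all path="*" entry serves
# it, tracing and debug compiles on, raw ASP.NET errors returned to clients.
PROTECTED_ADDS = "\n      ".join(
    f'<add verb="*" path="*{e}" type="{FORBIDDEN}" />'
    for e in MUST_FORBID if e not in (".rem", ".soap", ".vbproj"))
WEAK_CONFIG = f"""<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.aspx" type="System.Web.UI.PageHandlerFactory" />
      <add verb="*" path="*.rem" type="System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory" />
      <add verb="*" path="*.soap" type="System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory" />
      <add verb="*" path="*.asmx" type="System.Web.Services.Protocols.WebServiceHandlerFactory" />
      {PROTECTED_ADDS}
      <add verb="*" path="*" type="System.Web.StaticFileHandler" />
    </httpHandlers>
    <trace enabled="true" localOnly="false" />
    <compilation debug="true" />
    <customErrors mode="Off" />
    <sessionState mode="InProc" />
  </system.web>
</configuration>"""


def load_handlers(root):
    """<httpHandlers>/<add> entries in file order as (verbs, path, type);
    the assembly part of the type name is dropped."""
    return [([v.strip().upper() for v in a.get("verb", "*").split(",")],
             a.get("path", ""), a.get("type", "").split(",")[0].strip())
            for a in root.findall("./system.web/httpHandlers/add")]


def handler_for(handlers, verb, request_path):
    """Approximates ASP.NET's lookup: entries are tried in file order and the
    first whose verb and pattern match wins (hence the catch-all must be last).
    Simplification: patterns are matched, case-insensitively, against the last
    path segment only."""
    name = request_path.rsplit("/", 1)[-1].lower()
    for verbs, pattern, htype in handlers:
        if ("*" in verbs or verb.upper() in verbs) and fnmatch.fnmatchcase(name, pattern.lower()):
            return htype
    return None


def resolve(config_xml, request_path, verb="GET"):
    return handler_for(load_handlers(ET.fromstring(config_xml)), verb, request_path)


def audit(config_xml, uses_session_state=False):
    """Run the Step 16 checks; returns the list of findings (empty = pass)."""
    root = ET.fromstring(config_xml)
    web = root.find("system.web")
    handlers = load_handlers(root)
    findings = []
    for ext in MUST_FORBID:
        htype = handler_for(handlers, "GET", "/app/probe" + ext)
        if htype != FORBIDDEN:
            findings.append(f"{ext} is served by {htype or 'no handler'}; map it to HttpForbiddenHandler")

    def attr(tag, name, default):  # lower-cased value, falling back to ASP.NET's default
        el = web.find(tag)
        return (el.get(name, default) if el is not None else default).lower()

    if attr("trace", "enabled", "false") == "true":
        remote = "" if attr("trace", "localOnly", "true") == "true" else " and sent to remote clients"
        findings.append(f"tracing is enabled{remote}; set <trace enabled=\"false\" />")
    if attr("compilation", "debug", "false") == "true":
        findings.append("debug compiles are enabled; set <compilation debug=\"false\" />")
    if attr("customErrors", "mode", "RemoteOnly") == "off":
        findings.append("ASP.NET errors are returned to clients; set <customErrors mode=\"RemoteOnly\" />")
    if not uses_session_state and attr("sessionState", "mode", "InProc") != "off":
        findings.append("session state is unused but not Off; set <sessionState mode=\"Off\" />")
    return findings


def harden(config_xml, uses_session_state=False):
    """Rewrite config_xml so that audit() passes: retype existing entries for the
    MUST_FORBID extensions, insert missing ones ahead of the catch-all, and set
    the <trace>, <compilation>, <customErrors> and <sessionState> attributes."""
    root = ET.fromstring(config_xml)
    web = root.find("system.web")
    section = web.find("httpHandlers")
    by_path = {a.get("path", "").lower(): a for a in section.findall("add")}
    for ext in MUST_FORBID:
        add = by_path.get("*" + ext)
        if add is None:
            add = ET.Element("add", verb="*", path="*" + ext)
            section.insert(0, add)
        add.set("type", FORBIDDEN)
    wanted = {"trace": {"enabled": "false", "localOnly": "true"},
              "compilation": {"debug": "false"}, "customErrors": {"mode": "RemoteOnly"}}
    if not uses_session_state:
        wanted["sessionState"] = {"mode": "Off"}
    for tag, attrs in wanted.items():
        el = web.find(tag)
        if el is None:
            el = ET.SubElement(web, tag)
        for key, value in attrs.items():
            el.set(key, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("FAIL:", finding)
    print("after harden():", audit(harden(WEAK_CONFIG)) or "all checks pass")
```

To check a real server, pass the contents of the Machine.config file to audit(); pass uses_session_state=True where the server hosts applications that need session state, because setting mode="Off" would break them. Note that harden() deliberately leaves .aspx and .asmx alone, since whether they belong on the forbidden list depends on whether the server serves ASP.NET pages or Web Services.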




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613