Snapshot of a Secure ASP.NET Application


The following snapshot view shows the attributes of a secure ASP.NET application and allows you to quickly and easily compare settings with your own configuration.

Table 19.4: Snapshot of a Secure ASP.NET Application Configuration

Component: Process identity
Characteristics:
  - The ASP.NET worker process runs as ASPNET:

        <processModel userName="machine"
                      password="AutoGenerate" />

  - The custom account (if used) is least privileged.
  - The custom account credentials are encrypted in the registry:

        <processModel userName="registry:HKLM\SOFTWARE\YourApp\process\ASPNET_SETREG,userName"
                      password="registry:HKLM\SOFTWARE\YourApp\process\ASPNET_SETREG,password" />

Component: Impersonation
Characteristics:
  - Impersonation identities are encrypted in the registry:

        <identity impersonate="true"
                  userName="registry:HKLM\SOFTWARE\YourApp\identity\ASPNET_SETREG,userName"
                  password="registry:HKLM\SOFTWARE\YourApp\identity\ASPNET_SETREG,password" />

Component: Authentication
Characteristics:
  - The Web site is partitioned for public and restricted access.
  - The Forms authentication configuration is secure:

        <forms loginUrl="Restricted\login.aspx"
               protection="All"
               requireSSL="true"
               timeout="10"
               name="AppNameCookie"
               path="/FormsAuth"
               slidingExpiration="true" />

  - The authentication cookie is encrypted and integrity checked.
  - SSL is required for the authentication cookie.
  - Sliding expiration is set to false if SSL is not used.
  - The session lifetime is restricted.
  - Cookie names and paths are unique.
  - The <credentials> element is not used.

Component: Authorization
Characteristics:
  - ACLs are configured on ASP.NET resources.
  - <authorization> elements are configured.

Component: Session state
Characteristics:
  - The ASP.NET state service is disabled if it is not required:

        <sessionState mode="Off" />

  - The communication channel to the remote state store is encrypted if necessary.
  - Windows authentication is used to connect to the ASPState database.
  - The application login has restricted access to the ASPState database.
  - The connection parameters (sqlConnectionString and stateConnectionString) are encrypted in the registry.
  - The ASP.NET state service is configured for a non-default port.

Component: View state
Characteristics:
  - The view-state MAC is enabled on the <pages> element in Machine.config.

Component: Machine key
Characteristics:
  - The validation attribute is set to SHA1.
  - Keys are unique for each application running on the Web server.
  - ViewState and Forms authentication are protected:

        <machineKey validationKey="AutoGenerate,IsolateApps"
                    decryptionKey="AutoGenerate,IsolateApps"
                    validation="SHA1" />

Component: Forbidden resources
Characteristics:
  - Protected resources are mapped to System.Web.HttpForbiddenHandler.

Component: Debugging
Characteristics:
  - Debug builds are disabled:

        <compilation debug="false" . . .

Component: Tracing
Characteristics:
  - Tracing is disabled:

        <trace enabled='false' localOnly='true' . . .

Component: Exception management
Characteristics:
  - Custom errors are enabled.
  - A default redirect page is used:

        <customErrors mode="On"
                      defaultRedirect="YourErrorPage.htm" />

Component: Remoting
Characteristics:
  - Remoting is disabled on Internet-facing Web servers:

        <httpHandlers>
          <add verb="*" path="*.soap"
               type="System.Web.HttpForbiddenHandler" />
          <add verb="*" path="*.rem"
               type="System.Web.HttpForbiddenHandler" />
          . . .
        </httpHandlers>

Component: Web services
Characteristics:
  - Web services are disabled if they are not required:

        <httpHandlers>
          <add verb="*" path="*.asmx"
               type="System.Web.HttpForbiddenHandler" />
          . . .
        </httpHandlers>

  - Unnecessary protocols are disabled:

        <webServices>
          <protocols>
            <!-- <add name="HttpPost"/> -->
            <!-- <add name="HttpGet"/> -->
            . . .

  - The documentation protocol is disabled to prevent the automatic generation of WSDL:

        <webServices>
          <protocols>
            <!-- <add name="Documentation"/> -->
            . . .

Component: Bin directory
Characteristics:
  - The bin directory is secured (Read, Write, and Directory browsing permissions are removed from bin; Execute permissions are set to None).
  - Authentication settings are removed from the bin directory.
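As an added example that is not part of the book, the following Python script audits a web.config against several of the settings in Table 19.4 (debugging, tracing, custom errors, Forms authentication, view-state MAC and machine key) and reports each deviation it finds. The embedded sample configuration is constructed; the defaults assumed for absent attributes follow ASP.NET 1.1, and the timeout threshold is the script's own choice.

```python
import xml.etree.ElementTree as ET
# Constructed sample web.config that violates several items in Table 19.4.
SAMPLE_WEB_CONFIG = """<configuration><system.web>
  <compilation debug="true" />
  <trace enabled="true" localOnly="false" /><customErrors mode="Off" />
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" protection="All" requireSSL="false"
           timeout="60" slidingExpiration="true" />
  </authentication>
  <pages enableViewStateMac="false" />
  <machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="MD5" />
</system.web></configuration>"""

def _setting(section, tag, attr, default):
    """Attribute of a child element, or the ASP.NET default when it is absent."""
    el = None if section is None else section.find(tag)
    return default if el is None else el.get(attr, default)

def audit_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    sw = next((c for c in root if c.tag == "system.web"), None)
    findings = []
    if _setting(sw, "compilation", "debug", "false").lower() == "true":
        findings.append("compilation: debug builds enabled")
    if _setting(sw, "trace", "enabled", "false").lower() == "true":
        findings.append("trace: tracing enabled")
    if _setting(sw, "customErrors", "mode", "RemoteOnly").lower() == "off":
        findings.append("customErrors: detailed errors sent to remote clients")
    forms = None if sw is None else sw.find("authentication/forms")
    if forms is not None:
        if forms.get("protection", "All") != "All":
            findings.append("forms: cookie not both encrypted and validated")
        ssl = forms.get("requireSSL", "false").lower() == "true"
        if not ssl:
            findings.append("forms: requireSSL is not true")
        if not ssl and forms.get("slidingExpiration", "true").lower() == "true":
            findings.append("forms: slidingExpiration must be false without SSL")
        if int(forms.get("timeout", "30")) >= 30:  # 30 minutes is the default
            findings.append("forms: timeout not reduced below the default")
    if _setting(sw, "pages", "enableViewStateMac", "true").lower() == "false":
        findings.append("pages: view-state MAC disabled")
    if _setting(sw, "machineKey", "validation", "SHA1") != "SHA1":
        findings.append("machineKey: validation is not SHA1")
    for attr in ("validationKey", "decryptionKey"):
        key = _setting(sw, "machineKey", attr, "")  # absent: inherited, not checked
        if key.startswith("AutoGenerate") and "IsolateApps" not in key:
            findings.append(f"machineKey: {attr} lacks IsolateApps")
    return findings
```

Run against the constructed sample it reports ten findings; against a configuration matching Table 19.4 it returns an empty list.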

Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613