ASP.NET Security

Application and server security are paramount considerations for the Web developer. Unfortunately, security considerations are often given a low priority in the design process. Application architecture decisions about authentication, authorization, and user impersonation should be considered carefully and reviewed thoroughly as the application is implemented.

• To launch the Computer Management application from the command prompt, enter start compmgmt.msc. You can also launch the Internet Information Services Management snap-in directly by entering start inetmgr.

• Never use Basic Authentication without requiring Secure Sockets Layer (SSL) so that user credentials are sent in an encrypted form. Using Basic Authentication without encrypting communications is referred to as sending credentials “in the clear” and is a very bad practice.

• A Windows user account is always associated with an executing request. A good way to review the security of a Web application is to walk through what identity is being used by Windows when executing any part of the request.

• Do not run the worker process as an account other than ASPNET unless absolutely necessary. Compromising the worker process that is running as SYSTEM would give an attacker much higher-level permissions than the ASPNET account. Any page will execute as this user unless impersonation is enabled.

• You can force IIS 6 on Windows Server 2003 to use the version 5.0 behavior in the Internet Services Manager by right-clicking the Web Sites folder, selecting Properties, and selecting Run WWW Service In IIS 5.0 Isolation Mode on the Services tab.

• Always use SSL in conjunction with ASP.NET Forms Authentication to secure the transmission of user names, passwords, and authentication tickets from the FormsAuthenticationTickets object.

• RedirectFromLoginPage relies on the user having been redirected to the login page with a query string to know where to redirect them back to. For example, in the URL http://www.contoso.com/login.aspx?ReturnUrl=mypage.aspx, mypage.aspx is the return URL that the user is redirected to. If the user requests the login page directly, he will be sent to the page configured as the default for the Web application in the Internet Services Manager, usually default.aspx.

• Never store user passwords in clear text.

• File Authorization works only against file types that are mapped in the Internet Services Manager to ASP.NET. File types that are not handled by ASP.NET will be subject to the IIS authorization checks.

• Allow and deny tags are processed sequentially by ASP.NET. The first match found is used, so if you allow a user with one statement and deny them with another, the order of elements will determine whether the user gains access.

• Do not set validateRequest=“false” in the page’s configuration element unless absolutely necessary. The better option is to set validate_Request= “false” in the page directive for those pages where validation will be handled in your custom code. Such a page directive is shown on the first line of Code Listing 8-11.

• Call the Server.HTMLEncode method on all user input before displaying it.

• Disable services on the Web server that aren’t being used. For example, if you type net start at the command prompt, you will probably be surprised at the number of services running on the server. You might not need Simple Mail Transfer Protocol (SMTP), Infrared Monitor, or DHCP client running on the server. Look at the demands of the Web application, and be sure that the running services are needed to make the server and the application run correctly.