ASP Dot Net Security Guidelines

From: Douglas Spooner (webmaster@technicweb.com)
Date: 09/11/02


From: Douglas Spooner <webmaster@technicweb.com>
To: "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Wed, 11 Sep 2002 17:49:35 +0100

Hi

As the title suggests I've been looking into the security issues that the
dot net platform brings with it.

Our developers are mainly looking to use the new functionality of .aspx and
xml web services, and of course it is connected to a sql 2000 server that
runs separated from the box.

I have done some tests on a dev machine, i.e. locking down the entire system
with just system / admin ntfs permissions then use filemon from sysinternals
to set the permissions as it brings up access denied errors on the file
system.

I also disabled un-needed services, locking down ports, latest patches,
renaming accounts, moving dangerous executables from the system directory
(cmd.exe ftp etc).

I've searched asp.net, msdn and google.com but can't seem to find any
guidelines for securing a web server with the dot net platform installed on
it. Well I did find an msdn article but from what it suggested to do, it did
not seem very secure. (everyone read/list permissions all over the place)

Has anyone had any experience with this and wouldn't mind sharing any tips
or guides as I want to make sure what I've done is erm secure if that's a
word that can be used.

Also I've been looking at the security templates snap-in and wondering if it
was possible to create my own template with file system permissions on so
when I come to making a production system I can just apply the template and
not spend a good couple of hours applying permissions to a fresh box.

Any comments would be most appreciated!

Regards

Douglas Spooner


