ASP Dot Net Security Guidelines

From: Douglas Spooner
Date: 09/11/02

Date: Wed, 11 Sep 2002 17:49:35 +0100


As the title suggests I've been looking into the security issues that the
dot net platform brings with it.

Our developers are mainly looking to use the new functionality of .aspx and
xml web services, and of course it is connected to a sql 2000 server that
runs separated from the box.

I have done some tests on a dev machine, i.e. locking down the entire system
with just system / admin ntfs permissions then use filemon from sysinternals
to set the permissions as it brings up access denied errors on the file

I also disabled un-needed services, locking down ports, latest patches,
renaming accounts, moving dangerous executables from the system directory
(cmd.exe ftp etc).

I've searched, msdn and but can't seem to find any
guidelines for securing a web server with the dot net platform installed on
it. Well I did find an msdn article but from what it suggested to do, it did
not seem very secure. (everyone read/list permissions all over the place)

Has anyone had any experience with this and wouldn't mind sharing any tips
or guides as I want to make sure what I've done is erm secure if that's a
word that can be used.

Also I've been looking at the security templates snap-in and wondering if it
was possible to create my own template with file system permissions on so
when I come to making a production system I can just apply the template and
not spend a good couple of hours applying permissions to a fresh box.

Any comments would be most appreciated!


Douglas Spooner