Re: ASP Dot Net Security Guidelines

From: cathal connolly (cathal@isoli.co.uk)
Date: 09/11/02


From: "cathal connolly" <cathal@isoli.co.uk>
To: "Douglas Spooner" <webmaster@technicweb.com>, <focus-ms@securityfocus.com>
Date: Wed, 11 Sep 2002 19:54:17 +0100

Basically you'll treat an asp.net application server as you would an asp
application server, which you've more or less done already. There's a good
article on some potential issues at:
http://tiberi.us/view_article.aspx?article_id=27

----- Original Message -----
From: "Douglas Spooner" <webmaster@technicweb.com>
To: <focus-ms@securityfocus.com>
Sent: Wednesday, September 11, 2002 5:49 PM
Subject: ASP Dot Net Security Guidelines

> Hi
>
> As the title suggests I've been looking into the security issues that the
> dot net platform brings with it.
>
> Our developers are mainly looking to use the new functionality of .aspx and
> xml web services, and of course it is connected to a sql 2000 server that
> runs separated from the box.
>
> I have done some tests on a dev machine, i.e. locking down the entire system
> with just system / admin ntfs permissions then use filemon from sysinternals
> to set the permissions as it brings up access denied errors on the file
> system.
>
> I also disabled un-needed services, locking down ports, latest patches,
> renaming accounts, moving dangerous executables from the system directory
> (cmd.exe ftp etc).
>
> I've searched asp.net, msdn and google.com but can't seem to find any
> guidelines for securing a web server with the dot net platform installed on
> it. Well I did find an msdn article but from what it suggested to do, it did
> not seem very secure. (everyone read/list permissions all over the place)
>
> Has anyone had any experience with this and wouldn't mind sharing any tips
> or guides as I want to make sure what I've done is erm secure if that's a
> word that can be used.
>
> Also I've been looking at the security templates snap-in and wondering if it
> was possible to create my own template with file system permissions on so
> when I come to making a production system I can just apply the template and
> not spend a good couple of hours applying permissions to a fresh box.
>
> Any comments would be most appreciated!
>
> Regards
>
> Douglas Spooner
>
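
The lock-down-then-monitor approach described in the quoted message can be made repeatable by summarising a file-monitor log into the smallest set of permissions each process needs. This is an added example, not part of the original thread; the tab-separated column layout, the request names and the sample rows are constructed assumptions, not Filemon's documented export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. Assumed columns: seq, time, process:pid, request, path, result.
ROWS = [
    ["1", "10:01:02", "aspnet_wp.exe:1234", "OPEN", r"C:\Inetpub\wwwroot\app\web.config", "ACCESS DENIED"],
    ["2", "10:01:02", "aspnet_wp.exe:1234", "OPEN", r"C:\Inetpub\wwwroot\app\web.config", "ACCESS DENIED"],
    ["3", "10:01:03", "aspnet_wp.exe:1234", "WRITE", r"C:\Temp\aspnet\cache.tmp", "ACCESS DENIED"],
    ["4", "10:01:03", "inetinfo.exe:800", "OPEN", r"C:\Inetpub\wwwroot\app\default.aspx", "SUCCESS"],
    ["5", "10:01:04", "inetinfo.exe:800", "DIRECTORY", r"C:\Inetpub\wwwroot\app\bin", "ACCESS DENIED"],
    ["6", "10:01:05", "aspnet_wp.exe:1234", "READ", r"C:\Inetpub\wwwroot\app\web.config", "ACCESS DENIED"],
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in ROWS)

# Requests treated as read-only (assumed names); anything else is treated as needing modify.
READ_OPS = {"OPEN", "READ", "DIRECTORY", "QUERY INFORMATION"}


def denied_access(log_text):
    """Return {(process, path): set(requests)} for every ACCESS DENIED row."""
    needed = defaultdict(set)
    reader = csv.reader(io.StringIO(log_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) < 6:
            continue  # skip short or malformed lines instead of failing
        process, request, path, result = row[2], row[3], row[4], row[5]
        if result.strip().upper() != "ACCESS DENIED":
            continue
        image = process.split(":")[0].lower()  # drop the PID so restarts group together
        needed[(image, path.lower())].add(request.strip().upper())
    return dict(needed)


def suggest_rights(needed):
    """Map each (process, path) to the narrowest right covering its denied requests."""
    return {key: ("read" if reqs <= READ_OPS else "modify") for key, reqs in needed.items()}


if __name__ == "__main__":
    for (image, path), right in sorted(suggest_rights(denied_access(SAMPLE_LOG)).items()):
        print(f"{image:16} {right:7} {path}")
```

The output is a review list: each line still needs mapping from process to the account it runs as before any ACL is changed.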


