Re: ASP Dot Net Security Guidelines
From: Dominick Baier (db@die-lounge.com) Date: 09/11/02
- Previous message: cathal connolly: "Re: ASP Dot Net Security Guidelines"
- In reply to: Douglas Spooner: "ASP Dot Net Security Guidelines"
From: "Dominick Baier" <db@die-lounge.com> To: "'Douglas Spooner'" <webmaster@technicweb.com> Date: Wed, 11 Sep 2002 20:35:47 +0200
Hi,
I have set up two .NET servers and did a pen-test of a .NET server for
another company.
I wouldn't focus so much on the file system permissions.
First of all, I implement all the good basic security practices (least
privilege, minimal system, patch level) on the server itself.
- Shut all unused ports, remove unused services. I wrote a script for
that; it's still in development, but if you are interested let me know.
Remember that you can't shut down port 445 if IIS is
running... take care of that by using packet filtering of some kind!
- Highest patch level.
- Move wwwroot away from the drive where \winnt resides.
- Remove admin rights from dangerous programs like ftp, tftp, cmd,
net...
- Enable auditing.
- One very important point is to use IIS Lockdown or at least URLScan.
Use the allow sections rather than the deny sections; least privilege,
you remember :)
- Think about remote administration, since you don't have access to the
system via MMC. Think about SSH or Terminal Services in admin mode (if
configured right...).
If all these prerequisites are given, it is not so important to ACL every
file or registry key...
My 2c.
Greetings,
Dominick
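Dominick's advice to use URLScan's allow sections rather than its deny sections is easiest to see by running the same requests through both styles of configuration. What follows is an added example, not code from either post and not Microsoft's URLScan itself: a simplified Python model of the filter's verb, extension and URL-sequence checks, applied to two constructed urlscan.ini fragments. The section and option names follow urlscan.ini, but the fragments are illustrative rather than the shipped defaults, the sample requests are made up, and the extension matching (everything after the last dot in the path) is a simplification of what the real ISAPI filter does.

```python
"""Simplified model of URLScan's verb, extension and URL-sequence checks,
used to compare a deny-list style urlscan.ini with an allow-list style one.
Added example; the matching logic approximates, not reproduces, the real filter."""
from urllib.parse import urlsplit

# Constructed deny-list style configuration (not URLScan's shipped defaults).
DENY_STYLE_INI = """
[options]
UseAllowVerbs=0
UseAllowExtensions=0
[DenyVerbs]
PUT
DELETE
[DenyExtensions]
.exe
.bat
.cmd
.ida
.idq
[DenyUrlSequences]
..
./
"""

# Constructed allow-list style configuration: anything not listed is refused.
ALLOW_STYLE_INI = """
[options]
UseAllowVerbs=1
UseAllowExtensions=1
[AllowVerbs]
GET
HEAD
POST
[AllowExtensions]
.aspx
.asmx
.htm
.css
.gif
.jpg
.
[DenyUrlSequences]
..
./
"""

def parse_ini(text):
    """Parse urlscan.ini style text: [section] headers followed by bare entries."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def option(sections, name, default="0"):
    """Look up name=value in [options]; a missing option is treated as off."""
    for entry in sections.get("options", []):
        key, _, value = entry.partition("=")
        if key.strip().lower() == name.lower():
            return value.strip()
    return default

def extension_of(path):
    """Model: the extension is everything from the last '.' in the path; a path
    without a dot maps to the '.' pseudo-extension used for extensionless URLs."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else "."

def evaluate(sections, verb, url):
    """Return (allowed, reason) for one request under a parsed configuration."""
    for seq in sections.get("denyurlsequences", []):
        if seq in url:
            return False, f"DenyUrlSequences: {seq!r}"
    verb = verb.upper()
    if option(sections, "UseAllowVerbs") == "1":
        if verb not in {v.upper() for v in sections.get("allowverbs", [])}:
            return False, f"verb {verb} not in AllowVerbs"
    elif verb in {v.upper() for v in sections.get("denyverbs", [])}:
        return False, f"verb {verb} in DenyVerbs"
    ext = extension_of(urlsplit(url).path)
    if option(sections, "UseAllowExtensions") == "1":
        if ext not in {e.lower() for e in sections.get("allowextensions", [])}:
            return False, f"extension {ext} not in AllowExtensions"
    elif ext in {e.lower() for e in sections.get("denyextensions", [])}:
        return False, f"extension {ext} in DenyExtensions"
    return True, "ok"

# Constructed sample requests: legitimate ASP.NET traffic plus a few probes.
REQUESTS = [
    ("GET", "/default.aspx"),
    ("POST", "/services/orders.asmx"),
    ("GET", "/images/logo.gif"),
    ("GET", "/"),
    ("GET", "/default.printer"),   # an extension the deny list never mentions
    ("PROPFIND", "/"),             # a verb the deny list never mentions
    ("GET", "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir"),
]

def compare(requests=REQUESTS):
    """Return [(verb, url, allowed_by_deny_style, allowed_by_allow_style), ...]."""
    deny_cfg, allow_cfg = parse_ini(DENY_STYLE_INI), parse_ini(ALLOW_STYLE_INI)
    return [(verb, url, evaluate(deny_cfg, verb, url)[0], evaluate(allow_cfg, verb, url)[0])
            for verb, url in requests]

if __name__ == "__main__":
    for verb, url, deny_ok, allow_ok in compare():
        print(f"{verb:8} {url:50} deny-list={'pass' if deny_ok else 'BLOCK'}"
              f" allow-list={'pass' if allow_ok else 'BLOCK'}")
```

The traversal probe is stopped by [DenyUrlSequences] in both configurations, but the deny-list configuration passes the PROPFIND request and the unlisted extension because nobody thought to list them, while the allow-list configuration refuses both and still serves the .aspx, .asmx and static content the developers actually need. The real URLScan also normalises the URL, checks for high-bit characters and (with AllowDotInPath=0) rejects paths whose extension is ambiguous; this model omits those checks.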
-----Original Message-----
From: Douglas Spooner [mailto:webmaster@technicweb.com]
Sent: Wednesday, 11 September 2002 18:50
To: 'focus-ms@securityfocus.com'
Subject: ASP Dot Net Security Guidelines
Hi
As the title suggests, I've been looking into the security issues that
the .NET platform brings with it.
Our developers are mainly looking to use the new functionality of .aspx
and XML web services, and of course it is connected to a SQL 2000 server
that runs separately from the box.
I have done some tests on a dev machine, i.e. locking down the entire
system with just System/Admin NTFS permissions, then using Filemon from
Sysinternals to set the permissions as it brings up access denied errors
on the file system.
I also disabled unneeded services, locked down ports, applied the latest
patches, renamed accounts, and moved dangerous executables from the system
directory (cmd.exe, ftp, etc.).
I've searched asp.net, MSDN and google.com but can't seem to find any
guidelines for securing a web server with the .NET platform installed
on it. Well, I did find an MSDN article, but from what it suggested,
it did not seem very secure (Everyone read/list permissions all over
the place).
Has anyone had any experience with this and wouldn't mind sharing any
tips or guides, as I want to make sure what I've done is, erm, secure, if
that's a word that can be used.
Also, I've been looking at the Security Templates snap-in and wondering
if it is possible to create my own template with file system
permissions on it, so when I come to build a production system I can just
apply the template and not spend a good couple of hours applying
permissions to a fresh box.
Any comments would be most appreciated!
Regards
Douglas Spooner
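Douglas's approach of starting from System/Admin-only NTFS permissions and opening up whatever Filemon reports as denied works, but only if each denial is reviewed rather than granted blindly: a denial on cmd.exe is the lockdown doing its job. The script below is an added example, not part of either post, that turns constructed Filemon output into cacls commands for the ASP.NET worker account while refusing to grant anything outside a short list of roots. The Filemon column layout (#, time, process:pid, request, path, result, other), the worker process name aspnet_wp.exe, the local account name ASPNET and the framework path are all assumptions for the example.

```python
"""Turn Filemon 'ACCESS DENIED' lines for the ASP.NET worker process into
reviewable cacls commands. Grants are produced only under roots the site is
expected to touch; every other denial is listed for a human to look at.
Added example with constructed input, not from the original post."""
import re

WORKER_PROCESS = "aspnet_wp.exe"   # assumption: the ASP.NET worker process name
WORKER_ACCOUNT = "ASPNET"          # assumption: the local account it runs as
# Assumed roots where a denial may become a grant. A denial anywhere else
# (system32, cmd.exe, the registry) is the lockdown working as intended.
GRANTABLE_ROOTS = (
    r"C:\Inetpub\wwwroot",
    r"C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files",
)
# Filemon's 'Access:' value mapped to the cacls right to grant (R=read, C=change).
ACCESS_TO_CACLS = {"Read": "R", "Write": "C", "Delete": "C"}

# Constructed Filemon lines, not a real capture. Columns are tab-separated:
# #, time, process:pid, request, path, result, other.
FILEMON_LOG = "\n".join([
    "1\t18:49:02\taspnet_wp.exe:1288\tOPEN\tC:\\Inetpub\\wwwroot\\web.config"
    "\tACCESS DENIED\tOptions: Open  Access: Read",
    "2\t18:49:02\taspnet_wp.exe:1288\tOPEN\tC:\\WINNT\\Microsoft.NET\\Framework"
    "\\v1.0.3705\\Temporary ASP.NET Files\tACCESS DENIED\tOptions: Open  Access: Write",
    "3\t18:49:03\tinetinfo.exe:824\tOPEN\tC:\\Inetpub\\wwwroot\\default.aspx"
    "\tSUCCESS\tOptions: Open  Access: Read",
    "4\t18:49:03\taspnet_wp.exe:1288\tOPEN\tC:\\Inetpub\\wwwroot\\web.config"
    "\tACCESS DENIED\tOptions: Open  Access: Read",
    "5\t18:49:04\taspnet_wp.exe:1288\tQUERY INFORMATION\tC:\\WINNT\\system32\\cmd.exe"
    "\tACCESS DENIED\tAttributes: Error",
])

def parse_filemon(text):
    """Yield (process, request, path, result, other) for each well-formed line."""
    for raw in text.splitlines():
        parts = raw.split("\t")
        if len(parts) < 7:
            continue
        _, _, proc_pid, request, path, result, other = parts[:7]
        yield proc_pid.rsplit(":", 1)[0], request, path, result, other

def under_root(path, roots):
    """True if path is one of the roots or lies inside one (case-insensitive)."""
    p = path.lower()
    return any(p == r.lower() or p.startswith(r.lower() + "\\") for r in roots)

def plan_grants(text, account=WORKER_ACCOUNT, process=WORKER_PROCESS,
                roots=GRANTABLE_ROOTS):
    """Return (cacls commands to apply, paths that need manual review)."""
    rights_by_path, review = {}, []
    for proc, _, path, result, other in parse_filemon(text):
        if proc.lower() != process.lower() or result != "ACCESS DENIED":
            continue
        if not under_root(path, roots):
            if path not in review:
                review.append(path)
            continue
        m = re.search(r"Access:\s*(\w+)", other)
        right = ACCESS_TO_CACLS.get(m.group(1), "R") if m else "R"
        rights_by_path.setdefault(path, set()).add(right)
    # /E edits the existing ACL instead of replacing it; one command per path,
    # promoted to Change if any denied access on that path needed a write.
    commands = [f'cacls "{path}" /E /G {account}:{"C" if "C" in rights else "R"}'
                for path, rights in rights_by_path.items()]
    return commands, review

if __name__ == "__main__":
    commands, review = plan_grants(FILEMON_LOG)
    print("\n".join(commands))
    for path in review:
        print(f"REM review, left denied: {path}")
```

On the constructed log this yields a read grant on web.config, a change grant on the Temporary ASP.NET Files directory, and leaves cmd.exe denied but flagged. For a directory you would add /T so the grant applies to the tree. Two limits are worth keeping in mind: Filemon only shows paths the application touched during the test, so untested code paths will surface as denials later, and the output is a script to review, not a template; a Security Templates .inf can carry the same ACLs, but its [File Security] entries take SDDL with SIDs, so a local account like ASPNET has to be resolved to its SID on the target box first.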