AW: ASP Dot Net Security Guidelines
From: Dominick Baier (db@die-lounge.com)
Date: 09/11/02
- Previous message: Dominick Baier: "AW: ASP Dot Net Security Guidelines"
- In reply to: cathal connolly: "Re: ASP Dot Net Security Guidelines"
- Next in thread: Dominick Baier: "AW: ASP Dot Net Security Guidelines"
From: "Dominick Baier" <db@die-lounge.com>
To: "'cathal connolly'" <cathal@isoli.co.uk>
Date: Wed, 11 Sep 2002 23:27:42 +0200
Hi,
the article gives a good idea of how to start -
an asp.net webserver is not really that different than an asp or static
webserver -
the ultimate reference for me still is:
securing windows nt/2000 for the internet by stefan norberg (o'reilly)
but i totally disagree with enabling automatic update on a web server -
who tells you that your dns is not poisoned - maybe you get updates you
don't want and these are installed automatically - i prefer checking the
certificate of a hotfix or a service pack by myself before installing
it.
greets
dominick baier
ernw.de
-----Original Message-----
From: cathal connolly [mailto:cathal@isoli.co.uk]
Sent: Wednesday, 11 September 2002 20:54
To: Douglas Spooner; focus-ms@securityfocus.com
Subject: Re: ASP Dot Net Security Guidelines
Basically you'll treat an asp.net application server as you would an asp
application server, which you've more or less done already. There's a
good article on some potential issues at:
http://tiberi.us/view_article.aspx?article_id=27
----- Original Message -----
From: "Douglas Spooner" <webmaster@technicweb.com>
To: <focus-ms@securityfocus.com>
Sent: Wednesday, September 11, 2002 5:49 PM
Subject: ASP Dot Net Security Guidelines
> Hi
>
> As the title suggests I've been looking into the security issues that
> the dot net platform brings with it.
>
> Our developers are mainly looking to use the new functionality of
> .aspx and xml web services, and of course it is connected to a sql 2000
> server that runs separated from the box.
>
> I have done some tests on a dev machine, i.e. locking down the entire
> system with just system / admin ntfs permissions then use filemon from
> sysinternals to set the permissions as it brings up access denied errors
> on the file system.
>
> I also disabled un-needed services, locking down ports, latest
> patches, renaming accounts, moving dangerous executables from the
> system directory (cmd.exe ftp etc).
>
> I've searched asp.net, msdn and google.com but can't seem to find any
> guidelines for securing a web server with the dot net platform
> installed on it. Well I did find an msdn article but from what it
> suggested to do, it did not seem very secure. (everyone read/list
> permissions all over the place)
>
> Has anyone had any experience with this and wouldn't mind sharing any
> tips or guides as I want to make sure what I've done is erm secure if
> that's a word that can be used.
>
> Also I've been looking at the security templates snap-in and wondering
> if it was possible to create my own template with file system
> permissions on so when I come to making a production system I can just
> apply the template and not spend a good couple of hours applying
> permissions to a fresh box.
>
> Any comments would be most appreciated!
>
> Regards
>
> Douglas Spooner
>
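
The manual check described in the reply at the top of this message (verifying the certificate of a hotfix or service pack before installing it), as an added example that is not part of the original thread. It uses PowerShell's `Get-AuthenticodeSignature`; the function name, the expected signer string and the staging path are assumptions to adapt.

```powershell
# Added example: accept a downloaded update only if its Authenticode
# signature is valid AND the signer is the publisher you expect.
function Test-UpdateSignature {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Assumption: substring expected in the signer certificate subject.
        [string] $ExpectedSigner = 'O=Microsoft Corporation'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file hash matches the signature and the certificate
    # chains to a root trusted on this machine. NotSigned, HashMismatch,
    # NotTrusted and every other status are rejected.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Rejected ($($sig.Status)): $($sig.StatusMessage)"
        return $false
    }

    # A valid signature from an unexpected publisher is still a rejection.
    $cert = $sig.SignerCertificate
    if ($cert.Subject -notlike "*$ExpectedSigner*") {
        Write-Warning "Rejected, unexpected signer: $($cert.Subject)"
        return $false
    }

    # Print what was accepted so it can be compared with the vendor's
    # published certificate details before the install is started by hand.
    Write-Host "Signer:      $($cert.Subject)"
    Write-Host "Issuer:      $($cert.Issuer)"
    Write-Host "Thumbprint:  $($cert.Thumbprint)"
    Write-Host "Valid until: $($cert.NotAfter)"
    Write-Host "Timestamped: $([bool]$sig.TimeStamperCertificate)"
    return $true
}

# Hypothetical staging path; the update is downloaded here but not yet run.
if (Test-UpdateSignature -Path 'C:\staging\hotfix.exe') {
    Write-Host 'Signature accepted; proceed with the manual install.'
} else {
    Write-Host 'Do not install this file.'
}
```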