RE: Securing ASP.NET for Hosting
From: Henry Sieff (hsieff@orthodon.com) Date: 10/26/02
- Previous message: Tyler Davis: "Securing ASP.NET for Hosting"
- Maybe in reply to: Tyler Davis: "Securing ASP.NET for Hosting"
- Next in thread: David Sommers: "RE: Securing ASP.NET for Hosting"
From: Henry Sieff <hsieff@orthodon.com>
To: 'Tyler Davis' <tdavis@sonicdev.com>, focus-ms@securityfocus.com
Date: Fri, 25 Oct 2002 18:39:01 -0500
No, sadly. Part of the problem is that the technology isn't mature yet, the
other part is that .net really puts the burden for security on the
application design.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp
discusses authentication in a .net environment.
http://www.dotnetjunkies.com/tutorials.aspx?tutorialid=396 gives a nice
overview of how IIS, Windows, and .NET work together. One of the articles he
references is
http://msdn.microsoft.com/msdnmag/issues/02/04/ASPSec/default.aspx, which is
also not bad.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconsecuringyourapplication.asp
When this topic came up earlier, somebody mentioned this article:
http://tiberi.us/view_article.aspx?article_id=27, not bad.
But none of them speak exactly to what you're asking, which is what every
admin who needs to support .net is going to be asking, which is "Exactly
what do I do to make sure the server itself is as secure as possible?"
Again, the two factors previously mentioned are responsible: once you've
done the locking down of IIS, you need to move onto setting security on the
Web services themselves, things like code access (remember, the whole idea
behind .net is to expose executable code to the world via http:
WHOOOOOO-HOOOOOOOO). Also, authentication to specific apps. And unlike the
best practices for securing IIS, all of the BP's stuff I've read is really
geared towards developers or focuses on securing access to the components.
At this point, we are not using ASP.NET for remotely accessible
applications. We definitely will, but not until me and the developers at my
Co. can figure out what we need to do.
Anyways, sorry for the ramble; this issue has come up here before, and I
watched hoping for someone to come up with a white paper. Then I did some
searching; I found no comprehensive guide, but a lot of good resources. At
this point, you, me, and everyone else tasked with deploying .net based apps
will have to formulate our own best practices based on careful study of the
basic info out there.
Henry
> -----Original Message-----
> From: Tyler Davis [mailto:tdavis@sonicdev.com]
> Sent: Friday, October 25, 2002 1:58 AM
> To: focus-ms@securityfocus.com
> Subject: Securing ASP.NET for Hosting
>
>
> Anyone got a link to any sites or whitepapers with info on securing
> asp.net in a hosting environment?
> I've already got win2k and iis5 locked down, just need some info on
> asp.net
>
> Thanks,
> Tyler
>