RE: Securing ASP.NET for Hosting

From: Henry Sieff (hsieff@orthodon.com)
Date: 10/26/02


From: Henry Sieff <hsieff@orthodon.com>
To: 'Tyler Davis' <tdavis@sonicdev.com>, focus-ms@securityfocus.com
Date: Fri, 25 Oct 2002 18:39:01 -0500

No, sadly. Part of the problem is that the technology isn't mature yet, the
other part is that .net really puts the burden for security on the
application design.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp
discusses authentication in a .net environment.

http://www.dotnetjunkies.com/tutorials.aspx?tutorialid=396 gives a nice
overview of how IIS, Windows, and .NET work together. One of the articles he
references is
http://msdn.microsoft.com/msdnmag/issues/02/04/ASPSec/default.aspx, which is
also not bad.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconsecuringyourapplication.asp

When this topic came up earlier, somebody mentioned this article:
http://tiberi.us/view_article.aspx?article_id=27, not bad.

But none of them speak exactly to what you're asking, which is what every
admin who needs to support .net is going to be asking, which is "Exactly
what do I do to make sure the server itself is as secure as possible?"

Again, the two factors previously mentioned are responsible: once you've
done the locking down of IIS, you need to move onto setting security on the
Web services themselves, things like code access (remember, the whole idea
behind .net is to expose executable code to the world via http:
WHOOOOOO-HOOOOOOOO). Also, authentication to specific apps. And unlike the
best practices for securing IIS, all of the BP's stuff I've read is really
geared towards developers or focuses on securing access to the components.

At this point, we are not using ASP.NET for remotely accessible
applications. We definitely will, but not until me and the developers at my
Co. can figure out what we need to do.

Anyways, sorry for the ramble; this issue has come up here before, and I
watched hoping for someone to come up with a white paper. Then I did some
searching; I found no comprehensive guide, but a lot of good resources. At
this point, you, me, and everyone else tasked with deploying .net based apps
will have to formulate our own best practices based on careful study of the
basic info out there.

Henry
> -----Original Message-----
> From: Tyler Davis [mailto:tdavis@sonicdev.com]
> Sent: Friday, October 25, 2002 1:58 AM
> To: focus-ms@securityfocus.com
> Subject: Securing ASP.NET for Hosting
>
>
> Anyone got a link to any sites or whitepapers with info on securing
> asp.net in a hosting environment?
> I've already got win2k and iis5 locked down, just need some info on
> asp.net
>
> Thanks,
> Tyler
>


