Harden ASP.NET Configuration
From: :: gary :: (gary.bright_at_cisd.panasonic.co.uk)
Date: 05/13/03
- Previous message: Harbar, Spencer: "RE: Share Point?"
- Next in thread: Jolyon Wharton: "RE: Harden ASP.NET Configuration"
- Maybe reply: Jolyon Wharton: "RE: Harden ASP.NET Configuration"
- Maybe reply: Colcord, Aaron: "RE: Harden ASP.NET Configuration"
- Maybe reply: Brian W. Spolarich: "RE: Harden ASP.NET Configuration"
- Maybe reply: Harbar, Spencer: "RE: Harden ASP.NET Configuration"
- Maybe reply: Henry Sieff: "RE: Harden ASP.NET Configuration"
- Maybe reply: Deus, Attonbitus: "RE: Harden ASP.NET Configuration"
- Maybe reply: Henry Sieff: "RE: Harden ASP.NET Configuration"
To: <focus-ms@securityfocus.com>
Date: Tue, 13 May 2003 14:17:59 +0100
Hello Everyone
I'm trying to find explanations for each of these application mappings
which get installed with the .NET Framework.
I know it comes down to what the relevant application has been written
for, but if I knew in what context they would get used, I believe that
would help me understand.
I'll also be interested to hear of how other IIS Admins have gone about the
deployment of the .net framework to a live internet environment, for
example what advice they can offer me and whether or not they trimmed down
the application mappings or left them as standard.
As well as trying to build further on my understanding of .NET (from a
security point of view), the main thing I'm scared of is that the old default
settings had mappings like
.htw, .ida, .idq, .asp, .cer, .cdx, .asa, .idc, .shtm, .shtml, .stm,
which Microsoft later provided tools to easily disable, realising
their mistake of including them by default. While I don't want to knock
the efforts MS has put into security recently, I can't help feeling that
they are lining themselves up for a kicking by having all these mappings for .NET
enabled by default (after the framework install) and providing very little
documentation for locking down the .NET IIS configuration (see snip from
the IIS 5.0 checklist).
I know that while it comes down to only enabling the relevant mappings for
your website, I just don't think MS is making that point with the .NET
Framework.
Be interested in what you think.
Thanks for your time
Best Regards
Gary
<SNIP>
Harden ASP.NET Configuration
If the .NET Framework has been installed on the system, download and
install the latest version of the .NET Framework and any service packs.
Review the configuration of the .NET Framework, and ASP.NET in particular,
to ensure ASP.NET does not increase your vulnerability to attack.
</SNIP>
[.net Application Mappings]
.asax
.ascx
.ashx
.asmx
.aspx
.axd
.vsdisco
.rem
.soap
.config
.cs
.csproj
.vb
.vbproj
.webinfo
.licx
.resx
.resources
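One way to audit the mappings listed in the post against what a site actually serves, as an added example that is not part of the original message or of Microsoft's checklist. The sample entries are constructed, the `ext,handler,flags,verbs` layout of a script mapping string is an assumption about the IIS metabase, and `parse_scriptmap`, `audit` and the placeholder handler paths are hypothetical names.

```python
"""Added example: compare IIS script mappings with a per-site allowlist."""

# Extensions the post lists as mapped after the .NET Framework install.
DOTNET_EXTS = {".asax", ".ascx", ".ashx", ".asmx", ".aspx", ".axd", ".vsdisco",
               ".rem", ".soap", ".config", ".cs", ".csproj", ".vb", ".vbproj",
               ".webinfo", ".licx", ".resx", ".resources"}

# Constructed sample input. Assumed layout: "ext,handler,flags[,verb...]".
SAMPLE = [
    r".aspx,C:\placeholder\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG",
    r".ASMX,C:\placeholder\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG",
    r".soap,C:\placeholder\aspnet_isapi.dll,1",
    r".rem,C:\placeholder\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG",
    r".asp,C:\placeholder\asp.dll,1,GET,HEAD,POST,TRACE",
    "garbage-without-fields",
]


def parse_scriptmap(entry):
    """Split one mapping string into (ext, handler, flags, verbs)."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3 or not parts[0].startswith(".") or not parts[2].isdigit():
        raise ValueError("malformed script mapping: %r" % entry)
    verbs = tuple(v.upper() for v in parts[3:] if v)
    return parts[0].lower(), parts[1], int(parts[2]), verbs


def audit(entries, required):
    """Sort mappings into keep/remove buckets and report gaps."""
    required = {e.lower() for e in required}
    report = {"keep": [], "remove_dotnet": [], "remove_other": [],
              "all_verbs": [], "malformed": [], "missing": []}
    for entry in entries:
        try:
            ext, _handler, _flags, verbs = parse_scriptmap(entry)
        except ValueError:
            report["malformed"].append(entry)  # never silently skip bad data
            continue
        if ext in required:
            report["keep"].append(ext)
        else:
            key = "remove_dotnet" if ext in DOTNET_EXTS else "remove_other"
            report[key].append(ext)
        if not verbs:  # assumption: an empty verb list accepts every verb
            report["all_verbs"].append(ext)
    report["missing"] = sorted(required - set(report["keep"]))
    return report


if __name__ == "__main__":
    for bucket, items in audit(SAMPLE, {".aspx", ".asmx"}).items():
        print(bucket, items)
```

On a real server the input list would come from an export of the site's script mappings rather than from `SAMPLE`.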