RE: Harden ASP.NET Configuration

From: Jolyon Wharton (joly1_at_bombdiggity.com)
Date: 05/13/03

    Date: 13 May 2003 13:49:10 -0000
    To: focus-ms@securityfocus.com, gary.bright@cisd.panasonic.co.uk
    
    

    IMHO dotnet is not too bad out of the box, it will never be *BSD but it's not bad. From what I gather there isn't much to bolting down dotnet as a web application other than the usual security procedures one would go through anyway.

    To answer your question about extensions, most of what you have quoted there are processed files to do with dynamic page delivery (.aspx, .vb, .cs etc) or to do with web services (vsdisco, .soap, asmx etc) or config files (.asax, .config), so I guess if you weren't going to use one of these aspects of ASP.NET then you could remove the mapping. Personally I wouldn't. There are some for creating your own controls (ascx) and for delivering to other media consumers (ashx). The .csproj and .vbproj are the project files and shouldn't be posted to a production box anyway, although ASP.NET will not serve them through a web browser anyway. But at the end of the day they are only xml files to tell the compiler what's included and don't contain any credentials, so what would be the harm if they were hacked anyway?

    Hope this helped

    Regards
    Jolyon

    -----Original Message-----
    From: :: gary :: [mailto:gary.bright@cisd.panasonic.co.uk]
    Sent: 13 May 2003 14:18
    To: focus-ms@securityfocus.com
    Subject: Harden ASP.NET Configuration


    Hello Everyone

    I'm trying to find explanations for each of these application mappings which get installed with .net framework.

    I know it comes down to what the relevant application has been written for, but if I knew in what context they would get used, I believe that would help me understand.

    I'll also be interested to hear of how other IIS Admins have gone about the deployment of the .net framework to a live internet environment, for example what advice they can offer me and whether or not they trimmed down the application mappings or left them as standard.

    As well as trying to build further on my understanding of .NET (from a security point of view), the main thing I'm scared of is that old default settings had mappings like

    .htw, .ida, .idq, .asp, .cer, .cdx, .asa, .idc, .shtm, .shtml, .stm,

    for which later on Microsoft provided tools to easily disable them, realising their mistake of including them by default, and while I don't want to knock the efforts MS has put into security recently I can't help feeling that they are lining themselves up for a kicking having all these mappings for .net enabled by default (after the framework install) and providing very little documentation for locking down the .NET IIS Configuration (see snip from iis5.0 checklist).

    I know that it comes down to only enabling the relevant mappings for your website, I just don't think MS is making that point with the .NET framework.

    Be interested in what you think.

    Thanks for your time

    Best Regards

    Gary

    <SNIP>
    Harden ASP.NET Configuration

    If the .NET Framework has been installed on the system, download and install the latest version of the .NET Framework and any service packs. Review the configuration of the .NET Framework, and ASP.NET in particular, to ensure ASP.NET does not increase your vulnerability to attack.
    </SNIP>

    [.net Application Mappings]

    .asax
    .ascx
    .ashx
    .asmx
    .aspx
    .axd
    .vsdisco
    .rem
    .soap
    .config
    .cs
    .csproj
    .vb
    .vbproj
    .webinfo
    .licx
    .resx
    .resources

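As an added illustration of the point both posters touch on (which of Gary's listed mappings actually deliver content, and what happens to a request if a mapping is removed), here is a small audit script. It is not code from the thread or from Microsoft; it assumes the metabase ScriptMaps value format (`ext,dll,flags,verbs`) and the stock ASP.NET 1.x machine.config, which routes the source, config and project extensions to HttpForbiddenHandler, and it treats unmapped extensions the way IIS 5 does, as static files served raw.

```python
# Added example, not from the thread: audit IIS 5 ScriptMaps entries for the .NET
# extensions Gary lists and report what a browser request to each would reach.

# Extensions that stock ASP.NET 1.x machine.config sends to System.Web.HttpForbiddenHandler
# (why Jolyon notes that .csproj/.vbproj are never served). Assumed from the stock file.
FORBIDDEN = {".asax", ".ascx", ".config", ".cs", ".csproj", ".vb", ".vbproj",
             ".webinfo", ".licx", ".resx", ".resources"}
# Extensions a stock ASP.NET install dispatches to a real handler.
SERVED = {".aspx": "dynamic page", ".asmx": "web service", ".ashx": "generic handler",
          ".axd": "trace/diagnostics", ".vsdisco": "discovery", ".rem": "remoting",
          ".soap": "remoting"}

# Constructed sample ScriptMaps values; the DLL paths are placeholders, not a real box.
SAMPLE_SCRIPTMAPS = [
    r".aspx,C:\WINNT\Microsoft.NET\Framework\vX.X\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG",
    r".config,C:\WINNT\Microsoft.NET\Framework\vX.X\aspnet_isapi.dll,1",
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
]

def parse_scriptmap(entry):
    """Parse one ScriptMaps value: extension, handler DLL, flags, optional verb list."""
    parts = entry.split(",", 3)
    if len(parts) < 3:
        raise ValueError("bad ScriptMaps entry: " + entry)
    ext, dll = parts[0].lower(), parts[1]
    verbs = parts[3].split(",") if len(parts) == 4 and parts[3] else ["ALL"]
    return ext, dll, verbs

def classify(scriptmaps, dotnet_exts):
    """For each .NET extension, say what an IIS 5 request for a file of that type hits."""
    mapped = {}
    for entry in scriptmaps:
        ext, dll, verbs = parse_scriptmap(entry)
        mapped[ext] = (dll, verbs)
    report = {}
    for ext in (e.lower() for e in dotnet_exts):
        if ext not in mapped:
            # Assumption about IIS 5: no MIME restriction, so an unmapped file is sent raw.
            # Removing the .cs/.config mapping therefore exposes source, not hides it.
            report[ext] = "UNMAPPED: served raw as a static file"
        elif "aspnet_isapi.dll" not in mapped[ext][0].lower():
            report[ext] = "mapped to non-ASP.NET handler: " + mapped[ext][0]
        elif ext in FORBIDDEN:
            report[ext] = "ASP.NET: HttpForbiddenHandler (403)"
        else:
            report[ext] = "ASP.NET: " + SERVED.get(ext, "handler")
    return report

def audit_sample():
    """Run the audit over the constructed sample for three of Gary's extensions."""
    return classify(SAMPLE_SCRIPTMAPS, [".aspx", ".config", ".cs"])

if __name__ == "__main__":
    for ext, verdict in sorted(audit_sample().items()):
        print(ext, "->", verdict)
```

On a real IIS 5 host the ScriptMaps values come from the metabase (for example via adsutil.vbs) rather than the constructed list above.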

    -----------------------------------------------------------------------------
    FastTrain has your solution for a great CISSP Boot Camp. The industry`s most
    recognized corporate security certification track, provides a comprehensive
    prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case studies and true hands-on utilization
    of pertinent security tools. For a limited time you can enter for a chance
    to win one of the latest technological innovations, the SEGWAY HT.
    Log onto http://www.securityfocus.com/FastTrain-focus-ms
    ------------------------------------------------------------------------------

