RE: Harden ASP.NET Configuration

From: Colcord, Aaron (AColcord_at_rwbaird.com)
Date: 05/13/03

  • Next message: Brian W. Spolarich: "RE: Harden ASP.NET Configuration"
    To: "':: gary ::'" <gary.bright@cisd.panasonic.co.uk>, focus-ms@securityfocus.com
    Date: Tue, 13 May 2003 10:04:51 -0500
    
    

    I don't know if this helps:
    http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b815155

    Aaron

    -----Original Message-----
    From: :: gary :: [mailto:gary.bright@cisd.panasonic.co.uk]
    Sent: Tuesday, May 13, 2003 8:18 AM
    To: focus-ms@securityfocus.com
    Subject: Harden ASP.NET Configuration

    **********************************************************************
    Robert W. Baird & Co. is required by regulation to review and store
    both outgoing and incoming electronic correspondence. Baird
    may be required to produce e-mail records for the SEC or other regulators in a criminal investigation. E-mail transmission cannot
    be guaranteed to be secure, timely or error-free. Baird therefore
    recommends that you do not send confidential information to us via
    electronic mail, including account numbers, social security
    numbers or any personal identification numbers. This is not an
    offer, or solicitation of an offer to buy or sell any security
    investment or other product. Any information regarding specific
    investment products is subject to change without notice. Any review,
    forwarding, dissemination or other use of, or taking of any action in
    reliance upon this information by persons or entities other than the
    intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer
    on which it exists.

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hello Everyone

    I'm trying to find explanations for each of these application mappings
    which get installed with the .NET Framework.

    I know it comes down to what the relevant application has been written
    for, but if I knew in what context they would get used, I believe that
    would help me understand.

    I'll also be interested to hear how other IIS admins have gone about the
    deployment of the .NET Framework to a live internet environment, for
    example what advice they can offer me and whether or not they trimmed down
    the application mappings or left them as standard.

    As well as trying to build further on my understanding of .NET (from a
    security point of view), the main thing I'm scared of is that old default
    settings had mappings like

    .htw, .ida, .idq, .asp, .cer, .cdx, .asa, .idc, .shtm, .shtml, .stm,

    which later on Microsoft provided tools to easily disable, realising their
    mistake of including them by default, and while I don't want to knock the
    efforts MS has put into security recently I can't help feeling that they
    are lining themselves up for a kicking, having all these mappings for .NET
    enabled by default (after the framework install) and providing very little
    documentation for locking down the .NET IIS configuration (see snip from
    the IIS 5.0 checklist).

    I know that it comes down to only enabling the relevant mappings for
    your website; I just don't think MS is making that point with the .NET
    Framework.

    I'd be interested in what you think.

    Thanks for your time.

    Best Regards

    Gary

    <SNIP>
    Harden ASP.NET Configuration

    If the .NET Framework has been installed on the system, download and
    install the latest version of the .NET Framework and any service packs.
    Review the configuration of the .NET Framework, and ASP.NET in particular,
    to ensure ASP.NET does not increase your vulnerability to attack.
    </SNIP>

    [.net Application Mappings]

    .asax
    .ascx
    .ashx
    .asmx
    .aspx
    .axd
    .vsdisco
    .rem
    .soap
    .config
    .cs
    .csproj
    .vb
    .vbproj
    .webinfo
    .licx
    .resx
    .resources

    -----BEGIN PGP SIGNATURE-----
    Version: 6.5.8ckt http://www.ipgpp.com/

    iQA/AwUBPsDvOPM1kDfiKwBGEQKzjwCg44YHnqND5bJNE6/C50xfDROq5VUAoKgr
    XoZOU2RkNDca5jS9RxQcUqgX
    =HD6r
    -----END PGP SIGNATURE-----

    ----------------------------------------------------------------------------
    FastTrain has your solution for a great CISSP Boot Camp. The industry's most
    recognized corporate security certification track provides a comprehensive
    prospectus based upon the core principle concepts of security. This ALL
    INCLUSIVE curriculum utilizes lectures, case studies and true hands-on
    utilization of pertinent security tools. For a limited time you can enter
    for a chance to win one of the latest technological innovations, the SEGWAY
    HT. Log onto http://www.securityfocus.com/FastTrain-focus-ms
    ----------------------------------------------------------------------------

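An added example for the question in the quoted post about which of the .NET application mappings to leave in place: a small Python audit script written for this page, not code from the thread or from Microsoft. It assumes the site's ScriptMaps were dumped with `cscript adsutil.vbs GET W3SVC/1/ROOT/ScriptMaps` in the usual quoted `".ext,isapi_path,flags,verbs"` form; the dump inside the script is constructed, not captured from a real server. The extension groupings come from the list in the post plus one fact about .NET Framework 1.x: machine.config routes .asax, .ascx, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .licx, .resx and .resources to System.Web.HttpForbiddenHandler, so those IIS mappings exist to refuse the request and are the ones you keep rather than trim. The script keeps those, keeps the genuine ASP.NET entry points the site is known to use, and flags everything else (including the legacy pre-.NET mappings the post lists) for removal.

```python
"""Audit the ScriptMaps list an IIS 5/6 site inherits after the .NET
Framework install. Added example for this thread, not code from the post
or from Microsoft. Assumptions: the mappings were dumped with
    cscript adsutil.vbs GET W3SVC/1/ROOT/ScriptMaps
in its ".ext,isapi_path,flags,verbs" form, and SAMPLE_DUMP below is a
constructed stand-in for that output."""
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# The post's "[.net Application Mappings]" list, split by what
# aspnet_isapi.dll does with each: in .NET Framework 1.x machine.config the
# DENIED group is wired to System.Web.HttpForbiddenHandler, so those
# mappings exist to refuse requests for source and configuration files.
DOTNET_SERVED: Set[str] = {".aspx", ".ashx", ".asmx", ".axd", ".rem", ".soap", ".vsdisco"}
DOTNET_DENIED: Set[str] = {".asax", ".ascx", ".config", ".cs", ".csproj", ".vb",
                           ".vbproj", ".webinfo", ".licx", ".resx", ".resources"}
# The old IIS defaults the post cites as a cautionary precedent.
LEGACY: Set[str] = {".htw", ".ida", ".idq", ".asp", ".cer", ".cdx", ".asa",
                    ".idc", ".shtm", ".shtml", ".stm"}

# One quoted entry per line: extension, ISAPI path, flags, then the verb list.
ENTRY_RE = re.compile(r'^\s*"([^,]+),([^,]+),(\d+)(?:,(.*))?"\s*$')

# Constructed sample in the form adsutil.vbs prints (not a real server's dump).
SAMPLE_DUMP = r'''ScriptMaps                      : (LIST) (8 Items)
  ".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
  ".ida,C:\WINNT\System32\idq.dll,1,GET,HEAD"
  ".aspx,C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
  ".asmx,C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
  ".vsdisco,C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
  ".rem,C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
  ".config,C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
  ".cs,C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
'''


@dataclass
class Mapping:
    ext: str
    dll: str
    flags: int
    verbs: List[str] = field(default_factory=list)


def parse_scriptmaps(dump: str) -> List[Mapping]:
    """Parse the quoted entry lines of an adsutil ScriptMaps dump; header
    and blank lines are skipped."""
    entries = []
    for line in dump.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        ext, dll, flags, verbs = m.groups()
        entries.append(Mapping(ext.lower(), dll, int(flags),
                               [v for v in (verbs or "").split(",") if v]))
    return entries


def audit(entries: List[Mapping], site_uses: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (extension, verdict, reason) per mapping. Verdicts are
    keep / remove / review; review means the list in the post does not
    cover it and the application owner has to decide."""
    report = []
    for e in entries:
        dll = e.dll.lower()
        if e.ext in DOTNET_DENIED and dll.endswith("aspnet_isapi.dll"):
            verdict, why = "keep", ("deny mapping: without it the request goes to IIS static-file "
                                    "handling instead of aspnet_isapi.dll")
        elif e.ext in DOTNET_SERVED and e.ext in site_uses:
            verdict, why = "keep", "ASP.NET entry point the site uses"
        elif e.ext in DOTNET_SERVED:
            verdict, why = "remove", "ASP.NET entry point the site does not use"
        elif e.ext in LEGACY:
            verdict, why = "remove", "legacy default mapping from the pre-.NET checklist"
        else:
            verdict, why = "review", "not in the post's lists; confirm the application needs it"
        report.append((e.ext, verdict, why))
    return report


def trimmed_scriptmaps(entries: List[Mapping], site_uses: Set[str]) -> List[str]:
    """Rebuild the surviving entries in adsutil's quoted form, i.e. the values
    you would hand to `adsutil.vbs SET W3SVC/1/ROOT/ScriptMaps`. Entries marked
    review are kept: nothing is dropped that has not been classified."""
    verdicts = {ext: verdict for ext, verdict, _ in audit(entries, site_uses)}
    kept = []
    for e in entries:
        if verdicts[e.ext] == "remove":
            continue
        kept.append('"' + ",".join([e.ext, e.dll, str(e.flags)] + e.verbs) + '"')
    return kept


if __name__ == "__main__":
    maps = parse_scriptmaps(SAMPLE_DUMP)
    uses = {".aspx", ".asmx"}  # what this hypothetical site actually serves
    for ext, verdict, why in audit(maps, uses):
        print(f"{ext:9} {verdict:7} {why}")
    print("\nTrimmed ScriptMaps:")
    for line in trimmed_scriptmaps(maps, uses):
        print("  " + line)
```

Run it against the real dump and give `site_uses` only the extensions the application is known to serve; the output is the trimmed list, in the same quoted form adsutil expects back, with the deny mappings for .config, .cs and the other source extensions still present.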
    
