RE: Harden ASP.NET Configuration

From: Harbar, Spencer (spencer.harbar_at_dns.co.uk)
Date: Tue, 13 May 2003 17:04:46 +0100
To: ":: gary ::" <gary.bright@cisd.panasonic.co.uk>, <focus-ms@securityfocus.com>

  • Next message: Henry Sieff: "RE: Harden ASP.NET Configuration"


    The majority of the mappings you list are for development purposes;
    you'd never leave '.csproj' enabled, for example, on a production server.

    Someplace after the install of the SDK there's a readme detailing the
    ones you wouldn't want on the production server. Also, I believe the
    document at
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp
    details this as well.

    hth
    Spence

    -----Original Message-----
    From: :: gary :: [mailto:gary.bright@cisd.panasonic.co.uk]
    Sent: 13 May 2003 14:18
    To: focus-ms@securityfocus.com

    **********************************************************************
    This email and any files transmitted with it are confidential and
    intended solely for the use of the individual or entity to whom they
    are addressed. If you have received this email in error please notify
    the sender immediately and then delete from your system.

    This footnote also confirms that this email message has been swept
    for the presence of known computer viruses.

    **********************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hello Everyone

    I'm trying to find explanations for each of these application mappings
    which get installed with .net framework.

    I know it comes down to what the relevant application has been written
    for, but if I knew in what context they would get used, I believe
    that would help me understand.

    I'll also be interested to hear how other IIS admins have gone about
    the deployment of the .NET framework to a live internet environment, for
    example what advice they can offer me and whether or not they trimmed
    down the application mappings or left them as standard.

    As well as trying to build further on my understanding of .NET (from a
    security point of view), the main thing I'm scared of is that old
    default settings had mappings like

    .htw, .ida, .idq, .asp, .cer, .cdx, .asa, .idc, .shtm, .shtml, .stm,

    which later on Microsoft provided tools to easily disable, realising
    their mistake of including them by default. While I don't want to
    knock the efforts MS has put into security recently, I can't help feeling
    that they are lining themselves up for a kicking by having all these
    mappings for .NET enabled by default (after the framework install) and
    providing very little documentation for locking down the .NET IIS
    configuration (see snip from the IIS 5.0 checklist).

    I know that it comes down to only enabling the relevant mappings
    for your website; I just don't think MS is making that point with the
    .NET framework.

    I'd be interested in what you think.

    Thanks for your time.

    Best Regards

    Gary

    <SNIP>
    Harden ASP.NET Configuration

    If the .NET Framework has been installed on the system, download and
    install the latest version of the .NET Framework and any service packs.
    Review the configuration of the .NET Framework, and ASP.NET in
    particular, to ensure ASP.NET does not increase your vulnerability to
    attack.
    </SNIP>

    [.net Application Mappings]

    .asax
    .ascx
    .ashx
    .asmx
    .aspx
    .axd
    .vsdisco
    .rem
    .soap
    .config
    .cs
    .csproj
    .vb
    .vbproj
    .webinfo
    .licx
    .resx
    .resources

    -----BEGIN PGP SIGNATURE-----
    Version: 6.5.8ckt http://www.ipgpp.com/

    iQA/AwUBPsDvOPM1kDfiKwBGEQKzjwCg44YHnqND5bJNE6/C50xfDROq5VUAoKgr
    XoZOU2RkNDca5jS9RxQcUqgX
    =HD6r
    -----END PGP SIGNATURE-----

    -----------------------------------------------------------------------------
    FastTrain has your solution for a great CISSP Boot Camp. The industry's
    most recognized corporate security certification track, provides a
    comprehensive prospectus based upon the core principle concepts of
    security. This ALL INCLUSIVE curriculum utilizes lectures, case studies
    and true hands-on utilization of pertinent security tools. For a limited
    time you can enter for a chance to win one of the latest technological
    innovations, the SEGWAY HT.
    Log onto http://www.securityfocus.com/FastTrain-focus-ms
    -----------------------------------------------------------------------------

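Spencer's advice, and the IIS 5.0 checklist snippet Gary quotes, both come down to keeping only the script mappings a production site actually needs. The audit below is an added example (editor's code, not from either poster and not a Microsoft tool) that classifies the ScriptMaps entries of an IIS 5/6 site as dumped from the metabase, for instance with `cscript adsutil.vbs GET W3SVC/1/Root/ScriptMaps`. It sorts Gary's list according to the handlers the .NET Framework 1.x machine.config assigns to each extension: .aspx, .asmx, .ashx, .axd, .rem, .soap and .vsdisco reach handlers that execute or serve something and should stay mapped only if the site uses them, whereas .asax, .ascx, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .licx, .resx and .resources are routed to aspnet_isapi.dll so that System.Web.HttpForbiddenHandler answers 403. Unmapping that second group hands the files back to IIS's static file handler, so those entries should stay (or be pointed at a 404 handler) even though a production site never serves them. The ASP.NET 1.x mappings are also registered with the DEBUG verb for Visual Studio debugging, which the audit flags on the executing mappings. The sample entries, paths and flag values are constructed, and the `used_exts` argument is an assumption the administrator supplies.

```python
"""Audit the ASP.NET 1.x application mappings in an IIS 5/6 ScriptMaps list.

Input is the ScriptMaps metabase property, one "extension,dll,flags[,verb,...]"
string per entry. Example code added for illustration; the handler
classification reflects the machine.config shipped with .NET Framework 1.x.
"""

ASPNET_DLL = "aspnet_isapi.dll"

# Mappings whose machine.config handler executes or serves content.
EXECUTING = {
    ".aspx": "Web Forms pages",
    ".asmx": "XML Web services",
    ".ashx": "custom IHttpHandler endpoints",
    ".axd": "handler factory used by trace.axd",
    ".rem": ".NET Remoting over HTTP",
    ".soap": ".NET Remoting over HTTP",
    ".vsdisco": "dynamic web-service discovery",
}

# Mappings that go to aspnet_isapi.dll only so that
# System.Web.HttpForbiddenHandler returns 403 for source, config and
# project files. Removing them from ScriptMaps would let IIS serve the
# files as static content, so they must stay (or move to a 404 mapping).
FORBIDDEN = {".asax", ".ascx", ".config", ".cs", ".csproj", ".vb", ".vbproj",
             ".webinfo", ".licx", ".resx", ".resources"}

# Verbs a production ASP.NET 1.x site needs; DEBUG exists for VS debugging.
PRODUCTION_VERBS = {"GET", "HEAD", "POST"}


def parse_scriptmap(entry):
    """Parse one metabase ScriptMaps entry into its fields."""
    parts = entry.strip().strip('"').split(",")
    if len(parts) < 3:
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    verbs = {v.strip().upper() for v in parts[3:] if v.strip()}
    return {
        "ext": parts[0].strip().lower(),
        "dll": parts[1].strip(),
        "flags": int(parts[2]),
        "verbs": verbs,  # an empty set means IIS accepts every verb
    }


def audit_scriptmaps(entries, used_exts):
    """Return {extension: finding} for every ScriptMaps entry.

    used_exts: the extensions the production site really serves through
    ASP.NET, e.g. {".aspx", ".asmx"} (assumption supplied by the admin).
    """
    used = {e.lower() for e in used_exts}
    findings = {}
    for entry in entries:
        m = parse_scriptmap(entry)
        ext, verbs = m["ext"], m["verbs"]
        if not m["dll"].lower().endswith(ASPNET_DLL):
            findings[ext] = "non-.NET mapping: review against the IIS lockdown checklist"
            continue
        if ext in FORBIDDEN:
            verdict = "keep: HttpForbiddenHandler blocks direct requests (403)"
        elif ext in EXECUTING:
            if ext in used:
                verdict = f"keep: site uses {EXECUTING[ext]}"
                unexpected = verbs - PRODUCTION_VERBS
                if unexpected or not verbs:
                    current = ",".join(sorted(verbs)) or "all verbs"
                    verdict += f"; restrict verbs to GET,HEAD,POST (currently {current})"
            else:
                verdict = f"remove: {EXECUTING[ext]} not used by this site"
        else:
            verdict = "unknown .NET mapping: investigate"
        findings[ext] = verdict
    return findings


# Constructed sample in the shape adsutil.vbs prints for
# W3SVC/1/Root/ScriptMaps on a .NET 1.1 install (paths and flags illustrative).
SAMPLE = [
    r'".aspx,C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"',
    r'".asmx,C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"',
    r'".vsdisco,C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"',
    r'".config,C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"',
    r'".csproj,C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"',
    r'".idq,C:\WINNT\System32\idq.dll,5,GET,HEAD,POST"',
]

if __name__ == "__main__":
    for ext, finding in sorted(audit_scriptmaps(SAMPLE, {".aspx", ".asmx"}).items()):
        print(f"{ext:10} {finding}")
```

Feed it the real ScriptMaps list of each site rather than the server-wide W3SVC default, since a site-level override silently replaces the whole list; and after removing a mapping, request a file with that extension from the web root to confirm IIS answers 404 rather than serving the file.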

