RE: Harden ASP.NET Configuration

From: Henry Sieff (hsieff_at_orthodon.com)
Date: 05/13/03

  • Next message: Marc Fossi: "Article Announcement: U.S. Information Security Law, Part 3"
    To: "':: gary ::'" <gary.bright@cisd.panasonic.co.uk>, focus-ms@securityfocus.com
    Date: Tue, 13 May 2003 15:37:32 -0500
    
    

    Here is an overview of some basic security steps for IIS5/ASP.NET

    http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp?frame=true#openhack_topic3&_r=1

    Didn't find it in time for my first email.

    Henry

    > -----Original Message-----
    > From: :: gary :: [mailto:gary.bright@cisd.panasonic.co.uk]
    > Sent: Tuesday, May 13, 2003 8:18 AM
    > To: focus-ms@securityfocus.com
    > Subject: Harden ASP.NET Configuration
    >
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > Hello Everyone
    >
    > I'm trying to find explanations for each of these application mappings
    > which get installed with the .NET Framework.
    >
    > I know it comes down to what the relevant application has been written
    > for, but if I knew in what context they would get used, I believe that
    > would help me understand.
    >
    > I'll also be interested to hear how other IIS admins have gone about the
    > deployment of the .NET Framework to a live internet environment, for
    > example what advice they can offer me and whether or not they trimmed
    > down the application mappings or left them as standard.
    >
    > As well as trying to build further on my understanding of .NET (from a
    > security point of view), the main thing I'm scared of is that the old
    > default settings had mappings like
    >
    > .htw, .ida, .idq, .asp, .cer, .cdx, .asa, .idc, .shtm, .shtml, .stm,
    >
    > which later on Microsoft provided tools to easily disable, realising
    > their mistake of including them by default. While I don't want to knock
    > the efforts MS has put into security recently, I can't help feeling that
    > they are lining themselves up for a kicking by having all these mappings
    > for .NET enabled by default (after the framework install) and providing
    > very little documentation for locking down the .NET IIS configuration
    > (see snip from the IIS 5.0 checklist).
    >
    > I know that while it comes down to only enabling the relevant mappings
    > for your website, I just don't think MS is making that point with the
    > .NET Framework.
    >
    > Be interested in what you think.
    >
    > Thanks for your time.
    >
    > Best Regards
    >
    > Gary
    >
    > <SNIP>
    > Harden ASP.NET Configuration
    >
    > If the .NET Framework has been installed on the system, download and
    > install the latest version of the .NET Framework and any service packs.
    > Review the configuration of the .NET Framework, and ASP.NET in particular,
    > to ensure ASP.NET does not increase your vulnerability to attack.
    > </SNIP>
    >
    >
    > [.net Application Mappings]
    >
    > .asax
    > .ascx
    > .ashx
    > .asmx
    > .aspx
    > .axd
    > .vsdisco
    > .rem
    > .soap
    > .config
    > .cs
    > .csproj
    > .vb
    > .vbproj
    > .webinfo
    > .licx
    > .resx
    > .resources
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: 6.5.8ckt http://www.ipgpp.com/
    >
    > iQA/AwUBPsDvOPM1kDfiKwBGEQKzjwCg44YHnqND5bJNE6/C50xfDROq5VUAoKgr
    > XoZOU2RkNDca5jS9RxQcUqgX
    > =HD6r
    > -----END PGP SIGNATURE-----
    >
    >
    >
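Added example, not code from this thread or from Microsoft: a small Python audit that checks an IIS 5 ScriptMaps list against a per-site allow-list, in the spirit of the "only enable the relevant mappings for your website" point above. It assumes the metabase ScriptMaps entry format (extension, ISAPI DLL path, flags, then verbs) and classifies the ASP.NET extensions according to the default .NET 1.x machine.config behaviour: .aspx, .asmx, .ashx, .axd, .rem, .soap and .vsdisco are handled by aspnet_isapi.dll and expose functionality, whereas .asax, .ascx, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .licx, .resx and .resources are mapped to it so that ASP.NET's HttpForbiddenHandler returns 403 instead of IIS handing out source or configuration files. Removing that second group of mappings can therefore expose files rather than reduce exposure, so the audit leaves them alone. The sample entries are constructed.

```python
"""Audit IIS 5 ScriptMaps entries for ASP.NET application mappings.

Added example, not code from the original thread. Each input line follows
the IIS metabase ScriptMaps format: extension,isapi_dll_path,flags,verbs...
SAMPLE_SCRIPTMAPS below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# ASP.NET 1.x extensions that aspnet_isapi.dll actually serves (pages, web
# services, handlers, remoting, discovery and the .axd trace handler).
CONTENT_HANDLERS = {".aspx", ".asmx", ".ashx", ".axd", ".rem", ".soap", ".vsdisco"}

# Extensions mapped to aspnet_isapi.dll so that ASP.NET's HttpForbiddenHandler
# answers 403 instead of IIS serving source or configuration files. These
# mappings are protective, so the audit never reports them.
FORBIDDEN_HANDLERS = {".asax", ".ascx", ".config", ".cs", ".csproj", ".vb",
                      ".vbproj", ".webinfo", ".licx", ".resx", ".resources"}

# Legacy IIS mappings named in the thread that the IIS lockdown tooling removes.
LEGACY_MAPPINGS = {".htw", ".ida", ".idq", ".cer", ".cdx", ".asa", ".idc",
                   ".shtm", ".shtml", ".stm"}


@dataclass
class Finding:
    extension: str
    dll: str
    severity: str
    reason: str


def parse_scriptmap(line: str) -> Tuple[str, str, List[str]]:
    """Split one ScriptMaps entry into (extension, DLL file name, verbs)."""
    parts = [p.strip() for p in line.strip().split(",")]
    if len(parts) < 3:
        raise ValueError(f"malformed ScriptMaps entry: {line!r}")
    extension = parts[0].lower()
    # Normalise the DLL path so the comparison works for any install directory.
    dll = parts[1].replace("\\", "/").rsplit("/", 1)[-1].lower()
    verbs = [v.upper() for v in parts[3:] if v]
    return extension, dll, verbs


def audit_scriptmaps(entries: Iterable[str], needed: Iterable[str]) -> List[Finding]:
    """Return findings for mappings the site does not need.

    `needed` is the allow-list of extensions the site really serves.
    """
    allow: Set[str] = {e.lower() for e in needed}
    findings: List[Finding] = []
    for line in entries:
        if not line.strip():
            continue
        extension, dll, _verbs = parse_scriptmap(line)
        if extension in LEGACY_MAPPINGS:
            findings.append(Finding(extension, dll, "high",
                                    "legacy IIS mapping; remove unless the site uses it"))
        elif dll == "aspnet_isapi.dll":
            if extension in FORBIDDEN_HANDLERS:
                continue  # protective mapping, keep it
            if extension in CONTENT_HANDLERS and extension not in allow:
                findings.append(Finding(extension, dll, "medium",
                                        "ASP.NET content handler not in the site's allow-list"))
            elif extension not in allow:
                findings.append(Finding(extension, dll, "low",
                                        "unexpected extension mapped to aspnet_isapi.dll"))
        elif extension not in allow:
            findings.append(Finding(extension, dll, "low",
                                    "non-ASP.NET mapping not in the allow-list; confirm it is needed"))
    return findings


# Constructed sample of a ScriptMaps property after a .NET 1.1 install.
SAMPLE_SCRIPTMAPS = [
    r".aspx,C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG",
    r".config,C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG",
    r".vsdisco,C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG",
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".ida,C:\WINNT\System32\idq.dll,1,GET,HEAD",
]

if __name__ == "__main__":
    for f in audit_scriptmaps(SAMPLE_SCRIPTMAPS, needed={".aspx", ".asp"}):
        print(f"[{f.severity}] {f.extension} -> {f.dll}: {f.reason}")
```

On a real server the ScriptMaps list can be exported with the IIS admin script (for example `cscript adsutil.vbs GET W3SVC/1/ROOT/ScriptMaps`) and fed to `audit_scriptmaps` one entry per line; the allow-list should be the extensions the deployed application is documented to serve, nothing more.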



