.NET Website Security Guidelines Checklist

Lead: Become proficient with security aspects before a web application goes live over the Internet.

Web applications have been built to perform virtually every useful function that can be implemented online, such as banking, online shopping, social networking, webmail, and auctions. As with any new class of technology, web applications have brought with them a new range of security vulnerabilities. Sophisticated attacks have been conceived that were not considered when existing applications were developed, and new technologies have opened up a variety of new possibilities for exploitation. High-profile compromises of this kind continue to occur frequently.

The most critical attacks against web applications are those that uncover sensitive data or gain unrestricted access to the back-end systems on which the application is running. By some measure, web application security is today the most significant battleground between attackers and those with computer resources and data to protect, and it is likely to remain so for the foreseeable future. Web applications typically go into production on top of numerous back-end technologies, so those must be hardened along with the web API to make a foolproof, secure application.

However, developers would rather focus on building attractive applications that meet end-user requirements and unfortunately skip essential security measures, which wreaks havoc on web applications. Developers generally cannot be expected to ensure comprehensive protection of the web framework, given the variety of implicit components working behind the scenes. Therefore, this paper presents some of the security aspects as quick guidelines that can be confirmed before a web application goes live over the Internet, to ease the developer's task by ensuring protection to some extent.

Website Design

The following guidelines will help you construct a website that is as safe as it is attractive.

  • Website design must be extensive, feasible, and viable, partitioned into layers so that presentation, logic, and database-related manipulation are each handled separately.
  • The website should be composed of restricted and public zones, and you should make sure navigation between these zones does not allow sensitive information to flow.
  • Sensitive information belonging to the website must be converted into encrypted form.
  • Input validation should combine client-side and server-side validation rather than relying on client-side validation alone.
  • The production and database servers should be placed in a secure DMZ and accessed only by privileged personnel.
  • User and Web controls should be separated into individual assembly files.
  • The website's directories and files should each be authorized in a granular fashion.
  • An accurate exception handling mechanism should be ensured in each website source code file.
  • A secure mechanism must be identified to handle sensitive information transmission across the network.

Website Authentication

| Security Parameters Alignment | Damage Magnitude (if No) |
|---|---|
| Confirm SSL is implemented to protect sensitive credentials. | Severe |
| Confirm cookies are encrypted by setting protection="All". | Severe |
| Confirm Forms Authentication cookies are restricted to HTTPS by using the secure or requireSSL attribute. | Severe |
| Confirm a strong password policy is applied. | Severe |
| Confirm cookies time out via slidingExpiration, in case SSL is not used. | Moderate |
| Confirm the persistence level of cookies. | Moderate |
| Confirm Anonymous or Basic authentication is not applied. | Severe |
| Confirm impersonation credentials are hashed. | Severe |
| Confirm sensitive credentials are not stored in an XML file in clear text. | Severe |
| Confirm that unsuccessful sign-in activity is logged. | Moderate |

Resource Authorization

| Security Parameters Alignment | Damage Magnitude (if No) |
|---|---|
| Confirm Windows Authentication is applied for File authorization. | Moderate |
| Confirm a role check is initiated for particular resource access. | Severe |
| Confirm pages and directories are accessed via URL authorization. | Severe |
| Confirm Principal permission demands are applied to classes and members in source code. | Severe |
| Confirm role-based authorization is performed with User.Identity.IsInRole. | Moderate |

Input Validation

| Security Parameters Alignment | Damage Magnitude (if No) |
|---|---|
| Confirm the input range is checked at Form textbox controls. | Severe |
| Confirm RequiredFieldValidator is implemented. | Severe |
| Confirm RegularExpressionValidator is implemented. | Severe |
| Confirm RangeValidator is implemented. | Severe |
| Confirm textboxes properly validate the input length and type to thwart SQL injection attacks. | Severe |
| Confirm cookies and query strings are validated with the Regex class. | Moderate |
| Confirm free-form input is sanitized to thwart LFI or RFI attacks. | Severe |
| Confirm the HttpOnly cookie option is applied to defend against XSS attacks. | Severe |
| Confirm output is encoded with UrlEncode and HtmlEncode. | Moderate |

Parameters Handling

| Security Parameters Alignment | Damage Magnitude (if No) |
|---|---|
| Confirm query string data is encrypted. | Severe |
| Confirm form view state is encrypted. | Severe |
| Confirm Page.ViewStateUserKey is implemented to defend against one-click attacks. | Moderate |

Session Data Handling

| Security Parameters Alignment | Damage Magnitude (if No) |
|---|---|
| Confirm redundant session services are disabled. | Low |
| Confirm connection strings are encrypted. | Severe |
| Confirm session cookie data is hashed. | Severe |
| Confirm the session state service is running with least privileges. | Moderate |

Sensitive Data Protection

| Security Parameters Alignment | Damage Magnitude (if No) |
|---|---|
| Confirm SSL is applied to protect communication. | Severe |
| Confirm output caching is disabled for sensitive encrypted data. | Severe |
| Confirm sensitive data does not reside in cookies, query strings, or hidden form fields. | Severe |
| Confirm server-side state management is applied for clear text passing of data across the pages. | Severe |
| Confirm sensitive data is not stored in the web.config file in plain text. | Severe |

Web Services

| Security Parameters Alignment | Damage Magnitude (if No) |
|---|---|
| Confirm redundant Web service protocols, including HTTP GET and HTTP POST, are disabled. | Severe |
| Confirm XML input data is validated against an agreed-upon schema. | Severe |
| Confirm input to Web methods is validated for length, type, range, and format. | Severe |
| Confirm SOAP messages are passed only in encrypted form over communication channels. | Severe |
| Confirm only basic authentication is used for encrypted communication. | Severe |
| Confirm the Web service is running with a least-privileged process account. | Severe |
| Confirm messages are digitally signed to certify that they cannot be tampered with by malicious parameter manipulation. | Severe |
| Confirm publicly accessible Web methods are restricted by using declarative principal permission demands. | Severe |

Exception Handling Management

| Security Parameters Alignment | Damage Magnitude (if No) |
|---|---|
| Confirm every exception that occurs is recorded on the server. | Moderate |
| Confirm structured exception handling is applied to each code file. | Severe |
| Confirm page-level exception handling is applied. | Severe |
| Confirm application-level exception handling is applied. | Severe |
| Confirm a generic error page is configured for unexpected errors. | Moderate |

Web.Config File Administration

| Security Parameters Alignment | Damage Magnitude (if No) |
|---|---|
| Confirm enableViewState is disabled, if the application doesn’t rely on view state. | Moderate |
| Confirm enableViewStateMac is enabled, if the application uses view state. | Severe |
| Confirm httpMaxLength is set to prevent users from uploading large files. | Moderate |
| Confirm the ASP.NET account is running with least privilege by this setting: <processModel userName="Machine" password="AutoGenerate" /> | |
| Confirm secure forms authentication is enabled by this property: <forms loginUrl="Restrictedlogin.aspx" protection="All" requireSSL="true" timeout="10" name="AppNameCookie" path="/FormsAuth" slidingExpiration="true" /> | |
| Confirm the customErrors option is enabled. | Severe |
| Confirm automatic generation of WSDL is disabled. | Severe |
| Confirm the application is forced to use authentication by setting allowOverride to false. | Severe |
| Confirm unused file type handlers are mapped to the Forbidden handler. | Moderate |
| If session state is used, confirm it is stored in encrypted form. | Moderate |

Privilege Management

| Security Parameters Alignment | Damage Magnitude (if No) |
|---|---|
| Confirm the ASP.NET process account has Read permission to the system root directory (%windir%\System32). | Severe |
| Confirm the impersonation account has Read permission to the GAC (%windir%\assembly). | Severe |
| Confirm the process account has Read and Execute permission to the solution content directory. | Severe |
| Confirm the ASP.NET process account has Read and Execute permission to the Framework directory (%windir%\Microsoft.NET\Framework). | Moderate |
| Confirm the process account has Full control permission to Temporary files (%windir%\Microsoft.NET\Framework\{version}\Temporary ASP.NET Files). | Moderate |


| Security Parameters Alignment | Damage Magnitude (if No) |
|---|---|
| Confirm debug compilation is disabled. | Severe |
| Confirm trace is disabled. | Severe |
| Confirm access is denied by authentication configuration removed. | Severe |
| Confirm the Bin directory doesn’t have read or write permission. | Severe |
| Confirm the Bin directory doesn’t have directory browsing permission. | Severe |
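
Several of the web.config items in the Web.Config File Administration table and the table above can be checked automatically before go-live. The following Python script is an added example, not part of the original article: it parses a web.config and reports the failing checklist items with the severity the tables assign. The sample configuration is constructed, the name audit_web_config is hypothetical, and absent attributes are assumed to take the ASP.NET framework defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the article) with three weak settings.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
    <pages enableViewStateMac="true" />
    <authentication mode="Forms">
      <forms loginUrl="Restrictedlogin.aspx" protection="All"
             requireSSL="false" timeout="10" slidingExpiration="true" />
    </authentication>
  </system.web>
</configuration>"""

# Each check: (path under <system.web>, attribute, assumed framework default
# when the attribute is absent, accepted values, checklist severity, item).
CHECKS = [
    ("compilation", "debug", "false", {"false"}, "Severe", "debug compilation is disabled"),
    ("trace", "enabled", "false", {"false"}, "Severe", "trace is disabled"),
    ("customErrors", "mode", "RemoteOnly", {"on", "remoteonly"}, "Severe", "customErrors is enabled"),
    ("pages", "enableViewStateMac", "true", {"true"}, "Severe", "enableViewStateMac is enabled"),
    ("authentication/forms", "protection", "All", {"all"}, "Severe", "forms cookie uses protection=All"),
    ("authentication/forms", "requireSSL", "false", {"true"}, "Severe", "forms cookie is restricted to HTTPS"),
]

def audit_web_config(xml_text):
    """Return (severity, item, actual_setting) for every failed check."""
    root = ET.fromstring(xml_text)
    system_web = root.find("system.web")
    if system_web is None:
        raise ValueError("no <system.web> section found")
    findings = []
    for path, attr, default, accepted, severity, item in CHECKS:
        element = system_web.find(path)
        # Forms checks only apply when a <forms> element is configured.
        if element is None and path.endswith("/forms"):
            continue
        # A missing element or attribute falls back to the framework default.
        value = default if element is None else element.get(attr, default)
        if value.strip().lower() not in accepted:
            findings.append((severity, item, f"{attr}={value}"))
    return findings

if __name__ == "__main__":
    for severity, item, actual in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"[{severity}] FAIL: {item} ({actual})")
```

Settings overridden in nested web.config files or `<location>` elements are not followed by this script and need a separate pass.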

Final Note

This cheat sheet gives developers a quick snapshot of essential configuration, with concentrated guidance on building a secure web application. Website programmers can reference it to apply security measures quickly rather than dwell on detailed security settings. We have seen various significant ASP.NET security configurations that could be beneficial for both developers and penetration testers.
