.NET Website Security Guidelines Checklist
Lead: Become proficient with security aspects before a web application goes live over the Internet.
Web applications have been built to perform virtually every useful function that can be offered online: banking, online shopping, social networking, web mail, and auctions. As with any new class of technology, web applications have introduced new ranges of security vulnerabilities. Sophisticated attacks have been conceived that were not considered when existing applications were developed, and new technologies have presented a variety of new possibilities for exploitation. High-profile compromises of this kind continue to occur frequently.
The most critical attacks against web applications are those that uncover sensitive data or gain unrestricted access to the back-end systems on which the application is running. By some measure, web application security is today the most significant battleground between attackers and those with computer resources and data to protect, and it is likely to remain so for the foreseeable future. Web applications typically go into production on top of numerous back-end technologies, so security must be hardened in each of them, along with the Web API, to produce a genuinely secure application.
However, developers would rather focus on building attractive applications that meet end-user requirements, and unfortunately they often skip essential security measures; this leads web applications into havoc. It is generally unrealistic to expect developers to guarantee comprehensive protection of the web framework, given the variety of components working implicitly behind the scenes. This paper therefore presents some of those security aspects as quick guidelines that can be confirmed before a web application goes live on the Internet, easing the developer's task by ensuring protection to some extent.
Website Design
The following guidelines will help you construct a website that is as safe as it is attractive.
- Website design must be extensive, feasible, and viable: partition it into layers so that presentation, logic, and database manipulation are each handled separately.
- The website should be composed of restricted and public zones, and navigation between these zones must not allow sensitive information to flow from one to the other.
- Sensitive information held by the website must be stored in encrypted form.
- Input validation should combine client-side and server-side validation rather than relying on client-side validation alone.
- The production and database servers should be placed in a secure DMZ and accessed only by privileged personnel.
- User controls and Web controls should be separated into individual assembly files.
- The website's directories and files should be authorized in a granular fashion.
- An accurate exception handling mechanism should be ensured in each corresponding website source code file.
- A secure mechanism must be identified for transmitting sensitive information across the network.
Website Authentication
| Security Parameters Alignment | Damage Magnitude (if No) | Status |
| --- | --- | --- |
| Confirm SSL is implemented to protect sensitive credentials. | Severe | ☐ |
| Confirm cookies are encrypted by setting `protection="All"`. | Severe | ☐ |
| Confirm Forms Authentication cookies are restricted to HTTPS by using the `secure` or `requireSSL` attribute. | Severe | ☐ |
| Confirm a strong password policy is applied. | Severe | ☐ |
| Confirm cookies time out via `slidingExpiration`, in case SSL is not used. | Moderate | ☐ |
| Confirm the persistence level of cookies. | Moderate | ☐ |
| Confirm Anonymous or Basic authentication is not applied. | Severe | ☐ |
| Confirm impersonation credentials are hashed. | Severe | ☐ |
| Confirm sensitive credentials are not stored in an XML file in clear text. | Severe | ☐ |
| Confirm that unsuccessful sign-in activity is logged. | Moderate | ☐ |
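The password policy, hashed credential and failed-sign-in rows above, worked through in an ASP.NET Forms Authentication login page. This is an added example, not code from the original article: `UserStore.GetPasswordHash` and the `UserName`, `Password` and `ErrorLabel` controls are hypothetical names for the application's own user table and markup, and the hashing uses PBKDF2 (`Rfc2898DeriveBytes`) rather than any scheme the article prescribes.

```csharp
// Added example: password policy, PBKDF2 hashing/verification and failed-login logging.
// UserStore and the page controls are hypothetical placeholders for the application's code.
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text.RegularExpressions;
using System.Web.Security;

public static class PasswordPolicy
{
    // At least 12 characters with an upper-case letter, a lower-case letter, a digit and a symbol.
    static readonly Regex Strong = new Regex(
        @"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[^\w\s]).{12,}$", RegexOptions.Compiled);

    public static bool IsStrong(string candidate)
    {
        return candidate != null && Strong.IsMatch(candidate);
    }
}

public static class PasswordHasher
{
    const int SaltBytes = 16, HashBytes = 32, Iterations = 100000;

    // Stored form is "iterations.salt.hash" (base64) so the parameters travel with the record.
    public static string Hash(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            byte[] hash = kdf.GetBytes(HashBytes);
            return Iterations + "." + Convert.ToBase64String(salt) + "." + Convert.ToBase64String(hash);
        }
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3) return false;
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
        {
            return FixedTimeEquals(kdf.GetBytes(expected.Length), expected);
        }
    }

    // Constant-time comparison so response timing does not reveal how many bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public partial class Login : System.Web.UI.Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();
        // Hypothetical lookup into the application's user table; returns null for unknown users.
        string stored = UserStore.GetPasswordHash(user);

        if (stored != null && PasswordHasher.Verify(Password.Text, stored))
        {
            // Issues the forms-auth ticket; protection/requireSSL/timeout come from <forms> in web.config.
            FormsAuthentication.RedirectFromLoginPage(user, createPersistentCookie: false);
            return;
        }

        // Log the failure with user name and source address, never the supplied password.
        Trace.TraceWarning("Failed sign-in for '{0}' from {1}", user, Request.UserHostAddress);
        // One generic message for "no such user" and "wrong password" alike.
        ErrorLabel.Text = "Invalid user name or password.";
    }
}
```

`PasswordPolicy.IsStrong` belongs in the registration and change-password handlers; the login handler deliberately does not call it, so that an existing weak password fails on verification rather than on policy and the two cases are indistinguishable to the caller.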
Resource Authorization
| Security Parameters Alignment | Damage Magnitude (if No) | Status |
| --- | --- | --- |
| Confirm Windows Authentication is applied for file authorization. | Moderate | ☐ |
| Confirm a role check is performed for each particular resource access. | Severe | ☐ |
| Confirm pages and directories are protected via URL authorization. | Severe | ☐ |
| Confirm principal permission demands are applied to classes and members in source code. | Severe | ☐ |
| Confirm role-based authorization is happening by User.Identity.IsInRole. | Moderate | ☐ |
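The principal-permission-demand and role-check rows above, as an added example that is not part of the original article. `ReportService`, the `Admin` and `Auditor` role names, and the `DeleteButton` and `ReportId` controls are hypothetical. Note that `IsInRole` is a member of the principal (`User.IsInRole`), not of `User.Identity`.

```csharp
// Added example: declarative PrincipalPermission demands on a business class plus an
// imperative role check in page code. Role names and controls are hypothetical.
using System;
using System.Security;
using System.Security.Permissions;
using System.Web.UI;

public class ReportService
{
    // Declarative demand: the runtime checks Thread.CurrentPrincipal (set by ASP.NET from
    // HttpContext.User) before the body runs and throws SecurityException otherwise.
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public void DeleteReport(int reportId)
    {
        // ... delete logic ...
    }

    // Two demands on one member are OR'ed: either role may read.
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    [PrincipalPermission(SecurityAction.Demand, Role = "Auditor")]
    public string ReadReport(int reportId)
    {
        return "report " + reportId;
    }
}

public partial class Reports : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Imperative check drives the UI; hiding a control is not itself an authorization decision.
        DeleteButton.Visible = User.IsInRole("Admin");
    }

    protected void DeleteButton_Click(object sender, EventArgs e)
    {
        try
        {
            // The demand on DeleteReport is the real gate, and it holds even if the client
            // submits the postback without the button being rendered.
            new ReportService().DeleteReport(int.Parse(ReportId.Value));
        }
        catch (SecurityException)
        {
            // Fail closed with a plain 403; do not reveal which role was required.
            Response.StatusCode = 403;
            Response.End();
        }
    }
}
```

The declarative attribute is evaluated against `Thread.CurrentPrincipal`, so it works only where ASP.NET has already populated the principal (after `Application_AuthenticateRequest`); in a background thread or a custom thread pool the demand sees an empty principal and denies the call.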
Input Validation
| Security Parameters Alignment | Damage Magnitude (if No) | Status |
| --- | --- | --- |
| Confirm the input range is checked at Form textbox controls. | Severe | ☐ |
| Confirm RequiredFieldValidator is implemented. | Severe | ☐ |
| Confirm RegularExpressionValidator is implemented. | Severe | ☐ |
| Confirm RangeValidator is implemented. | Severe | ☐ |
| Confirm textboxes properly validate input length and type to thwart SQL injection attacks. | Severe | ☐ |
| Confirm cookies and query strings are validated by the Regex class. | Moderate | ☐ |
| Confirm free-form input is sanitized to thwart LFI or RFI attacks. | Severe | ☐ |
| Confirm the HttpOnly cookie option is applied to defend against XSS attacks. | Severe | ☐ |
| Confirm output is encoded with UrlEncode and HtmlEncode. | Moderate | ☐ |
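The query-string validation, SQL injection, HttpOnly cookie and output-encoding rows above, carried through in one page. This is an added example, not the article's code: the `ProductsDb` connection string name, the `Products` table and the `SearchBox`, `ErrorLabel`, `ResultsGrid`, `EchoLabel` and `NextLink` controls are hypothetical.

```csharp
// Added example: server-side allow-list validation of a query-string value, a
// parameterised query in place of string concatenation, an HttpOnly cookie and
// HTML/URL encoding of output. Connection string name and controls are hypothetical.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

public partial class ProductSearch : Page
{
    // Allow-list for the "cat" query-string parameter: 1-20 letters, digits or hyphens.
    static readonly Regex CategoryPattern = new Regex(@"^[A-Za-z0-9\-]{1,20}$", RegexOptions.Compiled);

    protected void Page_Load(object sender, EventArgs e)
    {
        string category = Request.QueryString["cat"];
        if (category == null || !CategoryPattern.IsMatch(category))
        {
            Response.StatusCode = 400;   // reject unexpected input; do not try to "clean it up"
            Response.End();
            return;
        }

        // Server-side length check on the textbox regardless of any client-side validator.
        string term = SearchBox.Text;
        if (term.Length > 50) { ErrorLabel.Text = "Search term too long."; return; }

        ResultsGrid.DataSource = FindProducts(category, term);
        ResultsGrid.DataBind();

        // Output encoding: user-supplied text is HtmlEncoded before rendering and
        // UrlEncoded when it is placed into a link.
        EchoLabel.Text = HttpUtility.HtmlEncode(term);
        NextLink.NavigateUrl = "~/Search.aspx?cat=" + HttpUtility.UrlEncode(category);

        // Cookie flagged HttpOnly so script in the page cannot read it; Secure when served over SSL.
        var pref = new HttpCookie("lastCategory", category)
        {
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        };
        Response.Cookies.Add(pref);
    }

    // UNSAFE pattern the checklist row warns about (shown only as a comment):
    //   string sql = "SELECT * FROM Products WHERE Name LIKE '%" + term + "%'";
    // SAFE: the value is bound as a typed parameter and cannot alter the statement's structure.
    static DataTable FindProducts(string category, string term)
    {
        string cs = ConfigurationManager.ConnectionStrings["ProductsDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT Id, Name, Price FROM Products WHERE Category = @cat AND Name LIKE @term", conn))
        {
            cmd.Parameters.Add("@cat", SqlDbType.NVarChar, 20).Value = category;
            cmd.Parameters.Add("@term", SqlDbType.NVarChar, 52).Value = "%" + term + "%";
            var table = new DataTable();
            using (var adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(table);   // opens and closes the connection itself
            }
            return table;
        }
    }
}
```

The `RegularExpressionValidator` on the markup side can use the same pattern as `CategoryPattern`, but the server-side `Regex` call is the one that counts: the validator only runs when the request comes from the rendered form, while the query string can arrive from anywhere.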
Parameters Handling
| Security Parameters Alignment | Damage Magnitude (if No) | Status |
| --- | --- | --- |
| Confirm query string data is encrypted. | Severe | ☐ |
| Confirm form view state is encrypted. | Severe | ☐ |
| Confirm Page.ViewStateUserKey is implemented to defend against one-click attacks. | Moderate | ☐ |
Session Data Handling
| Security Parameters Alignment | Damage Magnitude (if No) | Status |
| --- | --- | --- |
| Confirm redundant session services are disabled. | Low | ☐ |
| Confirm connection strings are encrypted. | Severe | ☐ |
| Confirm session cookie data is hashed. | Severe | ☐ |
| Confirm the session state service is running with least privileges. | Moderate | ☐ |
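The "connection strings are encrypted" row, worked as a small console tool that encrypts the `<connectionStrings>` section of a site's web.config through the configuration API and verifies the result. This is an added example, not the article's code; it does the same thing as the `aspnet_regiis -pe` switch, and the virtual path passed on the command line is whatever the site is mounted at in IIS.

```csharp
// Added example: protect the <connectionStrings> section with the DPAPI provider and
// confirm it. Run on the hosting machine, because DPAPI keys are machine-bound.
using System;
using System.Configuration;
using System.Web.Configuration;

static class ProtectConnectionStrings
{
    static void Main(string[] args)
    {
        // IIS virtual path of the application, e.g. "/" or "/MyApp".
        string sitePath = args.Length > 0 ? args[0] : "/";

        Configuration config = WebConfigurationManager.OpenWebConfiguration(sitePath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section.SectionInformation.IsProtected)
        {
            Console.WriteLine("connectionStrings is already encrypted.");
            return;
        }

        // DataProtectionConfigurationProvider = DPAPI (machine scope by default).
        // Use RsaProtectedConfigurationProvider with an exported key container instead
        // when the same web.config has to be readable on every node of a web farm.
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);

        // Verify by reopening the file: the section must now report as protected.
        ConfigurationSection check =
            WebConfigurationManager.OpenWebConfiguration(sitePath).GetSection("connectionStrings");
        Console.WriteLine(check.SectionInformation.IsProtected
            ? "connectionStrings encrypted; ConfigurationManager.ConnectionStrings decrypts it transparently."
            : "Encryption failed; check that the account running this tool can write web.config.");
    }
}
```

After encryption the application code does not change: `ConfigurationManager.ConnectionStrings["..."]` still returns plain text, because decryption happens inside the configuration system under the ASP.NET process identity, which is the reason that identity (and only that identity) needs access to the DPAPI machine key.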
Sensitive Data Protection
| Security Parameters Alignment | Damage Magnitude (if No) | Status |
| --- | --- | --- |
| Confirm SSL is applied to protect communication. | Severe | ☐ |
| Confirm output caching is disabled for pages that render sensitive data. | Severe | ☐ |
| Confirm sensitive data does not reside in cookies, query strings, or hidden form fields. | Severe | ☐ |
| Confirm server-side state management is used instead of passing data across pages in clear text. | Severe | ☐ |
| Confirm sensitive data is not stored in the web.config file in plain text. | Severe | ☐ |
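A base page that applies the per-request rows from both the Parameters Handling section (`Page.ViewStateUserKey`) and the Sensitive Data Protection section (SSL enforcement, no output caching, server-side state instead of query strings or hidden fields). This is an added example, not the article's code; `SecurePageBase`, `AccountDetails` and the `SelectedAccountId` session key are hypothetical names.

```csharp
// Added example: a base page that sets ViewStateUserKey, forces HTTPS and turns off
// caching for pages flagged as sensitive. Class and key names are hypothetical.
using System;
using System.Web;
using System.Web.UI;

public abstract class SecurePageBase : Page
{
    // Derived pages that display sensitive data override this to return true.
    protected virtual bool ContainsSensitiveData { get { return false; } }

    protected override void OnInit(EventArgs e)
    {
        // Sensitive credentials and data travel only over SSL.
        if (!Request.IsSecureConnection)
        {
            Response.Redirect("https://" + Request.Url.Host + Request.RawUrl, true);
            return;
        }

        // Must be set before view state is loaded, so OnInit is the right place.
        // Binding the view-state MAC to this user's session means a view state captured
        // from another session fails validation with a ViewStateException.
        if (Session != null)
            ViewStateUserKey = Session.SessionID;

        base.OnInit(e);
    }

    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        if (ContainsSensitiveData)
        {
            // No output caching: neither proxies nor the browser cache keep a copy.
            Response.Cache.SetCacheability(HttpCacheability.NoCache);
            Response.Cache.SetNoStore();
            Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
        }
    }
}

// A page that shows account details: state comes from Session, not from the URL.
public partial class AccountDetails : SecurePageBase
{
    protected override bool ContainsSensitiveData { get { return true; } }

    protected void Page_Load(object sender, EventArgs e)
    {
        // The selecting page stored the id server-side instead of appending it to the query
        // string or putting it in a hidden field.
        string accountId = Session["SelectedAccountId"] as string;
        if (accountId == null)
        {
            Response.Redirect("~/Accounts.aspx");
            return;
        }
        // ... render details for accountId ...
    }
}
```

One caveat on `Session.SessionID`: ASP.NET issues a fresh id on every request until something is stored in the session, so a site that uses this key must write at least one value into `Session` (for example at sign-in) before the first page that posts back; otherwise the MAC key changes between render and postback and every postback fails validation.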
Web Services
| Security Parameters Alignment | Damage Magnitude (if No) | Status |
| --- | --- | --- |
| Confirm redundant Web service protocols, including HTTP GET and HTTP POST, are disabled. | Severe | ☐ |
| Confirm XML input data is validated against an agreed-upon schema. | Severe | ☐ |
| Confirm input to Web methods is validated for length, type, range, and format. | Severe | ☐ |
| Confirm SOAP messages are passed only in encrypted form over communication channels. | Severe | ☐ |
| Confirm Basic authentication, if used, is used only over encrypted communication. | Severe | ☐ |
| Confirm the Web service is running under a least-privileged process account. | Severe | ☐ |
| Confirm messages are digitally signed so that they cannot be tampered with through malicious parameter manipulation. | Severe | ☐ |
| Confirm publicly accessible Web methods are restricted by using declarative principal permission demands. | Severe | ☐ |
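The schema-validation, input-validation and principal-permission rows above, worked in an ASMX web method. This is an added example, not the article's code: the `OrderService` class, its namespace, the inline XSD and the `OrderProcessor` role are constructed for the example.

```csharp
// Added example: validate incoming XML against an agreed schema (with DTDs disabled and a
// size bound) and demand a role before the method runs. Service, schema and role are constructed.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Permissions;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Xml;
using System.Xml.Schema;

[WebService(Namespace = "http://example.invalid/orders")]
public class OrderService : WebService
{
    // Agreed schema: an order has a 1-20 character id and 1-100 items with positive quantities.
    const string OrderSchema = @"<?xml version=""1.0""?>
<xs:schema xmlns:xs=""http://www.w3.org/2001/XMLSchema"">
  <xs:element name=""order"">
    <xs:complexType>
      <xs:sequence>
        <xs:element name=""item"" minOccurs=""1"" maxOccurs=""100"">
          <xs:complexType>
            <xs:attribute name=""sku"" type=""xs:string"" use=""required""/>
            <xs:attribute name=""qty"" type=""xs:positiveInteger"" use=""required""/>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
      <xs:attribute name=""id"" use=""required"">
        <xs:simpleType>
          <xs:restriction base=""xs:string"">
            <xs:minLength value=""1""/><xs:maxLength value=""20""/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
    </xs:complexType>
  </xs:element>
</xs:schema>";

    static readonly XmlSchemaSet Schemas = LoadSchemas();

    static XmlSchemaSet LoadSchemas()
    {
        var set = new XmlSchemaSet();
        set.Add(null, XmlReader.Create(new StringReader(OrderSchema)));
        return set;
    }

    // Returns every schema violation found; an empty list means the document is acceptable.
    public static List<string> Validate(string orderXml)
    {
        var errors = new List<string>();
        var settings = new XmlReaderSettings
        {
            ValidationType = ValidationType.Schema,
            Schemas = Schemas,
            DtdProcessing = DtdProcessing.Prohibit,   // no DTDs, so no entity expansion
            MaxCharactersInDocument = 64 * 1024        // length bound on the whole message
        };
        settings.ValidationEventHandler += (s, ev) => errors.Add(ev.Message);
        try
        {
            using (var reader = XmlReader.Create(new StringReader(orderXml), settings))
                while (reader.Read()) { }
        }
        catch (XmlException ex) { errors.Add(ex.Message); }
        return errors;
    }

    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Role = "OrderProcessor")]
    public string SubmitOrder(string orderXml)
    {
        List<string> problems = Validate(orderXml);
        if (problems.Count > 0)
            throw new SoapException("Order rejected: " + problems[0], SoapException.ClientFaultCode);
        // ... process the now-validated document ...
        return "accepted";
    }
}
```

`ValidationType.Schema` only reports violations through the event handler; without the handler registration the reader would silently accept a non-conforming document, which is the most common way this check is "implemented" but ineffective.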
Exception Handling Management
| Security Parameters Alignment | Damage Magnitude (if No) | Status |
| --- | --- | --- |
| Confirm every exception that occurs is recorded on the server. | Moderate | ☐ |
| Confirm structured exception handling is applied in each code file. | Severe | ☐ |
| Confirm page-level exception handling is applied. | Severe | ☐ |
| Confirm application-level exception handling is applied. | Severe | ☐ |
| Confirm a generic error page is configured for unexpected error occurrences. | Moderate | ☐ |
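The application-level, page-level and generic-error-page rows above in one piece of code: `Application_Error` in Global.asax, a `Page_Error` handler on one page, and the generic page itself. This is an added example, not the article's code; the `Checkout` and `ErrorPage` classes, the `~/Error.aspx` and `~/CheckoutError.aspx` paths and the `MessageLabel` control are hypothetical, and it assumes `<customErrors mode="On" defaultRedirect="~/Error.aspx" />` in web.config.

```csharp
// Added example: log the full exception server-side at application and page level and show
// the client only a generic page. Paths, classes and controls are hypothetical.
using System;
using System.Diagnostics;
using System.Web;
using System.Web.UI;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // ASP.NET wraps page exceptions in HttpUnhandledException; log the real cause.
        Exception root = ex.GetBaseException();

        // Full detail (type, URL, message, stack trace) goes to the server log only.
        Trace.TraceError("Unhandled {0} on {1}: {2}{3}{4}",
            root.GetType().Name, Request.RawUrl, root.Message, Environment.NewLine, root.StackTrace);

        // Clear the error so the framework's detailed error page is never rendered,
        // then hand off to the generic page without aborting the thread.
        Server.ClearError();
        Response.Redirect("~/Error.aspx", false);
        CompleteRequest();
    }
}

// Page-level handler for a page that needs its own recovery path.
public partial class Checkout : Page
{
    protected void Page_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        Trace.TraceError("Checkout failed on {0}: {1}", Request.RawUrl, ex);
        Server.ClearError();
        Response.Redirect("~/CheckoutError.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}

// The generic page: a fixed message and a 500 status, never the exception text.
public partial class ErrorPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Response.StatusCode = 500;
        Response.TrySkipIisCustomErrors = true;   // keep IIS from replacing this body with its own
        MessageLabel.Text = "Something went wrong. The problem has been recorded.";
    }
}
```

The `Page_Error` handler runs first; if it does not call `Server.ClearError()` the exception continues to `Application_Error`, so a page handler that only logs and returns still ends at the generic page rather than at the framework's own error output.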
Web.Config File Administration
| Security Parameters Alignment | Damage Magnitude (if No) | Status |
| --- | --- | --- |
| Confirm enableViewState is disabled if the application doesn't rely on view state. | Moderate | ☐ |
| Confirm enableViewStateMac is enabled if the application uses view state. | Severe | ☐ |
| Confirm httpMaxLength is set to prevent users from uploading large files. | Moderate | ☐ |
| Confirm the ASP.NET account is running with least privilege by this setting: `<processModel userName="Machine" password="AutoGenerate" />` | Severe | ☐ |
| Confirm secure forms authentication is enabled by this element: `<forms loginUrl="Restrictedlogin.aspx" protection="All" requireSSL="true" timeout="10" name="AppNameCookie" path="/FormsAuth" slidingExpiration="true" />` | Severe | ☐ |
| Confirm the customErrors option is enabled. | Severe | ☐ |
| Confirm automatic generation of WSDL is disabled. | Severe | ☐ |
| Confirm the application is forced to use authentication by setting allowOverride to false. | Severe | ☐ |
| Confirm unused file type handlers are mapped to the Forbidden handler. | Moderate | ☐ |
| If session state is used, confirm it is stored in encrypted form. | Moderate | ☐ |
Privilege Management
| Security Parameters Alignment | Damage Magnitude (if No) | Status |
| --- | --- | --- |
| Confirm the ASP.NET process account has Read permission on the system root directory (`%windir%\System32`). | Severe | ☐ |
| Confirm the impersonation account has Read permission on the GAC (`%windir%\assembly`). | Severe | ☐ |
| Confirm the process account has Read and Execute permission on the solution content directory. | Severe | ☐ |
| Confirm the ASP.NET process account has Read and Execute permission on the Framework directory (`%windir%\Microsoft.NET\Framework`). | Moderate | ☐ |
| Confirm the process account has Full Control permission on the temporary files directory (`%windir%\Microsoft.NET\Framework\{version}\Temporary ASP.NET Files`). | Moderate | ☐ |
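A check for the Privilege Management rows above: it reads each directory's ACL and reports any rights the process account holds beyond what the row allows. This is an added example, not the article's code; the `IIS APPPOOL\MySite` account, the `C:\inetpub\wwwroot\MySite` content path and the `v4.0.30319` framework version are placeholders to be replaced with the site's real values.

```csharp
// Added example: compare the rights actually granted to the ASP.NET process account on
// each directory with the maximum the checklist allows. Account and paths are placeholders.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

public static class DirectoryRightsCheck
{
    // Maximum rights per directory, as the checklist states them.
    static readonly Dictionary<string, FileSystemRights> Expected =
        new Dictionary<string, FileSystemRights>(StringComparer.OrdinalIgnoreCase)
    {
        { Environment.ExpandEnvironmentVariables(@"%windir%\System32"), FileSystemRights.Read },
        { Environment.ExpandEnvironmentVariables(@"%windir%\assembly"), FileSystemRights.Read },
        { Environment.ExpandEnvironmentVariables(@"%windir%\Microsoft.NET\Framework"), FileSystemRights.ReadAndExecute },
        // Replace v4.0.30319 with the installed framework version.
        { Environment.ExpandEnvironmentVariables(@"%windir%\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files"),
          FileSystemRights.FullControl },
        { @"C:\inetpub\wwwroot\MySite", FileSystemRights.ReadAndExecute },        // placeholder content directory
        { @"C:\inetpub\wwwroot\MySite\bin", FileSystemRights.ReadAndExecute },    // Deployment row: no write on Bin
    };

    // Union of the Allow rights granted directly to 'account' (explicit or inherited) on 'path'.
    public static FileSystemRights GrantedRights(string path, string account)
    {
        var granted = (FileSystemRights)0;
        DirectorySecurity acl = Directory.GetAccessControl(path);
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(NTAccount)))
        {
            if (rule.AccessControlType != AccessControlType.Allow) continue;
            if (!string.Equals(rule.IdentityReference.Value, account, StringComparison.OrdinalIgnoreCase)) continue;
            granted |= rule.FileSystemRights;
        }
        return granted;
    }

    // Rights present in 'granted' but absent from 'allowed'; zero means the directory is compliant.
    public static FileSystemRights Excess(FileSystemRights granted, FileSystemRights allowed)
    {
        return granted & ~allowed;
    }

    public static void Main(string[] args)
    {
        // Placeholder: the application pool identity the site actually runs as.
        string account = args.Length > 0 ? args[0] : @"IIS APPPOOL\MySite";
        foreach (KeyValuePair<string, FileSystemRights> kv in Expected)
        {
            if (!Directory.Exists(kv.Key)) { Console.WriteLine("{0}: not found", kv.Key); continue; }
            FileSystemRights excess = Excess(GrantedRights(kv.Key, account), kv.Value);
            Console.WriteLine("{0}: {1}", kv.Key, excess == 0 ? "OK" : "EXCESS " + excess);
        }
    }
}
```

The name match only sees rules written for the account itself. Rights that arrive through group membership (for example a rule for `Users` or `IIS_IUSRS`) are not attributed to the account here, so a directory reported as OK still needs the group rules on it reviewed, and a Deny rule on the account is not subtracted from the total.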
Deployment
| Security Parameters Alignment | Damage Magnitude (if No) | Status |
| --- | --- | --- |
| Confirm debug compilation is disabled. | Severe | ☐ |
| Confirm trace is disabled. | Severe | ☐ |
| Confirm access is denied if the authentication configuration is removed. | Severe | ☐ |
| Confirm the Bin directory doesn't have read or write permission. | Severe | ☐ |
| Confirm the Bin directory doesn't have directory browsing permission. | Severe | ☐ |
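A pre-deployment audit that opens a web.config and reports the rows from both the Web.Config File Administration section (view state MAC, forms protection and requireSSL, customErrors, HttpOnly cookies) and the Deployment section (debug compilation, trace) that are not met. This is an added example, not the article's code; the sample configuration embedded in it is constructed with several weak settings so the audit has something to report, and `AuditFile` can be pointed at a real web.config.

```csharp
// Added example: audit a web.config for the checklist's deployment and configuration rows.
// SampleConfig is a constructed input with deliberately weak settings.
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml.Linq;

public static class WebConfigAudit
{
    public const string SampleConfig = @"<configuration>
  <system.web>
    <compilation debug=""true"" />
    <trace enabled=""true"" />
    <customErrors mode=""Off"" />
    <pages enableViewStateMac=""true"" />
    <httpCookies httpOnlyCookies=""false"" />
    <authentication mode=""Forms"">
      <forms loginUrl=""Login.aspx"" protection=""All"" requireSSL=""false"" slidingExpiration=""true"" />
    </authentication>
  </system.web>
</configuration>";

    // Each finding reads "element: what is wrong (severity from the checklist)".
    public static List<string> Audit(string configXml)
    {
        var findings = new List<string>();
        XElement sw = XDocument.Parse(configXml).Root.Element("system.web");
        if (sw == null) { findings.Add("system.web: section missing"); return findings; }

        // For these the framework default (element absent) is already the secure value.
        CheckAttr(findings, sw, "compilation", "debug", "false", "debug compilation must be disabled (Severe)", false);
        CheckAttr(findings, sw, "trace", "enabled", "false", "trace must be disabled (Severe)", false);
        CheckAttr(findings, sw, "pages", "enableViewStateMac", "true", "view state MAC must be enabled (Severe)", false);
        // httpOnlyCookies defaults to false, so an absent element is itself a finding.
        CheckAttr(findings, sw, "httpCookies", "httpOnlyCookies", "true", "httpOnlyCookies should be true (Severe)", true);

        // customErrors defaults to RemoteOnly; only an explicit Off is a finding.
        XElement ce = sw.Element("customErrors");
        if (ce != null && string.Equals(Attr(ce, "mode"), "Off", StringComparison.OrdinalIgnoreCase))
            findings.Add("customErrors: mode must be On or RemoteOnly (Severe)");

        XElement auth = sw.Element("authentication");
        XElement forms = auth == null ? null : auth.Element("forms");
        if (forms != null)
        {
            if (!string.Equals(Attr(forms, "protection") ?? "All", "All", StringComparison.OrdinalIgnoreCase))
                findings.Add("forms: protection must be All (Severe)");
            if (!string.Equals(Attr(forms, "requireSSL"), "true", StringComparison.OrdinalIgnoreCase))
                findings.Add("forms: requireSSL must be true (Severe)");
        }
        return findings;
    }

    static void CheckAttr(List<string> findings, XElement parent, string element, string attribute,
                          string expected, string message, bool absentIsFinding)
    {
        XElement el = parent.Element(element);
        string actual = el == null ? null : Attr(el, attribute);
        if (actual == null)
        {
            if (absentIsFinding) findings.Add(element + ": " + message);
            return;
        }
        if (!string.Equals(actual, expected, StringComparison.OrdinalIgnoreCase))
            findings.Add(element + ": " + message);
    }

    static string Attr(XElement el, string name)
    {
        XAttribute a = el.Attribute(name);
        return a == null ? null : a.Value;
    }

    public static List<string> AuditFile(string path) { return Audit(File.ReadAllText(path)); }

    public static void Main(string[] args)
    {
        List<string> findings = args.Length > 0 ? AuditFile(args[0]) : Audit(SampleConfig);
        Console.WriteLine(findings.Count == 0 ? "No findings." : string.Join(Environment.NewLine, findings));
    }
}
```

The audit reads only the file it is given. Settings can also be inherited from machine.config or root web.config, or locked there with `allowOverride="false"`, so a site-level file that looks clean should be read together with the effective configuration on the server, which `WebConfigurationManager.OpenWebConfiguration` returns merged.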
Final Note
This rare cheat sheet gives developers a quick snapshot of essential configuration, with focused guidance on building a secure web application. Website programmers can refer to it while applying security measures quickly, rather than dwelling on detailed security settings. We have covered a range of significant ASP.NET security configurations that should be useful to both developers and penetration testers.