Checklist: Securing ASP.NET


Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

Improving Web Application Security: Threats and Countermeasures

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Microsoft Corporation

Published: June 2003

Applies to:

  • ASP.NET version 1.1

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.


How to Use This Checklist Design Considerations Application Categories Considerations Configuration File Settings

How to Use This Checklist

This checklist is a companion to Chapter 10, "Building Secure ASP.NET Pages and Controls," Chapter 19, "Securing Your ASP.NET Application and Web Services," and Chapter 20, "Hosting Multiple Web Applications." Use it to help you secure an ASP.NET application and also as a snapshot of the corresponding chapters.

Design Considerations

Check Description
Ff648236.z02bthcm01(en-us,PandP.10).gif Security decisions should not rely on client-side validations; they are made on the server side.
Ff648236.z02bthcm01(en-us,PandP.10).gif The Web site is partitioned into public access areas and restricted areas that require authentication access. Navigation between these areas should not flow sensitive credentials information.
Ff648236.z02bthcm01(en-us,PandP.10).gif The identities used to access remote resources from ASP.NET Web applications are clearly identified.
Ff648236.z02bthcm01(en-us,PandP.10).gif Mechanisms have been identified to secure credentials, authentication tickets, and other sensitive information over network and in persistent stores.
Ff648236.z02bthcm01(en-us,PandP.10).gif A secure approach to exception management is identified. The application fails securely in the event of exceptions.
Ff648236.z02bthcm01(en-us,PandP.10).gif The site has granular authorization checks for pages and directories.
Ff648236.z02bthcm01(en-us,PandP.10).gif Web controls, user controls, and resource access code are all partitioned in their own assemblies for granular security.

Application Categories Considerations

Input Validation

Check Description
Ff648236.z02bthcm01(en-us,PandP.10).gif User input is validated for type, length, format, and range. Input is checked for known valid and safe data and then for malicious, dangerous data.
Ff648236.z02bthcm01(en-us,PandP.10).gif String form field input is validated using regular expressions (for example, by the RegularExpressionValidator control.)
Ff648236.z02bthcm01(en-us,PandP.10).gif Regular HTML controls, query strings, cookies, and other forms of input are validated using the Regex class and/or your custom validation code.
Ff648236.z02bthcm01(en-us,PandP.10).gif The RequiredFieldValidator control is used where data must be entered.
Ff648236.z02bthcm01(en-us,PandP.10).gif Range checks in server controls are checked by RangeValidator controls.
Ff648236.z02bthcm01(en-us,PandP.10).gif Free form input is sanitized to clean malicious data.
Ff648236.z02bthcm01(en-us,PandP.10).gif Input file names are well formed and are verifiably valid within the application context.
Ff648236.z02bthcm01(en-us,PandP.10).gif Output that includes input is encoded with HtmlEncode and UrlEncode.
Ff648236.z02bthcm01(en-us,PandP.10).gif MapPath restricts cross-application mapping where appropriate.
Ff648236.z02bthcm01(en-us,PandP.10).gif Character encoding is set by the server (ISO-8859-1 is recommended).
Ff648236.z02bthcm01(en-us,PandP.10).gif The ASP.NET version 1.1 validateRequest option is enabled.
Ff648236.z02bthcm01(en-us,PandP.10).gif URLScan is installed on the Web server.
Ff648236.z02bthcm01(en-us,PandP.10).gif The HttpOnly cookie option is used for defense in depth to help prevent cross-site scripting. (This applies to Internet Explorer 6.1 or later.)
Ff648236.z02bthcm01(en-us,PandP.10).gif SQL parameters are used in data access code to validate length and type of data and to help prevent SQL injection.


Check Description
Ff648236.z02bthcm01(en-us,PandP.10).gif Site is partitioned to restricted areas and public areas.
Ff648236.z02bthcm01(en-us,PandP.10).gif Absolute URLs are used for navigation where the site is partitioned with secure and non-secure folders.
Ff648236.z02bthcm01(en-us,PandP.10).gif Secure Sockets Layer (SSL) is used to protect credentials and authentication cookies.
Ff648236.z02bthcm01(en-us,PandP.10).gif The slidingExpiration attribute is set to "false" and limited authentication cookie time-outs are used where the cookie is not protected by using SSL.
Ff648236.z02bthcm01(en-us,PandP.10).gif The forms authentication cookie is restricted to HTTPS connections by using the requireSSL attribute or the Secure cookie property.
Ff648236.z02bthcm01(en-us,PandP.10).gif The authentication cookie is encrypted and integrity checked (protection="All").
Ff648236.z02bthcm01(en-us,PandP.10).gif Authentication cookies are not persisted.
Ff648236.z02bthcm01(en-us,PandP.10).gif Application cookies have unique path/name combinations.
Ff648236.z02bthcm01(en-us,PandP.10).gif Personalization cookies are separate from authentication cookies.
Ff648236.z02bthcm01(en-us,PandP.10).gif Passwords are not stored directly in the user store; password digests with salt are stored instead.
Ff648236.z02bthcm01(en-us,PandP.10).gif The impersonation credentials (if using a fixed identity) are encrypted in the configuration file by using Aspnet_setreg.exe.
Ff648236.z02bthcm01(en-us,PandP.10).gif Strong password policies are implemented for authentication.
Ff648236.z02bthcm01(en-us,PandP.10).gif The <credentials> element is not used inside <forms> element for Forms authentication (use it for testing only).


Check Description
Ff648236.z02bthcm01(en-us,PandP.10).gif URL authorization is used for page and directory access control.
Ff648236.z02bthcm01(en-us,PandP.10).gif File authorization is used with Windows authentication.
Ff648236.z02bthcm01(en-us,PandP.10).gif Principal permission demands are used to secure access to classes and members.
Ff648236.z02bthcm01(en-us,PandP.10).gif Explicit role checks are used if fine-grained authorization is required.

Configuration Management

Check Description
Ff648236.z02bthcm01(en-us,PandP.10).gif Configuration file retrieval is blocked by using HttpForbiddenHandler.
Ff648236.z02bthcm01(en-us,PandP.10).gif A least-privileged account is used to run ASP.NET.
Ff648236.z02bthcm01(en-us,PandP.10).gif Custom account credentials (if used) are encrypted on the <processModel> element by using Aspnet_setreg.exe.
Ff648236.z02bthcm01(en-us,PandP.10).gif To enforce machine-wide policy, Web.config settings are locked by using allowOveride="false" in Machine.config.

Sensitive Data

Check Description
Ff648236.z02bthcm01(en-us,PandP.10).gif SSL is used to protect sensitive data on the wire.
Ff648236.z02bthcm01(en-us,PandP.10).gif Sensitive data is not passed across pages; it is maintained using server-side state management.
Ff648236.z02bthcm01(en-us,PandP.10).gif Sensitive data is not stored in cookies, hidden form fields, or query strings.
Ff648236.z02bthcm01(en-us,PandP.10).gif Do not cache sensitive data. Output caching is off by default.
Ff648236.z02bthcm01(en-us,PandP.10).gif Plain text passwords are avoided in Web.config and Machine.config files. (Aspnet_setreg.exe is used to encrypt credentials.)

Session Management

Check Description
Ff648236.z02bthcm01(en-us,PandP.10).gif The session cookie is protected using SSL on all pages that require authenticated access.
Ff648236.z02bthcm01(en-us,PandP.10).gif The session state service is disabled if not used.
Ff648236.z02bthcm01(en-us,PandP.10).gif The session state service (if used) runs using a least-privileged account.
Ff648236.z02bthcm01(en-us,PandP.10).gif Windows authentication is used to connect to Microsoft® SQL Server® state database.
Ff648236.z02bthcm01(en-us,PandP.10).gif Access to state data in the SQL Server is restricted.
Ff648236.z02bthcm01(en-us,PandP.10).gif Connection strings are encrypted by using Aspnet_setreg.exe.
Ff648236.z02bthcm01(en-us,PandP.10).gif The communication channel to state store is encrypted (IPSec or SSL).

Parameter Manipulation

Check Description
Ff648236.z02bthcm01(en-us,PandP.10).gif View state is protected using message authentication codes (MACs).
Ff648236.z02bthcm01(en-us,PandP.10).gif Query strings with server secrets are hashed.
Ff648236.z02bthcm01(en-us,PandP.10).gif All input parameters are validated.
Ff648236.z02bthcm01(en-us,PandP.10).gif Page.ViewStateUserKey is used to counter one-click attacks.

Exception Management

Check Description
Ff648236.z02bthcm01(en-us,PandP.10).gif Structured exception handling is used.
Ff648236.z02bthcm01(en-us,PandP.10).gif Exception details are logged on the server.
Ff648236.z02bthcm01(en-us,PandP.10).gif Generic error pages with harmless messages are returned to the client.
Ff648236.z02bthcm01(en-us,PandP.10).gif Page-level or application-level error handlers are implemented.
Ff648236.z02bthcm01(en-us,PandP.10).gif The application distinguishes between errors and exception conditions.

Auditing and Logging

Check Description
Ff648236.z02bthcm01(en-us,PandP.10).gif Application event sources are created at installation time. If unable to create event sources at installation time, the administrator manually creates new event sources entry in the registry.

The ASP.NET process is not allowed to create new event sources by configuring ACL in the registry.

Configuration File Settings

Check Description
Ff648236.z02bthcm01(en-us,PandP.10).gif <trace/>

Tracing is not enabled on the production servers.

<trace enabled="false">
Ff648236.z02bthcm01(en-us,PandP.10).gif <globalization>

Request and response encoding is appropriately configured.

Ff648236.z02bthcm01(en-us,PandP.10).gif <httpRuntime>

maxRequestLength is configured to prevent users from uploading very large files (optional).

Ff648236.z02bthcm01(en-us,PandP.10).gif <compilation>

Debug compiles are not enabled on the production servers by setting debug="false"

<compilation debug="false" . . ./>
Ff648236.z02bthcm01(en-us,PandP.10).gif <pages>

If the application does not use view state, enableViewState is set to "false".

<pages enableViewState="false" . . ./>

If the application uses view state, enableViewState is set to "true" and enableViewStateMac is set to "true" to detect view state tampering.

<pages enableViewState="true" enableViewStateMac="true" />
Ff648236.z02bthcm01(en-us,PandP.10).gif <customErrors>

Custom error pages are returned to the client and detailed exception details are prevented from being returned by setting mode="On".

<customErrors mode="On" />

A generic error page is specified by the defaultRedirect attribute.

<customErrors mode="On" defaultRedirect="/apperrorpage.htm" />
Ff648236.z02bthcm01(en-us,PandP.10).gif <authentication>

The authentication mode is appropriately configured to support application requirements. To enforce the use of a specific authentication type, a <location> element with allowOverride="false" is used.

<location path="" allowOverride="false">
    <authentication mode="Windows" />
Ff648236.z02bthcm01(en-us,PandP.10).gif <forms>

The Web site is partitioned for public and restricted access.

The Forms authentication configuration is secure:

<forms loginUrl="Restricted\login.aspx"
       slidingExpiration="true" />

The authentication cookie is encrypted and integrity checked (protection).

SSL is required for authentication cookie (requireSSL).

Sliding expiration is set to false if SSL is not used (slidingExpiration).

The session lifetime is restricted (timeout).

Cookie names and paths are unique (name and path).

The <credentials> element is not used.

Ff648236.z02bthcm01(en-us,PandP.10).gif <identity>

Impersonation identities (if used) are encrypted in the registry by using Aspnet_setreg.exe:

<identity impersonate="true"
Ff648236.z02bthcm01(en-us,PandP.10).gif <authorization>

Correct format of role names is verified.

Ff648236.z02bthcm01(en-us,PandP.10).gif <machineKey>

If multiple ASP.NET Web applications are deployed on the same Web server, the "IsolateApps" setting is used to ensure that a separate key is generated for each Web application.

<machineKey validationKey="AutoGenerate,IsolateApps"
     validation="SHA1" />

If the ASP. NET Web application is running in a Web farm, specific machine keys are used, and these keys are copied across all servers in the farm.

If the view state is enabled, the validation attribute is set to "SHA1".

The validation attribute is set to "3DES" if the Forms authentication cookie is to be encrypted for the application.

Ff648236.z02bthcm01(en-us,PandP.10).gif <sessionState>

If mode="StateServer", then credentials are stored in an encrypted form in the registry by using Aspnet_setreg.exe.

If mode="SQLServer", then Windows authentication is used to connect to the state store database and credentials are stored in an encrypted form in the registry by using Aspnet_setreg.exe.

Ff648236.z02bthcm01(en-us,PandP.10).gif <httpHandlers>

Unused file types are mapped to HttpForbiddenHandler to prevent files from being retrieved over HTTP. For example:

<add verb="*" path="*.rem"
Ff648236.z02bthcm01(en-us,PandP.10).gif <processModel>

A least-privileged account like ASPNET is used to run the ASP.NET process.

<processModel userName="Machine" password="AutoGenerate"

The system account is not used to run the ASP.NET process.

The Act as part of the operating system privilege is not granted to the process account.

Credentials for custom accounts are encrypted by using Aspnet_setreg.exe.

  processmodel\ASPNET_SETREG,password" . . ./>

If the application uses Enterprise Services, comAuthenticationLevel and comImpersonationLevel are configured appropriately.

Call level authentication is set at minimum to ensure that all method calls can be authenticated by the remote application.

PktPrivacy is used to encrypt and tamper proof the data across the wire in the absence of infrastructure channel security (IPSec).

PktIntegrity is used for tamper proofing with no encryption (Eavesdroppers with network monitors can see your data.)

Ff648236.z02bthcm01(en-us,PandP.10).gif <webServices>

Unused protocols are disabled.

Automatic generation of Web Services Description Language (WSDL) is disabled (optional).

Web Farm Considerations

Check Description
Ff648236.z02bthcm01(en-us,PandP.10).gif Session state. To avoid server affinity, the ASP.NET session state is maintained out of process in the ASP.NET SQL Server state database or in the out-of-process state service that runs on a remote machine.
Ff648236.z02bthcm01(en-us,PandP.10).gif Encryption and verification. The keys used to encrypt and verify Forms authentication cookies and view state are the same across all servers in a Web farm.
Ff648236.z02bthcm01(en-us,PandP.10).gif DPAPI. DPAPI cannot be used with the machine key to encrypt common data that needs to be accessed by all servers in the farm. To encrypt shared data on a remote server, use an alternate implementation, such as 3DES.

Hosting Multiple Applications

Check Description
Ff648236.z02bthcm01(en-us,PandP.10).gif Applications have distinct machine keys.

Use IsolateApps on <machineKey> or use per application <machineKey> elements.

<machineKey validationKey="AutoGenerate,IsolateApps"
            decryptionKey="AutoGenerate,IsolateApps" . . . />
Ff648236.z02bthcm01(en-us,PandP.10).gif Unique path/name combinations for Forms authentication cookies are enabled for each application.
Ff648236.z02bthcm01(en-us,PandP.10).gif Multiple processes (IIS 6.0 application pools) are used for application isolation on Microsoft Windows® Server 2003.
Ff648236.z02bthcm01(en-us,PandP.10).gif Multiple anonymous user accounts (and impersonation) are used for application isolation on Windows 2000.
Ff648236.z02bthcm01(en-us,PandP.10).gif Common machine keys are enabled on all servers in a Web farm.
Ff648236.z02bthcm01(en-us,PandP.10).gif Separate machine keys for each application are used when hosting multiple applications on a single server.
Ff648236.z02bthcm01(en-us,PandP.10).gif Code access security trust levels are used for process isolation and to restrict access to system resources (requires .NET Framework version 1.1).

ACLs and Permissions

Check Description
Ff648236.z02bthcm01(en-us,PandP.10).gif Temporary ASP.NET files
%windir%\Microsoft.NET\Framework\{version}Temporary ASP.NET Files

ASP.NET process account and impersonated identities: Full Control

Ff648236.z02bthcm01(en-us,PandP.10).gif Temporary directory

ASP.NET process account: Full Control

Ff648236.z02bthcm01(en-us,PandP.10).gif .NET Framework directory

ASP.NET process account and impersonated identities:

Read and Execute

List Folder Contents

Ff648236.z02bthcm01(en-us,PandP.10).gif .NET Framework configuration directory

ASP.NET process account and impersonated Identities:

Read and Execute

List Folder Contents


Ff648236.z02bthcm01(en-us,PandP.10).gif Web site root

or the path that the default Web site points to

ASP.NET process account: Full Control

Ff648236.z02bthcm01(en-us,PandP.10).gif System root directory

ASP.NET process account: Read

Ff648236.z02bthcm01(en-us,PandP.10).gif Global assembly cache

Process account and impersonated identities: Read

Ff648236.z02bthcm01(en-us,PandP.10).gif Content directory

Process account:

Read and Execute

List Folder Contents


Note   With .NET Framework version 1.0, all parent directories from the content directory to the file system root directory also require the above permissions. Parent directories include:


Application Bin Directory

Check Description
Ff648236.z02bthcm01(en-us,PandP.10).gif IIS Web permissions are configured.

Bin directory does not have Read, Write, or Directory browsing permissions. Execute permissions are set to None.

Ff648236.z02bthcm01(en-us,PandP.10).gif Authentication settings are removed (so that all access is denied).

patterns & practices Developer Center

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

© Microsoft Corporation. All rights reserved.