Hosting Provided By

Harden ASP.NET Configuration

From: :: gary :: <gary.bright(at)cisd.panasonic.co.uk>
Date: Tue May 13 2003 - 09:17:59 EDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Everyone

I'm trying to find explanations for each of these application mappings which get installed with .net framework.

I know its comes down to what the relevant application has been written for, but if I knew in what context they would get used in, I believe that would help me understand

I'll also be interested to hear of how other IIS Admins have gone about the deployment of the .net framework to a live internet environment, for example what advice they can offer me and whether of not they trimmed down the application mappings or left them as standard.

As well trying to build further on my understanding of .NET (from a security point of view) the main thing I'm scared of is it that old default settings had mappings like

.htw, .ida, .idq, .asp, .cer, .cdx, .asa, .idc, .shtm, .shtml, .stm,

Which later on Microsoft provided tools to easily disable them realising there mistake of including them by default and while I don't want to Knock the efforts MS has put into security recently I can't help feeling that they are lining themselves up for kicking have all these mappings for .net enabled by default (after the framework install) and providing very little documentation for locking down the .NET IIS Configuration (see snip from iis5.0 checklist.)

Do you need help?

I know that while it comes down to only enabling the relevant mappings for your website I just don't think MS is making that point with the .NET framework

Be Interested in what you think

Thanks for time

Best Regards

Gary

<SNIP>
Harden ASP.NET Configuration

If the .NET Framework has been installed on the system, download and install the latest version of the .NET Framework and any service packs. Review the configuration of the .NET Framework, and ASP.NET in particular, to ensure ASP.NET does not increase your vulnerability to attack. </SNIP>

[.net Application Mappings]

Do you need more help?

.asax
.ascx
.ashx
.asmx
.aspx
.axd
.vsdisco
.rem
.soap
.config
.cs
.csproj
.vb
.vbproj
.webinfo
.licx
.resx
.resources

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/

iQA/AwUBPsDvOPM1kDfiKwBGEQKzjwCg44YHnqND5bJNE6/C50xfDROq5VUAoKgr XoZOU2RkNDca5jS9RxQcUqgX
=HD6r
-----END PGP SIGNATURE-----

FastTrain has your solution for a great CISSP Boot Camp. The industry`s most recognized corporate security certification track, provides a comprehensive prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case studies and true hands-on utilization of pertinent security tools. For a limited time you can enter for a chance to win one of the latest technological innovations, the SEGWAY HT. Log onto http://www.securityfocus.com/FastTrain-focus-ms

Received on Tue May 13 10:17:20 2003

This message: [ Message body ]
Next message: Jolyon Wharton: "RE: Harden ASP.NET Configuration"
Previous message: Harbar, Spencer: "RE: Share Point?"
Reply: Jolyon Wharton: "RE: Harden ASP.NET Configuration"
Reply: Colcord, Aaron: "RE: Harden ASP.NET Configuration"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:30 EDT