
RE: Harden ASP.NET Configuration

From: Henry Sieff <hsieff(at)orthodon.com>
Date: Tue May 13 2003 - 15:13:22 EDT


Like the prior mappings, each one of those mappings would only be necessary if the application being deployed had files which ended in those extensions, so the first step in locking them down is to look at the app to be deployed and to make note of the ones you actually use in your applications. In most cases this will be .aspx and .asmx.

However, for each of those mappings, make sure you don't use it, because if you do have files in a publicly accessible directory and you remove the mapping, source code is made visible. For example, most likely your asp.net app has some .vb files lying around. With the script mapping, if I request a .vb page, I get a big fat "Can't do that, Dave". Without it, IIS happily shows me the source code.

Also, you can block use of extensions in web.config for an app as well, and in machine.config for the whole machine.

The most important thing to remember about asp.net is that security is going to be in the application itself. Although the buffer overruns we've seen in the past are still possible, asp.net apps, by default, run under lower privilege than localsystem (unless otherwise specified, they will run as LocalMachine\ASPNET). The bigger issue is getting your developers to do input scrubbing on all exposed applications.

My $.02.

Henry

> -----Original Message-----
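
The web.config approach mentioned above, as an added example (not from Henry's message): ASP.NET 1.x routes any extension that IIS hands to aspnet_isapi.dll through the httpHandlers table, and System.Web.HttpForbiddenHandler answers such requests with a 403 instead of serving the file. The .inc extension here is assumed for illustration; the other entries mirror what the default machine.config already forbids.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <httpHandlers>
      <!-- Source and project files deployed alongside the app.
           ASP.NET 1.x machine.config already forbids these by default;
           repeating them in web.config documents the intent per app
           and survives a machine.config that has been edited. -->
      <add verb="*" path="*.vb"   type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.cs"   type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.resx" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.config" type="System.Web.HttpForbiddenHandler" />

      <!-- Assumed example: an include-style extension the app ships.
           This entry only takes effect if IIS maps .inc to
           aspnet_isapi.dll; with no script mapping at all, IIS
           serves the raw file and ASP.NET never sees the request,
           which is exactly the source-disclosure case described above. -->
      <add verb="*" path="*.inc"  type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>
</configuration>
```

Verify the result by requesting a known file with each blocked extension and confirming a 403, then requesting one that has no IIS mapping at all to see whether the raw file comes back.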




Received on Tue May 13 16:28:51 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:30 EDT

