Security Checklist: ASP.NET 2.0

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

patterns & practices Developer Center

J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley, Kishore Gopalan

Microsoft Corporation

August 2005

Applies To

  • ASP.NET version 2.0

Summary

This checklist presents a set of consolidated security guidelines for ASP.NET version 2.0 applications. The answers and recommendations presented in this module are designed to supplement the companion modules and additional guidance. The guidelines are organized by various categories that represent those areas where mistakes are most often made.

Contents

How to Use This Module
Design Considerations
Application Categories Considerations

How to Use This Module

This checklist is a companion to Security Guidelines: ASP.NET 2.0. Use "Security Guidelines: ASP.NET 2.0" to browse the ASP.NET 2.0 guidelines and learn what to do, why, and how. Use this checklist to help you secure your ASP.NET 2.0 application.

Design Considerations

Check Description
Ff648269.z02bthcm01(en-us,PandP.10).gif Security decisions should not rely on client-side validations; they are made on the server side.
Ff648269.z02bthcm01(en-us,PandP.10).gif The Web site is partitioned into public access areas and restricted areas that require authentication access. Navigation between these areas should not flow sensitive credentials information.
Ff648269.z02bthcm01(en-us,PandP.10).gif The identities used to access remote resources from ASP.NET Web applications are clearly identified.
Ff648269.z02bthcm01(en-us,PandP.10).gif Mechanisms have been identified to secure credentials, authentication tickets, and other sensitive information over network and in persistent stores.
Ff648269.z02bthcm01(en-us,PandP.10).gif A secure approach to exception management is identified. The application fails securely in the event of exceptions.
Ff648269.z02bthcm01(en-us,PandP.10).gif The site has granular authorization checks for pages and directories.
Ff648269.z02bthcm01(en-us,PandP.10).gif Web controls, user controls, and resource access code are all partitioned in their own assemblies for granular security.

Application Categories Considerations

Auditing and Logging

Check Description
Ff648269.z02bthcm01(en-us,PandP.10).gif Health monitoring is used for logging and auditing events.
Ff648269.z02bthcm01(en-us,PandP.10).gif Application is instrumented for user management events such as authentication success and failures, password resets, password changes, and account lockout.
Ff648269.z02bthcm01(en-us,PandP.10).gif Application is instrumented for unusual activity such as multiple login attempts and replayed authentication tickets.
Ff648269.z02bthcm01(en-us,PandP.10).gif Access to significant business logic is instrumented.
Ff648269.z02bthcm01(en-us,PandP.10).gif Access to audit and log files are restricted, with application accounts having write access, administrative accounts having full access, and operators have read access.
Ff648269.z02bthcm01(en-us,PandP.10).gif Application and audit events are logged on separate protected server.
Ff648269.z02bthcm01(en-us,PandP.10).gif Events are logged with appropriate levels of information to reconstruct system activity.
Ff648269.z02bthcm01(en-us,PandP.10).gif High volume, per-request events are captured with performance counters.

Authentication–Forms

Check Description
Ff648269.z02bthcm01(en-us,PandP.10).gif Membership providers are used instead of custom authentication.
Ff648269.z02bthcm01(en-us,PandP.10).gif SSL is used to protect user credentials and authentication cookies.
Ff648269.z02bthcm01(en-us,PandP.10).gif If using SSL is not possible, the SlidingExpiration attribute is set to false and limited authentication cookie time-outs are used.
Ff648269.z02bthcm01(en-us,PandP.10).gif User login information is validated using the Regex class and/or your custom validation code.
Ff648269.z02bthcm01(en-us,PandP.10).gif Hashed password format is specified in provider configuration.
Ff648269.z02bthcm01(en-us,PandP.10).gif Passwords are not stored directly in the user store; password digests with salt are stored instead.
Ff648269.z02bthcm01(en-us,PandP.10).gif Strong passwords policies are enforced.
Ff648269.z02bthcm01(en-us,PandP.10).gif Access to the credential store is limited to application account.
Ff648269.z02bthcm01(en-us,PandP.10).gif Authentication cookies are not persisted.
Ff648269.z02bthcm01(en-us,PandP.10).gif Authentication cookie is encrypted and integrity checked.
Ff648269.z02bthcm01(en-us,PandP.10).gif Authentication cookies are restricted to HTTPS connections only by using the requireSSL attribute.
Ff648269.z02bthcm01(en-us,PandP.10).gif Site is partitioned to restricted areas and public areas.
Ff648269.z02bthcm01(en-us,PandP.10).gif Absolute URLs are used for navigation where the site is partitioned with secure and non-secure folders.
Ff648269.z02bthcm01(en-us,PandP.10).gif httpOnlyCookies attribute is set to true on authentication cookie to prevent client side script from accessing the cookie.
Ff648269.z02bthcm01(en-us,PandP.10).gif Unique cookie names and paths are used.

Authentication–Windows

Check Description
Ff648269.z02bthcm01(en-us,PandP.10).gif Windows authentication is used where possible.
Ff648269.z02bthcm01(en-us,PandP.10).gif Strong passwords policies are enforced.
Ff648269.z02bthcm01(en-us,PandP.10).gif Impersonation is used only when original caller's security context is required for downstream tier for auditing or authorization.
Ff648269.z02bthcm01(en-us,PandP.10).gif Impersonation token is not created by using LogonUser API.
Ff648269.z02bthcm01(en-us,PandP.10).gif Protocol transition is used when multiple identities need to access downstream resources.

Authorization

Check Description
Ff648269.z02bthcm01(en-us,PandP.10).gif URL authorization is used for page and directory access control.
Ff648269.z02bthcm01(en-us,PandP.10).gif File authorization is used with Windows authentication.
Ff648269.z02bthcm01(en-us,PandP.10).gif Appropriate ACLs are configured on Web site files.
Ff648269.z02bthcm01(en-us,PandP.10).gif Role manager, instead of custom code, is used for roles authorization.
Ff648269.z02bthcm01(en-us,PandP.10).gif Role caching is used if role store lookup is too costly.
Ff648269.z02bthcm01(en-us,PandP.10).gif If role caching is used, authorization cookie is restricted to HTTPS connections by using the requireSSL attribute.
Ff648269.z02bthcm01(en-us,PandP.10).gif If using SSL is not possible, the cookieSlidingExpiration attribute is set to false and limited authentication cookie time-outs are used.
Ff648269.z02bthcm01(en-us,PandP.10).gif The authorization cookie is not persisted on user machine by setting the createPersistentCookie attribute to false.
Ff648269.z02bthcm01(en-us,PandP.10).gif Authorization cookie is protected for tampering and reading information.

Code Access Security

Check Description
Ff648269.z02bthcm01(en-us,PandP.10).gif Code access security is used when applications need to be isolated from each other.
Ff648269.z02bthcm01(en-us,PandP.10).gif The chosen trust level does not exceed your application's requirement.
Ff648269.z02bthcm01(en-us,PandP.10).gif If your application needs additional permissions, a custom trust policy is used.
Ff648269.z02bthcm01(en-us,PandP.10).gif Applications are isolated using Medium trust in hosted environments.
Ff648269.z02bthcm01(en-us,PandP.10).gif Attribute allowOverride is set to false in the machine-level Web.config file to ensure developers cannot change the trust level of their application.

Data Access

Check Description
Ff648269.z02bthcm01(en-us,PandP.10).gif Connection strings are encrypted in configuration files using the Aspnet_regiis utility and Protected Configuration providers.
Ff648269.z02bthcm01(en-us,PandP.10).gif Connection string information is encrypted using strong encryption (for example, 3DES).
Ff648269.z02bthcm01(en-us,PandP.10).gif Connection to database is used with least-privileged service account.
Ff648269.z02bthcm01(en-us,PandP.10).gif Windows authentication is used when connecting to SQL Server.
Ff648269.z02bthcm01(en-us,PandP.10).gif Trusted service accounts are used to connect to SQL Server.
Ff648269.z02bthcm01(en-us,PandP.10).gif Mirrored local accounts are considered as an alternative if domain accounts cannot be used.
Ff648269.z02bthcm01(en-us,PandP.10).gif Strong passwords are used and enforced.
Ff648269.z02bthcm01(en-us,PandP.10).gif If SQL Server authentication is used, the credentials are secured over the network by using IPSec or SSL, or by installing a database server certificate.
Ff648269.z02bthcm01(en-us,PandP.10).gif Credentials in SQL connection strings are protected in configuration files.
Ff648269.z02bthcm01(en-us,PandP.10).gif RSA Protected Configuration provider is used to protect connection strings in a Web farm environment.
Ff648269.z02bthcm01(en-us,PandP.10).gif Untrusted input passed to data access methods is validated.
Ff648269.z02bthcm01(en-us,PandP.10).gif SQL queries use parameterized stored procedures and type-safe SQL parameters.
Ff648269.z02bthcm01(en-us,PandP.10).gif Dynamic queries that accept user input are used only if stored procedures cannot be used.

Exception Management

Check Description
Ff648269.z02bthcm01(en-us,PandP.10).gif Structured exception handling is used.
Ff648269.z02bthcm01(en-us,PandP.10).gif Generic error pages with harmless messages are returned to the client.
Ff648269.z02bthcm01(en-us,PandP.10).gif Global error handlers are used to catch unhandled exceptions.
Ff648269.z02bthcm01(en-us,PandP.10).gif Set mode attribute in customErrors to On to prevent displaying detailed error messages to the caller.
Ff648269.z02bthcm01(en-us,PandP.10).gif Exception details are logged on the server.

Input/Data Validation

Check Description
Ff648269.z02bthcm01(en-us,PandP.10).gif Free form input is sanitized to clean malicious data.
Ff648269.z02bthcm01(en-us,PandP.10).gif Application does not rely only on request validation.
Ff648269.z02bthcm01(en-us,PandP.10).gif All the input is validated for length, range, format, and type. Input is checked for known valid and safe data and then for malicious, dangerous data.
Ff648269.z02bthcm01(en-us,PandP.10).gif Input from all the sources including query strings, cookies, and HTML controls is validated using the Regex class and/or your custom validation code.
Ff648269.z02bthcm01(en-us,PandP.10).gif Application does not rely on only client-side validation.
Ff648269.z02bthcm01(en-us,PandP.10).gif Application avoids file name and path input from user where possible.
Ff648269.z02bthcm01(en-us,PandP.10).gif If input file names are required, they are well formed and are verifiably valid within the application context.
Ff648269.z02bthcm01(en-us,PandP.10).gif Untrusted output is not directly echoed back to the user.
Ff648269.z02bthcm01(en-us,PandP.10).gif Output that contains untrusted data is encoded with HtmlEncode and UrlEncode.

Impersonation/Delegation

Check Description
Ff648269.z02bthcm01(en-us,PandP.10).gif Tradeoffs associated with use of impersonation are fully understood.
Ff648269.z02bthcm01(en-us,PandP.10).gif Use of LogonUser is avoided where possible.
Ff648269.z02bthcm01(en-us,PandP.10).gif Programmatic impersonation is avoided where possible.
Ff648269.z02bthcm01(en-us,PandP.10).gif Threading issues have been considered if impersonation is used. If impersonation token is to be passed to newly created threads, the ASPNET.config is configured correctly.
Ff648269.z02bthcm01(en-us,PandP.10).gif Impersonation is reverted by using finally blocks.
Ff648269.z02bthcm01(en-us,PandP.10).gif Exceptions while impersonating are not allowed to propagate.

Parameter Manipulation

Check Description
Ff648269.z02bthcm01(en-us,PandP.10).gif Security decisions are not made based on client parameters.
Ff648269.z02bthcm01(en-us,PandP.10).gif All the input parameters are validated for type, length, format, and range.
Ff648269.z02bthcm01(en-us,PandP.10).gif Sensitive data is not stored in view state.
Ff648269.z02bthcm01(en-us,PandP.10).gif View state is encrypted if it does contain sensitive data.
Ff648269.z02bthcm01(en-us,PandP.10).gif Page.ViewStateUserKey is used to counter one-click attacks.
Ff648269.z02bthcm01(en-us,PandP.10).gif Query strings with server secrets are hashed.

Sensitive Data

Check Description
Ff648269.z02bthcm01(en-us,PandP.10).gif Plaintext passwords are not used in configuration files (Web.config and Machine.config).
Ff648269.z02bthcm01(en-us,PandP.10).gif Sensitive data that is stored in .config files are encrypted using Protected Configuration providers.
Ff648269.z02bthcm01(en-us,PandP.10).gif Platform features are used and custom key management is avoided.
Ff648269.z02bthcm01(en-us,PandP.10).gif Sensitive data is not passed across pages; it is maintained using server-side state management.
Ff648269.z02bthcm01(en-us,PandP.10).gif Sensitive data passed over wire is secured using SSL or IPSec where appropriate.
Ff648269.z02bthcm01(en-us,PandP.10).gif Sensitive data is not cached.
Ff648269.z02bthcm01(en-us,PandP.10).gif Sensitive data is not stored in cookies, hidden form fields, or query strings.
Ff648269.z02bthcm01(en-us,PandP.10).gif Output caching for pages that contain sensitive data is turned off.
Ff648269.z02bthcm01(en-us,PandP.10).gif Sensitive data is encrypted in the database.

Session Management

Check Description
Ff648269.z02bthcm01(en-us,PandP.10).gif Application does not rely on client-side state management options.
Ff648269.z02bthcm01(en-us,PandP.10).gif Windows authentication is used to connect to Microsoft SQL Server state database.
Ff648269.z02bthcm01(en-us,PandP.10).gif Session state connection strings are encrypted using protected configuration providers.
Ff648269.z02bthcm01(en-us,PandP.10).gif Out-of-process state service is protected.
Ff648269.z02bthcm01(en-us,PandP.10).gif Access to state data is restricted.
Ff648269.z02bthcm01(en-us,PandP.10).gif SQL Server session state is protected.
Ff648269.z02bthcm01(en-us,PandP.10).gif The session cookie is protected using SSL on all pages that require authenticated access.
Ff648269.z02bthcm01(en-us,PandP.10).gif The session state service is disabled if not used.
Ff648269.z02bthcm01(en-us,PandP.10).gif The session state service (if used) runs using a least-privileged account.
Ff648269.z02bthcm01(en-us,PandP.10).gif The communication channel to state store is encrypted (IPSec or SSL).
Ff648269.z02bthcm01(en-us,PandP.10).gif Session state port is changed from default of 42424.

Deployment Considerations

Check Description
Ff648269.z02bthcm01(en-us,PandP.10).gif Least-privileged service account is used for running ASP.NET applications.
Ff648269.z02bthcm01(en-us,PandP.10).gif Configuration sections that contain sensitive data are encrypted using protected configuration providers.
Ff648269.z02bthcm01(en-us,PandP.10).gif Keys are stored in machine-level key store for application on dedicated server or multiple applications that run under the same identity.
Ff648269.z02bthcm01(en-us,PandP.10).gif Keys are stored in user-level key store for applications running in a shared hosting environment.
Ff648269.z02bthcm01(en-us,PandP.10).gif Protected file types are blocked using HttpForbiddenHandler.
Ff648269.z02bthcm01(en-us,PandP.10).gif The same machine keys are used consistently across all servers in a Web farm.
Ff648269.z02bthcm01(en-us,PandP.10).gif Configuration settings are locked by setting allowOverride to false where appropriate to enforce policy settings.
Ff648269.z02bthcm01(en-us,PandP.10).gif Set mode attribute in customErrors to On to prevent displaying detailed error messages to the caller.

Communication Security

Check Description
Ff648269.z02bthcm01(en-us,PandP.10).gif Appropriate mechanism of secure communication (IPSec or SSL) is used, depending on application requirement.
Ff648269.z02bthcm01(en-us,PandP.10).gif For communication between Web browser and Web server, SSL is used when pages need to be encrypted and you need to guarantee that the server to which you send the data is the server that you expect.
Ff648269.z02bthcm01(en-us,PandP.10).gif For communication between servers, IPSec is used when secure server-to-server communication is required.
Ff648269.z02bthcm01(en-us,PandP.10).gif For communication between servers, SSL is used when an application does not trust other applications on a server.
Ff648269.z02bthcm01(en-us,PandP.10).gif Pages that use SSL are optimized.

Feedback

Provide feedback by using either a Wiki or e-mail:

We are particularly interested in feedback regarding the following:

  • Technical issues specific to recommendations
  • Usefulness and usability issues

Technical Support

Technical support for the Microsoft products and technologies referenced in this guidance is provided by Microsoft Support Services. For product support information, please visit the Microsoft Product Support Web site at http://support.microsoft.com.

Community and Newsgroups

Community support is provided in the forums and newsgroups:

To get the most benefit, find the newsgroup that corresponds to your technology or problem. For example, if you have a problem with ASP.NET security features, you would use the ASP.NET Security forum.

Contributors and Reviewers

  • External Contributors and Reviewers: Jason Taylor, Security Innovation; Rudolph Araujo, Foundstone Professional Services
  • Microsoft Contributors and Reviewers: Wade Mascia, Tom Christian, Adam Semel, Stefan Schackow
  • Test team: Larry Brader, Microsoft Corporation; Nadupalli Venkata Surya Sateesh, Sivanthapatham Shanmugasundaram, Infosys Technologies Ltd.
  • Edit team: Nelly Delgado, Microsoft Corporation; Tina Burden McGrayne, TinaTech Inc.
  • Release Management: Sanjeev Garg, Microsoft Corporation

patterns & practices Developer Center

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.