Microsoft KB Archive/815145

= HOW TO: Lock Down an ASP.NET Web Application or Web Service =

Article ID: 815145

Article Last Modified on 1/11/2007

-

APPLIES TO


 * Microsoft ASP.NET 1.0
 * Microsoft ASP.NET 1.1

-



IN THIS TASK

 * SUMMARY
 * Packet Filtering
 * Application Layer Firewalls
 * NTFS Security
 * Configure URL Scan
 * Configure SQL Server Security
 * REFERENCES



SUMMARY
This step-by-step article describes how to lock down an ASP.NET Web Application or Web Service. Web applications are frequently the target for malicious attacks.

There are many steps that you can take to reduce the risk that is associated with hosting a Web application. At a high level, ASP.NET applications benefit from the same security measures as conventional Web applications. However, the ASP.NET file name extensions and the use of security require special consideration. This article describes several key mechanisms for securing ASP.NET Web applications.

For more information about security, visit the following Microsoft Web site:

http://www.microsoft.com/security

back to the top

Packet Filtering
ASP.NET requires no special consideration when you configure networking equipment or firewall programs for port-based packet filtering. Internet Information Server (IIS) defines the TCP port numbers that ASP.NET uses for communications. By default, ASP.NET uses TCP port 80 for standard HTTP, and uses TCP port 443 for HTTP with SSL encryption.

back to the top

Application Layer Firewalls
Application layer firewalls, such as Microsoft Internet Security and Acceleration Server, can analyze the details of incoming Web requests, including the HTTP command that is issued and the file that is requested. Depending on the application, different file types may be requested. An ASP.NET client might legitimately request files that have any of the following file name extensions, depending on the application functionality:
 * .ashx
 * .aspx
 * .asmx
 * .rem
 * .soap

Files that are included in an ASP.NET application can use the following file name extensions. However, a firewall should never forward such files to end users. Depending on the development environment, developers may issue Web requests for these extensions:
 * .asax
 * .ascx
 * .asmx
 * .axd
 * .config
 * .cs
 * .csproj
 * .dll
 * .licx
 * .pdb
 * .rem
 * .resources
 * .resx
 * .soap
 * .vb
 * .vbproj
 * .vsdisco
 * .webinfo
 * .xsd
 * .xsx

You must configure the firewall to restrict the types of HTTP commands that can be submitted to an ASP.NET application. Specifically, you must permit only GET, HEAD, and POST commands from end-user browsers. Developers may have to gain access to other HTTP commands, also.

back to the top

NTFS Security
You can effectively reduce the risk of private information being compromised. To do this, restrict the NTFS file permissions. By default, the ASP.NET applications run in the context of the ASPNET user account. For more security, you can configure appropriate permissions for ASPNET user account.

For additional information about configuring NTFS file permissions, click the following article number to view the article in the Microsoft Knowledge Base:

815153 HOW TO: Configure NTFS file permissions for security of ASP.NET applications

back to the top

Configure URLScan
URLScan is a Microsoft ISAPI filter that is designed to provide more detailed filtering of incoming Web requests on IIS 5.0 servers. URLScan provides many capabilities of an Application Layer firewall, and can filter requests based on file name, path, and request type. For more information about the URLScan security tool, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/tools/urlscan.mspx

For additional information about URLScan, click the following article number to view the article in the Microsoft Knowledge Base:

815155 HOW TO: Configure URLScan to protect ASP.NET Web applications

back to the top

Configure SQL Server Security
Many ASP.NET applications communicate with a Microsoft SQL Server database. It is common for malicious attacks against a database to use an ASP.NET application, and then take the advantage of the permissions that the database administrator has granted to the application. To offer the greatest level of protection against such attacks, configure your database permissions to limit the permissions that you grant to ASP.NET. Grant only the minimum permissions that the application must have to function.

For example, limit ASP.NET to Read permissions for only those views, tables, rows, and columns that the application must have access to. Where the application does not directly update a table, do not grant to ASP.NET the permission to submit updates. For more security, configure appropriate permissions for the ASPNET user account.

For additional information about configuring SQL Server, click the following article number to view the article in the Microsoft Knowledge Base:

815154 HOW TO: Configure SQL Server security for .NET applications

back to the top

