Free Website Security tools by Microsoft; Securing web applications through web.config Settings

By Vishal Khanna (1st Jan, 2009)

It’s a cold New Year morning and I’m back on my system, writing some tips on securing your all-important, emotionally attached website(s). Wish you all a hacker-safe, highly secure New Year ahead!

Well, as we all know, Microsoft releases new tools all the time. In this article I’m going to cover a few free security tools from Microsoft that help you find the weaknesses attackers look for in a website, and then walk through the configuration settings that should be applied in the web.config file of an ASP.NET application before it goes to production.

To begin with, let me talk about the most common types of hacker attacks.

·         SQL Injection – the attacker types SQL fragments into input fields (or query strings and cookies) that the application concatenates into a database query. The injected SQL runs with the application’s database rights, so it can read data the user should not see, modify or wipe tables, or make the website behave unexpectedly.

·         XSS Attacks – Cross Site Scripting is the injection of HTML or client-side script (usually JavaScript) into a page that the site then serves to other visitors, typically because user input is written back into the page without being encoded. The script runs in the victim’s browser under the site’s own origin, so the intention is usually to steal the visitor’s session cookie or other information, or to deface the site.

Microsoft provides a set of free tools that help you find these weaknesses before an attacker does:

·         Microsoft Threat Analysis and Modeling Tool – This application lets developers build a threat model of their application and reason about its risks: you describe the roles, components, data and use cases, and the tool generates artifacts such as a data access control matrix, component access control matrix, subject-object matrix, data flow, call flow, trust flow, attack surface and focused reports. The tool may be downloaded from the following location:

 

http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en

 

Here is one beautiful article by Steve Orr on the threat analysis tool:

http://steveorr.net/articles/Threat-Analysis.aspx

 

·         Source Code Analysis Tool for SQL Injection – This static analysis tool scans classic ASP source code for SQL injection. It follows user input through the code and warns about both first-order injection (input reaches a query in the same request) and second-order injection (input is stored and reaches a query in a later request). Usefully, the warnings come with annotations suggesting how the source code can be fixed. If you want to try the tool, you may download it from the following location:

 

http://www.microsoft.com/downloads/details.aspx?familyid=58A7C46E-A599-4FCB-9AB4-A4334146B6BA&displaylang=en

 

·         XSS Detect Beta Code Analysis Tool – This tool detects cross-site scripting vulnerabilities by analyzing compiled code built with C#, VB.NET or J#. Its report lists the data flow paths from user-controlled input all the way to the probable vulnerable output where the data is written into a page; paths on which the input has already been sanitized are ignored. Below is the link from where the tool may be downloaded and further explored:

 

http://www.microsoft.com/downloads/details.aspx?familyid=19A9E348-BDB9-45B3-A1B7-44CCDCB7CFBE&displaylang=en

 

Here is a must-read link for everyone who really cares about their website(s) and wants to make sure they cannot easily be hacked, the Microsoft Threats and Countermeasures guide: http://download.microsoft.com/download/d/8/c/d8c02f31-64af-438c-a9f4-e31acb8e3333/Threats_Countermeasures.pdf

 

Tips to secure an ASP.NET web application through the web.config file:

 

1 – Disable cookieless authentication – With cookieless="UseUri", ASP.NET embeds the forms authentication ticket in the request URL. Anything that sees the URL then sees the ticket: proxy and web server logs, browser history, the Referer header sent to third-party sites, and anyone watching the wire with a network monitoring tool. A hacker who copies the URL can paste it into another browser, act as the actual user and misuse the web application. Keep the ticket in a cookie instead by setting cookieless="UseCookies" (the default, "UseDeviceProfile", falls back to the URL for browsers ASP.NET believes do not support cookies). Use the following in the web.config file:

<configuration><system.web><authentication mode="Forms">
  <forms cookieless="UseCookies" />
</authentication></system.web></configuration>

Note: Avoid using <forms cookieless="UseUri">, and be aware that "UseDeviceProfile" (the default) and "AutoDetect" can also put the ticket in the URL.

2 – Set the requireSSL attribute of the forms element to true – SSL (today TLS) encrypts the traffic between the browser and the web server, so that the authentication cookie cannot be read in transit. requireSSL="true" does two things: ASP.NET marks the ticket cookie with the Secure flag, so the browser only ever sends it over HTTPS, and it refuses to issue or accept the ticket on a plain HTTP request. Without it, a single request to an http:// URL of the site leaks the cookie in clear text even if the login page itself used HTTPS. This requires every page under forms authentication to be served over HTTPS. Use the following in the web.config file:

<configuration><system.web><authentication mode="Forms">
  <forms requireSSL="true" />
</authentication></system.web></configuration>

Note: Avoid using <forms requireSSL="false">, which is the default.

3 – Remove the credentials element from web.config in the production environment – Developers and testers sometimes put user names and passwords straight into the forms element so that they can log in on development and test servers without a user store. It is the release engineer’s job to make sure this element is removed before web.config is deployed to production. Although ASP.NET refuses to serve web.config itself, the file ends up in backups, source control, build output and deployment packages, and anyone with read access to any of those learns the all-important credentials (passwords are expected to be SHA1 hashed by default, but people usually store them as clear text, and even hashed passwords in a file can be cracked offline). The credentials element is meant for the development environment only, not for production. Here is how it looks in web.config:

<configuration><system.web><authentication mode="Forms">
  <forms>
    <!-- passwordFormat defaults to SHA1; "Clear" is what a plain-text password like the one below needs -->
    <credentials passwordFormat="Clear">
      <!-- Make sure this entire element is removed during deployment to the production server -->
      <user name="vishal" password="khanna1234$" />
    </credentials>
  </forms>
</authentication></system.web></configuration>

If you forget to wipe this off, big hacker daddy will give you a tight spanking … Ouch!

4 – Set the slidingExpiration attribute to false – By default slidingExpiration is true: whenever a request arrives after more than half of the timeout has elapsed, ASP.NET reissues the ticket with a fresh expiry, so a session that stays active never expires. Set it to false and the ticket expires a fixed interval after it was issued, given by the timeout attribute, which defaults to 30 minutes. So even if an authentication ticket is stolen, the hacker has at most that long to perform the malicious activity before having to steal a fresh one. Here is how the code in web.config should look:

<configuration><system.web><authentication mode="Forms">
  <forms slidingExpiration="false" />
</authentication></system.web></configuration>

5 – Use a unique cookie name per application – Browsers scope cookies by host name, not by IIS application, so when several web sites or applications on the same host use cookie-based forms authentication with the default cookie name “.ASPXAUTH”, their ticket cookies overwrite one another, and if the applications also share a machineKey a ticket issued by one is accepted by the other. Give each application its own name attribute on the forms element; a GUID (globally unique identifier) is a convenient value that is, for all practical purposes, guaranteed not to collide. (The forms path attribute is a weaker way to separate applications, because browsers match the cookie path case-sensitively.) Here is what you may use in your web.config file:

<configuration><system.web><authentication mode="Forms">
  <!-- replace the placeholder with a real GUID, e.g. from guidgen.exe or Guid.NewGuid() -->
  <forms name="GUID-VALUE-HERE" />
</authentication></system.web></configuration>

6 – Disable Tracing – Before deploying an application to the production or live server, make sure that tracing is disabled. If you forget, anyone can browse to the trace.axd handler of your application and view the most recent requests to the site, including query strings, form fields, cookies, session state and server variables. The localOnly attribute is a second line of defence: even if tracing is switched on, trace.axd then answers only to requests from the web server itself. This is done as follows:

<configuration><system.web>
  <trace enabled="false" localOnly="true" />
</system.web></configuration>

7 – Disable Debugging – This is one of the most important things to do when deploying a web application to production. With debug="true", ASP.NET compiles pages without optimizations and without batch compilation, ignores the request execution timeout, and its error pages include stack traces with source line numbers. Set the following in web.config:

<configuration><system.web>
  <compilation debug="false" />
</system.web></configuration>

8 – Set the customErrors mode to RemoteOnly – When an unhandled exception occurs, the default ASP.NET error page shows the exception message, the stack trace with physical file paths and, in a debug build, an excerpt of the source around the failing line. A hacker who can read that learns the internal structure of the site, the query or component that failed and sometimes the values that triggered it, which makes further attacks much easier. With mode="RemoteOnly" (or "On") remote users see only a generic error page while developers browsing from the server still get the details; the defaultRedirect attribute points remote users to an error page of your own. So beware. Here is what should be done in web.config:

<configuration><system.web>
  <customErrors mode="RemoteOnly" />
</system.web></configuration>

9 – Set the httpOnlyCookies attribute to true – A cookie carrying the HttpOnly flag is still sent by the browser with every request, but client-side script such as JavaScript cannot read it through document.cookie; only server-side code sees its value.

Consider a hacker who manages to get a script that reads document.cookie injected into one of your pages through an input field (an XSS attack). If the cookies are accessible from the browser, that script can send the all-important authentication cookie to the attacker. HttpOnly closes that route, which is why it is advisable to set httpOnlyCookies="true": every cookie the application sets then becomes HttpOnly (the forms authentication ticket cookie is HttpOnly regardless, from ASP.NET 2.0 on). Note that this limits the damage of XSS rather than preventing it; a script running in the victim’s browser can still make requests that carry the cookie. Use this setting in web.config:

<configuration><system.web>
  <httpCookies httpOnlyCookies="true" />
</system.web></configuration>
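The nine settings above combined into one web.config, as an added example that is not part of the original article. The cookie name, the 30-minute timeout, protection="All" and the page names ~/Login.aspx and ~/Error.aspx are illustrative values chosen for this example; the credentials element is deliberately absent. The comments record which tip each setting implements and what the default would otherwise have been.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the article: one web.config applying tips 1 to 9.
     Cookie name, timeout, loginUrl and defaultRedirect are values assumed here. -->
<configuration>
  <system.web>
    <!-- Tip 7: never ship a debug build (default is already false, but projects
         often flip it to true and forget) -->
    <compilation debug="false" />

    <!-- Tip 6: tracing off; localOnly="true" keeps trace.axd reachable only from
         the server itself should someone enable tracing later -->
    <trace enabled="false" localOnly="true" />

    <!-- Tip 8: remote clients get a generic page, developers on the box get details.
         ~/Error.aspx is an assumed page name. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />

    <!-- Tip 9: every cookie the application sets is HttpOnly (default false);
         requireSSL additionally marks them Secure -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <authentication mode="Forms">
      <!-- Tip 1: cookieless="UseCookies" (default UseDeviceProfile can fall back to the URL)
           Tip 2: requireSSL="true" (default false): Secure cookie, HTTPS-only ticket handling
           Tip 4: slidingExpiration="false" (default true) with an absolute 30-minute timeout
           Tip 5: a per-application cookie name; the GUID below (no hyphens) was generated
                  for this example and must be replaced with your own
           Tip 3: no <credentials> element here; accounts belong in a membership store -->
      <forms
        name="fa_9d2b7c4e1f8a4d3b9e6c0a1b2c3d4e5f"
        loginUrl="~/Login.aspx"
        cookieless="UseCookies"
        requireSSL="true"
        slidingExpiration="false"
        timeout="30"
        protection="All" />
    </authentication>
  </system.web>
</configuration>
```

Both requireSSL attributes assume the site is served over HTTPS: once they are set, ASP.NET throws when asked to issue the ticket on a plain HTTP request, so apply this file only after the login page and every authenticated page are reachable over HTTPS.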

 

Following these simple rules will go a long way towards securing a web application. There are other security mechanisms as well; a list like this can never be exhaustive. I hope these steps and tips help you secure your web applications.

Happy Reading.

Cheers!

 

 








