.NET Website Security Guidelines Checklist


codeguru.com/blog/net-website-security-guidelines-checklist/

February 23, 2015

By Ajay Yadav

Lead: Become proficient with the security aspects of a web application before it goes live on the
Internet.

Web applications have been built to perform virtually every useful function that can be
implemented online: banking, online shopping, social networking, web mail and auctions. As
with any new class of technology, web applications have brought with them new categories of
security vulnerabilities. Sophisticated attacks have been conceived that were not considered
when existing applications were developed, and new technologies have opened up new
possibilities for exploitation. High-profile compromises of this kind continue to occur
frequently.

The most critical attacks against web applications are those that expose sensitive data or
gain unrestricted access to the back-end systems on which the application runs. By some
measures, web application security is today the most significant battleground between
attackers and those with computing resources and data to protect, and it is likely to remain
so for the foreseeable future. A web application typically reaches production on top of
numerous back-end technologies, so hardening must cover the whole stack, including any Web
APIs, if the application is to be secure.

Developers, however, tend to focus on building attractive applications that meet end-user
requirements and too often skip essential security measures, which leaves web applications
exposed. Developers cannot generally be expected to ensure comprehensive protection of the
web framework on their own, given the variety of components working behind the scenes. This
paper therefore sets out security aspects as quick guidelines that can be confirmed before a
web application goes live on the Internet, easing the developer's task by ensuring protection
to some extent.

Website Design

The following guidelines will help you construct a website that is as safe as it is attractive.

- The website design must be extensible, feasible and viable: partition it into layers so
  that presentation, business logic and database manipulation are each handled separately.
- The website should be composed of restricted and public zones, and navigation between
  these zones must not allow sensitive information to flow from one to the other.
- Sensitive information held by the website must be stored in encrypted form.
- Input validation should combine client-side and server-side validation rather than rely on
  client-side validation alone; only the server-side check can be trusted.
- The production and database servers should be placed in a secure DMZ and accessed only by
  privileged personnel.
- User controls and Web controls should be separated into individual assembly files.
- The website's directories and files should be authorized in a granular fashion.
- An accurate exception handling mechanism should be present in each website source code
  file.
- A secure mechanism must be identified for transmitting sensitive information across the
  network.

Website Authentication

| Security parameter | Damage magnitude (if No) | Status |
| --- | --- | --- |
| Confirm SSL is implemented to protect sensitive credentials. | Severe | ☐ |
| Confirm forms authentication cookies are encrypted and integrity-checked by setting protection="All". | Severe | ☐ |
| Confirm forms authentication cookies are restricted to HTTPS by using the secure or requireSSL attribute. | Severe | ☐ |
| Confirm a strong password policy is applied. | Severe | ☐ |
| Confirm cookie time-outs are kept short, and consider disabling slidingExpiration, if SSL is not used (a stolen cookie is usable only until it expires). | Moderate | ☐ |
| Confirm the persistence level of cookies (avoid persistent authentication cookies). | Moderate | ☐ |
| Confirm Anonymous or Basic authentication is not applied. | Severe | ☐ |
| Confirm impersonation credentials are stored encrypted (protected configuration), never in clear text. | Severe | ☐ |
| Confirm sensitive credentials are not stored in an XML file in clear text. | Severe | ☐ |
| Confirm that unsuccessful sign-in activity is logged. | Moderate | ☐ |

Resource Authorization

| Security parameter | Damage magnitude (if No) | Status |
| --- | --- | --- |
| Confirm Windows authentication is applied when File authorization is used. | Moderate | ☐ |
| Confirm a role check is performed for each particular resource access. | Severe | ☐ |
| Confirm pages and directories are protected via URL authorization. | Severe | ☐ |
| Confirm principal permission demands are applied to classes and members in source code. | Severe | ☐ |
| Confirm role-based authorization is enforced with User.IsInRole (IPrincipal.IsInRole; IIdentity has no IsInRole member). | Moderate | ☐ |
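As an added example (not code from the original article), the following .NET Framework console program shows the two authorization styles named above: a declarative PrincipalPermission demand on a method, and an imperative IPrincipal.IsInRole check. The user names and the role names "Admin", "Auditor" and "Clerk" are assumptions. In ASP.NET the principal comes from HttpContext.Current.User (Page.User), which the runtime also assigns to Thread.CurrentPrincipal, the principal that PrincipalPermission inspects; the program sets it by hand only because it runs outside ASP.NET. Declarative PrincipalPermission demands are a .NET Framework feature and are not supported on .NET Core/.NET 5+.

```csharp
// Added example (not from the original article): role checks in .NET Framework using
// a declarative PrincipalPermission demand and an imperative IPrincipal.IsInRole check.
// Runs as a console program; the principals are constructed in-memory stand-ins for
// what ASP.NET would place in HttpContext.Current.User. Role names are assumptions.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class ResourceAuthorizationDemo
{
    // Declarative check: the CLR demands the role before the method body runs and
    // throws SecurityException if Thread.CurrentPrincipal is not in "Admin".
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public static string DeleteAccount(string accountId)
    {
        return "deleted " + accountId;
    }

    // Imperative check: explicit role test that lets the caller choose the failure
    // response (403, redirect to login, hide the control) instead of an exception.
    public static bool CanViewReport(IPrincipal user)
    {
        // An anonymous identity (empty name) reports IsAuthenticated == false and is refused.
        if (user == null || !user.Identity.IsAuthenticated) return false;
        return user.IsInRole("Admin") || user.IsInRole("Auditor");
    }

    static IPrincipal MakeUser(string name, params string[] roles)
    {
        return new GenericPrincipal(new GenericIdentity(name), roles);
    }

    static void Main()
    {
        // Constructed sample principals.
        IPrincipal admin = MakeUser("alice", "Admin");
        IPrincipal clerk = MakeUser("bob", "Clerk");
        IPrincipal anonymous = new GenericPrincipal(new GenericIdentity(""), null);

        Console.WriteLine("alice can view report: " + CanViewReport(admin));
        Console.WriteLine("bob can view report:   " + CanViewReport(clerk));
        Console.WriteLine("anon can view report:  " + CanViewReport(anonymous));

        // Declarative demand is satisfied for the admin...
        Thread.CurrentPrincipal = admin;
        Console.WriteLine(DeleteAccount("4711"));

        // ...and refused for a non-admin before DeleteAccount's body ever executes.
        Thread.CurrentPrincipal = clerk;
        try
        {
            DeleteAccount("4711");
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Denied for bob: " + ex.Message);
        }
    }
}
```

Compile with csc and run: the clerk's call to DeleteAccount raises SecurityException before the method body executes, whereas the imperative check returns a boolean and leaves the page free to decide between a 403 response and a redirect. Use the declarative form on business-layer members so the check cannot be bypassed by a page that forgets it, and the imperative form where the UI must react to the outcome.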

Input Validation

| Security parameter | Damage magnitude (if No) | Status |
| --- | --- | --- |
| Confirm the input range is checked at Form textbox controls (and Page.IsValid is tested server side before the values are used). | Severe | ☐ |
| Confirm RequiredFieldValidator is implemented. | Severe | ☐ |
| Confirm RegularExpressionValidator is implemented. | Severe | ☐ |
| Confirm RangeValidator is implemented. | Severe | ☐ |
| Confirm textboxes validate input length and type, and that database access uses parameterized queries; validation alone does not thwart SQL injection. | Severe | ☐ |
| Confirm cookies and query strings are validated server side with the Regex class. | Moderate | ☐ |
| Confirm free-form input is sanitized (no path traversal sequences) to thwart LFI or RFI attacks. | Severe | ☐ |
| Confirm the HttpOnly cookie option is applied to limit the impact of an XSS attack. | Severe | ☐ |
| Confirm output is encoded with HttpUtility.UrlEncode or HttpUtility.HtmlEncode according to the context it is written into. | Moderate | ☐ |
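The following console program is an added example (not from the original article) that demonstrates the validation, SQL injection and output-encoding items above together: a whitelist Regex enforcing length and type, a range check, a parameterized SqlCommand beside the concatenated query it replaces, and context-appropriate encoding with HttpUtility. The table and column names (Orders, OrderId, Customer), the accepted range and the sample inputs are constructed for illustration; it targets .NET Framework with references to System.Data and System.Web.

```csharp
// Added example (not from the original article): server-side input validation,
// a parameterized query in place of string concatenation, and output encoding.
// Console program for .NET Framework; references System.Data and System.Web.
// Table/column names, the accepted range and the sample inputs are constructed.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

static class InputValidationDemo
{
    // Whitelist: 1-9 digits only (length + type). 9 digits always fits in an int.
    static readonly Regex OrderIdPattern = new Regex(@"^\d{1,9}$", RegexOptions.CultureInvariant);

    // Type, length and range check in one place; returns false for anything unexpected.
    public static bool TryParseOrderId(string raw, out int orderId)
    {
        orderId = 0;
        if (raw == null || !OrderIdPattern.IsMatch(raw)) return false;
        orderId = int.Parse(raw);
        return orderId >= 1 && orderId <= 999999;   // assumed business range
    }

    // VULNERABLE: SQL built by concatenation. Kept only to show what the checklist
    // item rejects; the attacker controls part of the statement.
    public static string UnsafeQuery(string raw)
    {
        return "SELECT * FROM Orders WHERE OrderId = " + raw;
    }

    // HARDENED: the validated, typed value is bound as a parameter. The command
    // text is constant whatever the input, so injected SQL cannot change it.
    public static SqlCommand SafeQuery(int orderId)
    {
        var cmd = new SqlCommand("SELECT OrderId, Customer FROM Orders WHERE OrderId = @id");
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = orderId;
        return cmd;
    }

    // Encode for the context the value lands in: HTML body vs. URL query string.
    public static string RenderCustomer(string untrusted)
    {
        return "<span>" + HttpUtility.HtmlEncode(untrusted) + "</span>";
    }

    public static string BuildLink(string untrusted)
    {
        return "/orders.aspx?customer=" + HttpUtility.UrlEncode(untrusted);
    }

    static void Main()
    {
        // Constructed inputs: one valid id, an injection attempt, two out-of-range
        // values and an over-long string.
        string[] samples = { "42", "1 OR 1=1", "0", "-7", "99999999999" };
        foreach (string s in samples)
        {
            int id;
            bool ok = TryParseOrderId(s, out id);
            Console.WriteLine("{0,-14} valid={1}", s, ok);
            Console.WriteLine("  unsafe: " + UnsafeQuery(s));
            if (ok)
                Console.WriteLine("  safe:   " + SafeQuery(id).CommandText + "  (@id=" + id + ")");
        }

        // Constructed untrusted strings for the encoding paths.
        Console.WriteLine(RenderCustomer("<script>alert(1)</script>"));
        Console.WriteLine(BuildLink("O'Brien & Sons"));
    }
}
```

The point of showing UnsafeQuery next to SafeQuery is that "1 OR 1=1" fails the whitelist, but a validation rule can always be wrong or forgotten on some code path; the parameterized command holds even then. In a Web Forms page the same TryParseOrderId logic sits behind the validator controls, and Page.IsValid must be checked on postback because the client-side validators can be bypassed.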

Parameters Handling

| Security parameter | Damage magnitude (if No) | Status |
| --- | --- | --- |
| Confirm query string data is encrypted. | Severe | ☐ |
| Confirm form view state is encrypted (viewStateEncryptionMode). | Severe | ☐ |
| Confirm Page.ViewStateUserKey is set (for example to the session ID) to defend against one-click (CSRF) attacks. | Moderate | ☐ |

Session Data Handling

| Security parameter | Damage magnitude (if No) | Status |
| --- | --- | --- |
| Confirm unused session state services are disabled. | Low | ☐ |
| Confirm connection strings are encrypted. | Severe | ☐ |
| Confirm session cookie data is integrity-protected (hashed/MAC'd) so it cannot be tampered with. | Severe | ☐ |
| Confirm the session state service runs with least privilege. | Moderate | ☐ |

Sensitive Data Protection

| Security parameter | Damage magnitude (if No) | Status |
| --- | --- | --- |
| Confirm SSL is applied to protect communication. | Severe | ☐ |
| Confirm output caching is disabled for pages that contain sensitive data. | Severe | ☐ |
| Confirm sensitive data does not reside in cookies, query strings or hidden form fields. | Severe | ☐ |
| Confirm server-side state management is used instead of passing data across pages in clear text. | Severe | ☐ |
| Confirm sensitive data is not stored in the web.config file in plain text. | Severe | ☐ |

Web Services

| Security parameter | Damage magnitude (if No) | Status |
| --- | --- | --- |
| Confirm unused Web service protocols, including HTTP GET and HTTP POST, are disabled. | Severe | ☐ |
| Confirm XML input data is validated against an agreed-upon schema. | Severe | ☐ |
| Confirm input to Web methods is validated for length, type, range and format. | Severe | ☐ |
| Confirm SOAP messages are passed only in encrypted form over communication channels. | Severe | ☐ |
| Confirm Basic authentication is used only over encrypted (SSL) communication. | Severe | ☐ |
| Confirm the Web service runs with a least-privileged process account. | Severe | ☐ |
| Confirm messages are digitally signed so that malicious parameter manipulation is detected. | Severe | ☐ |
| Confirm publicly accessible Web methods are restricted by using declarative principal permission demands. | Severe | ☐ |

Exception Handling Management

| Security parameter | Damage magnitude (if No) | Status |
| --- | --- | --- |
| Confirm every exception that occurs is recorded on the server. | Moderate | ☐ |
| Confirm structured exception handling is applied in each code file. | Severe | ☐ |
| Confirm page-level exception handling is applied. | Severe | ☐ |
| Confirm application-level exception handling is applied. | Severe | ☐ |
| Confirm a generic error page is configured for unexpected errors. | Moderate | ☐ |
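An added example (not from the original article) of application-level handling in Global.asax.cs for an ASP.NET Web Forms site on .NET Framework, covering the "recorded on the server" and "generic error page" items above. The log path D:\Logs\site-errors.log and the page name ~/Error.aspx are assumptions; the log location must be outside the web root and unreadable by the web process account's anonymous counterpart.

```csharp
// Added example (not from the original article): application-level exception handling
// for an ASP.NET Web Forms site (.NET Framework), placed in Global.asax.cs.
// The full exception is recorded on the server; the browser only ever sees a generic page.
// LogPath and GenericErrorPage are assumptions for illustration.
using System;
using System.IO;
using System.Web;

public class Global : HttpApplication
{
    // Assumed locations: keep the log outside the web root.
    const string LogPath = @"D:\Logs\site-errors.log";
    const string GenericErrorPage = "~/Error.aspx";

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // The runtime wraps faults raised during page processing in HttpUnhandledException;
        // unwrap it so the log records the real type and stack trace.
        if (ex is HttpUnhandledException && ex.InnerException != null)
            ex = ex.InnerException;

        string user = (Context.User != null) ? Context.User.Identity.Name : "";
        RecordException(ex, Request.RawUrl, user);

        // Clear the error so ASP.NET does not render its detailed error page, then show a
        // static generic page that reveals nothing about the fault. StatusCode 500 keeps
        // monitoring honest even though the content is friendly.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 500;
        Server.Transfer(GenericErrorPage, false);
    }

    // Shared with page-level handlers (Page_Error) so every layer logs the same record.
    public static void RecordException(Exception ex, string url, string user)
    {
        string line = string.Format("{0:o} user={1} url={2} type={3} msg={4}{5}{6}{5}",
            DateTime.UtcNow, user, url, ex.GetType().FullName, ex.Message,
            Environment.NewLine, ex.StackTrace);
        try
        {
            File.AppendAllText(LogPath, line);
        }
        catch (IOException)
        {
            // A logging failure must never mask the original error or leak it to the client.
        }
    }
}
```

Keep customErrors mode="On" (or "RemoteOnly") in web.config as a backstop: some failures, such as configuration errors that prevent the application from starting, never reach Application_Error, and the customErrors page then stops a detailed error from reaching the client. Note that ex.Message is written to the server log only; nothing from the exception is copied into the response.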

Web.Config File Administration

| Security parameter | Damage magnitude (if No) | Status |
| --- | --- | --- |
| Confirm enableViewState is disabled if the application does not rely on view state. | Moderate | ☐ |
| Confirm enableViewStateMac is enabled if the application uses view state. | Severe | ☐ |
| Confirm httpRuntime maxRequestLength is set to prevent users from uploading very large files. | Moderate | ☐ |
| Confirm the ASP.NET account runs with least privilege via this setting (the processModel element is honoured only in machine.config): `<processModel userName="Machine" password="AutoGenerate" />` | Severe | ☐ |
| Confirm secure forms authentication is enabled by this element: `<forms loginUrl="Restrictedlogin.aspx" protection="All" requireSSL="true" timeout="10" name="AppNameCookie" path="/FormsAuth" slidingExpiration="true" />` | Severe | ☐ |
| Confirm the customErrors option is enabled (mode="On" or "RemoteOnly"). | Severe | ☐ |
| Confirm automatic generation of WSDL is disabled (remove the Documentation protocol). | Severe | ☐ |
| Confirm the application is forced to use authentication by setting allowOverride="false" on the enclosing location element. | Severe | ☐ |
| Confirm unused file type handlers are mapped to System.Web.HttpForbiddenHandler. | Moderate | ☐ |
| If session state is used, confirm it is stored and transmitted in protected (encrypted) form. | Moderate | ☐ |
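As an added example (not from the original article, and not a Microsoft tool), the console program below reads a web.config with System.Xml.Linq and flags the weak settings named in the Authentication, Web.Config File Administration and Deployment checklists: debug compilation, tracing, customErrors off, forms authentication without requireSSL or with a protection level other than All, long ticket time-outs, enableViewStateMac disabled, and an oversized maxRequestLength. The embedded web.config is constructed to trip every check; the thresholds (60 minutes for the ticket time-out, 4096 KB for maxRequestLength, the latter being ASP.NET's default) are assumptions for the demo.

```csharp
// Added example (not from the original article): a small audit that reads an ASP.NET
// web.config and flags weak settings from the Authentication, Web.Config Administration
// and Deployment checklists. Console program for .NET Framework or .NET; the sample
// web.config below is constructed for the demo, and the thresholds are assumptions.
using System;
using System.Collections.Generic;
using System.Xml.Linq;

static class WebConfigAudit
{
    // Constructed sample: every setting here is the weak variant.
    const string SampleWeakConfig = @"<?xml version=""1.0""?>
<configuration>
  <system.web>
    <compilation debug=""true"" targetFramework=""4.5"" />
    <trace enabled=""true"" localOnly=""false"" />
    <customErrors mode=""Off"" />
    <authentication mode=""Forms"">
      <forms loginUrl=""Login.aspx"" protection=""Encryption"" timeout=""2880"" />
    </authentication>
    <pages enableViewStateMac=""false"" />
    <httpRuntime maxRequestLength=""2097151"" />
  </system.web>
</configuration>";

    static string Attr(XElement e, string name)
    {
        if (e == null) return null;
        XAttribute a = e.Attribute(name);
        return a == null ? null : a.Value;
    }

    static bool Is(string value, string expected)
    {
        return string.Equals(value, expected, StringComparison.OrdinalIgnoreCase);
    }

    public static List<string> Audit(string configXml)
    {
        var findings = new List<string>();
        XElement web = XDocument.Parse(configXml).Root.Element("system.web");
        if (web == null) { findings.Add("No <system.web> section found."); return findings; }

        if (Is(Attr(web.Element("compilation"), "debug"), "true"))
            findings.Add("Severe: compilation debug=\"true\" in a deployed web.config.");

        if (Is(Attr(web.Element("trace"), "enabled"), "true"))
            findings.Add("Severe: trace enabled; trace.axd exposes request and session data.");

        // customErrors defaults to RemoteOnly when absent, so only an explicit Off is flagged.
        if (Is(Attr(web.Element("customErrors"), "mode"), "Off"))
            findings.Add("Severe: customErrors mode=\"Off\"; detailed errors reach remote clients.");

        XElement auth = web.Element("authentication");
        if (Is(Attr(auth, "mode"), "Forms"))
        {
            XElement forms = auth.Element("forms");
            // requireSSL defaults to false, so a missing attribute is a finding.
            if (!Is(Attr(forms, "requireSSL"), "true"))
                findings.Add("Severe: forms requireSSL not true; the auth cookie may travel over HTTP.");
            string protection = Attr(forms, "protection");
            if (protection != null && !Is(protection, "All"))
                findings.Add("Severe: forms protection=\"" + protection + "\"; use All (encrypt and validate).");
            int timeout;
            if (int.TryParse(Attr(forms, "timeout"), out timeout) && timeout > 60)   // assumed limit
                findings.Add("Moderate: forms timeout " + timeout + " min; long tickets widen the replay window.");
        }

        if (Is(Attr(web.Element("pages"), "enableViewStateMac"), "false"))
            findings.Add("Severe: enableViewStateMac=\"false\"; view state can be tampered with or forged.");

        int maxLen;
        if (int.TryParse(Attr(web.Element("httpRuntime"), "maxRequestLength"), out maxLen) && maxLen > 4096)
            findings.Add("Moderate: httpRuntime maxRequestLength " + maxLen + " KB allows very large uploads.");

        return findings;
    }

    static void Main()
    {
        foreach (string finding in Audit(SampleWeakConfig))
            Console.WriteLine(finding);
    }
}
```

Run it against a deployed web.config by swapping the constant for File.ReadAllText(path). Settings inherited from machine.config or the root web.config are invisible to this check, so a missing element is reported only where the default is the weak value (requireSSL); the processModel element lives in machine.config and is out of scope here.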

Privilege Management

| Security parameter | Damage magnitude (if No) | Status |
| --- | --- | --- |
| Confirm the ASP.NET process account has Read permission to the system root directory (%windir%\System32). | Severe | ☐ |
| Confirm the impersonated account has Read permission to the GAC (%windir%\assembly). | Severe | ☐ |
| Confirm the process account has Read and Execute permission to the solution content directory. | Severe | ☐ |
| Confirm the ASP.NET process account has Read and Execute permission to the Framework directory (%windir%\Microsoft.NET\Framework). | Moderate | ☐ |
| Confirm the process account has Full Control permission to the Temporary ASP.NET Files directory (%windir%\Microsoft.NET\Framework\{version}\Temporary ASP.NET Files). | Moderate | ☐ |

Deployment

| Security parameter | Damage magnitude (if No) | Status |
| --- | --- | --- |
| Confirm debug compilation is disabled. | Severe | ☐ |
| Confirm trace is disabled. | Severe | ☐ |
| Confirm access is denied by the authentication and authorization configuration, and unnecessary configuration is removed. | Severe | ☐ |
| Confirm the Bin directory does not have Read or Write permission in IIS. | Severe | ☐ |
| Confirm the Bin directory does not have directory browsing permission. | Severe | ☐ |

Final Note
This cheat sheet gives developers a quick snapshot of the essential configuration, with
concentrated guidance on building a secure web application. Website programmers can reference
it while applying security measures quickly rather than dwelling on detailed security settings.
We have seen various significant ASP.NET security configurations that can benefit both
developers and penetration testers.
