SUMMARY
This step-by-step article describes important
considerations for securing applications that are built on the .NET Framework. This
article is one of a series of articles that provide detailed information for
applications that are built on the .NET Framework.
The articles in this series include the following:
818016 HOW TO: Deploy Applications That Are Built on the .NET Framework
818013 HOW TO: Support Applications That Are Built on the .NET Framework
818015 HOW TO: Tune and Scale Performance of Applications That Are Built on the .NET Framework
818014 HOW TO: Secure Applications That Are Built on the .NET Framework
Adjust .NET Framework Security on a Zone-by-Zone Basis
The .NET Framework assigns trust levels to managed assemblies. These assignments are
based, in part, on the zone where the assembly runs. The standard zones
are My Computer, Local Intranet, Internet, Trusted Sites, and Untrusted Sites.
You may have to increase or decrease the trust level that is associated with
one of these zones. The .NET Framework includes tools for
adjusting these settings.
For additional information about adjusting the trust assigned to a
zone, click the following article number to view the article in the Microsoft Knowledge Base:
815148 HOW TO: Adjust .NET Framework Security on a Zone-by-Zone Basis
Adjust the Level of Trust That You Give to a .NET Framework Assembly
The .NET Framework includes many ways to determine the level of
trust that you should grant to an assembly. However, you can make exceptions to
the rules to enable a specific assembly to receive a higher level of trust than
it would typically receive based on the evidence provided to the common language
runtime. The .NET Framework provides a wizard tool specifically for this
purpose.
For additional information about how to adjust the trust levels for an assembly, click the following article number to view the article in the Microsoft Knowledge Base:
815147 HOW TO: Change the Trust Level for a .NET Framework Assembly
Restore Policy Levels That Have Been Customized
As an Administrator, you have complete control over the access that you grant to
assemblies that run at the various trust levels. If you customize trust levels, you may experience problems when you run an application that typically runs under a standard trust
level. However, you can quickly restore policy levels to their default
settings.
For additional information about how to restore policy levels to their default settings, click the following article number to view the article in the Microsoft Knowledge Base:
815165 HOW TO: Restore the Default Policy Levels for ASP.NET Applications
Evaluate the Permissions That Are Granted to an Assembly
When you have enterprise, machine, and user security configuration
policies, and customizable trust levels, it can be difficult to assess
the permissions that have been granted to a managed assembly. The .NET Framework Configuration
tool includes a simple method to evaluate these permissions.
For additional information about how to evaluate permissions that have been granted to an assembly, click the following article number to view the article in the Microsoft Knowledge Base:
815170 HOW TO: Evaluate the Permissions That Are Granted to an Assembly
Audit the Security of .NET-Connected Applications
During upgrades, testing, and troubleshooting, the
configuration of production systems may change in unintentional ways. For
example, an administrator might grant administrative credentials to a user
while determining whether an error is related to access
rights. If that administrator forgets to revoke those elevated credentials after
completing the troubleshooting process, the integrity of the system is
compromised.
Because system security can be degraded over time by this type of action, it is a good idea to perform regular audits. To do this, document key aspects of a pristine
system to create a baseline measure. Compare the current settings against the baseline over time to
determine whether any changes have been made that significantly weaken the security of the
system.
For additional information about specific configuration items that you should audit for .NET-connected applications, or specifically for ASP.NET applications, click the following article numbers to view the articles in the Microsoft Knowledge Base:
815143 HOW TO: Audit the Security of the .NET Framework Configuration
815144 HOW TO: Audit the Security of an ASP.NET Web Application or Web Service
Configure a .NET-Connected Application and Microsoft SQL Server to Use an Alternate Port Number for Network Communications
Many automated tools identify
available services and vulnerabilities by querying well known port numbers. These tools include both legitimate security
assessment tools and tools that malicious users might use.
One
way to reduce the exposure to these types of tools is to change the port number
that the applications use. You can apply this method to .NET-connected
applications that rely on a back-end Microsoft SQL Server database. This method works if both the
server and the client are correctly configured.
For additional information about how to change the port number a .NET-connected application uses to communicate with a computer running SQL Server, click the following article number to view the article in the Microsoft Knowledge Base:
815146 HOW TO: Configure a .NET-Connected Application and SQL Server to Use an Alternate Port Number for Network Communications
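As an added example that is not part of this article or the referenced KB article, the client-side half of the change: a web.config appSettings entry whose SQL Server connection string names an alternate port. The server name (dbserver), database name (Orders) and port (14330) are constructed placeholders. The server side must be configured to listen on that same port (for SQL Server 2000, through the Server Network Utility), or the client connection fails.

```xml
<configuration>
  <appSettings>
    <!-- Weak setting: the default SQL Server port 1433, which is the
         first port that automated scanners probe for a database server.
         <add key="SqlConnection"
              value="Data Source=dbserver,1433;Initial Catalog=Orders;Integrated Security=SSPI;" />
    -->

    <!-- Corrected setting: the alternate port follows the server name after a comma.
         Network Library=DBMSSOCN forces TCP/IP, which is the only network library
         for which the port number applies. Integrated Security=SSPI connects as the
         ASPNET account, so that account must be granted rights in SQL Server. -->
    <add key="SqlConnection"
         value="Data Source=dbserver,14330;Network Library=DBMSSOCN;Initial Catalog=Orders;Integrated Security=SSPI;" />
  </appSettings>
</configuration>
```

Changing the port is obscurity, not a control: a scanner that probes every port still finds the service, so the firewall and SQL Server privilege settings described later in this article remain necessary.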
Lock Down an ASP.NET Web Application or Web Service
There are many ways to increase the security of ASP.NET
Web applications and Web services. For example, you can use packet filtering, firewalls,
restrictive file permissions, the URL Scan ISAPI filter, and carefully
controlled SQL Server privileges. It is a good idea to review these
different methods to provide security-in-depth for ASP.NET applications.
For additional information about how to increase ASP.NET-application security at multiple layers, click the following article number to view the article in the Microsoft Knowledge Base:
815145 HOW TO: Lock Down an ASP.NET Web Application or Web Service
Configure NTFS File Permissions to Increase Security of ASP.NET Applications
NTFS file permissions continue to be an important layer of
security for Web applications. ASP.NET applications include many more file
types than previous Web application environments, so it is not obvious
which files the anonymous user account must be able to access.
For additional information about the minimum file permissions that common ASP.NET file types must have, click the following article number to view the article in the Microsoft Knowledge Base:
815153 HOW TO: Configure NTFS File Permissions for Security of ASP.NET Applications
Configure SQL Server Security for Applications That Are Built on the .NET Framework
By default, SQL Server does not grant users the ability to
query or update databases. This rule also applies to ASP.NET applications
and the ASPNET user account. To enable ASP.NET applications to gain access to data
that is stored in a SQL Server database, the database administrator must grant rights
to the ASPNET account.
For additional information about how to configure SQL Server to allow queries and updates from ASP.NET applications, click the following article number to view the article in the Microsoft Knowledge Base:
815154 HOW TO: Configure SQL Server Security for .NET Applications
Configure URLScan to Increase Protection of ASP.NET Web Applications
When you install URLScan on an Internet Information Services 5.0 (IIS 5.0) server, it is
configured to allow ASP 3.0 applications to run. However, when you install the .NET
Framework, the URLScan configuration is not updated to include
the new ASP.NET file types. If you want the added security of the URLScan ISAPI filter for your ASP.NET applications, adjust the URLScan
configuration.
For additional information about how to modify the URLScan configuration to increase security for ASP.NET applications, click the following article number to view the article in the Microsoft Knowledge Base:
815155 HOW TO: Configure URLScan to Protect ASP.NET Web Applications
Require Authentication for ASP.NET Web Applications
Many ASP.NET applications do not allow anonymous access.
An ASP.NET application that requires authentication can use one of the following three methods: Forms authentication, Microsoft .NET Passport authentication, and Windows
authentication. Each authentication method requires a different configuration
technique.
Restrict Specific Users from Gaining Access to Specified Web Resources
ASP.NET includes Forms authentication. This is a unique way
to authenticate users without creating Windows accounts. ASP.NET also includes
the ability to grant or deny these users access to different Web resources.
For additional information about how to control access to Web resources on a per-user basis, click the following article number to view the article in the Microsoft Knowledge Base:
815151 HOW TO: Restrict Specific Users from Gaining Access to Specified Web Resources
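The two preceding sections, requiring authentication and then restricting named users to a resource, are both expressed in web.config. The fragment below is an added example, not taken from this article or the referenced KB articles; the cookie name, login page, folder name and user names are constructed values.

```xml
<configuration>
  <system.web>
    <!-- Forms authentication: ASP.NET redirects any unauthenticated request
         that is denied by an authorization rule to loginUrl. -->
    <authentication mode="Forms">
      <forms name=".APPAUTH" loginUrl="login.aspx" protection="All" timeout="30" />
    </authentication>

    <!-- Site-wide rule. "?" is the anonymous user, so this denies anonymous
         access to every ASP.NET resource. Rules are evaluated top to bottom
         and the first match wins. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-resource rule: only the named users may reach the Admin folder.
       The trailing deny users="*" is required; without it, the machine.config
       default (allow users="*") admits every authenticated user. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow users="alice,bob" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- The login page itself must stay reachable by anonymous users,
       otherwise the redirect to loginUrl loops. -->
  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

These rules apply only to requests that IIS hands to ASP.NET; static files such as images and HTML pages are served by IIS directly unless their extensions are mapped to aspnet_isapi.dll.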
Limit the Web Services Protocols That a Server Permits
By default, ASP.NET supports three ways for Web services
clients to issue requests to Web services: SOAP, HTTP GET, and HTTP PUT. However, most
applications require only one of these three methods. It is a good
idea to reduce the attack surface by disabling any unused
protocols.
For additional information about how to disable unused Web services protocols, click the following article number to view the article in the Microsoft Knowledge Base:
815150 HOW TO: Limit the Web Services Protocols that a Server Permits
Do Not Permit Browser Access to .NET-Connected Web Services
ASP.NET Web services provide a browser-friendly interface to
make it easier for developers to create Web services clients. This friendly interface
permits anyone who can reach the Web service to view the complete details of the
methods that are available and any required parameters. This access is useful for
public Web services that include only publicly available methods. However, it may
decrease the security of private Web services.
For additional information about how to control access to Web resources on a per-user basis, click the following article number to view the article in the Microsoft Knowledge Base:
815151 HOW TO: Restrict Specific Users from Gaining Access to Specified Web Resources
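Both the protocol restriction in the previous section and the browser-access restriction in this one are settings of the same webServices/protocols element, so one web.config fragment serves both. It is an added example, not from this article or the referenced KB articles; the protocol names HttpGet, HttpPost and Documentation are the names that machine.config uses for the HTTP bindings and the browser help page.

```xml
<configuration>
  <system.web>
    <webServices>
      <protocols>
        <!-- Keep only SOAP. The HTTP GET and HTTP POST bindings let a client
             call a Web method with a plain URL or form post; if the application's
             clients use SOAP only, remove the other bindings to reduce the
             attack surface. A <remove> only takes effect for a protocol that
             machine.config has added. -->
        <remove name="HttpGet" />
        <remove name="HttpPost" />

        <!-- Removing Documentation disables the browser-friendly help page that
             lists every method and its parameters, and the ?WSDL response that
             the same page serves. Anyone browsing to the .asmx file now receives
             an error instead of a description of the service. -->
        <remove name="Documentation" />
      </protocols>
    </webServices>
  </system.web>
</configuration>
```

Developers who generate client proxies from the WSDL need the Documentation protocol enabled on a development copy of the service, or the WSDL file published by another route.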
Use ASP.NET to Protect File Types
The structure of ASP.NET applications causes many private
files to be stored with files that end-users request. ASP.NET
protects these files by intercepting requests for the files and returning an
error. You can extend this type of protection to any file type by using configuration settings. If your application includes unusual file types that
should remain private, you can use ASP.NET file protection to protect
those files.
For additional information about how to configure ASP.NET to protect nonstandard file types, click the following article number to view the article in the Microsoft Knowledge Base:
815152 HOW TO: Use ASP.NET to Protect File Types
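An added example, not from this article or the referenced KB article, of extending ASP.NET file protection to nonstandard file types. The handler System.Web.HttpForbiddenHandler is the one machine.config already uses for .config, .cs and similar private types; the extensions .dat and .tpl are constructed examples.

```xml
<configuration>
  <system.web>
    <httpHandlers>
      <!-- Any request for a file with these extensions is answered by
           HttpForbiddenHandler, which returns an error instead of the file
           contents, regardless of where the file sits under the application.
           verb="*" covers GET, POST, HEAD and every other method. -->
      <add verb="*" path="*.dat" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.tpl" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>
</configuration>
```

This protection only works for requests that reach ASP.NET: each extension must also be mapped to aspnet_isapi.dll in the IIS application mappings for the site, because IIS otherwise serves the file as static content before ASP.NET sees the request.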