This step-by-step article describes how to lock down an
ASP.NET Web Application or Web Service. Web applications are frequently the
target for malicious attacks.
There are many steps that you can take to reduce
the risk that is associated with hosting a Web application. At a high level, ASP.NET
applications benefit from the same security measures as conventional Web
applications. However, the ASP.NET file name extensions and the use of security require
special consideration. This article describes several key mechanisms for
securing ASP.NET Web applications.
For more information about security,
visit the following Microsoft Web site:
ASP.NET requires no special consideration when you configure
networking equipment or firewall programs for port-based packet filtering. Internet
Information Server (IIS) defines the
TCP port numbers that ASP.NET uses for communications. By default, ASP.NET uses TCP port 80 for standard HTTP, and uses TCP
port 443 for HTTP with SSL encryption.
Application Layer Firewalls
Application layer firewalls, such as Microsoft Internet Security
and Acceleration Server, can analyze the details of incoming Web
requests, including the HTTP command that is issued and the file that is requested.
Depending on the application, different file types may be requested. An ASP.NET client might legitimately request files that have any of the
following file name extensions,
depending on the application functionality:
Files that are included in
an ASP.NET application can use the following file name extensions. However, a firewall should never forward such files to end users. Depending on the development environment, developers may issue
Web requests for these extensions:
You must configure the firewall to restrict the types of HTTP
commands that can be submitted to an ASP.NET application. Specifically, you must permit only
GET, HEAD, and POST commands from end-user browsers.
Developers may have to gain access to other HTTP commands, also.
You can effectively reduce
the risk of private information being compromised. To do this, restrict the NTFS file permissions. By
default, the ASP.NET applications run in the context of the ASPNET user account. For more security,
you can configure appropriate permissions for ASPNET user account.
For additional information about configuring NTFS file permissions, click the following article number to view the article in the Microsoft Knowledge Base:
HOW TO: Configure NTFS file permissions for security of ASP.NET applications
URLScan is a Microsoft ISAPI filter that is designed to provide more detailed
filtering of incoming Web requests on IIS 5.0 servers. URLScan provides many
capabilities of an Application Layer firewall, and can filter requests based on
file name, path, and request type. For more information about the URLScan security
tool, visit the following Microsoft Web site:
For additional information about URLScan, click the following article number to view the article in the Microsoft Knowledge Base:
HOW TO: Configure URLScan to protect ASP.NET Web applications
Configure SQL Server Security
Many ASP.NET applications communicate with a Microsoft SQL Server
database. It is common for malicious attacks against a database to use an
ASP.NET application, and then take the advantage of the permissions that the database
administrator has granted to the application. To offer the greatest level of
protection against such attacks, configure your database permissions to limit the permissions that you grant to ASP.NET. Grant only the minimum permissions that the application must have to function.
example, limit ASP.NET to Read permissions for only those views, tables, rows,
and columns that the application must have access to. Where the application does
not directly update a table, do not grant to ASP.NET the permission to
submit updates. For more security, configure appropriate permissions for
the ASPNET user account.
For additional information about configuring SQL Server, click the following article number to view the article in the Microsoft Knowledge Base:
HOW TO: Configure SQL Server security for .NET applications
For more information, visit the following Microsoft
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
HOW TO: Secure applications that are built on the .NET Framework