Article ID: 815144
This article has been archived. It is offered "as is" and will no longer be updated.
This step-by-step article describes how to audit the security of an ASP.NET Web Application or an ASP.NET Web Service.
The security of a system decreases as new elements are added to the system’s ideal configuration. New application installations, software updates, temporary configuration changes, and troubleshooting change aspects of a system’s security configuration. Whether intentional or unintentional, these changes may cause the system to no longer meet security requirements. To reduce this effect, perform regular audits of the system security configuration. Document and evaluate any changes to the security configuration that have been introduced to the system. When necessary, reverse these changes.
This article describes the key configuration settings that affect an ASP.NET application. Document these settings when you first configure your system in its clean state. Perform regular audits to compare the current settings against the original settings. These audits help you to prevent the system’s security from degrading over time. This article does not describe how to configure these settings.
For additional information about auditing security configuration items that are related to .NET Framework applications and are not ASP.NET, click the following article number to view the article in the Microsoft Knowledge Base:
HOW TO: Audit the Security of a .NET Framework Configuration (http://support.microsoft.com/kb/815143/EN-US/)
The .NET Framework uses a hierarchy of files to determine the policy that is applied to an application. The following file contains the default configuration settings:
\System Root\Microsoft.NET\Framework\Version\CONFIG\Machine.config
These settings may be overridden in the application’s root folder (or any subfolder) by a file named Web.config or ApplicationName.config. You must audit all these files to accurately assess an application’s security configuration. The following are the important elements of the config file:
To easily audit the file permissions for a large number of files, use the Cacls.exe command-line utility to write the permissions to a text file. Each time that you perform an audit, compare this text file to the file that you created when the system was clean, and then note any changes.
To write all file permissions that are associated with the C:\inetpub\wwwroot\ folder and all subfolders to a file named Output.txt, run the following command at a command prompt:
CACLS C:\inetpub\wwwroot\* /T > output.txt
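The comparison step described above, as an added example that is not part of the Knowledge Base article: a Python script that parses two CACLS /T listings (the clean baseline and a later Output.txt) into per-file ACE maps and reports every added, removed or changed permission. The account-name grammar and both sample listings are constructed assumptions, not output captured from a real system.

```python
"""Compare two CACLS /T listings (baseline vs. current) and report every ACE change."""
import re
from collections import defaultdict

# Assumed account grammar: DOMAIN\name (space only in "NT AUTHORITY"/"NT SERVICE") or a well-known bare name.
ACCOUNT = r"(?:(?:NT AUTHORITY|NT SERVICE|[\w.\-]+)\\[\w.\- ]+|Everyone|CREATOR OWNER|CREATOR GROUP)"
ENTRY = re.compile(r"^(?P<path>\S.*?)\s+(?P<account>" + ACCOUNT + r"):(?P<perm>\S+)$")
CONT = re.compile(r"^\s+(?P<account>" + ACCOUNT + r"):(?P<perm>\S+)$")

# Constructed sample of CACLS output captured when the system was clean.
BASELINE = """\
C:\\inetpub\\wwwroot BUILTIN\\Administrators:(OI)(CI)F
                   NT AUTHORITY\\SYSTEM:(OI)(CI)F
                   BUILTIN\\Users:(OI)(CI)R
C:\\inetpub\\wwwroot\\web.config BUILTIN\\Administrators:F
                              BUILTIN\\Users:R
"""
# Constructed sample from a later audit: Users can now change wwwroot,
# web.config is readable by Everyone, and a new world-writable folder exists.
CURRENT = """\
C:\\inetpub\\wwwroot BUILTIN\\Administrators:(OI)(CI)F
                   NT AUTHORITY\\SYSTEM:(OI)(CI)F
                   BUILTIN\\Users:(OI)(CI)C
C:\\inetpub\\wwwroot\\web.config BUILTIN\\Administrators:F
                              BUILTIN\\Users:R
                              Everyone:R
C:\\inetpub\\wwwroot\\uploads Everyone:(OI)(CI)F
"""

def parse_cacls(text):
    """Return {path: {account: permission}} from CACLS output text."""
    acl, path = defaultdict(dict), None
    for line in filter(str.strip, text.splitlines()):
        m = CONT.match(line) if line[0].isspace() else ENTRY.match(line)
        if m is None or (path is None and "path" not in m.groupdict()):
            raise ValueError(f"unrecognised CACLS line: {line!r}")
        path = m.groupdict().get("path", path)   # new file entry or continuation ACE
        acl[path][m.group("account")] = m.group("perm")
    return dict(acl)

def diff_acls(baseline, current):
    """List (path, account, old_perm, new_perm); None marks an added or removed ACE."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path, {}), current.get(path, {})
        for account in sorted(set(old) | set(new)):
            if old.get(account) != new.get(account):
                changes.append((path, account, old.get(account), new.get(account)))
    return changes
```

Run it against the two files instead of the embedded samples by passing their contents to parse_cacls; any non-empty result from diff_acls is a change to document, evaluate and, where necessary, reverse.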
Audit SQL Server Configuration Items
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
HOW TO: Secure an ASP.NET Application by Using Windows Security (http://support.microsoft.com/kb/315736/EN-US/)
HOW TO: Secure an ASP.NET Application Using Client-Side Certificates (http://support.microsoft.com/kb/315588/EN-US/)