HOW TO: Audit the Security of an ASP.NET Web Application or Web Service

This step-by-step article describes how to audit the security of an ASP.NET Web Application or an ASP.NET Web Service.

The security of a system decreases as new elements are added to the system’s ideal configuration. New application installations, software updates, temporary configuration changes, and troubleshooting change aspects of a system’s security configuration. Whether intentional or unintentional, these changes may cause the system to no longer meet security requirements. To reduce this effect, perform regular audits of the system security configuration. Document and evaluate any changes to the security configuration that have been introduced to the system. When necessary, reverse these changes.

This article describes the key configuration settings that affect an ASP.NET application. Document these settings when you first configure your system in its clean state. Perform regular audits to compare the current settings against the original settings. These audits help you to prevent the system’s security from degrading over time. This article does not describe how to configure these settings.

For additional information about auditing security configuration items that are related to .NET Framework applications and are not ASP.NET, click the following article number to view the article in the Microsoft Knowledge Base:

.NET Framework Configuration Items

The .NET Framework uses a hierarchy of files to determine the policy that is applied to an application. The following file contains the default configuration settings: These settings may be overridden in the application’s root folder (or any subfolder) by a file named Web.config or ApplicationName.config. You must audit all these files to accurately assess an application’s security configuration. The following are the important elements of the config file:

• <trace> (specifically, the enabled attribute and the localOnly attribute)
• <processModel>
• <customErrors>
• <authentication> (and any elements that are contained in it)
• <identity>
• <authorization>
• <securityPolicy>
• <machineKey>
• <httpHandlers>
• <processModel> (specifically the enable attribute, the username attribute, and the password attribute)
• <protocols> configuration element in the <webServices> element

File Permissions

Include the NTFS file permissions that are associated with ASP.NET files and folders in your audit. These may be inherited from the parent folders, or they may be defined uniquely for each file.

To easily audit the file permissions for a large number of files, use the Cacls.exe command-line utility to write the permissions to a text file. Each time that you perform an audit, compare this text file to the file that you created when the system was clean, and then note any changes.

To write all file permissions that are associated with the C:\inetpub\wwwroot\ folder and all subfolders to a file named Output.txt, run the following command at a command prompt:

IIS Configuration Items

Windows 2000 systems support ASP.NET applications by using Internet Information Services (IIS) 5.0. When you install the .NET Framework, IIS is automatically configured to support ASP.NET. Audit the following settings in IIS regularly:

• Application mappings
  To view application mappings settings, follow these steps:
  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click Administrative Tools, and then double-click Internet Services Manager.
  3. Right-click the virtual server or the virtual folder that contains your ASP.NET application, and then click Properties.
  4. Click the Home Directory tab (or the Directory tab).
  5. Under Application Settings, click Configuration.
  6. Note the file name extensions that are mapped to the Aspnet_isapi.dll file.
• Execute permissions
  To view the execute permissions settings, follow these steps:
  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click Administrative Tools, and then double-click Internet Services Manager.
  3. Right-click the virtual server or the virtual folder that contains your ASP.NET application, and then click Properties.
  4. Click the Home Directory tab (or the Directory tab).
  5. Note whether the Script Source Access, Read, Write and Directory Browsing check boxes are selected. Also note the Execute Permissions setting.

SQL Server Configuration Items

Microsoft SQL Server contains its own security mechanisms that function separately from the .NET Framework configuration, IIS, and NTFS file permissions. Overly permissive SQL Server rights might create a vulnerability in an ASP.NET application that might be used to compromise private data. You can view all aspects of the security configuration for SQL Server as it relates to ASP.NET access by using the SQL Enterprise Manager.

Audit SQL Server Configuration Items

1. Click Start, point to Programs, point to Microsoft SQL Server, and then click SQL Enterprise Manager.
2. Expand your database server, expand Security, and then click Logins.
3. If the ASPNET user account exists, right-click ASPNET, and then click Properties.
4. In SQL Server Login Properties, click the Database Access tab.
5. Note the databases and the roles where the account has been granted access permissions.
6. For each database where the ASPNET account has access permissions, do the following:
   1. Expand the database, and then click Users.
   2. Right-click ASPNET, and then click Properties.
   3. In Database User Properties, click Permissions, and then note the permissions that the ASPNET user has on all tables and views.

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base: