Saturday, September 7, 2013

Web.Config Security Guidelines

http://www.iis.net/configreference/system.webserver/security
http://www.petefreitag.com/item/741.cfm
<configuration>
   <system.webServer>
       <httpProtocol>
         <customHeaders>
           <remove name="X-Powered-By"/>
         </customHeaders>
       </httpProtocol> 
       <security>
         <requestFiltering>
            <!-- block /CFIDE -->
            <denyUrlSequences>
               <add sequence="/CFIDE"/>
            </denyUrlSequences>
            <!-- deny every file extension except the ones listed below (aspx, svc, cfm, js, css, html) -->
            <fileExtensions allowUnlisted="false" applyToWebDAV="true">
               <add fileExtension=".aspx" allowed="true" />
               <add fileExtension=".svc" allowed="true" />
               <add fileExtension=".cfm" allowed="true" />
               <add fileExtension=".js" allowed="true" />
               <add fileExtension=".css" allowed="true" />
               <add fileExtension=".html" allowed="true" />
            </fileExtensions>
            <!-- hide configuration dir -->
            <hiddenSegments applyToWebDAV="true">
               <add segment="configuration" />
            </hiddenSegments>
            <!-- limit request body to 10 MB (10485760 bytes), query string to 256 bytes, URL to 1024 bytes -->
            <requestLimits maxQueryString="256" maxUrl="1024" maxAllowedContentLength="10485760" />
            <!-- only allow the GET and POST verbs; HEAD, OPTIONS, PUT, DELETE, TRACE etc. are rejected -->
            <verbs allowUnlisted="false" applyToWebDAV="true">
               <add verb="GET" allowed="true" />
               <add verb="POST" allowed="true" />
            </verbs>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
Or the settings can be scoped to one part of the web application with a <location> element (placed inside <configuration>). Note that the authentication and access sections are locked at the server level by default (overrideModeDefault="Deny" in applicationHost.config) and must be unlocked there before a site-level web.config is allowed to set them.
<location path="Contoso">
   <system.webServer>
      <security>
         <authentication>
            <windowsAuthentication enabled="true" />
            <basicAuthentication enabled="false" />
            <anonymousAuthentication enabled="false" />
         </authentication>
         <access sslFlags="Ssl, SslNegotiateCert, Ssl128" />
         <requestFiltering>
            <fileExtensions>
               <add fileExtension=".inc" allowed="false" />
            </fileExtensions>
            <denyUrlSequences>
               <add sequence="_vti_bin" />
               <add sequence="_vti_cnf" />
               <add sequence="_vti_pvt" />
            </denyUrlSequences>
         </requestFiltering>
      </security>
   </system.webServer>
</location>
 
Additionally, also consider:
  1. Adding an HttpModule that strips the "Server" header (for example in the PreSendRequestHeaders event). IIS adds this header after the web.config customHeaders section is applied, so <remove name="Server"/> has no effect there. (Newer IIS 10 builds also expose a removeServerHeader attribute on requestFiltering for this.)
  2. Making sure the custom ASP.NET error page can never throw an exception itself. If it does, ASP.NET falls back to its default error response, which may disclose stack traces, physical paths and version information. It is cleaner to handle the Error event in a second HttpModule (or to point customErrors at a static page) and show a standard error page.
  3. Preferring later versions of TLS where available. TLS 1.2 is not used automatically and is disabled by default on Windows Server 2008; it is switched on through the Schannel registry keys. See here.
  4. Encrypting ViewState, and keeping the ViewState MAC enabled, so that server-side state round-tripped through the client can be neither read nor tampered with.
  5. Never putting the session id in the URL; URLs leak through Referer headers, proxy and server logs and bookmarks.
  6. Scoping every cookie to your site only (always prefer non-persistent session cookies where possible): leave the cookie domain unset so it is host-only, and mark cookies HttpOnly and Secure.
  7. Preferably allowing only one session per user at a time. If the same user attempts to access the site twice, alert them, or at worst revoke the session.
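The system.web settings that implement items 2, 4, 5 and 6 above, as an added example that is not part of the original post. It is a self-contained web.config fragment: the error page paths (Error.html, NotFound.html), the session timeout and the machineKey algorithms are assumptions for illustration, and the static .html error pages rely on .html being an allowed extension in the requestFiltering block at the top of the page.

```xml
<configuration>
  <system.web>
    <!-- Item 2: send unhandled exceptions to a static page that cannot itself throw.
         RemoteOnly keeps the full detail on localhost for developers only.
         ResponseRewrite serves the page in place rather than issuing a 302 that
         carries the failing path in ?aspxerrorpath=... (paths are assumptions) -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.html" redirectMode="ResponseRewrite">
      <error statusCode="404" redirect="~/NotFound.html" />
    </customErrors>

    <!-- Item 4: encrypt and MAC-protect ViewState on every page.
         Algorithms are an assumption; set explicit validationKey/decryptionKey
         values when more than one server hosts the same application (web farm). -->
    <pages viewStateEncryptionMode="Always" enableViewStateMac="true" />
    <machineKey validation="HMACSHA256" decryption="AES" />

    <!-- Item 5: never carry the session id in the URL; the 20 minute timeout is an assumption. -->
    <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />

    <!-- Item 6: cookies are only sent over HTTPS and are invisible to client script.
         Leaving the 'domain' attribute unset yields a host-only cookie scoped to this site. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Companion to the X-Powered-By removal above: drop the X-AspNet-Version header. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>
```

If the site uses forms authentication rather than the Windows authentication shown in the <location> example, the same rules apply to the authentication ticket: set requireSSL="true" and cookieless="UseCookies" on the <forms> element. requireSSL on httpCookies will make ASP.NET refuse to emit cookies over plain HTTP, so apply it only once the whole site is served over TLS.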

1 comment:

  1. Note that applying the above settings into a web.config file can be problematic and not ideal. Some settings cannot be applied if already applied by a preceding config file (machine.config), others can only be applied in the machine config. In any case it's silly to only apply settings to your site if instead attacking the root will yield the same results.
