From: Henry Sieff (hsieff_at_orthodon.com)
Date: Fri Oct 25 2002 - 18:39:01 CDT

    No, sadly. Part of the problem is that the technology isn't mature yet, the
    other part is that .net really puts the burden for security on the
    application design.

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp
    discusses authentication in a .net environment.

    http://www.dotnetjunkies.com/tutorials.aspx?tutorialid=396 gives a nice
    overview of how IIS, Windows, and .NET work together. One of the articles he
    references is
    http://msdn.microsoft.com/msdnmag/issues/02/04/ASPSec/default.aspx, which is
    also not bad.

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconsecuringyourapplication.asp

    When this topic came up earlier, somebody mentioned this article:
    http://tiberi.us/view_article.aspx?article_id=27, not bad.

    But none of them speak exactly to what you're asking, which is what every
    admin who needs to support .net is going to be asking, which is "Exactly
    what do I do to make sure the server itself is as secure as possible?"

    Again, the two factors previously mentioned are responsible: once you've
    done the locking down of IIS, you need to move onto setting security on the
    Web services themselves, things like code access (remember, the whole idea
    behind .net is to expose executable code to the world via http:
    WHOOOOOO-HOOOOOOOO). Also, authentication to specific apps. And unlike the
    best practices for securing IIS, all of the BP's stuff I've read is really
    geared towards developers or focuses on securing access to the components.

    At this point, we are not using ASP.NET for remotely accessible
    applications. We definitely will, but not until me and the developers at my
    Co. can figure out what we need to do.

    Anyways, sorry for the ramble; this issue has come up here before, and I
    watched hoping for someone to come up with a white paper. Then I did some
    searching; I found no comprehensive guide, but a lot of good resources. At
    this point, you, me, and everyone else tasked with deploying .net based apps
    will have to formulate our own best practices based on careful study of the
    basic info out there.

    Henry
    > -----Original Message-----
    > From: Tyler Davis [mailto:tdavissonicdev.com]
    > Sent: Friday, October 25, 2002 1:58 AM
    > To: focus-mssecurityfocus.com
    > Subject: Securing ASP.NET for Hosting
    >
    >
    > Anyone got a link to any sites or whitepapers with info on securing
    > asp.net in a hosting environment?
    > I've already got win2k and iis5 locked down, just need some info on
    > asp.net
    >
    > Thanks,
    > Tyler
    >