Security configurations for MVC application & IIS

1. Make sure web content is on non-system partition.
2. Remove or rename well-known urls.
   %systemdrive%\inetpub\AdminScripts
   %systemdrive%\inetpub\scripts\IISSamples
   http://localhost/iissamples
   http://localhost/iishelp
   http://localhost/printers
   http://localhost/iisadmpwd
3. Require a host headers on all sites. Don’t bind http:/*:80 to any site.
4. Disable directory browsing
5. Set default application pool identity to least privilege principal.
6. Ensure application pools run under unique identities, and unique application pools for different sites.
7. Config anonymous user identity to use application pool identity, this will greatly reduce the number of accounts needed for websites.
   open applicationHost.config and make sure you set the userName attribute of the anonymousAuthentication tag is set to a blank string.

<system.webServer> <security> <authentication> <anonymousAuthentication userName = ""/> </authentication> </security> </system.webServer>

8. Configure authentications,
   a. Ensure sensitive site features is restricted to authenticated principals only.

<system.webServer> <security> <authorization> <remove users="*" roles="" verbs="" /> <add accessType="Allow" roles="administrators" /> </authorization> </security> </system.webServer> </configuration>

b. Require SSL in forms authentications and configure forms authentication to use cookies.

<system.web> <authentication> <forms cookieless="UseCookies" requireSSL="true" /> </authentication> </system.web>

c. Configure cookie protection mode for forms authentication.

<system.web> <authentication> <forms cookieless="UseCookies" protection="All" /> </authentication> </system.web>

d. Never save password in clear format!!
8. Asp.net configurations.
   a. Set deployment method to retail, modify machine.config

<system.web>   <deployment retail="true" /> </system.web> When the retail attribute is set to true, ASP.NET disables trace output, disables debug capabilities, and disables detailed system-generated error messages for remote users. For applications that have a customErrors element in the application Web.config file, the mode attribute is forced to On. These settings override any settings that are made in application Web.config files. Note that you should continue to set the debug attribute to false in application’s Web.config files that are deployed to the server. The debug setting disables request execution timeout, and this is not overridden by the retail setting.

b. Turn debug off.

<system.web> <compilation debug="false" /> </system.web> </configuration>

c. Ensure custom error messages are not off.

<customErrors mode="RemoteOnly"/> or <customErrors mode = "On"/>

d. Ensure failed request tracing is not enabled.
– Open IIS.
– Go to Connections pane, select server connection, site, application or directory.
– In actions pane, click failed request tracing… make sure the checkbox is not checked.
e. Configure to use cookies mode for session state in web.config

<system.web> <sessionState cookieless="UseCookies" /> </system.web>

f. Ensure cookies are set with HttpOnly attribute in web.config. This will stop client side script access to cookies.

<configuration> <system.web> <httpCookies httpOnlyCookies="true" /> </system.web> </configuration>

g. Set global .NET trust level. Open IIS, in the features view, double click .NET Trust Levels.
9. Request filtering & restrictions in web.config, set maxAllowedContentLength, maxUrl, maxQueryStringallowHighBitCharacters (setting to dis-allow non-ASCII characters) & allowDoubleEscaping.

<system.webServer> <security> <requestFiltering allowHighBitCharacters="false" allowDoubleEscaping = "false"> <requestLimits  maxAllowedContentLength="30000000" maxUrl="4096" maxQueryString="1024" /> </requestFiltering> </security> </system.webServer> </configuration>

11. Disallow unlisted file extensions in web.config.

For MVC applications, Extensionless URLs that were introduced in ASP.NET 4. To allow extensionless addresses, add <add fileExtension="." allowed="true" /> to your web.config as below: <system.webServer> <security> <requestFiltering> <fileExtensions allowUnlisted="false" > <add fileExtension="." allowed="true"/> <!--<add fileExtension=".asp" allowed="true"/> <add fileExtension=".aspx" allowed="true"/> <add fileExtension=".html" allowed="true"/>--> </fileExtensions> </requestFiltering> </security> </system.webServer> </configuration> It will allow only controller(extensionless) and block all other(any extens). The *. handler is specific to ASP.NET 4.0 and is added when you install ASP.NET 4.0. This handler is there to provide support for extensionless URLs.

12. Enable advanced iis logging

https://www.iis.net/downloads/microsoft/advanced-logging

13. Enable dynamic ip restication

https://www.iis.net/downloads/microsoft/dynamic-ip-restrictions

14.  To prevent HTTP TRACE requests to your server
In the Deny Verb dialog box, enter the HTTP verb that you wish to block, and then click OK. 

<system.webServer>
<security>
<requestFiltering allowHighBitCharacters="false" allowDoubleEscaping="false"> <requestLimits maxAllowedContentLength="30000000" maxUrl="4096" maxQueryString="2048" /> <fileExtensions allowUnlisted="false"> <add fileExtension=".aspx" allowed="true" /> <add fileExtension=".axd" allowed="true" /> <add fileExtension=".css" allowed="true" /> <add fileExtension=".csv" allowed="true" /> <add fileExtension=".qif" allowed="true" /> <add fileExtension=".ofx" allowed="true" /> <add fileExtension=".doc" allowed="true" /> <add fileExtension=".docx" allowed="true" /> <add fileExtension=".eot" allowed="true" /> <add fileExtension=".gif" allowed="true" /> <add fileExtension=".htm" allowed="true" /> <add fileExtension=".html" allowed="true" /> <add fileExtension=".jpg" allowed="true" /> <add fileExtension=".js" allowed="true" /> <add fileExtension=".ico" allowed="true" /> <add fileExtension=".mp3" allowed="true" /> <add fileExtension=".mp4" allowed="true" /> <add fileExtension=".m4v" allowed="true" /> <add fileExtension=".ogg" allowed="true" /> <add fileExtension=".ogv" allowed="true" /> <add fileExtension=".oga" allowed="true" /> <add fileExtension=".otf" allowed="true" /> <add fileExtension=".pdf" allowed="true" /> <add fileExtension=".png" allowed="true" /> <add fileExtension=".spx" allowed="true" /> <add fileExtension=".svc" allowed="true" /> <add fileExtension=".svg" allowed="true" /> <add fileExtension=".svgz" allowed="true" /> <add fileExtension=".txt" allowed="true" /> <add fileExtension=".ttf" allowed="true" /> <add fileExtension=".webm" allowed="true" /> <add fileExtension=".woff" allowed="true" /> <add fileExtension=".woff2" allowed="true" /> <add fileExtension=".xls" allowed="true" /> <add fileExtension=".xlsx" allowed="true" /> <add fileExtension=".xml" allowed="true" /> <add fileExtension="." allowed="true" /> </fileExtensions> <verbs> <add verb="TRACE" allowed="false" /> </verbs> </requestFiltering> </security>

  </system.webServer>

------------------------------------------------------------------------------------------

Encrypt Decrypt connectionstring in Web.Config easily

To Encrypt Connection string in Web.Config files, We can follow these steps.

1. Open C:\Windows\System32\CMD.exe As Administrator
2. In CMD type CD C:\Windows\Microsoft.NET\Framework64\v4.0.30319
3. In CMD type aspnet_regiis.exe -pef connectionStrings “Path of the Folder containing the Web.Config file”
   Ex: aspnet_regiis.exe -pef “connectionStrings” “D://PROJECTS/SAMPLE_PROJECT”
4. Set to identity impersonate false for project web.config
   <system.web>
<identity impersonate="true" />
</system.web>

For Decryption, you can use the below command.

1. Open C:\Windows\System32\CMD.exe As Administrator
2. In CMD type CD C:\Windows\Microsoft.NET\Framework64\v4.0.30319
3. In CMD type aspnet_regiis.exe -pdf “connectionStrings” “Path of the Folder containing the Web.Config file”
   Ex: aspnet_regiis.exe -pdf “connectionStrings” “D://PROJECTS/SAMPLE_PROJECT”

Cross-Site Request Forgery (CSRF)

A CSRF vulnerability allows an attacker to force a validated and logged in user to perform actions without their consent or unknowingly.

Solution:

Add @Html.AntiForgeryToken()

Cross-Site Scripting (XSS) attacks

Solution: 

1. [ValidateInput(false)]
2. [AllowHtml]
3. [RegularExpressionAttribute]
4. AntiXSS Library

List of Regular Expression to Use.

Alphabets and Space

[a-zA-Z ]+$

Alphabets

^[A-z]+$

Numbers

^[0-9]+$

Alphanumeric

^[a-zA-Z0-9]*$

Email

[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?

Mobile no.

^([7-9]{1})([0-9]{9})$

Date Format( mm/dd/yyyy | mm-dd-yyyy | mm.dd.yyyy)

/^(0[1-9]|1[012])[- /.](0[1-9]|[12][0-9]|3[01])[- /.](19|20)\\d\\d+$/

Website URL

^http(s)?://([\\w-]+.)+[\\w-]+(/[\\w- ./?%&=])?$

Credit Card Numbers

Visa

^4[0-9]{12}(?:[0-9]{3})?$

MasterCard

^5[1-5][0-9]{14}$

American Express

^3[47][0-9]{13}$

Decimal number

((\\d+)((\\.\\d{1,2})?))$