Recommendations for ASP.NET security settings

Introduction

This document contains general recommendations for ASP.NET-related security settings, to be used as a checklist after installing an EPiServer website. Below you will find recommendations for some common ASP.NET-related security areas, and how to manage these for EPiServer websites.

Weak password account lockout policy and password change functionality

EPiServer uses standard ASP.NET mechanisms for password handling, which allows things like password complexity policies to be configured. It is also possible to configure EPiServer to use Windows or Active Directory for authentication, meaning that password changes and lock-out policy is delegated. 

It is always recommended to have strong password complexity requirements on user accounts, and to ensure that any changes to user accounts always involves the user’s current password. There is also a possibility to use a different Membership provider for EPiServer, that does not allow for password change. Either subclassing the SqlServerMembershipProvider or using the ActiveDirectoryMembership provider will both work equally well.

Refer to the Microsoft references below for more information on how to manage membership accounts.

• Storage of membership information
• Password evaluation and complexity
• Account lockout policy

Cross-site request forgery (CSRF) and reflected cross-site scripting

In EPiServer, issues with CSRF can be addressed by using an HTTPS/SSL layer since this will block anyone else from being able to replay a request, as they do not have access to its contents. 

Ineffective session termination

EPiServer uses standard ASP.NET mechanisms for authentication which does not support active logout, and it is basically sessionless. It might be possible to extend ASP.NET, but that is not a feature provided by EPiServer. The recommendation here is to use HTTPS for secure communication, since this will not allow for third parties to sniff the session token.

It is possible to extend ASP.NET's FormsAuthentication ticket with active logout, but that is not a feature provided by EPiServer out-of-the-box.

Header disclosure

Through the use of IIS and ASP.NET, some informational HTTP headers will be added to a response, which might expose security-releated information like ASP.NET and IIS versions.This can be modified using standard ASP.NET techniques and is not specific to EPiServer. It should be dealt with as part of standard application hardening. The X-AspNetMvc-Version header may be removed with a simple set of the MvcHandler.DisableMvcResponseHeader property.

Refer to the blog post Removing HTTP Headers for ASP.NET sites for information on how to avoid disclosing server software information through HTTP headers.

Disabling of autocomplete

The recommendation is to build a custom login page with auto-complete disabled, replacing the default login page. Forms containing user names and passwords or other sensitive information, should have the autocomplete option disabled on both the form and the sensitive fields.

Vulnerability to clickjacking attacks

You can avoid clickjacking attacks on websites by ensuring that content is not embedded into other sites using frames. The X-Frame-Options HTTP response header should be used to defend against clickjacking attacks. This header indicates that the current page should not be loaded in a frame, and through code you can blank the contents of the page if it is framed by another domain.

Refer to the recommendations described in the article The X-Frame-Options response header.

See also

• Security
• Authentication and authorization
• Configuring active directory membership provider

Last updated: Feb 23, 2015