ASP.Net 2.0 Best Practices
Introduction
The Developer Solutions team is creating a Best Practice Analyzer for ASP.Net! Don't know what a Best Practice Analyzer (BPA) tool is? Check out the Microsoft Baseline Security Analyzer (http://www.microsoft.com/downloads/details.aspx?FamilyID=4B4ABA06-B5F9-4DAD-BE9D-7B51EC2E5AC9&displaylang=en) to see what a BPA-style tool looks like when it analyzes your computer for possible security vulnerabilities. See what we are getting at?
We are going to create a Shared Source plugin for a general purpose BPA engine and let anybody and everybody in the community modify the rules document and contribute new best practices--hence creating a community repository of "best practices" for ASP.Net configuration. Before we release though, we want to get a head start and create an awesome "version 1.0" set of rules!
What We Are Looking For
We want this wiki to be used as the sandbox where we "brew up" some best practices. We've divided our best practices into three "scenarios" for ASP.Net 2.0 deployments: hosted sites, production sites in a non-hosted environment, and sites still under development. Think we are missing one? Add it! Think one of them should be cut? Well, don't just delete the whole section; add a comment in the section and let us know!
How to Read These Rules
Each configuration node under system.web that we have best practice rules for (set in machine.config or in a web.config file) is in bold. The text after the bold name is the description of the rule. After that, most rules have an "N/A" followed by four values: the settings suggested for that node in the DEFAULT, HOSTED, PRODUCTION and DEVELOPMENT scenarios, in that order. DEFAULT is what ASP.Net 2.0 ships with, not a recommendation. A few rules have several settings below the root node; each of those is in bold, with its suggested values in the same format after it.
How to Write a Rule
Just plop it in! Don't worry too much about formatting: mention the setting, what the best values are for that setting, a brief description of why, and your name. Give yourself some credit!
EnableViewState - Set enableViewState="false" for all pages and enable it only on the pages and controls that actually need it; this saves memory and bandwidth. ViewState is on by default. If ViewState is used, there are different levels of protection that need to be considered (MAC validation and encryption, covered by the next two rules), and they affect the performance of the application. N/A TRUE FALSE FALSE FALSE
viewStateEncryptionMode - Sets the encryption mode for ViewState information. Encryption is recommended whenever ViewState carries data the client should not be able to read. Options are Auto (encrypt only when a control asks for it by calling Page.RegisterRequiresViewStateEncryption), Always and Never. Set in pages/viewStateEncryptionMode. N/A AUTO ALWAYS ALWAYS AUTO
EnableViewStateMac - Specifies whether ASP.NET should run a message authentication code (MAC) check on the view state when the page is posted back from the client. If true, the view state is verified on postback to make sure it has not been tampered with on the client. This is an integrity check and is independent of viewStateEncryptionMode: encryption hides the contents, the MAC detects modification. Leave it true in every scenario. N/A TRUE TRUE TRUE TRUE
CompilationMode - Set in pages/compilationMode. Determines whether pages are compiled: Always (compile every page), Never (pages are not compiled and must contain no code), or Auto (ASP.NET skips compilation for pages that contain no code). N/A ALWAYS AUTO AUTO ALWAYS
ConnectionStrings - It is a best practice to store connection strings in the connectionStrings element of the web.config file (directly under the configuration element) rather than in code or in appSettings, and to encrypt that section on disk so that anyone who can read the file (backups, source control, a path-disclosure bug, a co-hosted site) does not get the database credentials.
To encrypt connection string information stored in the Web.config file:
At the Windows command line, run the ASP.NET IIS registration tool (aspnet_regiis.exe) with the following options:
The -pe option, passing it the string "connectionStrings" to encrypt the connectionStrings element.
The -app option, passing it the virtual path of your application.
The aspnet_regiis.exe tool is located in the %systemroot%\Microsoft.NET\Framework\versionNumber folder.
For an application named SampleApplication the two options combine to: aspnet_regiis.exe -pe "connectionStrings" -app "/SampleApplication". Application code keeps reading the plaintext through ConfigurationManager.ConnectionStrings; only the copy on disk is protected. N/A N/A N/A N/A N/A
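As an added example (not part of the original page), here is a connectionStrings section before encryption and the shape it takes after aspnet_regiis rewrites it with the default RSA provider. The application name SampleApplication is the one used above; the server, database, account and password are made-up sample values, and the base64 ciphertext is elided.

```xml
<!-- Web.config BEFORE encryption: credentials in the clear (sample values, not a real server) -->
<configuration>
  <connectionStrings>
    <add name="OrdersDb"
         connectionString="Server=sql01;Database=Orders;User Id=web;Password=s3cret"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>

<!--
  Encrypt in place from an elevated command prompt. The site is the IIS
  application /SampleApplication under the default web site:

    %systemroot%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pe "connectionStrings" -app "/SampleApplication"

  Use -pd instead of -pe to decrypt again. The RSA key container used by the
  default provider must be readable by the worker process identity, e.g.:

    aspnet_regiis.exe -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"

  Caveat: any account that can read both the file and the key container
  (or that can run code inside the application) still gets the plaintext;
  this protects against disclosure of the file, not against a compromised app.
-->

<!-- Web.config AFTER encryption: the element is replaced by XML Encryption markup.
     Application code is unchanged; ConfigurationManager decrypts transparently. -->
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>...base64 session key wrapped with the container's RSA key...</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>...base64 3DES ciphertext of the original connectionStrings element...</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
```

Encrypt on the server that will run the site (or export the key container with -px and import it with -pi on each farm member); a section encrypted on one machine with a machine-specific container cannot be read on another.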
EnableSessionState - Set enableSessionState="false" for all pages and enable it only where necessary (ReadOnly is also available for pages that read but never write session data; it avoids taking the session lock). Session state is on by default. If an application does not maintain session state, the value should be changed to false. N/A TRUE FALSE FALSE FALSE
Encoding - Request/response encoding, set with the requestEncoding and responseEncoding attributes of the globalization element. The default is UTF-8. Only if the site is completely ASCII should this be changed to the ASCII encoder; request and response encoding should match, and UTF-8 is the safe choice whenever non-ASCII input is possible. N/A UTF-8 N/A N/A N/A
AutoEventWireup - Turning off AutoEventWireup means that the page will not try to match method names to events and hook them up (Page_Load, Page_Init and so on). Instead, if the page author wants those events, they override the corresponding methods in the base class (override OnLoad for the page load event instead of writing a Page_Load method) or wire the handler explicitly. The page gets a slight performance boost because it no longer does that lookup itself. REMEMBER: when AutoEventWireup is off, a Page_Load method is only called if you wire it up yourself, and it must have the (object sender, EventArgs e) signature. N/A TRUE FALSE FALSE FALSE
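The six pages rules above (EnableViewState, viewStateEncryptionMode, EnableViewStateMac, CompilationMode, EnableSessionState and AutoEventWireup) all land on the same pages element. This is an added example, not the page's own configuration, showing the hosted/production values side by side with a development web.config; the element and attribute names are the real ASP.Net 2.0 ones.

```xml
<!-- Hosted / production web.config: ViewState and session off by default,
     MAC on, ViewState always encrypted, pages compiled on demand, no wireup.
     Individual pages re-enable what they need via the @Page directive. -->
<configuration>
  <system.web>
    <pages enableViewState="false"
           enableViewStateMac="true"
           viewStateEncryptionMode="Always"
           enableSessionState="false"
           compilationMode="Auto"
           autoEventWireup="false" />
  </system.web>
</configuration>

<!-- Development web.config: ViewState and session left on for convenience,
     encryption only where a control asks for it, everything compiled.
     The MAC stays on here too; enableViewStateMac="false" is never appropriate,
     it lets a client post back arbitrary ViewState. -->
<configuration>
  <system.web>
    <pages enableViewState="true"
           enableViewStateMac="true"
           viewStateEncryptionMode="Auto"
           enableSessionState="true"
           compilationMode="Always"
           autoEventWireup="false" />
  </system.web>
</configuration>
```

With autoEventWireup="false" the code-behind receives the load event only through `protected override void OnLoad(EventArgs e) { base.OnLoad(e); ... }` or an explicit `Load += new EventHandler(Page_Load);`. On a web farm, MAC validation and encryption only work across servers when every server shares the same machineKey validationKey and decryptionKey; with the default AutoGenerate each server has its own and postbacks that land on a different server fail validation.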
Compilation - Compilation settings control whether debugging symbols are inserted into the compiled page. Because this affects performance, setting this element appropriately is important. Leaving debug="true" on a live site disables batch compilation, makes the compiled code slower and larger, ignores the request execution timeout, and stops the WebResource.axd scripts and images from being cached by the browser.
debug: Set to "true" for development only. FALSE FALSE FALSE TRUE
batch: Set to "true" for production, "false" for development (default = true). TRUE TRUE TRUE FALSE
CustomErrors - The <customErrors> section configures what to do when an unhandled error occurs during the execution of a request. Specifically, it lets developers show HTML error pages in place of the default error page, which would otherwise leak the stack trace, source file paths, offending code lines and framework version to the client.
mode: Set to RemoteOnly (detailed errors are shown only to a browser running on the server itself; On hides them from everyone; Off shows them to everyone). REMOTEONLY REMOTEONLY REMOTEONLY OFF
defaultRedirect: Set to a custom error .aspx page (keep it simple so it cannot itself fail on the same problem). "" N/A N/A N/A
Deployment - Set this to enforce several production settings at once. Set in machine.config, so it applies to every application on the machine. Too rigid for machines hosting multiple projects, especially where development and production projects sit side by side. Set only on dedicated deployment machines. retail: Set to "true" to enforce the production settings; it forces debug="false", trace enabled="false" and customErrors mode="On" regardless of what individual web.config files say. May be redundant, but it guarantees proper settings. FALSE FALSE TRUE FALSE
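An added example (not from the page) combining the Compilation, CustomErrors and Deployment rules above: a development web.config beside the production one, plus the machine.config switch that overrides both. The error page paths are assumptions.

```xml
<!-- Development web.config: symbols in, no batching, full error detail to anyone -->
<configuration>
  <system.web>
    <compilation debug="true" batch="false" />
    <customErrors mode="Off" />
  </system.web>
</configuration>

<!-- Production web.config: no symbols, batch compile, generic pages for remote
     clients while a browser on the server itself still sees the real error -->
<configuration>
  <system.web>
    <compilation debug="false" batch="true" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Errors/Generic.aspx">
      <!-- Per-status pages are optional; keep them free of code that could fail -->
      <error statusCode="404" redirect="~/Errors/NotFound.aspx" />
    </customErrors>
  </system.web>
</configuration>

<!-- machine.config on a dedicated production server: retail="true" forces
     debug="false", trace enabled="false" and customErrors mode="On" for every
     application on the box, even if a deployed web.config says otherwise.
     Do not use it on a box that also hosts development sites. -->
<configuration>
  <system.web>
    <deployment retail="true" />
  </system.web>
</configuration>
```

Note that retail="true" turns customErrors to On, not RemoteOnly, so local debugging of a live error on such a machine means reading the event log rather than the browser.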
Location
AllowOverride - Application service providers, or anyone responsible for running multiple Web applications on the same server, should lock the trust level for all Web applications so that a rogue application cannot change it. allowOverride: Set to true or false on a location element to allow or forbid child web.config files from overriding the settings inside it. Can be set in machine.config or the root web.config (no path attribute, applies to every site) or with a path attribute for one site or application. TRUE FALSE FALSE FALSE
Health Monitoring - Keep this on to get ASP.NET error reporting and health monitoring events. enabled: Set to true. ASP.Net 2.0 ships with health monitoring enabled and with default rules that write all errors and failure audits to the Windows Application event log; do not turn it off on hosted or production sites. TRUE TRUE TRUE N/A
heartbeatInterval: Sets the time span between heartbeat events (a TimeSpan such as 00:10:00; 00:00:00 means no heartbeats are raised). 00:00:00 NOT 00:00:00 NOT 00:00:00 NOT 00:00:00
HostingEnvironment - The application idle timeout feature gives hosters a mechanism to shut down an appDomain that has been idle (has not received a request) for a set amount of time, freeing memory on a shared server.
idleTimeout: Sets the amount of time, in minutes, before unloading an inactive application. Default is Infinite. Infinite NOT Infinite N/A N/A
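An added example (not the page's own configuration) for the Health Monitoring and HostingEnvironment rules on a hosted site: health monitoring stays on with a heartbeat, and idle application domains are unloaded after 20 minutes. The "All Errors Default" and "Failure Audits Default" rules are inherited from the ASP.Net 2.0 root web.config and are not redeclared here, because adding a rule with a name that already exists is a configuration error; only the heartbeat rule is new. The "Heartbeats" event name and "EventLogProvider" are the built-in ones.

```xml
<!-- Hosted web.config -->
<configuration>
  <system.web>
    <!-- enabled="true" is the shipped default; stated here so a tenant cannot
         silently rely on it being absent. Heartbeat every 10 minutes. -->
    <healthMonitoring enabled="true" heartbeatInterval="00:10:00">
      <rules>
        <!-- Inherited: "All Errors Default" and "Failure Audits Default"
             already route unhandled exceptions and failed logins/ViewState
             validation failures to the Application event log. -->
        <!-- New: record heartbeats so a gap in the log shows when the
             appDomain was unloaded by idleTimeout or recycled. -->
        <add name="Heartbeats" eventName="Heartbeats"
             provider="EventLogProvider" profile="Default" />
      </rules>
    </healthMonitoring>

    <!-- Unload after 20 idle minutes; give in-flight requests 30 s to finish -->
    <hostingEnvironment idleTimeout="20" shutdownTimeout="30" />
  </system.web>
</configuration>
```

The first request after an idle unload pays the full application start-up cost, so pick idleTimeout from traffic patterns rather than the smallest value that frees memory.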
Trust Level - Trust levels allow you to define security rules. They define what types of operations an application can perform, such as reading from disk, accessing the registry or opening network connections. Note that ASP.Net 2.0 itself defaults to Full trust, which gives every application whatever the worker process identity can do; shared hosters normally drop applications to Medium. level: Full, High, Medium, Low or Minimal (*each with an associated policy file registered in securityPolicy). FULL CUSTOM CUSTOM CUSTOM
Custom policy: If a policy other than one of the built-in levels is set, extract the policy file and check which permissions are being granted. N/A N/A N/A N/A
Lockdown trust settings of applications: wrap the trust element in a location element with allowOverride="false" (see AllowOverride above) so that an application's own web.config cannot raise its level. N/A N/A N/A N/A
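An added example (not from the page) that covers both the AllowOverride rule and the Trust Level rules: a hosting server's root web.config pins every application to Medium trust and registers a custom level for vetted tenants. The level name "Custom" and its policy file name are assumptions; the built-in web_*trust.config files and the trust/securityPolicy elements are real.

```xml
<!-- Root web.config: %systemroot%\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config
     (or machine.config). A location element with no path applies to every
     site on the server; allowOverride="false" means a tenant's own web.config
     cannot put <trust level="Full" /> back and escape the sandbox. -->
<configuration>
  <location allowOverride="false">
    <system.web>
      <securityPolicy>
        <!-- Full/High/Medium/Low/Minimal are already mapped to the shipped
             web_*trust.config files. Register a custom level by starting from a
             copy of web_mediumtrust.config, editing the permission sets, and
             naming the file here (path relative to the CONFIG directory). -->
        <trustLevel name="Custom" policyFile="web_customtrust.config" />
      </securityPolicy>

      <!-- Default for every application on the box. To grant one vetted tenant
           the custom level, add a second, path-scoped location element
           (<location path="Default Web Site/Tenant" allowOverride="false">)
           containing <trust level="Custom" /> in this same file. -->
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
```

After deploying a custom policy file, review it the way the "Custom policy" rule says: diff it against web_mediumtrust.config and make sure nothing like unrestricted FileIOPermission, RegistryPermission or ReflectionPermission has crept in, since those are exactly what Medium exists to withhold.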
Garbage Collection - If the number of app pools exceeds the number of processors on the hosting machine, it may be beneficial to switch from server GC to workstation GC in aspnet.config (the gcServer element under runtime, enabled="false"). Future consideration. N/A ServerGC WorkstationGC ServerGC WorkstationGC
Trace - Machine or web.config level. Tracing should be set to false in both the production and hosting scenarios (the trace output can be used by attackers to learn about your server: headers, server variables including the physical path, session and application state, cookies and the control tree) and should be turned on only for development. enabled: Specifies whether tracing is enabled for an application. Tracing must be enabled in order to use the Trace.axd viewer. By default, the Trace.axd viewer is added to the httpHandlers element. FALSE FALSE FALSE TRUE
pageOutput: Specifies whether trace output is rendered at the end of each page. If false, trace output is accessible only through the Trace.axd viewer. FALSE FALSE FALSE TRUE
mostRecent: Specifies whether the most recent application-level trace output is kept and older data beyond the requestLimit is discarded. If false, trace data is collected for requests only until requestLimit is reached, then collection stops. FALSE FALSE FALSE TRUE
localOnly: Specifies whether the trace viewer (Trace.axd) is available only on the host Web server. If false, the trace viewer is available from any computer. Because the Trace.axd handler is registered in httpHandlers by default, keep this true in every scenario. TRUE TRUE TRUE TRUE
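An added example (not the page's own configuration) for the Trace rules: the hosted/production trace element beside the development one. Unmapping the Trace.axd handler is an extra step the page does not list; it is included so that a later enabled="true" slipping into a deployed web.config still cannot expose the viewer.

```xml
<!-- Hosted / production web.config -->
<configuration>
  <system.web>
    <trace enabled="false"
           localOnly="true"
           pageOutput="false"
           requestLimit="10"
           mostRecent="false" />

    <!-- Belt and braces: remove the handler the root config registers for
         trace.axd. With it gone a request for /trace.axd is served as a
         normal (non-existent) file instead of by the trace viewer. -->
    <httpHandlers>
      <remove verb="*" path="trace.axd" />
    </httpHandlers>
  </system.web>
</configuration>

<!-- Development web.config: tracing on, page output on, newest 40 requests
     kept, but the viewer is still reachable only from the machine itself -->
<configuration>
  <system.web>
    <trace enabled="true"
           localOnly="true"
           pageOutput="true"
           requestLimit="40"
           mostRecent="true" />
  </system.web>
</configuration>
```

A quick check after deployment: request /trace.axd from a remote browser and confirm you get a 404 (handler removed) or the "Trace Error" page (tracing disabled), never the request list.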