Harden IIS Asp.net
Unless you are running an ancient version of IIS or ASP.NET, this should apply to most versions.
X-Frame-Options
IIS Manager
HTTP Response Headers
X-Frame-Options SAMEORIGIN
HTTP Options
IIS Manager
Request Filtering
HTTP Verbs
OPTIONS, Allowed = False (use the 'Deny Verb...' action and enter OPTIONS)
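The same two settings written directly into the site's web.config, which is where IIS Manager stores them when you click through the steps above. This is an added example, not config from the original post; the section names are the standard system.webServer schema for IIS 7 and later.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <!-- X-Frame-Options: only pages from this origin may frame the site (clickjacking mitigation) -->
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
    <!-- Request Filtering: reject the OPTIONS verb so IIS answers it with 404 instead of listing allowed methods -->
    <security>
      <requestFiltering>
        <verbs>
          <add verb="OPTIONS" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

After deploying, confirm with a browser's network tab or a proxy that every response carries X-Frame-Options: SAMEORIGIN and that an OPTIONS request no longer returns 200.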
Weak SSL Cipher
IISCrypto.exe (third-party tool)
https://www.nartac.com/Products/IISCrypto/
Just press the 'Best Practices' button and reboot.
Autocomplete Enabled on Password Field
Edit ASP.NET Login Pages
Edit login template (may have to turn asp:Login into template to see child controls)
<asp:TextBox ID="Password" runat="server" AutoCompleteType="Disabled" autocomplete="off" TextMode="Password"></asp:TextBox>
You would think AutoCompleteType="Disabled" would do it but ultimately I have no idea what it does.
Thankfully autocomplete="off" gets preserved if you just drop it in.
Secure Flag on Cookies
ASP.NET Website web.config
Add these SSL attributes where needed:
<system.web>
  <httpCookies requireSSL="true" />
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" defaultUrl="Default.aspx" requireSSL="true" />
  </authentication>
  <anonymousIdentification enabled="true" cookieRequireSSL="true" />
  <roleManager enabled="true" defaultProvider="CustomRoleProvider" cookieRequireSSL="true">
    ...
  </roleManager>
</system.web>
I would have preferred to do this in the root Web.Config to get this to work but I could not.
For development I sometimes use:
<appSettings file="diff\config\AppSettings.config" />
and
<connectionStrings configSource="diff\config\Connection.config" />
in the web.config so I can have a generic web.config for both production and development.
However I would have to develop using SSL from now on to keep using this approach.