Security Checklist: ASP.NET 2.0

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

patterns & practices Developer Center

J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley, Kishore Gopalan

Microsoft Corporation

August 2005

Applies To

  • ASP.NET version 2.0


This checklist presents a set of consolidated security guidelines for ASP.NET version 2.0 applications. The answers and recommendations presented in this module are designed to supplement the companion modules and additional guidance. The guidelines are organized by various categories that represent those areas where mistakes are most often made.


How to Use This Module
Design Considerations
Application Categories Considerations

How to Use This Module

This checklist is a companion to Security Guidelines: ASP.NET 2.0. Use "Security Guidelines: ASP.NET 2.0" to browse the ASP.NET 2.0 guidelines and learn what to do, why, and how. Use this checklist to help you secure your ASP.NET 2.0 application.

Design Considerations

Ff648269.z02bthcm01(en-us,PandP.10).gifSecurity decisions should not rely on client-side validations; they are made on the server side.
Ff648269.z02bthcm01(en-us,PandP.10).gifThe Web site is partitioned into public access areas and restricted areas that require authentication access. Navigation between these areas should not flow sensitive credentials information.
Ff648269.z02bthcm01(en-us,PandP.10).gifThe identities used to access remote resources from ASP.NET Web applications are clearly identified.
Ff648269.z02bthcm01(en-us,PandP.10).gifMechanisms have been identified to secure credentials, authentication tickets, and other sensitive information over network and in persistent stores.
Ff648269.z02bthcm01(en-us,PandP.10).gifA secure approach to exception management is identified. The application fails securely in the event of exceptions.
Ff648269.z02bthcm01(en-us,PandP.10).gifThe site has granular authorization checks for pages and directories.
Ff648269.z02bthcm01(en-us,PandP.10).gifWeb controls, user controls, and resource access code are all partitioned in their own assemblies for granular security.

Application Categories Considerations

Auditing and Logging

Ff648269.z02bthcm01(en-us,PandP.10).gifHealth monitoring is used for logging and auditing events.
Ff648269.z02bthcm01(en-us,PandP.10).gifApplication is instrumented for user management events such as authentication success and failures, password resets, password changes, and account lockout.
Ff648269.z02bthcm01(en-us,PandP.10).gifApplication is instrumented for unusual activity such as multiple login attempts and replayed authentication tickets.
Ff648269.z02bthcm01(en-us,PandP.10).gifAccess to significant business logic is instrumented.
Ff648269.z02bthcm01(en-us,PandP.10).gifAccess to audit and log files are restricted, with application accounts having write access, administrative accounts having full access, and operators have read access.
Ff648269.z02bthcm01(en-us,PandP.10).gifApplication and audit events are logged on separate protected server.
Ff648269.z02bthcm01(en-us,PandP.10).gifEvents are logged with appropriate levels of information to reconstruct system activity.
Ff648269.z02bthcm01(en-us,PandP.10).gifHigh volume, per-request events are captured with performance counters.


Ff648269.z02bthcm01(en-us,PandP.10).gifMembership providers are used instead of custom authentication.
Ff648269.z02bthcm01(en-us,PandP.10).gifSSL is used to protect user credentials and authentication cookies.
Ff648269.z02bthcm01(en-us,PandP.10).gifIf using SSL is not possible, the SlidingExpiration attribute is set to false and limited authentication cookie time-outs are used.
Ff648269.z02bthcm01(en-us,PandP.10).gifUser login information is validated using the Regex class and/or your custom validation code.
Ff648269.z02bthcm01(en-us,PandP.10).gifHashed password format is specified in provider configuration.
Ff648269.z02bthcm01(en-us,PandP.10).gifPasswords are not stored directly in the user store; password digests with salt are stored instead.
Ff648269.z02bthcm01(en-us,PandP.10).gifStrong passwords policies are enforced.
Ff648269.z02bthcm01(en-us,PandP.10).gifAccess to the credential store is limited to application account.
Ff648269.z02bthcm01(en-us,PandP.10).gifAuthentication cookies are not persisted.
Ff648269.z02bthcm01(en-us,PandP.10).gifAuthentication cookie is encrypted and integrity checked.
Ff648269.z02bthcm01(en-us,PandP.10).gifAuthentication cookies are restricted to HTTPS connections only by using the requireSSL attribute.
Ff648269.z02bthcm01(en-us,PandP.10).gifSite is partitioned to restricted areas and public areas.
Ff648269.z02bthcm01(en-us,PandP.10).gifAbsolute URLs are used for navigation where the site is partitioned with secure and non-secure folders.
Ff648269.z02bthcm01(en-us,PandP.10).gifhttpOnlyCookies attribute is set to true on authentication cookie to prevent client side script from accessing the cookie.
Ff648269.z02bthcm01(en-us,PandP.10).gifUnique cookie names and paths are used.


Ff648269.z02bthcm01(en-us,PandP.10).gifWindows authentication is used where possible.
Ff648269.z02bthcm01(en-us,PandP.10).gifStrong passwords policies are enforced.
Ff648269.z02bthcm01(en-us,PandP.10).gifImpersonation is used only when original caller's security context is required for downstream tier for auditing or authorization.
Ff648269.z02bthcm01(en-us,PandP.10).gifImpersonation token is not created by using LogonUser API.
Ff648269.z02bthcm01(en-us,PandP.10).gifProtocol transition is used when multiple identities need to access downstream resources.


Ff648269.z02bthcm01(en-us,PandP.10).gifURL authorization is used for page and directory access control.
Ff648269.z02bthcm01(en-us,PandP.10).gifFile authorization is used with Windows authentication.
Ff648269.z02bthcm01(en-us,PandP.10).gifAppropriate ACLs are configured on Web site files.
Ff648269.z02bthcm01(en-us,PandP.10).gifRole manager, instead of custom code, is used for roles authorization.
Ff648269.z02bthcm01(en-us,PandP.10).gifRole caching is used if role store lookup is too costly.
Ff648269.z02bthcm01(en-us,PandP.10).gifIf role caching is used, authorization cookie is restricted to HTTPS connections by using the requireSSL attribute.
Ff648269.z02bthcm01(en-us,PandP.10).gifIf using SSL is not possible, the cookieSlidingExpiration attribute is set to false and limited authentication cookie time-outs are used.
Ff648269.z02bthcm01(en-us,PandP.10).gifThe authorization cookie is not persisted on user machine by setting the createPersistentCookie attribute to false.
Ff648269.z02bthcm01(en-us,PandP.10).gifAuthorization cookie is protected for tampering and reading information.

Code Access Security

Ff648269.z02bthcm01(en-us,PandP.10).gifCode access security is used when applications need to be isolated from each other.
Ff648269.z02bthcm01(en-us,PandP.10).gifThe chosen trust level does not exceed your application's requirement.
Ff648269.z02bthcm01(en-us,PandP.10).gifIf your application needs additional permissions, a custom trust policy is used.
Ff648269.z02bthcm01(en-us,PandP.10).gifApplications are isolated using Medium trust in hosted environments.
Ff648269.z02bthcm01(en-us,PandP.10).gifAttribute allowOverride is set to false in the machine-level Web.config file to ensure developers cannot change the trust level of their application.

Data Access

Ff648269.z02bthcm01(en-us,PandP.10).gifConnection strings are encrypted in configuration files using the Aspnet_regiis utility and Protected Configuration providers.
Ff648269.z02bthcm01(en-us,PandP.10).gifConnection string information is encrypted using strong encryption (for example, 3DES).
Ff648269.z02bthcm01(en-us,PandP.10).gifConnection to database is used with least-privileged service account.
Ff648269.z02bthcm01(en-us,PandP.10).gifWindows authentication is used when connecting to SQL Server.
Ff648269.z02bthcm01(en-us,PandP.10).gifTrusted service accounts are used to connect to SQL Server.
Ff648269.z02bthcm01(en-us,PandP.10).gifMirrored local accounts are considered as an alternative if domain accounts cannot be used.
Ff648269.z02bthcm01(en-us,PandP.10).gifStrong passwords are used and enforced.
Ff648269.z02bthcm01(en-us,PandP.10).gifIf SQL Server authentication is used, the credentials are secured over the network by using IPSec or SSL, or by installing a database server certificate.
Ff648269.z02bthcm01(en-us,PandP.10).gifCredentials in SQL connection strings are protected in configuration files.
Ff648269.z02bthcm01(en-us,PandP.10).gifRSA Protected Configuration provider is used to protect connection strings in a Web farm environment.
Ff648269.z02bthcm01(en-us,PandP.10).gifUntrusted input passed to data access methods is validated.
Ff648269.z02bthcm01(en-us,PandP.10).gifSQL queries use parameterized stored procedures and type-safe SQL parameters.
Ff648269.z02bthcm01(en-us,PandP.10).gifDynamic queries that accept user input are used only if stored procedures cannot be used.

Exception Management

Ff648269.z02bthcm01(en-us,PandP.10).gifStructured exception handling is used.
Ff648269.z02bthcm01(en-us,PandP.10).gifGeneric error pages with harmless messages are returned to the client.
Ff648269.z02bthcm01(en-us,PandP.10).gifGlobal error handlers are used to catch unhandled exceptions.
Ff648269.z02bthcm01(en-us,PandP.10).gifSet mode attribute in customErrors to On to prevent displaying detailed error messages to the caller.
Ff648269.z02bthcm01(en-us,PandP.10).gifException details are logged on the server.

Input/Data Validation

Ff648269.z02bthcm01(en-us,PandP.10).gifFree form input is sanitized to clean malicious data.
Ff648269.z02bthcm01(en-us,PandP.10).gifApplication does not rely only on request validation.
Ff648269.z02bthcm01(en-us,PandP.10).gifAll the input is validated for length, range, format, and type. Input is checked for known valid and safe data and then for malicious, dangerous data.
Ff648269.z02bthcm01(en-us,PandP.10).gifInput from all the sources including query strings, cookies, and HTML controls is validated using the Regex class and/or your custom validation code.
Ff648269.z02bthcm01(en-us,PandP.10).gifApplication does not rely on only client-side validation.
Ff648269.z02bthcm01(en-us,PandP.10).gifApplication avoids file name and path input from user where possible.
Ff648269.z02bthcm01(en-us,PandP.10).gifIf input file names are required, they are well formed and are verifiably valid within the application context.
Ff648269.z02bthcm01(en-us,PandP.10).gifUntrusted output is not directly echoed back to the user.
Ff648269.z02bthcm01(en-us,PandP.10).gifOutput that contains untrusted data is encoded with HtmlEncode and UrlEncode.


Ff648269.z02bthcm01(en-us,PandP.10).gifTradeoffs associated with use of impersonation are fully understood.
Ff648269.z02bthcm01(en-us,PandP.10).gifUse of LogonUser is avoided where possible.
Ff648269.z02bthcm01(en-us,PandP.10).gifProgrammatic impersonation is avoided where possible.
Ff648269.z02bthcm01(en-us,PandP.10).gifThreading issues have been considered if impersonation is used. If impersonation token is to be passed to newly created threads, the ASPNET.config is configured correctly.
Ff648269.z02bthcm01(en-us,PandP.10).gifImpersonation is reverted by using finally blocks.
Ff648269.z02bthcm01(en-us,PandP.10).gifExceptions while impersonating are not allowed to propagate.

Parameter Manipulation

Ff648269.z02bthcm01(en-us,PandP.10).gifSecurity decisions are not made based on client parameters.
Ff648269.z02bthcm01(en-us,PandP.10).gifAll the input parameters are validated for type, length, format, and range.
Ff648269.z02bthcm01(en-us,PandP.10).gifSensitive data is not stored in view state.
Ff648269.z02bthcm01(en-us,PandP.10).gifView state is encrypted if it does contain sensitive data.
Ff648269.z02bthcm01(en-us,PandP.10).gifPage.ViewStateUserKey is used to counter one-click attacks.
Ff648269.z02bthcm01(en-us,PandP.10).gifQuery strings with server secrets are hashed.

Sensitive Data

Ff648269.z02bthcm01(en-us,PandP.10).gifPlaintext passwords are not used in configuration files (Web.config and Machine.config).
Ff648269.z02bthcm01(en-us,PandP.10).gifSensitive data that is stored in .config files are encrypted using Protected Configuration providers.
Ff648269.z02bthcm01(en-us,PandP.10).gifPlatform features are used and custom key management is avoided.
Ff648269.z02bthcm01(en-us,PandP.10).gifSensitive data is not passed across pages; it is maintained using server-side state management.
Ff648269.z02bthcm01(en-us,PandP.10).gifSensitive data passed over wire is secured using SSL or IPSec where appropriate.
Ff648269.z02bthcm01(en-us,PandP.10).gifSensitive data is not cached.
Ff648269.z02bthcm01(en-us,PandP.10).gifSensitive data is not stored in cookies, hidden form fields, or query strings.
Ff648269.z02bthcm01(en-us,PandP.10).gifOutput caching for pages that contain sensitive data is turned off.
Ff648269.z02bthcm01(en-us,PandP.10).gifSensitive data is encrypted in the database.

Session Management

Ff648269.z02bthcm01(en-us,PandP.10).gifApplication does not rely on client-side state management options.
Ff648269.z02bthcm01(en-us,PandP.10).gifWindows authentication is used to connect to Microsoft SQL Server state database.
Ff648269.z02bthcm01(en-us,PandP.10).gifSession state connection strings are encrypted using protected configuration providers.
Ff648269.z02bthcm01(en-us,PandP.10).gifOut-of-process state service is protected.
Ff648269.z02bthcm01(en-us,PandP.10).gifAccess to state data is restricted.
Ff648269.z02bthcm01(en-us,PandP.10).gifSQL Server session state is protected.
Ff648269.z02bthcm01(en-us,PandP.10).gifThe session cookie is protected using SSL on all pages that require authenticated access.
Ff648269.z02bthcm01(en-us,PandP.10).gifThe session state service is disabled if not used.
Ff648269.z02bthcm01(en-us,PandP.10).gifThe session state service (if used) runs using a least-privileged account.
Ff648269.z02bthcm01(en-us,PandP.10).gifThe communication channel to state store is encrypted (IPSec or SSL).
Ff648269.z02bthcm01(en-us,PandP.10).gifSession state port is changed from default of 42424.

Deployment Considerations

Ff648269.z02bthcm01(en-us,PandP.10).gifLeast-privileged service account is used for running ASP.NET applications.
Ff648269.z02bthcm01(en-us,PandP.10).gifConfiguration sections that contain sensitive data are encrypted using protected configuration providers.
Ff648269.z02bthcm01(en-us,PandP.10).gifKeys are stored in machine-level key store for application on dedicated server or multiple applications that run under the same identity.
Ff648269.z02bthcm01(en-us,PandP.10).gifKeys are stored in user-level key store for applications running in a shared hosting environment.
Ff648269.z02bthcm01(en-us,PandP.10).gifProtected file types are blocked using HttpForbiddenHandler.
Ff648269.z02bthcm01(en-us,PandP.10).gifThe same machine keys are used consistently across all servers in a Web farm.
Ff648269.z02bthcm01(en-us,PandP.10).gifConfiguration settings are locked by setting allowOverride to false where appropriate to enforce policy settings.
Ff648269.z02bthcm01(en-us,PandP.10).gifSet mode attribute in customErrors to On to prevent displaying detailed error messages to the caller.

Communication Security

Ff648269.z02bthcm01(en-us,PandP.10).gifAppropriate mechanism of secure communication (IPSec or SSL) is used, depending on application requirement.
Ff648269.z02bthcm01(en-us,PandP.10).gifFor communication between Web browser and Web server, SSL is used when pages need to be encrypted and you need to guarantee that the server to which you send the data is the server that you expect.
Ff648269.z02bthcm01(en-us,PandP.10).gifFor communication between servers, IPSec is used when secure server-to-server communication is required.
Ff648269.z02bthcm01(en-us,PandP.10).gifFor communication between servers, SSL is used when an application does not trust other applications on a server.
Ff648269.z02bthcm01(en-us,PandP.10).gifPages that use SSL are optimized.


Provide feedback by using either a Wiki or e-mail:

We are particularly interested in feedback regarding the following:

  • Technical issues specific to recommendations
  • Usefulness and usability issues

Technical Support

Technical support for the Microsoft products and technologies referenced in this guidance is provided by Microsoft Support Services. For product support information, please visit the Microsoft Product Support Web site at

Community and Newsgroups

Community support is provided in the forums and newsgroups:

To get the most benefit, find the newsgroup that corresponds to your technology or problem. For example, if you have a problem with ASP.NET security features, you would use the ASP.NET Security forum.

Contributors and Reviewers

  • External Contributors and Reviewers: Jason Taylor, Security Innovation; Rudolph Araujo, Foundstone Professional Services
  • Microsoft Contributors and Reviewers: Wade Mascia, Tom Christian, Adam Semel, Stefan Schackow
  • Test team: Larry Brader, Microsoft Corporation; Nadupalli Venkata Surya Sateesh, Sivanthapatham Shanmugasundaram, Infosys Technologies Ltd.
  • Edit team: Nelly Delgado, Microsoft Corporation; Tina Burden McGrayne, TinaTech Inc.
  • Release Management: Sanjeev Garg, Microsoft Corporation

patterns & practices Developer Center

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.