Secure your ASP.NET Viewstate

2016-01-262016-01-13 Andy BurnsSecurity, ViewstateLeave a comment

This is just a short reminder for myself – when configuring ASP.NET websites, don’t forget to Secure the viewstate. If you don’t, then the ViewState is just base64 encoded – and can be decoded.

Securing this involves:

Setting a machine key in the web.config. In a load balanced environment, this machine key should be the same on all front-end servers; it’s used in encryption and decryption of the viewstate, and so has to be the same on all webservers. If it is not, and a user’s session skips to another server, then decryption of the viewstate will fail.
Make sure the the validation algorithm is set to ‘AES’
Make sure that the ‘decryption’ algorithm is set to auto.

That seems to be it. I did see instructions that said that I should:

On the <pages> node, add the attribute viewStateEncryptionMode=”Always”

… ~~but I didn’t seem to have to do this~~. Actually, in the end I did have to set this too.

Edit: How to generate your machineKey easily

Lock down your HTTP Verbs

2016-01-222015-12-16 Andy BurnsHTTP, IIS, SecurityLeave a comment

Something that has come up in some of our testing recently is that some of our websites have HTTP verbs allowed that probably should be blocked – and with IIS they can be.

To recap, we’re use to the idea of GET or POST requests, but there are a lot more… Continue reading “Lock down your HTTP Verbs” →

Lockdown Sitecore Administration

2016-01-152015-12-15 Andy BurnsIIS, SecurityLeave a comment

The Sitecore security hardening guide 6.0 (or version 7.5 here) describes:

You should prevent anonymous users from accessing the following folders:

/App_Config

/sitecore/admin

/sitecore/debug

/sitecore/shell/WebService

And then goes on to describe removing anonymous access to those areas in IIS.

The version 7.5 document goes on to say… Continue reading “Lockdown Sitecore Administration” →

Configuring a Content-Security-Policy

2016-01-072015-12-09 Andy BurnsContentSecurityPolicy, HTTP, HTTPHeaders, IIS, SecurityLeave a comment

I’ve talked about how to how to remove HTTP Headers that you don’t need from IIS – but there are some that you probably will want. This particular post is about the Content Security Policy (CSP).

I’m not going to describe what one is. @Scott_Helme has already described what a Content Security Policy is far better than I can. Rather, I’m going to describe how to figure out what your policy should be… Continue reading “Configuring a Content-Security-Policy” →

Removing Chatty IIS Headers

2016-01-062015-12-09 Andy BurnsHTTP, HTTPHeaders, IIS, SecurityLeave a comment

IIS is, by default, a bit too damn chatty, which isn’t what you want if you’re trying to harden your server:

You can check this with a site like SecurityHeaders.io, which will review all your HTTP Headers for you. It’s very good, I recommend it.

Why would I need to tell the world what ASP version, webserver, etc. that I’m using? Isn’t this just helping potential attackers? Well, yes. How do you remove these headers, though? Continue reading “Removing Chatty IIS Headers” →

Configuring SSL/TLs made easy

2015-12-182015-12-17 Andy BurnsSecurity, SSL, TLSLeave a comment

I’ll admit, I find the configuration of SSL and TLS something of a mystery – I like to leave that stuff to the admin guys and get on with the coding. It’s something of a black art, and there seem to be so many obscurely named vulnerabilities that it’s a bit difficult to handle without being a specialist. (Heartbleed? Bar Mitzvah? Lucky 13? Poodle? I mean, seriously, POODLE?)

However, I was recently given a PowerShell script and told to ‘fix these servers’ – and it was very easy. Continue reading “Configuring SSL/TLs made easy” →

Results of Penetration Test on SharePoint system

2012-08-012014-11-30 Andy Burnsclickjacking, login, penetration, Security, SP2010 Admin, SP2010 DevelopmentLeave a comment

One of our customers had a penetration test performed on their SharePoint system. I think it’s fairly standard, but it could have a custom login form. In fact, given some of the errors, I think it must have been – but I had little involvement, so I’m not sure. Heck, it could even have been a SharePoint 2007 system, or a new login form that we didn’t write.

Either way, I thought it would be interesting (and a good reminder) to look at some of the issues it threw up… Continue reading “Results of Penetration Test on SharePoint system” →

RSA SecurID and SharePoint

2008-09-162014-11-30 Andy BurnsRSA, Security, SP2007 Architecture, SP2007 Development2 Comments

I’d an interesting question from a customer the other day – they wanted Forms Authentication on extranet access to SharePoint, but using two factor authentication. The product mentioned was RSA SecurID, and this means that to authenticate yourself you need:

Your Username
A hardware device that shows a pseudo-randomly generated PIN number which changes every minute or so.

‘Cos the PIN is a pseudo-random sequence, if the token and a server are in sync, you can validate that someone has read that token inside the last minute. It’s an expensive technology – but neat!

The idea is the same as, say, a credit card. More than just saying who I am and that I have some piece of knowledge (e.g. my PIN number), I also have to have a physical object which is hard to duplicate (my credit card). This should make my identity more certain.

Anyway, how does this fit with SharePoint? Continue reading “RSA SecurID and SharePoint” →

When will a page run inline code in SharePoint?

2008-06-092014-11-30 Andy BurnsSecurity, SharePoint 2007 Development, SP2007 Development1 Comment

Previously, I’ve detailed my attempts to show a query string parameter in a page. This should be a simple enough to do as inline code, but as my previous attempts recorded, when I tried:

<%= Request.QueryString.ToString() %>

I got the error “code blocks are not allowed in this file”. This makes sense, as otherwise anyone with SharePoint Designer could put arbitrary code into a page and get it to run. Clearly, as this would let business users enter code, this would not be very secure.

Now, you can turn off this security restriction using Page Parser Paths, but this reduces the security of the system – again, anyone with SharePoint Designer could put code in without review/authorisation. Again, less than ideal.

Well, one of the things I learnt last week was that uncustomised pages (or ‘ghosted pages‘ for the oldies) will run inline code. Fantastic! After all, we’re going to want to package up our code for deployment from Development to Testing and Production systems, right? (Well, you should be, dammit!)

For those of you who don’t know, uncustomised pages are ones that are stored on the server’s hard drive, rather than in the database. To get onto the hard drive, someone has to install them, which means that someone has to review and approve the code. With SharePoint designer, this isn’t the case, and SharePoint Designer can only create pages that are Customized (or Ghosted), and so exist only in the database.

So overall, the process would probably become:

On a development system use PageParserPaths to enable inline code. As this is a dev system, security is less of an issue, and business users won’t be making changes.
Develop your pages that use inline code. You can do this in SharePoint Designer.
When the pages are complete, copy them out and package into a feature. Make sure that your page that you’ve written in installed Ghosted – still the terminology they use in features.
Install and activate the feature. As your page is now uncustomised (or ‘ghosted’), it will now run inline code without PageParserPaths being configured.

That’s a pretty tidy developer story!

Threat Modelling at Microsoft – an example

2007-10-012014-11-30 Andy BurnsCoding, SecurityLeave a comment

Interesting – Larry Osterman explains how MS do threat analysis (in lots of parts). Found on Bruce Schneier’s Blog. Worth a read – certainly it’s made me think about the stuff I’ve written.

Parts 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14

Andy Burns' Blog

Whatever I'm working on

Security