While working with enterprise-grade ASP.NET applications, maintaining security is a key goal. In today's development world it is not only about conforming to standards or practices; you also need to meet compliance requirements, and that ultimately becomes a key selling point for the product.
In this post I am going to point out a few solutions to vulnerability findings specific to McAfee Secure compliance scans. If you take a close look, they have nothing to do with a particular vendor's compliance; they are must-do items for any ASP.NET web application.
ASP.NET DEBUG Method Enabled Security Issue Vulnerability
ASP.NET debugging is enabled on the host. An attacker can send debug statements to the remote ASP scripts.
Disable debugging. In the web.config of the target web application, set the debug attribute of the compilation element to false.
Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability
Suppress the framework version headers. In web.config, turn off the X-AspNet-Version response header:

<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>

For MVC applications, also turn off the X-AspNetMvc-Version header from Application_Start in Global.asax:

MvcHandler.DisableMvcResponseHeader = true;
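To catch the two web.config findings above before the compliance scanner does, here is an added Python check (not code from the post). It assumes the standard <system.web> layout and the framework defaults: debug is off when the attribute is absent, and the version header is on when enableVersionHeader is absent.

```python
"""Audit and fix the two web.config settings discussed above (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from any real deployment): debug is on
# and enableVersionHeader is absent, so it defaults to true.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" />
  </system.web>
</configuration>
"""

def _is_true(value):
    return value is not None and value.strip().lower() == "true"

def audit_web_config(xml_text):
    """Return [(setting, problem), ...]; an empty list means both checks pass."""
    findings = []
    system_web = ET.fromstring(xml_text).find("system.web")
    compilation = system_web.find("compilation") if system_web is not None else None
    runtime = system_web.find("httpRuntime") if system_web is not None else None
    # <compilation debug> defaults to false when absent; only "true" is a finding.
    if compilation is not None and _is_true(compilation.get("debug")):
        findings.append(("compilation/@debug", 'is "true"; set it to "false"'))
    # enableVersionHeader defaults to true, so an absent attribute is as bad as "true".
    if runtime is None or runtime.get("enableVersionHeader") is None \
            or _is_true(runtime.get("enableVersionHeader")):
        findings.append(("httpRuntime/@enableVersionHeader",
                         'missing or "true"; X-AspNet-Version header is sent'))
    return findings

def harden_web_config(xml_text):
    """Return the config with debug="false" and enableVersionHeader="false" applied."""
    root = ET.fromstring(xml_text)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    compilation = system_web.find("compilation")
    if compilation is not None:
        compilation.set("debug", "false")
    runtime = system_web.find("httpRuntime")
    if runtime is None:
        runtime = ET.SubElement(system_web, "httpRuntime")
    runtime.set("enableVersionHeader", "false")
    return ET.tostring(root, encoding="unicode")
```

Running audit_web_config on the sample reports both settings; running it again on the output of harden_web_config reports nothing.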
Remote Management Service Accepting Unencrypted Credentials Detected
A remote management service (Telnet, FTP) accepts unencrypted credentials. A malicious user or bot can easily intercept unencrypted passwords in transit and gain unauthorized access.
Use alternative services that provide encryption. The most common case is the FTP service within IIS; the solution to this problem is to use SFTP instead of FTP.