When working on enterprise-grade ASP.NET applications, maintaining security is a key goal. In today's development world it is not only about conforming to standards and practices; you also need to meet compliance requirements, and doing so ultimately becomes a strong selling point for the product.
In this post I am going to point out a few fixes for items raised by the vulnerability test for McAfee Secure compliance. If you take a close look, though, they have nothing to do with one specific vendor's compliance programme; they are must-do items for any ASP.NET web application.
ASP.NET DEBUG Method Enabled Security Issue Vulnerability
Threat
ASP.NET debugging is enabled on the host. An attacker can send debug statements to the remote ASP scripts.
Solution
Disable debugging. In the web.config of the target web application, set the debug attribute of the compilation element to false:
<compilation debug="false"/>
Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability
Threat
ASP.NET applications by default send information about the site with each response. A target host using HTTP may also be vulnerable to this issue.
Solution
In web.config:
<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>
In Global.asax:
MvcHandler.DisableMvcResponseHeader = true;
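As an added example (not code from the original post), here is a small Python audit that checks a web.config for the two settings covered above (compilation debug and httpRuntime enableVersionHeader) and lists the response headers a scanner would flag before the fixes are applied. The sample web.config fragments and response headers are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from a real application): debugging is
# still on and the ASP.NET version header has not been turned off.
WEAK_WEB_CONFIG = """<configuration><system.web>
  <compilation debug="true" targetFramework="4.5" />
</system.web></configuration>"""

# The same file after applying both fixes from the post.
HARDENED_WEB_CONFIG = """<configuration><system.web>
  <compilation debug="false" targetFramework="4.5" />
  <httpRuntime enableVersionHeader="false" />
</system.web></configuration>"""

def audit_web_config(xml_text):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    root = ET.fromstring(xml_text)
    system_web = next((e for e in root if e.tag == "system.web"), None)
    if system_web is None:
        return ["no <system.web> section found"]
    compilation = system_web.find("compilation")
    # ASP.NET treats a missing debug attribute as false, so only an explicit
    # debug="true" is reported.
    if compilation is not None and compilation.get("debug", "false").lower() == "true":
        findings.append('compilation debug="true": set debug="false"')
    http_runtime = system_web.find("httpRuntime")
    # enableVersionHeader defaults to true, so a missing element or attribute
    # means X-AspNet-Version is still sent.
    if http_runtime is None or http_runtime.get("enableVersionHeader", "true").lower() != "false":
        findings.append('httpRuntime enableVersionHeader is not "false": X-AspNet-Version is sent')
    return findings

# Response headers that disclose platform details. The two fixes above remove
# X-AspNet-Version and X-AspNetMvc-Version; Server and X-Powered-By come from
# IIS itself and need separate IIS-level configuration (not covered in the post).
DISCLOSURE_HEADERS = ("x-aspnet-version", "x-aspnetmvc-version", "x-powered-by", "server")

def find_disclosure_headers(headers):
    """Return the names of headers (name -> value dict) that disclose platform details."""
    return sorted(name for name in headers if name.lower() in DISCLOSURE_HEADERS)

# Constructed sample response headers, as a scanner would see them before the fixes.
SAMPLE_RESPONSE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "Microsoft-IIS/8.5",
                           "X-AspNet-Version": "4.0.30319", "X-AspNetMvc-Version": "5.2"}

if __name__ == "__main__":
    for finding in audit_web_config(WEAK_WEB_CONFIG):
        print("web.config:", finding)
    for name in find_disclosure_headers(SAMPLE_RESPONSE_HEADERS):
        print("disclosing header:", name)
```

Point audit_web_config at the text of a real web.config (for example from a CI step) to catch a debug build before it reaches production.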
Remote Management Service Accepting Unencrypted Credentials Detected
Threat
A remote management service (Telnet, FTP) accepts unencrypted credentials. A malicious user or bot can easily intercept unencrypted passwords during transmission and gain unauthorized access.
Solution
Use alternate services that provide encryption. The most common case is an FTP service running within IIS; the solution to this problem is to use SFTP instead of FTP.
Tools To Check Vulnerability Issues
A free online service to test the configuration of any SSL web server.