E. Security Architecture
Authentication
Anonymous: Use only when there is no secured content on the website, such as public-facing internet sites.
Windows: Must be used if you have a Windows AD infrastructure.
Forms: Use if you do not have a Windows AD infrastructure or need to use SSO.
Federated, SSO and Enterprise SSO
ASP.Net Authentication Providers
Forms Authentication Provider
Windows Authentication Provider
Authorization
URL Authorization: Supports user-level, role-based and verb-based authorization.
ACL-Based Authorization: Uses file-system ACLs.
ASP.NET Impersonation: Can be used to propagate the credentials of the requesting user.
Sitemap Trimming: Prevents unauthorized users from seeing your site pages.
Cookie Security
Replay Attack
Cookie tampering attack
HTTP Only Cookie
View State Security
MAC Protection
View State Encryption
Control State Encryption
Per-user View State Encoding
Web Config Encryption
Worker Process Identity
Common ASP.Net Security Attacks
SQL & Script Injection:
This is the most commonly exploited ASP.NET security vulnerability.
The most common preventive measures are:
Request Validation, which can be applied even at the per-control level
Output encoding
Attribute encoding
CSS encoding
JavaScript encoding
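An added example, not code from the original notes, showing the two preventive measures above in working C#: a parameterised SqlCommand in place of string concatenation (the input never becomes part of the SQL text), and System.Web.HttpUtility encoders chosen per output context (HTML body, HTML attribute, JavaScript string). The table and column names, connection string and search term are constructed; the command is built but not executed, so no database is needed. CSS encoding has no System.Web encoder; the AntiXSS library's Microsoft.Security.Application.Encoder.CssEncode covers that context and is not used here.

```csharp
// Added example (not from the original notes): parameterised SQL plus context-specific
// output encoding. Names, connection string and the sample search term are constructed.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class InjectionDefence
{
    // Vulnerable pattern: concatenation lets the search term rewrite the query.
    public static string UnsafeQueryText(string term)
    {
        return "SELECT Id, Title FROM Articles WHERE Title LIKE '%" + term + "%'";
    }

    // Safe pattern: the command text is constant and the term travels as a typed parameter.
    public static SqlCommand SafeQuery(SqlConnection conn, string term)
    {
        var cmd = new SqlCommand("SELECT Id, Title FROM Articles WHERE Title LIKE @pattern", conn);
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + term + "%";
        return cmd;
    }

    // One encoder per output context; HTML-body encoding is not enough for attributes or script.
    public static string HtmlBody(string s) { return HttpUtility.HtmlEncode(s); }
    public static string HtmlAttribute(string s) { return HttpUtility.HtmlAttributeEncode(s); }
    public static string JavaScriptString(string s) { return HttpUtility.JavaScriptStringEncode(s, true); }

    // Hypothetical page fragment that echoes the term in three different contexts.
    public static string RenderResult(string term)
    {
        return "<p>Results for " + HtmlBody(term) + "</p>\n"
             + "<input type=\"text\" value=\"" + HtmlAttribute(term) + "\" />\n"
             + "<script>var lastSearch = " + JavaScriptString(term) + ";</script>";
    }

    public static void Main()
    {
        // Constructed input that mixes SQL and HTML metacharacters to show what each defence does.
        string term = "<b onmouseover=\"x()\">' OR 1=1 --";

        Console.WriteLine("Unsafe text : " + UnsafeQueryText(term));
        using (var conn = new SqlConnection("Server=(local);Database=App;Integrated Security=SSPI"))
        {
            SqlCommand cmd = SafeQuery(conn, term);
            Console.WriteLine("Safe text   : " + cmd.CommandText);
            Console.WriteLine("@pattern    : " + cmd.Parameters["@pattern"].Value);
        }
        Console.WriteLine(RenderResult(term));
    }
}
```

Compile with a reference to System.Web.dll; the connection string uses a trusted connection rather than an embedded password, in line with the best practices later in these notes.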
Phishing Attack
DoS attack by posting large form data
Request Validation
Cross Site Scripting
Cross-site request forgery (CSRF) attack: The latest version of the ASP.NET project template supports CSRF protection by default.
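The CSRF protection the Web Forms project template wires into its master page, reconstructed here as an added example (it is not copied from these notes and is not the template's exact code). It also demonstrates Per-user View State Encoding from the View State Security section above and the HTTP-only cookie from Cookie Security, because the same per-user token is written to an HttpOnly cookie and assigned to Page.ViewStateUserKey, so the view state MAC binds every postback to that user. The class name SiteMaster and the cookie and view state keys are assumptions; token generation with RNGCryptoServiceProvider is this example's choice.

```csharp
// Added example (not from the original notes): anti-CSRF token bound to view state in a
// Web Forms master page. SiteMaster and the key names are assumptions for this example.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class SiteMaster : MasterPage
{
    private const string AntiXsrfTokenKey = "__AntiXsrfToken";
    private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
    private string _antiXsrfTokenValue;

    protected void Page_Init(object sender, EventArgs e)
    {
        HttpCookie requestCookie = Request.Cookies[AntiXsrfTokenKey];
        if (requestCookie != null && IsWellFormedToken(requestCookie.Value))
        {
            _antiXsrfTokenValue = requestCookie.Value;
        }
        else
        {
            _antiXsrfTokenValue = NewToken();
            var responseCookie = new HttpCookie(AntiXsrfTokenKey)
            {
                Value = _antiXsrfTokenValue,
                HttpOnly = true,   // not readable by script (Cookie Security: HTTP Only Cookie)
                Secure = FormsAuthentication.RequireSSL && Request.IsSecureConnection
            };
            Response.Cookies.Set(responseCookie);
        }
        // Per-user view state: the MAC now covers this key, so view state captured from
        // another session, or posted without the matching cookie, fails validation.
        Page.ViewStateUserKey = _antiXsrfTokenValue;
        Page.PreLoad += master_Page_PreLoad;
    }

    private void master_Page_PreLoad(object sender, EventArgs e)
    {
        string userName = Context.User.Identity.Name ?? string.Empty;
        if (!IsPostBack)
        {
            // First render: stamp the token and the user into (MAC-protected) view state.
            ViewState[AntiXsrfTokenKey] = _antiXsrfTokenValue;
            ViewState[AntiXsrfUserNameKey] = userName;
        }
        else if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
                 || (string)ViewState[AntiXsrfUserNameKey] != userName)
        {
            // Postback whose view state was not issued to this cookie holder / user.
            throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
        }
    }

    // 128-bit random token from the platform CSPRNG, hex encoded.
    private static string NewToken()
    {
        var bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        return BitConverter.ToString(bytes).Replace("-", string.Empty);
    }

    // Only accept a cookie value in the exact shape we issue; anything else gets reissued.
    private static bool IsWellFormedToken(string value)
    {
        if (value == null || value.Length != 32) return false;
        foreach (char c in value) if (!Uri.IsHexDigit(c)) return false;
        return true;
    }
}
```

Because the check lives in the master page, every content page inherits it; the throw in PreLoad happens before any page event handler runs, so a forged postback never reaches application code.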
Security Best Practices
Do not trust any user input: always validate user input and encode any text before it is displayed on the page.
WindowsTokenRoleProvider: If we are using Windows authentication, we should try to use the built-in configuration-based (web.config) authorization instead of explicitly using the WindowsTokenRoleProvider class.
Mark your cookie HttpOnly: Always mark your cookie HttpOnly so that it can be accessed only via HTTP, not by script.
Always turn off tracing in the production environment.
Always turn on custom errors in the production environment.
Use the <deployment retail="true"/> switch in machine.config.
Always use ASP.NET Request Validation.
Keep the maximum request limit reasonable to prevent DoS attacks.
Prefer turning off UseUnsafeHeaderParsing, which prevents script injection attacks.
Prefer setting the SlidingExpiration property to false; this can improve the security of an application by limiting the time for which an authentication cookie is valid to the configured timeout value.
Do not prefer cookieless authentication (i.e. the auth code carried in the URL); it can lead to replay attacks.
Protect your cookie by setting protection mode = Encryption and Validation.
If required, explicitly use attribute encoding, because not all properties of ASP.NET controls are encoded.
Use the Anti-Cross Site Scripting Library.
Prefer using the X-Frame-Options (XFO) header set to SAMEORIGIN; this prevents clickjacking.
Prefer using a trusted connection (Windows Authentication) in place of user name/password in connection strings.
Always verify that the Elmah logging libraries in the ASP.NET website are secured; failing to do so can expose sensitive information.
Do not ever set EnableViewStateMac to false, because it may break the application in future as MS is planning to deprecate it.
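As an added example (not part of these notes and not a Microsoft tool), the following C# audit reads a web.config and reports every setting from the Authorization, Cookie Security, View State Security, Web Config Encryption and Security Best Practices sections above that is not at its hardened value, printing the weak value beside the recommended one. It parses the file as XML with System.Xml.Linq, so it needs no IIS. The embedded weak web.config is constructed for this example; the element and attribute names and defaults are the standard ASP.NET ones, and the 10240 KB request-size threshold is an assumption. Settings that live only in machine.config, such as <deployment retail="true"/>, are outside what a web.config audit can see.

```csharp
// Added example (not from the original notes): web.config audit for the hardening settings
// listed in this document. The embedded weak configuration is constructed; the 10240 KB
// request-size threshold is an assumption.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class WebConfigAudit
{
    // Constructed, deliberately weak web.config that trips every check below.
    public const string WeakConfig = @"<?xml version=""1.0""?>
<configuration>
  <connectionStrings>
    <add name=""Main"" connectionString=""Server=db;Database=App;User Id=app;Password=example"" />
  </connectionStrings>
  <system.web>
    <authentication mode=""Forms"">
      <forms loginUrl=""~/Login.aspx"" cookieless=""AutoDetect"" protection=""Validation""
             slidingExpiration=""true"" requireSSL=""false"" />
    </authentication>
    <authorization><allow users=""*"" /></authorization>
    <httpCookies httpOnlyCookies=""false"" />
    <pages enableViewStateMac=""false"" viewStateEncryptionMode=""Never"" />
    <trace enabled=""true"" localOnly=""false"" />
    <customErrors mode=""Off"" />
    <httpRuntime maxRequestLength=""2097151"" />
  </system.web>
</configuration>";

    // One finding per weak setting, as "element/attribute: actual -> recommended".
    public static List<string> Audit(string configXml)
    {
        var findings = new List<string>();
        XElement root = XDocument.Parse(configXml).Root;
        XElement web = root.Element("system.web") ?? new XElement("system.web");

        // Web Config Encryption: aspnet_regiis -pe stamps configProtectionProvider on an
        // encrypted section; a visible password also means no trusted connection is used.
        XElement cs = root.Element("connectionStrings");
        if (cs != null)
        {
            if (cs.Attribute("configProtectionProvider") == null)
                findings.Add("connectionStrings: section not encrypted -> aspnet_regiis -pe connectionStrings");
            if (cs.Elements("add").Any(a => Attr(a, "connectionString").IndexOf("password=", StringComparison.OrdinalIgnoreCase) >= 0))
                findings.Add("connectionStrings: clear-text password -> Integrated Security=SSPI");
        }

        // Forms authentication cookie: cookies only (no URL ticket), encrypted and validated,
        // fixed lifetime, HTTPS only. Only checked when forms authentication is in use.
        XElement authn = web.Element("authentication") ?? new XElement("authentication");
        if (Attr(authn, "mode", "Windows").Equals("Forms", StringComparison.OrdinalIgnoreCase))
        {
            Expect(findings, authn, "forms", "cookieless", "UseCookies", "UseDeviceProfile");
            Expect(findings, authn, "forms", "protection", "All", "All");
            Expect(findings, authn, "forms", "slidingExpiration", "false", "true");
            Expect(findings, authn, "forms", "requireSSL", "true", "false");
        }

        // URL authorization: with no <deny> rule every user, anonymous included, is allowed.
        XElement authz = web.Element("authorization");
        if (authz == null || !authz.Elements("deny").Any())
            findings.Add("authorization: no <deny> rule -> add <deny users=\"?\" /> and allow per role");

        Expect(findings, web, "httpCookies", "httpOnlyCookies", "true", "false");
        Expect(findings, web, "pages", "enableViewStateMac", "true", "true");
        Expect(findings, web, "pages", "viewStateEncryptionMode", "Always", "Auto");
        Expect(findings, web, "trace", "enabled", "false", "false");

        if (Attr(web.Element("customErrors"), "mode", "RemoteOnly").Equals("Off", StringComparison.OrdinalIgnoreCase))
            findings.Add("customErrors/mode: Off -> On or RemoteOnly");

        // maxRequestLength is in KB; the framework default is 4096.
        int maxKb;
        if (int.TryParse(Attr(web.Element("httpRuntime"), "maxRequestLength", "4096"), out maxKb) && maxKb > 10240)
            findings.Add("httpRuntime/maxRequestLength: " + maxKb + " KB -> keep close to the 4096 KB default");

        // Clickjacking: this audit only sees the header when IIS emits it via customHeaders.
        XElement headers = root.Element("system.webServer")?.Element("httpProtocol")?.Element("customHeaders");
        if (headers == null || !headers.Elements("add").Any(a => Attr(a, "name").Equals("X-Frame-Options", StringComparison.OrdinalIgnoreCase)))
            findings.Add("customHeaders: X-Frame-Options missing -> SAMEORIGIN");

        return findings;
    }

    // Attribute value, or the framework default when the element or attribute is absent.
    private static string Attr(XElement e, string name, string dflt = "")
    {
        XAttribute a = e?.Attribute(name);
        return a == null ? dflt : a.Value;
    }

    private static void Expect(List<string> findings, XElement parent, string element,
                               string attr, string expected, string dflt)
    {
        string actual = Attr(parent.Element(element), attr, dflt);
        if (!actual.Equals(expected, StringComparison.OrdinalIgnoreCase))
            findings.Add(element + "/" + attr + ": " + actual + " -> " + expected);
    }

    public static void Main()
    {
        foreach (string finding in Audit(WeakConfig)) Console.WriteLine(finding);
    }
}
```

Each line of output is one item from the list above that still needs attention; a hardened file produces no output. Replace WeakConfig with the text of a real web.config to audit it.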
Related Tools
http://nwebsec.codeplex.com/: a tool that helps secure your ASP.NET website by manipulating various security options.
https://asafaweb.com: a site that dynamically tests your website for the most common types of security vulnerability.
Further Discussion
How authorization differs in IIS6 vs IIS7
URL authorization does not work for static content by default
How to use role based security with forms authentication
How can we explicitly configure membership providers
How can we explicitly configure Role providers
Where to define how the cookie is secured (Role Manager)