11.07.2015

Improving Web Application Security: Threats and - CGISecurity

Chapter 19: Securing Your ASP.NET Application and Web Services 571

If you set validation="3DES" on the element, then page-level view state is encrypted (which also provides integrity checking) using the 3DES algorithm, even if the element is configured for view state MACs.

Generate Keys Manually For Web Farms

In Web farms, you must set explicit key values and use the same ones across all machines in the Web farm. See "Web Farm Considerations" later in this chapter.

Debugging

The element controls compiler settings that are used for dynamic page compilation, which is initiated when a client requests a Web page (.aspx file) or Web service (.asmx file). It is important that debug builds are not used on the production server because debug information is valuable to attackers and can reveal source code details.

This element controls the compilation process. Make sure that debug compiles are disabled on production servers. Set debug="false" as follows:

By default, temporary files are created and compiled in the following directory:

%winnt%\Microsoft.NET\Framework\{version}\Temporary ASP.NET Files

You can specify the location on a per-application basis using the tempDirectory attribute, although this provides no security benefit.

Note The ASP.NET process identity specified on the element requires Full Control access rights on the temporary compilation directory.

Make sure you do not store debug files (with .pdb extensions) on a production server with your assemblies.

Tracing

Tracing should not be enabled on production servers because system-level trace information can greatly help an attacker profile an application and probe for weak spots.
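The three production settings this page covers (debug compiles, tracing, and explicit machineKey values in a Web farm) are easy to overlook in a large web.config, so here is an added example, not from the book or from Microsoft, of a small Python checker that parses a web.config and reports the risky values. The two config fragments are constructed samples: the weak one shows the settings the text warns about, the hardened one shows the corrected values, with obviously labelled placeholders where real key material would go. The defaults the checker assumes for missing attributes (debug and trace off, localOnly true, keys auto-generated) are ASP.NET's documented defaults, stated in the docstring as assumptions.

```python
"""Audit an ASP.NET web.config for the production settings discussed above:
debug compiles, tracing, and auto-generated machineKey values in a Web farm."""
import xml.etree.ElementTree as ET


def _child(parent, tag):
    """Return the first direct child with the given tag, or None."""
    if parent is None:
        return None
    for el in parent:
        if el.tag == tag:
            return el
    return None


def _attr(el, name, default=""):
    """Attribute lookup that tolerates a missing element (returns the assumed default)."""
    return default if el is None else el.get(name, default)


def audit_web_config(xml_text, web_farm=False):
    """Return a list of (code, message) findings; an empty list means nothing was flagged.

    Assumed defaults for missing attributes (ASP.NET's documented defaults, treated
    here as assumptions): compilation debug "false", trace enabled "false",
    trace localOnly "true", machineKey validationKey/decryptionKey "AutoGenerate,IsolateApps".
    """
    root = ET.fromstring(xml_text)
    system_web = _child(root, "system.web")
    if system_web is None:
        return [("no-system-web", "no <system.web> section found")]

    findings = []

    # Debug builds on a production server reveal source-code details.
    compilation = _child(system_web, "compilation")
    if _attr(compilation, "debug", "false").lower() == "true":
        findings.append(("compilation-debug",
                         'compilation debug="true": set debug="false" on production servers'))

    # Trace output helps an attacker profile the application; remote viewing is worse.
    trace = _child(system_web, "trace")
    if _attr(trace, "enabled", "false").lower() == "true":
        local_only = _attr(trace, "localOnly", "true").lower() == "true"
        scope = "local clients only" if local_only else "remote clients as well"
        findings.append(("trace-enabled",
                         f'trace enabled="true" (viewable by {scope}): disable tracing on production servers'))

    # In a Web farm every machine must share the same explicit keys.
    if web_farm:
        machine_key = _child(system_web, "machineKey")
        if machine_key is None:
            findings.append(("machinekey-missing",
                             "no machineKey element: Web farms need explicit, identical keys on every machine"))
        else:
            for key_name in ("validationKey", "decryptionKey"):
                if "AutoGenerate" in _attr(machine_key, key_name, "AutoGenerate,IsolateApps"):
                    findings.append((f"machinekey-autogenerate-{key_name}",
                                     f"machineKey {key_name} is auto-generated: each farm member "
                                     f"would use a different key, so explicit shared keys are required"))
    return findings


# Constructed sample: the settings the chapter warns against on a production server.
WEAK_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" />
    <trace enabled="true" localOnly="false" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" />
  </system.web>
</configuration>"""

# Constructed sample: corrected values. The key attributes are placeholders, not real keys.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" />
    <trace enabled="false" />
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
                validation="3DES" />
  </system.web>
</configuration>"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for code, message in audit_web_config(cfg, web_farm=True) or [("ok", "no findings")]:
            print(f"  {code}: {message}")
```

Run it against a real web.config by reading the file into `audit_web_config`; pass `web_farm=True` only for applications deployed across several machines, since a single server can safely rely on auto-generated keys.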
