CAT.NET configuration rules
Syed Aslam Basha here from the Information Security Tools Team.
This post lists the configuration rules that CAT.NET evaluates against web.config and other .NET configuration files. Each rule is given below with its rule name, title, description and resolution. In the resolution text, {0} and {1} are placeholders that the tool fills with the configuration file name and the line number of the finding, and each resolution ends with the SuppressMessageAttribute that silences the warning when the setting is intentional.

Rule name: PagesValidateRequestDisabledRule
Title: Avoid disabling request validation using the <pages> element
Description: The validateRequest attribute of the <pages> element determines whether ASP.NET examines input from the browser (query string, form fields and cookies) for potentially dangerous values such as HTML markup and script. Request validation is a defense-in-depth measure against cross-site scripting; it does not replace output encoding. For more information on this attribute see https://msdn.microsoft.com/en-us/library/system.web.configuration.pagessection.validaterequest.aspx.
Resolution: Set the validateRequest attribute to true in the {0} file at line {1}. Ex: <configuration><system.web><pages validateRequest="true" /></system.web></configuration>. If a single page must accept markup, disable validation for that page only (ValidateRequest="false" in its @ Page directive) rather than for the whole site. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11001:PagesValidateRequestDisabledRule")] in your code.

Rule name: CompilationDebugEnabledRule
Title: Avoid enabling the debug attribute in the <compilation> element
Description: Setting <configuration><system.web><compilation debug="true"> in web.config compiles the application with debug symbols and turns off several production behaviours: request execution timeouts are not enforced, batch compilation is disabled, and more detailed error and stack information becomes available to the client. None of this is required for normal execution of the program.
Resolution: Set the debug attribute to false in the {0} file at line {1}. Ex: <configuration><system.web><compilation debug="false" /></system.web></configuration>. On production servers, <deployment retail="true" /> in machine.config forces debug off for every application regardless of what each web.config says. If debugging is required, suppress this warning with SuppressMessageAttribute: [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11002:CompilationDebugEnabledRule")]

Rule name: FormsAuthenticationRequireSSLRule
Title: Avoid disabling the requireSSL attribute in the <forms> element
Description: The requireSSL attribute of the <forms> element determines whether SSL (Secure Sockets Layer) is required to return the forms-authentication cookie. When true, the cookie is issued with the Secure flag and the browser sends it only over an encrypted connection; without it, the authentication ticket travels in the clear on any plain HTTP request to the site and can be captured and replayed. For more information on this attribute see https://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.requiressl.aspx.
Resolution: Set the requireSSL attribute to true in the {0} file at line {1}. Ex: <configuration><system.web><authentication><forms requireSSL="true" /></authentication></system.web></configuration>. If SSL cannot be used, suppress this warning with SuppressMessageAttribute by placing [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11003:FormsAuthenticationRequireSSLRule")] in your code.

Rule name: PagesViewstateEncryptionModeRule
Title: Set the view state encryption mode to Always in the <pages> element
Description: The viewStateEncryptionMode attribute of the <pages> element controls whether the view-state information in a Page object is encrypted. The values are Always, Never and Auto (the default); Auto encrypts only when a control on the page explicitly requests it, so data that controls place in view state is otherwise readable by anyone who base64-decodes the __VIEWSTATE field. For more information on this attribute see https://msdn.microsoft.com/en-us/library/system.web.ui.viewstateencryptionmode.aspx.
Resolution: Set the viewStateEncryptionMode attribute to Always in the {0} file at line {1} (the attribute name is case-sensitive). Ex: <configuration><system.web><pages viewStateEncryptionMode="Always" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("WebSecurity.Configuration", "WebConfig:PagesViewstateEncryptionMode")] in your code.

Rule name: PagesEnableViewStateRule
Title: Avoid disabling view state using the <pages> element
Description: The enableViewState attribute of the <pages> element specifies whether view state is enabled and maintained across page requests. Turning it off for the whole application tends to push page state into ad hoc hidden fields or query-string parameters that lack the tamper protection (MAC) and optional encryption ASP.NET applies to view state; disable it per page or per control where the state is genuinely not needed.
Resolution: Set the enableViewState attribute to true in the {0} file at line {1}. Ex: <configuration><system.web><pages enableViewState="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11005:PagesEnableViewStateRule")] in your code.

Rule name: PagesEnableViewStateMacRule
Title: Avoid disabling enableViewStateMac using the <pages> element
Description: The enableViewStateMac attribute of the <pages> element specifies whether ASP.NET computes and checks a message authentication code (MAC) on the view state when the page is posted back from the client. When true, the view state (encrypted or not) is verified against the machineKey validationKey to confirm it has not been tampered with on the client. With the MAC disabled, a client can submit arbitrary view state of its own construction, which is serious enough that later ASP.NET updates (Microsoft Security Advisory 2905247) ignore enableViewStateMac="false" and always enforce the MAC.
Resolution: Set the enableViewStateMac attribute to true in the {0} file at line {1}. Ex: <configuration><system.web><pages enableViewStateMac="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11006:PagesEnableViewStateMacRule")] in your code.

Rule name: PagesEnableEventValidationRule
Title: Avoid disabling enableEventValidation using the <pages> element
Description: The enableEventValidation attribute of the <pages> element specifies whether pages and controls validate postback and callback events, that is, whether the control and argument submitted by the client correspond to something the server actually rendered. With it disabled, a client can post back a value the page never offered, such as an option that was not in a DropDownList.
Resolution: Set the enableEventValidation attribute to true in the {0} file at line {1}. Ex: <configuration><system.web><pages enableEventValidation="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11007:PagesEnableEventValidationRule")] in your code.

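The seven <pages> and <compilation> rules above all follow the same pattern: look up an element, read an attribute, and compare it with a secure value, treating an absent attribute as the ASP.NET default. The following Python script is an added example written for this page, not CAT.NET's own code. Its RULES table is a hand-written transcription of those rules (rule name, element path, attribute, secure value, and the value ASP.NET assumes when the attribute is missing), and the two sample web.config files are constructed for the demonstration.

```python
"""Rule-driven audit of the <pages> and <compilation> settings in a web.config.

Added example written for this page, not CAT.NET's own code: RULES is a
hand-written transcription of the seven rules above, and the two sample
configs are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET
from typing import List

RULES = [
    # rule name, path under <configuration>, attribute, secure value, ASP.NET default
    ("PagesValidateRequestDisabledRule", "system.web/pages", "validateRequest", "true", "true"),
    ("CompilationDebugEnabledRule", "system.web/compilation", "debug", "false", "false"),
    ("PagesViewstateEncryptionModeRule", "system.web/pages", "viewStateEncryptionMode", "Always", "Auto"),
    ("PagesEnableViewStateRule", "system.web/pages", "enableViewState", "true", "true"),
    ("PagesEnableViewStateMacRule", "system.web/pages", "enableViewStateMac", "true", "true"),
    ("PagesEnableEventValidationRule", "system.web/pages", "enableEventValidation", "true", "true"),
]


def audit(config_xml: str) -> List[str]:
    """Return the names of the rules that the given web.config text violates.

    A missing element or attribute is scored against the ASP.NET default, so a
    config that never mentions <pages> passes the MAC and event-validation
    rules (default true) but fails viewStateEncryptionMode (default Auto).
    """
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        raise ValueError("root element is not <configuration>")
    findings = []
    for rule, path, attr, secure, default in RULES:
        element = root.find(path)
        actual = default if element is None else element.get(attr, default)
        # Lenient comparison: ASP.NET itself rejects a mis-cased enum value.
        if actual.strip().lower() != secure.lower():
            findings.append(rule)
    return findings


# Constructed sample: the settings a developer leaves behind after debugging.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <pages validateRequest="false" enableViewStateMac="false" />
  </system.web>
</configuration>"""

# Constructed sample: the same file after applying the resolutions above.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.0" />
    <pages validateRequest="true" enableViewState="true" enableViewStateMac="true"
           enableEventValidation="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Extending the table to the other rules on this page is a matter of adding rows, as long as the default column is filled in honestly: most attributes here default to their secure value, so the interesting findings are the ones where the default itself is weak, such as viewStateEncryptionMode.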
Rule name: AnonymousIdentificationCookielessRule
Title: Avoid using the URI to store anonymous identifiers in the <anonymousIdentification> element
Description: The cookieless attribute of the <anonymousIdentification> element specifies whether cookies are used to carry the anonymous identifier. Its value is one of the HttpCookieMode values (UseCookies, UseUri, AutoDetect, UseDeviceProfile), the same enumeration used by all features that support cookieless operation. With AutoDetect, ASP.NET queries the browser or device to determine whether it supports cookies; if it does, cookies are used to persist user data, otherwise the identifier is embedded in the URL. An identifier in the URL leaks through Referer headers, browser history, proxy logs and shared links, and makes it trivial to hand another user a fixed identifier. More information can be found at https://msdn.microsoft.com/en-us/library/91ka2e6a.aspx.
Resolution: Set the cookieless attribute to UseCookies in the {0} file at line {1}. Ex: <configuration><system.web><anonymousIdentification cookieless="UseCookies" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11008:AnonymousIdentificationCookielessRule")] in your code.

Rule name: AnonymousIdentificationCookieProtectionRule
Title: Avoid disabling anonymous identification cookie protection in the <anonymousIdentification> element
Description: The cookieProtection attribute of the <anonymousIdentification> element specifies the cookie protection scheme: None, Validation (signed so that tampering is detected), Encryption, or All (encrypted and signed). Anything less than All lets a client read or alter the identifier. More information can be found at https://msdn.microsoft.com/en-us/library/91ka2e6a.aspx.
Resolution: Set cookieProtection to All in the {0} file at line {1}. Ex: <configuration><system.web><anonymousIdentification cookieProtection="All" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11009:AnonymousIdentificationCookieProtectionRule")] in your code.

Rule name: AnonymousIdentificationCookieRequireSSL
Title: Avoid disabling the cookieRequireSSL attribute in the <anonymousIdentification> element
Description: The cookieRequireSSL attribute of the <anonymousIdentification> element specifies whether the anonymous identification cookie requires a Secure Sockets Layer (SSL) connection when it is transmitted to the client. When true, ASP.NET sets the Secure property on the cookie, so the client does not return it unless an SSL connection is in use. More information can be found at https://msdn.microsoft.com/en-us/library/91ka2e6a.aspx.
Resolution: Set the cookieRequireSSL attribute to true in the {0} file at line {1}. Ex: <configuration><system.web><anonymousIdentification cookieRequireSSL="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11010:AnonymousIdentificationCookieRequireSSL")] in your code.

Rule name: BindingSecurityLocalClientDetectReplayRule
Title: Avoid disabling the detectReplays attribute in the <localClientSettings> element
Description: The detectReplays attribute of the <localClientSettings> element of a WCF custom binding is a Boolean value that specifies whether replay attacks against the channel are detected and dealt with automatically. When enabled, the channel keeps a cache of nonces from recently received messages and rejects a repeat within the configured replayWindow; the related replayCacheSize and maxClockSkew attributes size the cache and bound the clock difference tolerated between the two sides.
Resolution: Set the detectReplays attribute to true in the {0} file at line {1}. Ex: <configuration><system.serviceModel><bindings><customBinding><binding><security><localClientSettings detectReplays="true" /></security></binding></customBinding></bindings></system.serviceModel></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11011:BindingSecurityLocalClientDetectReplayRule")] in your code.

Rule name: BindingSecurityLocalServiceDetectReplayRule
Title: Avoid disabling the detectReplays attribute in the <localServiceSettings> element
Description: The detectReplays attribute of the <localServiceSettings> element is the service-side counterpart of the client setting above: a Boolean value that specifies whether replay attacks against the channel are detected and dealt with automatically. Both sides of a channel should have it enabled; a service that does not detect replays accepts a captured, validly signed message a second time.
Resolution: Set the detectReplays attribute to true in the {0} file at line {1}. Ex: <configuration><system.serviceModel><bindings><customBinding><binding><security><localServiceSettings detectReplays="true" /></security></binding></customBinding></bindings></system.serviceModel></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11012:BindingSecurityLocalServiceDetectReplayRule")] in your code.

Rule name: ClearTextConnectionStringRule
Title: Always encrypt database connection strings
Description: A connection string defined in the configuration file is in clear text, so anyone who can read web.config (through a path disclosure bug, a backup copy or source control) obtains the database credentials. Always encrypt the connectionStrings section using the aspnet_regiis.exe tool with either the RSA or the DPAPI protected-configuration provider.
Resolution: Encrypt the connection string in the {0} file at line {1}. The connectionStrings section can be encrypted in place with the aspnet_regiis.exe tool (its -pe switch), and the application decrypts it transparently at run time. DPAPI ties the key to the machine, while RSA uses a key container that can be exported to every server in a web farm. More information on how to encrypt with RSA can be found at https://msdn.microsoft.com/en-us/library/ms998283.aspx. More information on how to encrypt with DPAPI can be found at https://msdn.microsoft.com/en-us/library/ms998280.aspx. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11013:ClearTextConnectionStringRule")] in your code.

Rule name: CustomErrorsDisabledRule
Title: Always enable custom errors to return generic error information
Description: The mode attribute of the <customErrors> element specifies whether custom errors are enabled (On), disabled (Off), or shown only to remote clients (RemoteOnly). With mode="Off", an unhandled exception returns the ASP.NET error page to every client, including the stack trace, source snippets and physical paths. More information can be found at https://msdn.microsoft.com/en-us/library/h0hfz6fc.aspx.
Resolution: Set the mode attribute to On in the {0} file at line {1}. Ex: <configuration><system.web><customErrors mode="On" /></system.web></configuration>. RemoteOnly is acceptable where detailed errors are wanted for requests made from the server itself. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11014:CustomErrorsDisabledRule")] in your code.

Rule name: DenyAnonymousAccessRule
Title: Always deny anonymous access using the <deny> element
Description: The users attribute of the <deny> element under <authorization> lists the users who are denied access to the application's resources; the wildcard * means all users and ? means anonymous (unauthenticated) users. ASP.NET evaluates <allow> and <deny> rules top-down and the first match wins, and the machine-level configuration ends with <allow users="*" />, so an application that does not deny explicitly allows everyone, anonymous users included. More information can be found at https://msdn.microsoft.com/en-us/library/8aeskccd.aspx.
Resolution: Define an authorization <deny> element with the users attribute set to * in the {0} file at line {1}, placed after the <allow> entries for the users and roles that should have access. Ex: <configuration><system.web><authorization><deny users="*" /></authorization></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11015:DenyAnonymousAccessRule")] in your code.

Rule name: DenyUnAuthenticatedUsersRule
Title: Always deny unauthenticated users access using the <deny> element
Description: <deny users="?" /> denies the anonymous (unauthenticated) user while leaving authenticated users to the rules that follow; it is the usual rule for an application in which everything requires a login. As with all authorization rules, position matters: it must come before any <allow users="*" />. More information can be found at https://msdn.microsoft.com/en-us/library/8aeskccd.aspx.
Resolution: Define an authorization <deny> element with the users attribute set to ? in the {0} file at line {1}. Ex: <configuration><system.web><authorization><deny users="?" /></authorization></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11016:DenyUnAuthenticatedUsersRule")] in your code.

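The two authorization rules above are easy to get wrong in a way that no syntax check catches: the difference between * and ?, and the fact that the first matching rule wins. The Python model below is an added example written for this page; it re-implements the first-match semantics in simplified form and is not ASP.NET's UrlAuthorizationModule. The <authorization> fragments, user names and role names are made up.

```python
"""Model of how ASP.NET URL authorization evaluates <allow> and <deny> rules.

Added example written for this page; a simplified re-implementation of the
first-match semantics, not ASP.NET's UrlAuthorizationModule.  The
<authorization> fragments, users and roles below are constructed.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Sequence, Tuple

Rule = Tuple[str, str, str]  # (action, users attribute, roles attribute)


def load_rules(authorization_xml: str) -> List[Rule]:
    """Read the <allow>/<deny> children of an <authorization> element in document order."""
    root = ET.fromstring(authorization_xml)
    return [(e.tag, e.get("users", ""), e.get("roles", ""))
            for e in root if e.tag in ("allow", "deny")]


def _split(attr: str) -> List[str]:
    return [item.strip() for item in attr.split(",") if item.strip()]


def _matches(rule: Rule, user: Optional[str], roles: Sequence[str]) -> bool:
    """True when the rule covers this request.  In the users list, '*' matches
    everyone and '?' matches only anonymous requests (user is None).
    Names and roles are compared case-insensitively here."""
    _, users, rule_roles = rule
    for name in _split(users):
        if name == "*":
            return True
        if name == "?" and user is None:
            return True
        if user is not None and name.lower() == user.lower():
            return True
    user_roles = {r.lower() for r in roles}
    return any(r.lower() in user_roles for r in _split(rule_roles))


def is_authorized(rules: List[Rule], user: Optional[str], roles: Sequence[str] = ()) -> bool:
    """Walk the rules top-down; the first matching rule decides.  If nothing
    matches, the implicit <allow users="*" /> from the root web.config applies."""
    for rule in rules:
        if _matches(rule, user, roles):
            return rule[0] == "allow"
    return True


# Constructed <authorization> sections.
ADMIN_ONLY = load_rules('<authorization><allow roles="Admins" /><deny users="*" /></authorization>')
# Same rules, wrong order: the deny-all matches first, so nobody gets in.
BROKEN_ORDER = load_rules('<authorization><deny users="*" /><allow roles="Admins" /></authorization>')
# Deny only the anonymous user; every authenticated user falls through to the implicit allow.
AUTHENTICATED_ONLY = load_rules('<authorization><deny users="?" /></authorization>')
# No deny at all: the allow is decorative, everyone passes.
NO_DENY = load_rules('<authorization><allow roles="Admins" /></authorization>')

if __name__ == "__main__":
    print("anonymous vs ADMIN_ONLY:", is_authorized(ADMIN_ONLY, None))
    print("admin vs BROKEN_ORDER:", is_authorized(BROKEN_ORDER, "alice", ["Admins"]))
    print("anonymous vs NO_DENY:", is_authorized(NO_DENY, None))
```

The NO_DENY case is the one CA11015 exists for: an <allow> on its own changes nothing, because the implicit allow-all at the end of the chain admits whoever the explicit rules did not mention.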
Rule name: DisableCrossApplicationRedirectRule
Title: Avoid enabling cross-application redirects in the <forms> element
Description: The enableCrossAppRedirects attribute of the <forms> element indicates whether, after login, authenticated users may be redirected to a ReturnUrl that points to another Web application. When it is false (the default), forms authentication only redirects to URLs within the current application; when true, a login link with an attacker-supplied ReturnUrl becomes an open redirect, and the authentication ticket may be passed between applications in the query string. More information can be found at https://msdn.microsoft.com/en-us/library/1d3t3c61.aspx.
Resolution: Set the enableCrossAppRedirects attribute to false in the {0} file at line {1}. Ex: <configuration><system.web><authentication><forms enableCrossAppRedirects="false" /></authentication></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11017:DisableCrossApplicationRedirectRule")] in your code.

Rule name: FormsProtectionAllRule
Title: Always set the protection attribute to All in the <forms> element
Description: The protection attribute of the <forms> element specifies how the forms-authentication ticket in the cookie is protected: All (encrypted and validated with a MAC, the default), Encryption, Validation, or None. Without validation the ticket can be modified by the client; without encryption its contents (user name, expiry, user data) are readable. More information can be found at https://msdn.microsoft.com/en-us/library/1d3t3c61.aspx.
Resolution: Set the protection attribute to All in the {0} file at line {1}. Ex: <configuration><system.web><authentication><forms protection="All" /></authentication></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11018:FormsProtectionAllRule")] in your code.

Rule name: HttpCookiesRequireSslRule
Title: Avoid disabling the requireSSL attribute in the <httpCookies> element
Description: The requireSSL attribute of the <httpCookies> element specifies whether every cookie the application issues is marked Secure, so that browsers return it only over Secure Sockets Layer (SSL) connections. It is the application-wide default that the per-feature cookieRequireSSL attributes refine. More information can be found at https://msdn.microsoft.com/en-us/library/ms228262.aspx.
Resolution: Set the requireSSL attribute to true in the {0} file at line {1}. Ex: <configuration><system.web><httpCookies requireSSL="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11019:HttpCookiesRequireSslRule")] in your code.

Rule name: HttpCookiesHttpOnlyRule
Title: Avoid disabling the httpOnlyCookies attribute in the <httpCookies> element
Description: The httpOnlyCookies attribute of the <httpCookies> element specifies whether cookies the application issues carry the HttpOnly attribute, which stops client-side script (document.cookie) from reading them and so limits what a cross-site scripting bug can steal. The forms-authentication cookie is always issued HttpOnly; this setting covers the rest. More information can be found at https://msdn.microsoft.com/en-us/library/ms228262.aspx.
Resolution: Set the httpOnlyCookies attribute to true in the {0} file at line {1}. Ex: <configuration><system.web><httpCookies httpOnlyCookies="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11020:HttpCookiesHttpOnlyRule")] in your code.

Rule name: HttpRuntimeEnableHeaderCheckingRule
Title: Avoid disabling the enableHeaderChecking attribute in the <httpRuntime> element
Description: The enableHeaderChecking attribute of the <httpRuntime> element specifies whether ASP.NET checks header values that the application sets (for example through Response.AppendHeader or a redirect) for carriage-return and line-feed characters, the building blocks of HTTP response splitting and header injection. When such characters are found, ASP.NET does not emit the header as given, so a value derived from user input cannot terminate the header and start a new one. More information can be found at https://msdn.microsoft.com/en-us/library/e1f13641.aspx.
Resolution: Set the enableHeaderChecking attribute to true in the {0} file at line {1}. Ex: <configuration><system.web><httpRuntime enableHeaderChecking="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11021:HttpRuntimeEnableHeaderCheckingRule")] in your code.

Rule name: HttpRuntimeEnableVersionHeaderRule
Title: Avoid enabling the enableVersionHeader attribute in the <httpRuntime> element
Description: The enableVersionHeader attribute of the <httpRuntime> element specifies whether ASP.NET adds the X-AspNet-Version header to every response. The header is used by Microsoft Visual Studio 2005 to determine which version of ASP.NET is in use; it is not necessary for production sites, tells an attacker exactly which framework build to target, and can be disabled. The Server and X-Powered-By headers come from IIS and are removed separately. More information can be found at https://msdn.microsoft.com/en-us/library/e1f13641.aspx.
Resolution: Set the enableVersionHeader attribute to false in the {0} file at line {1}. Ex: <configuration><system.web><httpRuntime enableVersionHeader="false" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11022:HttpRuntimeEnableVersionHeaderRule")] in your code.

Rule name: HttpWebRequestUseUnsafeHeaderParsingRule
Title: Avoid enabling the useUnsafeHeaderParsing attribute in the <httpWebRequest> element
Description: The useUnsafeHeaderParsing attribute of the <httpWebRequest> element specifies whether the HttpWebRequest client class accepts responses with malformed headers instead of failing with a protocol violation. It is a client-side setting: enabling it makes the application tolerant of non-compliant or malicious servers and should be reserved for a specific, understood interoperability problem. More information can be found at https://msdn.microsoft.com/en-us/library/65ha8tzh.aspx.
Resolution: Set the useUnsafeHeaderParsing attribute to false in the {0} file at line {1}. Ex: <configuration><system.net><settings><httpWebRequest useUnsafeHeaderParsing="false" /></settings></system.net></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11023:HttpWebRequestUseUnsafeHeaderParsingRule")] in your code.

Rule name: IE8XssProtectionDisabledRule
Title: Avoid disabling IE8 XSS protection using the <customHeaders> element
Description: The <customHeaders> element of <httpProtocol> lets an application add response headers, including X-XSS-Protection, which controls Internet Explorer 8's browser-based cross-site scripting filter; the value 0 turns the filter off for the site. More information about the header can be found at https://msdn.microsoft.com/en-us/library/dd565647(VS.85).aspx.
Resolution: Remove the custom header that disables IE XSS protection in the {0} file at line {1}, or change its value to enable the filter. The offending entry looks like <configuration><system.webServer><httpProtocol><customHeaders><add name="X-XSS-Protection" value="0" /></customHeaders></httpProtocol></system.webServer></configuration>; value="1; mode=block" enables the filter and blocks the page rather than attempting to rewrite it. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11024:IE8XssProtectionDisabledRule")] in your code.

Rule name: MachineKeyDecryptionRule
Title: Always set the decryption attribute to AES or 3DES in the <machineKey> element
Description: The decryption attribute of the <machineKey> element specifies the symmetric encryption algorithm used to encrypt and decrypt forms-authentication tickets and view state: Auto (the default), AES, 3DES or DES. Single DES has a 56-bit key and is no longer considered secure. More information can be found at https://msdn.microsoft.com/en-us/library/w8h3skw9.aspx.
Resolution: Set the decryption attribute to Auto, 3DES or AES (AES preferred) in the {0} file at line {1}. Ex: <configuration><system.web><machineKey decryption="AES" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11025:MachineKeyDecryptionRule")] in your code.

Rule name: MachineKeyDecryptionKeyRule
Title: Always set the decryptionKey attribute to AutoGenerate,IsolateApps in the <machineKey> element
Description: The decryptionKey attribute of the <machineKey> element specifies the key used to encrypt and decrypt data, or the process by which the key is generated. It is used for forms-authentication encryption and decryption and for view-state encryption. AutoGenerate creates a random key per machine and IsolateApps derives a different key for each application, so one application on a shared server cannot decrypt another's tickets. A web farm instead needs the same explicit key on every server, and that key must then be handled as a secret. More information can be found at https://msdn.microsoft.com/en-us/library/w8h3skw9.aspx.
Resolution: Set the decryptionKey attribute to AutoGenerate,IsolateApps in the {0} file at line {1}. Ex: <configuration><system.web><machineKey decryptionKey="AutoGenerate,IsolateApps" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11026:MachineKeyDecryptionKeyRule")] in your code.

Rule name: MachineKeyValidationRule
Title: Always set the validation attribute to SHA1 in the <machineKey> element
Description: The validation attribute of the <machineKey> element specifies the hashing algorithm used to compute the message authentication code that validates forms-authentication tickets and view state; MD5 is the weak choice this rule rejects. More information can be found at https://msdn.microsoft.com/en-us/library/w8h3skw9.aspx.
Resolution: Set the validation attribute to SHA1 in the {0} file at line {1}. Ex: <configuration><system.web><machineKey validation="SHA1" /></system.web></configuration>. On .NET Framework 4 and later, HMACSHA256 (the default there), HMACSHA384 and HMACSHA512 are also available and are preferable to SHA1. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11027:MachineKeyValidationRule")] in your code.

Rule name: MachineKeyValidationKeyRule
Title: Always set the validationKey attribute to AutoGenerate,IsolateApps in the <machineKey> element
Description: The validationKey attribute of the <machineKey> element specifies the key used to validate encrypted data. validationKey is used when enableViewStateMac is true to create a message authentication code (MAC) that ensures view state has not been tampered with, and it likewise signs forms-authentication tickets and role cookies. It is also used to generate out-of-process, application-specific session IDs to ensure that session state variables are isolated between sessions. AutoGenerate,IsolateApps gives each application on the machine its own key; a web farm needs the same explicit key on all servers, which must then be treated as a secret. More information can be found at https://msdn.microsoft.com/en-us/library/w8h3skw9.aspx.
Resolution: Set the validationKey attribute to AutoGenerate,IsolateApps in the {0} file at line {1}. Ex: <configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11028:MachineKeyValidationKeyRule")] in your code.

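The four <machineKey> rules above and the enableViewStateMac rule earlier on this page describe the same mechanism from two sides: the server appends a keyed MAC to the serialized view state, and a postback whose view state fails verification is rejected. The Python below is an added example written for this page, not ASP.NET's implementation: the real view-state serialization format, ASP.NET's key derivation and the algorithm selected by the validation attribute are not reproduced. HMAC-SHA256 (the .NET 4 HMACSHA256 option) stands in for them, the page state is made up, and generate_validation_key shows the explicit-key alternative to AutoGenerate that a web farm needs.

```python
"""What enableViewStateMac and the machineKey validationKey provide: a keyed MAC
over the serialized view state, checked before the state is trusted.

Added example written for this page, not ASP.NET's implementation: the real
view-state format, key derivation and configured algorithm are not reproduced;
HMAC-SHA256 stands in for them and the page state below is constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def generate_validation_key(bits: int = 512) -> str:
    """Random hex key for an explicit <machineKey validationKey="..."> entry,
    which a web farm needs because AutoGenerate yields a different key per machine."""
    return secrets.token_hex(bits // 8)


def protect(state: dict, validation_key: str) -> str:
    """Serialize the state and append HMAC(validationKey, payload); the
    base64 result is what would be emitted in the __VIEWSTATE hidden field."""
    key = bytes.fromhex(validation_key)
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def unprotect(view_state: str, validation_key: str) -> dict:
    """Verify the MAC before deserializing.  Raises ValueError on a forged or
    modified payload, or on view state produced under a different key."""
    key = bytes.fromhex(validation_key)
    blob = base64.b64decode(view_state)
    if len(blob) < TAG_LEN:
        raise ValueError("view state too short to carry a MAC")
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("view state MAC validation failed")
    return json.loads(payload)


def tamper(view_state: str, field: str, value) -> str:
    """What a client can do when the MAC is not enforced: change a field and
    re-encode, leaving the original (now stale) tag attached."""
    blob = base64.b64decode(view_state)
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    state = json.loads(payload)
    state[field] = value
    return base64.b64encode(json.dumps(state, sort_keys=True).encode() + tag).decode()


if __name__ == "__main__":
    key = generate_validation_key()
    vs = protect({"price": 100, "user": "alice"}, key)
    print("original accepted:", unprotect(vs, key))
    try:
        unprotect(tamper(vs, "price", 1), key)
    except ValueError as err:
        print("tampered rejected:", err)
```

Two properties of the real mechanism carry over directly: verification must happen before deserialization (the order in unprotect), and the comparison must be constant-time, which is why hmac.compare_digest is used rather than ==.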
Rule name: HttpRuntimeMaxRequestLengthRule
Title: Avoid setting the maxRequestLength attribute above 4096 in the <httpRuntime> element
Description: The maxRequestLength attribute of the <httpRuntime> element specifies the maximum size of an input request, in KB (the default is 4096, i.e. 4 MB). This limit helps prevent denial of service attacks caused, for example, by users posting large files to the server. On IIS 7 and later, the maxAllowedContentLength attribute of <requestLimits> (in bytes) applies as well, and the smaller of the two limits wins. More information can be found at https://msdn.microsoft.com/en-us/library/e1f13641.aspx.
Resolution: Set the maxRequestLength attribute to 4096 or less in the {0} file at line {1}. Ex: <configuration><system.web><httpRuntime maxRequestLength="4096" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11029:HttpRuntimeMaxRequestLengthRule")] in your code.

Rule name: MembershipProviderMaximumInvalidPasswordAttemptsRule
Title: Always set the maxInvalidPasswordAttempts attribute to 5 in the membership provider's <add> element
Description: The maxInvalidPasswordAttempts attrib﻿ute of the membership provider's <add> element specifies the number of invalid password or password-answer attempts allowed before the membership user is locked out. Attempts are counted within the passwordAttemptWindow. More information can be found at https://msdn.microsoft.com/en-us/library/whae3t94.aspx.
Resolution: Set the maxInvalidPasswordAttempts attribute to 5 or less in the {0} file at line {1}. Ex: <configuration><system.web><membership><providers><add maxInvalidPasswordAttempts="5" /></providers></membership></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11030:MembershipProviderMaximumInvalidPasswordAttemptsRule")] in your code.

Rule name: MembershipProviderMinimumRequiredNonalphanumericCharactersRule
Title: Always set the minRequiredNonalphanumericCharacters attribute to at least 1 in the membership provider's <add> element
Description: The minRequiredNonalphanumericCharacters attribute of the membership provider's <add> element specifies the minimum number of special characters that must be present in a valid password. This attribute cannot be set to a value that is less than 0, greater than 128, or greater than the value of minRequiredPasswordLength. More information can be found at https://msdn.microsoft.com/en-us/library/whae3t94.aspx.
Resolution: Set the minRequiredNonalphanumericCharacters attribute to at least 1 in the {0} file at line {1}. Ex: <configuration><system.web><membership><providers><add minRequiredNonalphanumericCharacters="1" /></providers></membership></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11031:MembershipProviderMinimumRequiredNonalphanumericCharactersRule")] in your code.

Rule name: MembershipProviderMinimumRequiredPasswordLengthRule
Title: Always set the minRequiredPasswordLength attribute to at least 8 in the membership provider's <add> element
Description: The minRequiredPasswordLength attribute of the membership provider's <add> element specifies the minimum number of characters required in a password. This attribute cannot be set to a value that is less than 0 or greater than 128, which is the maximum length of an unencoded password for the SQL provider. More information can be found at https://msdn.microsoft.com/en-us/library/whae3t94.aspx.
Resolution: Set the minRequiredPasswordLength attribute to at least 8 in the {0} file at line {1}. Ex: <configuration><system.web><membership><providers><add minRequiredPasswordLength="8" /></providers></membership></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11032:MembershipProviderMinimumRequiredPasswordLengthRule")] in your code.

Rule name: MembershipProviderPasswordAttemptWindowRule
Title: Always set the passwordAttemptWindow attribute to at least 30 in the membership provider's <add> element
Description: The passwordAttemptWindow attribute of the membership provider's <add> element specifies the number of minutes during which failed attempts are tracked. The window resets each time another failure occurs. If maxInvalidPasswordAttempts invalid password or password-answer attempts occur within the window, the membership user is locked out. A longer window means an attacker cannot avoid the lockout simply by spacing out guesses, which is why the rule asks for at least 30 minutes. More information can be found at https://msdn.microsoft.com/en-us/library/whae3t94.aspx.
Resolution: Set the passwordAttemptWindow attribute to at least 30 minutes in the {0} file at line {1}. Ex: <configuration><system.web><membership><providers><add passwordAttemptWindow="30" /></providers></membership></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11033:MembershipProviderPasswordAttemptWindowRule")] in your code.

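The four membership rules above interact: the lockout threshold only means something together with the window it is counted in, and the window restarts on every failure. The Python simulation below is an added example written for this page, not the SqlMembershipProvider itself; the provider's storage, password hashing and security-answer checks are not reproduced, and the user record and timestamps are constructed. The settings class carries the provider's defaults, with the values the rules ask for passed in by the caller.

```python
"""Simulation of the SqlMembershipProvider settings described above:
maxInvalidPasswordAttempts and passwordAttemptWindow (lockout) together with
minRequiredPasswordLength and minRequiredNonalphanumericCharacters (policy).

Added example written for this page; the provider's storage, hashing and
answer-based checks are not reproduced, and the user record is constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class MembershipSettings:
    """Field defaults are the provider's own; the rules above ask for a
    30 minute window and an 8 character minimum."""
    max_invalid_password_attempts: int = 5
    password_attempt_window: int = 10          # minutes
    min_required_password_length: int = 7
    min_required_nonalphanumeric: int = 1


def password_meets_policy(password: str, settings: MembershipSettings) -> bool:
    """Length and special-character checks applied when a password is set."""
    special = len(re.findall(r"[^A-Za-z0-9]", password))
    return (len(password) >= settings.min_required_password_length
            and special >= settings.min_required_nonalphanumeric)


@dataclass
class UserRecord:
    password: str                      # stored in the clear only because this is a simulation
    is_locked_out: bool = False
    failed_attempts: int = 0
    window_start: Optional[datetime] = None   # when the current failure window began


def validate_user(user: UserRecord, candidate: str, now: datetime,
                  settings: MembershipSettings) -> bool:
    """Mirror the provider's lockout logic: a failure outside the window starts a
    fresh count, every failure restarts the window, and reaching
    maxInvalidPasswordAttempts locks the account until it is explicitly unlocked."""
    if user.is_locked_out:
        return False
    if candidate == user.password:
        user.failed_attempts = 0
        user.window_start = None
        return True
    window = timedelta(minutes=settings.password_attempt_window)
    if user.window_start is None or now - user.window_start > window:
        user.failed_attempts = 1
    else:
        user.failed_attempts += 1
    user.window_start = now
    if user.failed_attempts >= settings.max_invalid_password_attempts:
        user.is_locked_out = True
    return False


if __name__ == "__main__":
    settings = MembershipSettings(password_attempt_window=30, min_required_password_length=8)
    user = UserRecord(password="p@ssw0rd!")
    start = datetime(2009, 6, 1, 12, 0)
    for minute in range(5):
        validate_user(user, "wrong", start + timedelta(minutes=20 * minute), settings)
    print("locked out after five failures 20 minutes apart:", user.is_locked_out)
```

The last loop is the case the 30 minute window is for: with the provider default of 10 minutes, guesses 20 minutes apart would each start a fresh count and the account would never lock.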
Rule name: RoleManagerCookieProtectionRule
Title: Always set the cookieProtection attribute to All in the <roleManager> element
Description: The cookieProtection attribute of the <roleManager> element specifies one of the CookieProtection enumeration values (None, Validation, Encryption, All) applied to the cookie that caches the user's role names. Without validation the client can alter the cached role list; without encryption the client can read it. More information can be found at https://msdn.microsoft.com/en-us/library/ms164660.aspx.
Resolution: Set the cookieProtection attribute to All in the {0} file at line {1}. Ex: <configuration><system.web><roleManager cookieProtection="All" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11034:RoleManagerCookieProtectionRule")] in your code.

Rule name: RoleManagerCookieRequireSSLRule
Title: Always set the cookieRequireSSL attribute to true in the <roleManager> element
Description: The cookieRequireSSL attribute of the <roleManager> element specifies whether the role names cookie requires SSL to be sent to the server; when true, the cookie is issued with the Secure flag. For more information see https://msdn.microsoft.com/en-us/library/ms164660.aspx.
Resolution: Set the cookieRequireSSL attribute to true in the {0} file at line {1}. Ex: <configuration><system.web><roleManager cookieRequireSSL="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11035:RoleManagerCookieRequireSSLRule")] in your code.

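Several of the resolutions on this page set cookie attributes on different elements: requireSSL, protection and enableCrossAppRedirects on <forms>; requireSSL and httpOnlyCookies on <httpCookies>; and cookieless, cookieProtection and cookieRequireSSL on <anonymousIdentification> and <roleManager>. The Python below applies all of them to a web.config in one pass. It is an added example written for this page, not CAT.NET or aspnet_regiis functionality, and the input config is constructed. One design choice is worth stating: <httpCookies> is created when absent because it applies to every cookie, while the feature-specific elements are only hardened when the application already configures that feature, so a Windows-authentication site does not acquire a <forms> element it never uses.

```python
"""Apply the cookie-related resolutions from this page to a web.config.

Added example written for this page, not CAT.NET or aspnet_regiis
functionality; the input config below is constructed.
"""
import xml.etree.ElementTree as ET
from typing import Optional

# path under <configuration> -> (attributes to enforce, create element if missing)
HARDENED_SETTINGS = {
    "system.web/httpCookies": ({"requireSSL": "true", "httpOnlyCookies": "true"}, True),
    "system.web/authentication/forms": ({"requireSSL": "true", "protection": "All",
                                         "enableCrossAppRedirects": "false"}, False),
    "system.web/anonymousIdentification": ({"cookieless": "UseCookies", "cookieProtection": "All",
                                            "cookieRequireSSL": "true"}, False),
    "system.web/roleManager": ({"cookieProtection": "All", "cookieRequireSSL": "true"}, False),
}


def _ensure_path(root: ET.Element, path: str) -> ET.Element:
    """Return the element at path, creating intermediate elements as needed."""
    node = root
    for tag in path.split("/"):
        child = node.find(tag)
        if child is None:
            child = ET.SubElement(node, tag)
        node = child
    return node


def harden_cookies(config_xml: str) -> str:
    """Return the config text with the secure cookie attributes set.
    Unrelated attributes (loginUrl, enabled, ...) are preserved."""
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        raise ValueError("root element is not <configuration>")
    for path, (attrs, create) in HARDENED_SETTINGS.items():
        element = root.find(path)
        if element is None:
            if not create:
                continue
            element = _ensure_path(root, path)
        for name, value in attrs.items():
            element.set(name, value)
    return ET.tostring(root, encoding="unicode")


def setting(config_xml: str, path: str, attr: str) -> Optional[str]:
    """Read one attribute back, or None if the element or attribute is absent."""
    element = ET.fromstring(config_xml).find(path)
    return None if element is None else element.get(attr)


# Constructed input: forms authentication and roles in use, both cookies left unprotected.
BEFORE = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" requireSSL="false" protection="Validation" />
    </authentication>
    <roleManager enabled="true" cookieRequireSSL="false" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    print(harden_cookies(BEFORE))
```

ElementTree drops XML comments and does not preserve the original whitespace, so for a real web.config review the output before committing it, or switch to an XML library that round-trips formatting.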
Rule name: RoleManagerCookieSlidingExpirationRule
Title: Always set the cookieSlidingExpiration attribute to true in the <roleManager> element
Description: The cookieSlidingExpiration attribute of the <roleManager> element specifies whether the expiration date and time of the role names cookie is reset on activity, so that the cookieTimeout counts from the last request rather than from when the cookie was issued (the default is true). More information can be found at https://msdn.microsoft.com/en-us/library/ms164660.aspx.
Resolution: Set the cookieSlidingExpiration attribute to true in the {0} file at line {1}. Ex: <configuration><system.web><roleManager cookieSlidingExpiration="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11036:RoleManagerCookieSlidingExpirationRule")] in your code.

Rule name: RoleManagerCookieTimeOutRule
Title: Always set the cookieTimeout attribute to 20 or less in the <roleManager> element
Description: The cookieTimeout attribute of the <roleManager> element specifies the number of minutes before the role names cookie expires. It bounds how long a cached, possibly stale, role list is trusted before roles are re-read from the provider, so a role removed from a user takes effect within that time. More information can be found at https://msdn.microsoft.com/en-us/library/ms164660.aspx.
Resolution: Set the cookieTimeout attribute to 20 minutes or less in the {0} file at line {1}. Ex: <configuration><system.web><roleManager cookieTimeout="20" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11037:RoleManagerCookieTimeOutRule")] in your code.

Rule name: RoleManagerMaximumCachedResultsRule
Title: Always set the maxCachedResults attribute to 200 or less in the <roleManager> element
Description: The maxCachedResults attribute of the <roleManager> element specifies the maximum number of role names that are cached in the roles cookie; a user who belongs to more roles than this has no roles cookie and is looked up on each request. Keeping the cap modest bounds the cookie's size. More information can be found at https://msdn.microsoft.com/en-us/library/ms164660.aspx.
Resolution: Set the maxCachedResults attribute to 200 or less in the {0} file at line {1}. Ex: <configuration><system.web><roleManager maxCachedResults="200" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11038:RoleManagerMaximumCachedResultsRule")] in your code.

Rule name: HttpRuntimeSendCacheControlHeaderRule
Title: Always enable the sendCacheControlHeader attribute in the <httpRuntime> element
Description: The sendCacheControlHeader attribute of the <httpRuntime> element specifies whether ASP.NET sends a Cache-Control header, which is Cache-Control: private by default. The private directive permits the user's own browser to cache the response but forbids shared proxy caches from storing it, so one user's page, with its authentication-dependent content, is not served to the next user behind the same proxy. Output-caching directives on individual pages override this default. More information can be found at https://msdn.microsoft.com/en-us/library/e1f13641.aspx.
Resolution: Set the sendCacheControlHeader attribute to true in the {0} file at line {1}. Ex: <configuration><system.web><httpRuntime sendCacheControlHeader="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, place [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11039:HttpRuntimeSendCacheControlHeaderRule")] in your code.

ServiceBehaviorHttpGetEnabledRule |
Avoid enabling httpGetEnabled attribute in <serviceMetadata> element |
The httpGetEnabled attribute of the serviceMetadata element allows the binding used in HTTPS GET scenarios to be specified by name. More information can be found at https://msdn.microsoft.com/en-us/library/ms731317.aspx. |
Set httpGetEnabled attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.serviceModel><behaviors><serviceBehaviors><behavior><serviceMetadata httpGetEnabled="false" /></behavior></serviceBehaviors></behaviors></system.serviceModel></configuration>]]>. If you want to suppress this warning using SuppressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11040:ServiceBehaviorHttpGetEnabledRule")] in your code. |
ServiceBehaviorHttpsGetEnabledRule |
Avoid enabling httpsGetEnabled attribute in <serviceMetadata> element |
The httpsGetEnabled attribute of the serviceMetadata element specifies whether to publish service metadata for retrieval using an HTTPS/GET request. More information can be found at https://msdn.microsoft.com/en-us/library/ms731317.aspx. |
Set httpsGetEnabled attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.serviceModel><behaviors><serviceBehaviors><behavior><serviceMetadata httpsGetEnabled="false" /></behavior></serviceBehaviors></behaviors></system.serviceModel></configuration>]]>. If you want to suppress this warning using SuppressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11041:ServiceBehaviorHttpsGetEnabledRule")] in your code. |
ServiceDebugIncludeExceptionDetailInFaultsRule |
Avoid enabling includeExceptionDetailInFaults attribute in <serviceDebug> element |
The includeExceptionDetailInFaults attribute of the serviceDebug element specifies whether to include managed exception information in the detail of SOAP faults returned to the client for debugging purposes. More information can be found at https://msdn.microsoft.com/en-us/library/ms788993.aspx. |
Set includeExceptionDetailInFaults attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.serviceModel><behaviors><serviceBehaviors><behavior><serviceDebug includeExceptionDetailInFaults="false" /></behavior></serviceBehaviors></behaviors></system.serviceModel></configuration>]]>. If you want to suppress this warning using SuppressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11042:ServiceDebugIncludeExceptionDetailInFaultsRule")] in your code. |
SessionStateCookielessRule |
Avoid using UseUri for cookieless attribute in <sessionState> element |
The cookieless attribute of the sessionState element specifies how cookies are used for a Web application. More information can be found at https://msdn.microsoft.com/en-us/library/h6bb9cz9.aspx. |
Set cookieless attribute to UseCookies in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><sessionState cookieless="UseCookies" /></system.web></configuration>]]>. If you want to suppress this warning using SuppressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11043:SessionStateCookielessRule")] in your code. |
SessionStateRegenerateExpiredSessionIdRule |
Avoid enabling regenerateExpiredSessionId in <sessionState> element |
The regenerateExpiredSessionId attribute of the sessionState element specifies whether the session ID will be reissued when an expired session ID is specified by the client. By default, session IDs are reissued only for the cookieless mode when regenerateExpiredSessionId is enabled. More information can be found at https://msdn.microsoft.com/en-us/library/h6bb9cz9.aspx. |
Set regenerateExpiredSessionId attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><sessionState regenerateExpiredSessionId="false" /></system.web></configuration>]]>. If you want to suppress this warning using SuppressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11044:SessionStateRegenerateExpiredSessionIdRule")] in your code. |
TraceEnabledRule |
Avoid enabling tracing using <trace> element |
The enabled attribute of the trace element specifies whether tracing is enabled for an application. More information can be found at https://msdn.microsoft.com/en-us/library/6915t83k.aspx. |
Set enabled attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><trace enabled="false" /></system.web></configuration>]]>. If you want to suppress this warning using SuppressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11045:TraceEnabledRule")] in your code. |
EndpointMexAddressDefinedRule |
Always disable mex endpoint in <endpoint> element |
The address attribute of the endpoint element specifies a string that contains the address of the endpoint. The address can be specified as an absolute or relative address. If a relative address is provided, the host is expected to provide a base address appropriate for the transport scheme used in the binding. More information can be found at https://msdn.microsoft.com/en-us/library/ms731320.aspx. |
Remove the mex address from the {0} file at line {1}. If you want to suppress this warning using SuppressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11046:EndpointMexAddressDefinedRule")] in your code. |
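As an added example (this is not CAT.NET's own code and was not part of the original post), the following Python script checks a web.config for the settings covered by the rules in this table, from roleManager through the mex endpoint, using only the standard library. It reports a rule whenever the attribute is explicitly present with a non-compliant value, which mirrors the resolutions above (each one changes a value that is already set). The two web.config fragments it embeds are constructed for the demonstration, and the service name Sample.Service and contract Sample.IService are placeholders.

```python
"""Audit a web.config for the CAT.NET configuration rules listed above.

Added example, not CAT.NET's own code. A rule fires when an attribute is
explicitly set to a non-compliant value; attributes that are absent are not
judged. Both configs below are constructed samples for the demonstration.
"""
import xml.etree.ElementTree as ET


def _children_at(root, path):
    """Walk 'a/b/c' below root by exact tag name; web.config uses no namespaces.

    A plain walk is used instead of ElementTree XPath so that tags containing
    a dot, such as system.web, are matched literally.
    """
    nodes = [root]
    for tag in path.split("/"):
        nodes = [child for node in nodes for child in node if child.tag == tag]
    return nodes


def _is_true(value): return value.strip().lower() == "true"
def _is_false(value): return value.strip().lower() == "false"


def _exceeds(limit):
    """Flag numeric values above the limit; a non-numeric value is flagged too."""
    def check(value):
        try:
            return int(value) > limit
        except ValueError:
            return True
    return check


_BEHAVIOR = "system.serviceModel/behaviors/serviceBehaviors/behavior"

# (rule id, rule name, element path below <configuration>, attribute, predicate that is True when non-compliant)
ATTRIBUTE_RULES = [
    ("CA11036", "RoleManagerCookieSlidingExpirationRule", "system.web/roleManager", "cookieSlidingExpiration", _is_false),
    ("CA11037", "RoleManagerCookieTimeOutRule", "system.web/roleManager", "cookieTimeout", _exceeds(20)),
    ("CA11038", "RoleManagerMaximumCachedResultsRule", "system.web/roleManager", "maxCachedResults", _exceeds(200)),
    ("CA11039", "HttpRuntimeSendCacheControlHeaderRule", "system.web/httpRuntime", "sendCacheControlHeader", _is_false),
    ("CA11040", "ServiceBehaviorHttpGetEnabledRule", _BEHAVIOR + "/serviceMetadata", "httpGetEnabled", _is_true),
    ("CA11041", "ServiceBehaviorHttpsGetEnabledRule", _BEHAVIOR + "/serviceMetadata", "httpsGetEnabled", _is_true),
    ("CA11042", "ServiceDebugIncludeExceptionDetailInFaultsRule", _BEHAVIOR + "/serviceDebug", "includeExceptionDetailInFaults", _is_true),
    # "true" is the legacy spelling of UseUri for the cookieless attribute
    ("CA11043", "SessionStateCookielessRule", "system.web/sessionState", "cookieless", lambda v: v.strip().lower() in ("useuri", "true")),
    ("CA11044", "SessionStateRegenerateExpiredSessionIdRule", "system.web/sessionState", "regenerateExpiredSessionId", _is_true),
    ("CA11045", "TraceEnabledRule", "system.web/trace", "enabled", _is_true),
]


def audit_web_config(xml_text):
    """Return a list of (rule id, rule name, offending markup) tuples."""
    root = ET.fromstring(xml_text)
    findings = []
    for rule_id, rule_name, path, attr, is_bad in ATTRIBUTE_RULES:
        for element in _children_at(root, path):
            value = element.get(attr)
            if value is not None and is_bad(value):
                findings.append((rule_id, rule_name, '<%s %s="%s">' % (element.tag, attr, value)))
    # EndpointMexAddressDefinedRule: the table asks for the mex address to be removed
    for endpoint in _children_at(root, "system.serviceModel/services/service/endpoint"):
        if endpoint.get("address", "").strip().lower() == "mex":
            findings.append(("CA11046", "EndpointMexAddressDefinedRule", '<endpoint address="mex">'))
    return findings


# Constructed sample: every rule in the table fires once.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <roleManager enabled="true" cookieSlidingExpiration="false" cookieTimeout="60" maxCachedResults="500" />
    <httpRuntime sendCacheControlHeader="false" />
    <sessionState cookieless="UseUri" regenerateExpiredSessionId="true" />
    <trace enabled="true" />
  </system.web>
  <system.serviceModel>
    <services><service name="Sample.Service">
      <endpoint address="" binding="basicHttpBinding" contract="Sample.IService" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service></services>
    <behaviors><serviceBehaviors><behavior>
      <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
    </behavior></serviceBehaviors></behaviors>
  </system.serviceModel>
</configuration>"""

# Constructed sample with each resolution from the table applied: no findings.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <roleManager enabled="true" cookieSlidingExpiration="true" cookieTimeout="20" maxCachedResults="200" />
    <httpRuntime sendCacheControlHeader="true" />
    <sessionState cookieless="UseCookies" regenerateExpiredSessionId="false" />
    <trace enabled="false" />
  </system.web>
  <system.serviceModel>
    <services><service name="Sample.Service">
      <endpoint address="" binding="basicHttpBinding" contract="Sample.IService" />
    </service></services>
    <behaviors><serviceBehaviors><behavior>
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
      <serviceDebug includeExceptionDetailInFaults="false" />
    </behavior></serviceBehaviors></behaviors>
  </system.serviceModel>
</configuration>"""

if __name__ == "__main__":
    for rule_id, rule_name, markup in audit_web_config(WEAK_WEB_CONFIG):
        print("%s %s: %s" % (rule_id, rule_name, markup))
    print("hardened findings:", audit_web_config(HARDENED_WEB_CONFIG))
```

Running the script lists the eleven findings for the weak sample and an empty list for the hardened one. The checker only looks at attributes that are written out, so it will not report a setting whose insecure value comes from machine-level configuration or from a framework default; that matches the table's resolutions, which all edit an existing attribute, but a real audit of a server should also read the effective configuration.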
-Syed Aslam Basha ( syedab@microsoft.com )
Microsoft Information Security Tools (IST) Team
Test Lead