Udostępnij za pośrednictwem


CAT.NET configuration rules

Syed Aslam Basha here from the Information Security Tools Team.

This blog posts idea and information about configuration rules of CAT.NET. The following table describes the CAT.NET configuration rules;

Rule Name

Title

Description

Resolution

PagesValidateRequestDisabledRule

Avoid disabling request validation using <pages> element

The validateRequest attribute value set in the configuration file for an ASP.NET application enables ASP.NET to examine input from the browser for dangerous values. For more information on this attribute please check https://msdn.microsoft.com/en-us/library/system.web.configuration.pagessection.validaterequest.aspx.

Set validateRequest attribute to true in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><pages validateRequest="true" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity","CA11001:PagesValidateRequestDisabledRule")] in your code.

CompilationDebugEnabledRule

Avoid enabling debug attribute in <compilation> element

In web.config <![CDATA[<configuration><system.web><compilation debug="true">]]> causes extra information in the binary which is not required for normal execution of the program.

Set debug attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><compilation debug="false" /></system.web></configuration>]]>. If debugging is required then suppress this warning using SupressMessageAttribute: [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11002:CompilationDebugEnabledRule")]

FormsAuthenticationRequireSSLRule

Avoid disabling requireSSL attribute in <forms> element

The requireSSL attribute value set in the configuration file for an ASP.NET application determines whether SSL (Secure Sockets Layer) is required to return the forms-authentication cookie. For more information on this attribute please check https://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.requiressl.aspx.

Set requireSSL attribute to true in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><authentication><forms requireSSL="true" /></authentication></system.web></configuration>]]>. If SSL cannot be used suppress this warning using SupressMessageAttribute then place this in [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity","CA11003:FormsAuthenticationRequireSSLRule")] your code.

PagesViewstateEncryptionModeRule

Set viewstate encryption mode to Always in <pages> element

The viewStateEncryptionMode attribute value set in the configuration file for an ASP.NET application enables the view-state information in a Page object to be encrypted. For more information on this attribute please check https://msdn.microsoft.com/en-us/library/system.web.ui.viewstateencryptionmode.aspx.

Set viewstateEncryptionMode attribute to Always in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><pages viewstateEncryptionMode="Always" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("WebSecurity.Configuration","WebConfig:PagesViewstateEncryptionMode")] in your code.

PagesEnableViewStateRule

Avoid disabling viewstate using <pages> element

The enableViewState attribute set in the configuration specifies whether view state is enabled and maintained across page requests.

Set enableViewState attribute to true in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><pages enableViewState="true" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity","CA11005:PagesEnableViewStateRule")] in your code.

PagesEnableViewStateMacRule

Avoid disabling enableViewStateMac using <pages> element

The enableViewStateMac attribute set in the configuration specifies whether ASP.NET should run a message authentication code (MAC) on the view state for the page when the page is posted back from the client. If True, the encrypted view state is checked to verify that it has not been tampered with on the client.

Set enableViewStateMac attribute to true in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><pages enableViewStateMac="true" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity","CA11006:PagesEnableViewStateMacRule")] in your code.

PagesEnableEventValidationRule

Avoid disabling enableEventValidation using <pages> element

The enableEventValidation attribute set in the configuration specifies whether pages and controls validate postback and callback events.

Set enableEventValidation attribute to true in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><pages enableEventValidation="true" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity","CA11007:PagesEnableEventValidationRule")] in your code.

AnonymousIdentificationCookielessRule

Avoid using URI to store session identifiers using <anonymousIdentification> element

The cookieless attribute of anonymousIdentification element specifies whether to use cookies for a Web application. The HttpCookieMode enumeration is used to specify the value for this attribute in the configuration section. It is used by all features that support cookieless authentication. When the AutoDetect value is specified, ASP.NET queries the browser or device to determine whether it supports cookies. If the browser or device supports cookies, cookies are used to persist user data; otherwise, an identifier is used in the query string. More information can be found at https://msdn.microsoft.com/en-us/library/91ka2e6a.aspx.

Set cookieless attribute to UseCookies in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><anonymousIdentification cookieless="UseCookies" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11008:AnonymousIdentificationCookielessRule")] in your code.

AnonymousIdentificationCookieProtectionRule

Avoid disabling anonymous identification cookie protection in <anonymousIdentification> element

The cookieProtection attribute of anonymousIdentification element specifies the cookie protection scheme. More information can be found at https://msdn.microsoft.com/en-us/library/91ka2e6a.aspx.

Set cookieProtection to All in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><anonymousIdentification cookieProtection="All" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11009:AnonymousIdentificationCookieProtectionRule")] in your code.

AnonymousIdentificationCookieRequireSSL

Avoid disabling requireSSL attribute in <anonymousIdentification> element

The cookieRequireSSL attribute of anonymousIdentification element specifies whether the cookie requires a Secure Sockets Layer (SSL) connection when it is transmitted to the client. Because ASP.NET sets the authentication cookie property, Secure, the client does not return the cookie unless an SSL connection is in use. More information can be found at https://msdn.microsoft.com/en-us/library/91ka2e6a.aspx.

Set cookieRequireSSL attribute to true in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><anonymousIdentification cookieRequireSSL="true" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11010:AnonymousIdentificationCookieRequireSSL")] in your code.

BindingSecurityLocalClientDetectReplayRule

Avoid disabling detectReplay attribute in <localClientSettings> element

The detectReplays attribute of localClientSettings is a Boolean value that specifies whether replay attacks against the channel are detected and dealt with automatically.

Set detectReplays attribute to true in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.serviceModel><bindings><customBinding><binding><security><localClientSettings detectReplays="true" /></security></binding></customBinding></binding></system.serviceModel></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11011:BindingSecurityLocalClientDetectReplayRule")] in your code.

BindingSecurityLocalServiceDetectReplayRule

Avoid disabling detectReplay attribute in <localServiceSettings> element

The detectReplays attribute of localClientSettings is a Boolean value that specifies whether replay attacks against the channel are detected and dealt with automatically.

Set detectReplays attribute to true in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.serviceModel><bindings><customBinding><binding><security><localServiceSettings detectReplays="true" /></security></binding></customBinding></binding></system.serviceModel></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11012:BindingSecurityLocalServiceDetectReplayRule")] in your code.

ClearTextConnectionStringRule

Always encryption database connection strings

Connection string defined in the configuration file is in clear text. Always encrypt connection string using aspnet_regiis.exe tool with either RSA or DPAPI.

Encrypt the connection string in the {0} file at line {1}. Connection strings sections can be encrypted using aspnet_regiis.exe tool. More information on how to encrypt with RSA can be found at https://msdn.microsoft.com/en-us/library/ms998283.aspx. More information on how to encrypt with DPAPI can be found at https://msdn.microsoft.com/en-us/library/ms998280.aspx. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11013:ClearTextConnectionStringRule")] in your code.

CustomErrorsDisabledRule

Always enable custom errors to return generic error information

The mode attribute of customErrors element Specifies whether custom errors are enabled, disabled, or shown only to remote clients. More information can be found at https://msdn.microsoft.com/en-us/library/h0hfz6fc.aspx.

Set mode attribute to On in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><customErrors mode="On" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11014:CustomErrorsDisabledRule")] in your code.

DenyAnonymousAccessRule

Always deny anonymous access using <deny> element

The users attribute of deny element denies access to the application resources. More information can be found at https://msdn.microsoft.com/en-us/library/8aeskccd.aspx.

Define the authorization deny element with users attribute set to * in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><authorization><deny users="*" /></authorization></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11015:DenyAnonymousAccessRule")] in your code.

DenyUnAuthenticatedUsersRule

Always deny unauthenticated users access using <deny> element

The users attribute of deny element denies access to the application resources. More information can be found at https://msdn.microsoft.com/en-us/library/8aeskccd.aspx.

Define the authorization deny element with users attribute set to ? in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><authorization><deny users="?" /></authorization></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11016:DenyUnAuthenticatedUsersRule")] in your code.

DisableCrossApplicationRedirectRule

Avoid enabling cross application redirect in <forms> element

The enableCrossAppRedirects attribute of forms element indicates whether authenticated users are redirected to URLs in other Web applications. More information can be found at https://msdn.microsoft.com/en-us/library/1d3t3c61.aspx.

Set enableCrossAppRedirects attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><authentication><forms enableCrossAppRedirect="false" /></authorization></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11017:DisableCrossApplicationRedirectRule")] in your code.

FormsProtectionAllRule

Always set protection attribute to All in <forms> element

The protection attribute of forms element specifies the type of encryption, if any, to use for cookies. More information can be found at https://msdn.microsoft.com/en-us/library/1d3t3c61.aspx.

Set protection attribute to All in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><authentication><forms protection="All" /></authorization></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11018:FormsProtectionAllRule")] in your code.

HttpCookiesRequireSslRule

Avoid disabling requireSSL attribute in <httpCookies> element

The requireSSL attribute of httpCookies element sets a value indicating whether Secure Sockets Layer (SSL) communication is required. More information can be found at https://msdn.microsoft.com/en-us/library/ms228262.aspx.

Set requireSSL attribute to true in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><httpCookies requireSSL="true" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11019:HttpCookiesRequireSslRule")] in your code.

HttpCookiesHttpOnlyRule

Avoid disabling httpOnly attribute in <httpCookies> element

The httpOnlyCookies attribute of httpCookies element enables output of the HttpOnlyCookies cookie in browser. More information can be found at https://msdn.microsoft.com/en-us/library/ms228262.aspx.

Set httpOnlyCookies attribute to true in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><httpCookies httpOnlyCookies="true" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11020:HttpCookiesHttpOnlyRule")] in your code.

HttpRuntimeEnableHeaderCheckingRule

Avoid disabling enableHeaderChecking attribute in <httpRuntime> element

The enableHeaderChecking attribute of httpRuntime element specifies whether ASP.NET should check the request header for potential injection attacks. If an attack is detected, ASP.NET responds with an error. More information can be found at https://msdn.microsoft.com/en-us/library/e1f13641.aspx.

Set enableHeaderChecking attribute to true in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><httpRuntime enableHeaderChecking="true" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11021:HttpRuntimeEnableHeaderCheckingRule")] in your code.

HttpRuntimeEnableVersionHeaderRule

Avoid enabling enableVersionHeader attribute in <httpRuntime> element

The enableVersionHeader attribute of httpRuntime element specifies whether ASP.NET should output a version header. This attribute is used by Microsoft Visual Studio 2005 to determine which version of ASP.NET is in use. It is not necessary for production sites and can be disabled. More information can be found at https://msdn.microsoft.com/en-us/library/e1f13641.aspx.

Set enableVersionHeader attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><httpRuntime enableVersionHeader="false" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11022:HttpRuntimeEnableVersionHeaderRule")] in your code.

HttpWebRequestUseUnsafeHeaderParsingRule

Avoid enabling useUnsafeHeaderParsing attribute in <httpWebRequest> element

The useUnsafeHeaderParsing attribute of httpWebRequest specifies whether unsafe header parsing is enabled. More information can be found at https://msdn.microsoft.com/en-us/library/65ha8tzh.aspx.

Set the useUnsafeHeaderParsing attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.net><settings><httpWebRequest useUnsafeHeaderParsing="false" /></settings></system.net></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11023:HttpWebRequestUseUnsafeHeaderParsingRule")] in your code.

IE8XssProtectionDisabledRule

Avoid disabling IE8 XSS protection uisng <customHeaders> element

The custom headers element of httpProtocol element allows application developer to add headers to enable Internet Explorer's browser based Cross Site Scripting attack protection. More information about the header can be found at https://msdn.microsoft.com/en-us/library/dd565647(VS.85).aspx.

Remove the HTTP custom header which disables IE XSS Protection in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.webServer><httpProtocol><customHeaders><add X-XSS-Protection="0" /></customHeaders></httpProtocol></system.webServer></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11024:IE8XssProtectionDisabledRule")] in your code.

MachineKeyDecryptionRule

Always set decryption attribute to AES or 3DES <machineKey> element

The decryption attribute of machineKey element specifies the type of hashing algorithm that is used for decrypting data. More information can be found at https://msdn.microsoft.com/en-us/library/w8h3skw9.aspx.

Set decryption attribute to Auto, 3DES or AES in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><machineKey decryption="AES" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11025:MachineKeyDecryptionRule")] in your code.

MachineKeyDecryptionKeyRule

Always set decryptionKey attribute to AutoGenerate,IsolateApps in <machineKey> element

The decryptionKey attribute of machineKey element specifies the key that is used to encrypt and decrypt data or the process by which the key is generated. This attribute is used for forms authentication encryption and decryption, and for view-state encryption when validation is set to the TripleDES field.. More information can be found at https://msdn.microsoft.com/en-us/library/w8h3skw9.aspx.

Set decryptionKey attribute to AutoGenerate,IsolateApps in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><machineKey decryptionKey="AutoGenerate,IsolateApps" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11026:MachineKeyDecryptionKeyRule")] in your code.

MachineKeyValidationRule

Always set validation attribute to SHA1 in <machineKey> element

The validation attribute of machineKey element specifies the type of encryption that is used to validate data. More information can be found at https://msdn.microsoft.com/en-us/library/w8h3skw9.aspx.

Set validation attribute to SHA1 in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><machineKey validation="SHA1" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11027:MachineKeyValidationRule")] in your code.

MachineKeyValidationKeyRule

Always set validationKey attribute to AutoGenerate,IsolateApps in <machineKey> element

The decryption attribute of machineKey element specifies the key used to validate encrypted data. validationKey is used when enableViewStateMAC is true in order to create a message authentication code (MAC) to ensure that view state has not been tampered with. validationKey is also used to generate out-of-process, application-specific session IDs to ensure that session state variables are isolated between sessions. More information can be found at https://msdn.microsoft.com/en-us/library/w8h3skw9.aspx.

Set validationKey attribute to AutoGenerate,IsolateApps in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11028:MachineKeyValidationKeyRule")] in your code.

HttpRuntimeMaxRequestLengthRule

Always set maxRequestLength attribute to greater than 4096 in <httpRuntime> element

The maxRequestLength attribute of httpRuntime element specifies the limit for the input stream buffering threshold, in KB. This limit can be used to prevent denial of service attacks that are caused, for example, by users posting large files to the server. More information can be found at https://msdn.microsoft.com/en-us/library/e1f13641.aspx.

Set maxRequestLength attribute to less than or equal to 4096 in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><httpRuntime maxRequestLength="4096" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11029:HttpRuntimeMaxRequestLengthRule")] in your code.

MembershipProviderMaximumInvalidPasswordAttemptsRule

Always set maxInvalidPasswordAttempts attribute to 5 in <add> element

The maxInvalidPasswordAttempts attribute of add element specifies the number of allowed password or password answer attempts that are not valid. The membership user is locked out when the number of not valid attempts is the configured value. Mroe information can be found at https://msdn.microsoft.com/en-us/library/whae3t94.aspx.

Set maxInvalidPasswordAttempts attribute to 5 or less in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><membership><providers><add maxInvalidPasswordAttempts="5" /></providers></membership></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11030:MembershipProviderMaximumInvalidPasswordAttemptsRule")] in your code.

MembershipProviderMinimumRequiredNonalphanumericCharactersRule

Always set minRequiredNonalphanumericCharacters attribute to 1 in <add> element

The minRequiredNonalphanumericCharacters attribute of add element specifies the minimum number of special characters that must be present in a valid password. This attribute cannot be set to a value that is less than 0, greater than 128, or greater than the value of the minRequiredPasswordLength. More information can be found at https://msdn.microsoft.com/en-us/library/whae3t94.aspx.

Set minRequiredNonalphanumericCharacters attribute to at least 1 in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><membership><providers><add minRequiredNonalphanumericCharacters="1" /></providers></membership></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11031:MembershipProviderMinimumRequiredNonalphanumericCharactersRule")] in your code.

MembershipProviderMinimumRequiredPasswordLengthRule

Always set minRequiredPasswordLength attribute to 8 in <add> element

The minRequiredPasswordLength attribute of add element specifies the minimum number of characters that are required in a password. This attribute cannot be set to a value that is less than 0 or greater than 128, which is the maximum length of an unencoded password for the SQL provider. More information can be found at https://msdn.microsoft.com/en-us/library/whae3t94.aspx.

Set minRequiredPasswordLength attribute to at least 8 in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><membership><providers><add minRequiredPasswordLength="8" /></providers></membership></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11032:MembershipProviderMinimumRequiredPasswordLengthRule")] in your code.

MembershipProviderPasswordAttemptWindowRule

Always set passwordAttemptWindow attribute to 30 in <add> element

The passwordAttemptWindow attribute of Add element specifies the number of minutes during which failed attempts are tracked. The window resets each time another failure occurs. If the maximum number of valid password or password answer attempts that are not valid occurs, the membership user is locked out. More information can be found at https://msdn.microsoft.com/en-us/library/whae3t94.aspx.

Set passwordAttemptWindow attribute to at least 30 minutes in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><membership><providers><add passwordAttemptWindow="30" /></providers></membership></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11033:MembershipProviderPasswordAttemptWindowRule")] in your code.

RoleManagerCookieProtectionRule

Always set cookieProtection attribute to All in <roleManager> element

The protection attribute of roleManager specifies one of the CookieProtection enumeration values. More information can be found at https://msdn.microsoft.com/en-us/library/ms164660.aspx.

Set cookieProtection attribute to All in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><roleManager cookieProtection="All" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11034:RoleManagerCookieProtectionRule")] in your code.

RoleManagerCookieRequireSSLRule

Always set cookieRequireSSL attribute to true in <roleManager> element

The cookieRequireSSL attribute of roleManager specifies whether the role names cookie requires SSL to be setn to the server. For more information https://msdn.microsoft.com/en-us/library/ms164660.aspx.

Set cookieRequireSSL attribute to true in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><roleManager cookieRequireSSL="true" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11035:RoleManagerCookieRequireSSLRule")] in your code.

RoleManagerCookieSlidingExpirationRule

Always set cookieSlidingExpiration attribute to true in <roleManager> element

The cookieSlidingExpiration attribute of roleManager element specifies whether the expiration date and time of the role names cookie will be reset periodically. More information can be found at https://msdn.microsoft.com/en-us/library/ms164660.aspx.

Set cookieSlidingExpiration attribute to true in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><roleManager cookieSlidingExpiration="true" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11036:RoleManagerCookieSlidingExpirationRule")] in your code.

RoleManagerCookieTimeOutRule

Always set cookieTimeout attribute to 20 in <roleManager> element

The cookieTimeout attribute of roleManager element specifies the number of minutes before the role names cookie expires. More information can be found at https://msdn.microsoft.com/en-us/library/ms164660.aspx.

Set cookieTimeout attribute to less than or equal to 20 minutes in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><roleManager cookieTimeout="20" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11037:RoleManagerCookieTimeOutRule")] in your code.

RoleManagerMaximumCachedResultsRule

Always set maxCachedResults attribute to 200 in <roleManager> element

The maxCachedResults attribute of roleManager element specifies the maximum number of role names that are cached in the roles cookie. More information can be found at https://msdn.microsoft.com/en-us/library/ms164660.aspx.

Set maxCachedResults attribute to less than or equal to 200 in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><roleManager maxCachedResults="200" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11038:RoleManagerMaximumCachedResultsRule")] in your code.

HttpRuntimeSendCacheControlHeaderRule

Always enable sendCacheControlHeader attribute in <httpRuntime> element

The sendCacheControlHeader attribute of httpRuntime element specifies whether to send a cache control header, which is set to Private, by default. If True, client-side caching is disabled. More information can be found at https://msdn.microsoft.com/en-us/library/e1f13641.aspx.

Set sendCacheControlHeader attribute to true in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><httpRuntime sendCacheControlHeader="true" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11039:HttpRuntimeSendCacheControlHeaderRule")] in your code.

ServiceBehaviorHttpGetEnabledRule

Avoid enabling httpGetEnabled attribute in <serviceMetadata> element

The httpGetEnabled attribute of serviceMetadata element allows the binding to be used in HTTPS GET scenarios to be specified by name. More information can be found at https://msdn.microsoft.com/en-us/library/ms731317.aspx.

Set httpGetEnabled attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.serviceModel><behaviors><serviceBehaviors><behavior><serviceMetadata httpGetEnabled="false" /></behavior></serviceBehaviors></behaviors></system.serviceModel></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11040:ServiceBehaviorHttpGetEnabledRule")] in your code.

ServiceBehaviorHttpsGetEnabledRule

Avoid enabling httpsGetEnabled attribute in <serviceMetadata> element

The httpsGetEnabled attribute of serviceBehavior element specifies whether to publish service metadata for retrieval using an HTTPS/Get request. More information can be found at https://msdn.microsoft.com/en-us/library/ms731317.aspx.

Set httpsGetEnabled attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.serviceModel><behaviors><serviceBehaviors><behavior><serviceMetadata httpsGetEnabled="false" /></behavior></serviceBehaviors></behaviors></system.serviceModel></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11041:ServiceBehaviorHttpsGetEnabledRule")] in your code.

ServiceDebugIncludeExceptionDetailInFaultsRule

Avoid enabling includeExceptionDetailInFaults attribute in <serviceDebug> element

The includeExceptionDetailInFaults attribute of serviceDebug element specifies whether to include managed exception information in the detail of SOAP faults returned to the client for debugging purposes. More information can be found at https://msdn.microsoft.com/en-us/library/ms788993.aspx.

Set includeExceptionDetailInFaults attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.serviceModel><behaviors><serviceBehaviors><behavior><serviceDebug includeExceptionDetailInFaults="false" /></behavior></serviceBehaviors></behaviors></system.serviceModel></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11042:ServiceDebugIncludeExceptionDetailInFaultsRule")] in your code.

SessionStateCookielessRule

Avoid using UseUri for cookieless attribute in <sessionState> element

The cookieless attribute of sessionState element specifies how cookies are used for a Web application. More information can be found at https://msdn.microsoft.com/en-us/library/h6bb9cz9.aspx.

Set cookieless attribute to UseCookies in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><sessionState cookieless="UseCookies" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11043:SessionStateCookielessRule")] in your code.

SessionStateRegenerateExpiredSessionIdRule

Avoid enabling regenerateExpiredSessionId in <sessionState> element

The regenerateExpiredSessionId attribute of sessionState element specifies whether the session ID will be reissued when an expired session ID is specified by the client. By default, session IDs are reissued only for the cookieless mode when regenerateExpiredSessionId is enabled. More information can be found at https://msdn.microsoft.com/en-us/library/h6bb9cz9.aspx.

Set regenerateExpiredSessionId attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><sessionState regenerateExpiredSessionId="false" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11044:SessionStateRegenerateExpiredSessionIdRule")] in your code.

TraceEnabledRule

Avoid enabling tracing using <trace> element

The enabled attribute of trace element specifies whether tracing is enabled for an application. More information can be found at https://msdn.microsoft.com/en-us/library/6915t83k.aspx.

Set enabled attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><trace enabled="false" /></system.web></configuration>]]>. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11045:TraceEnabledRule")] in your code.

EndpointMexAddressDefinedRule

Always disable mex endpoint in <endpoint> element

The address attribute of endpoint element specifies a string that contains the address of the endpoint. The address can be specified as an absolute or relative address. If a relative address is provided, the host is expected to provide a base address appropriate for the transport scheme used in the binding. More information can be found at https://msdn.microsoft.com/en-us/library/ms731320.aspx.

Remove the mex address from the {0} file at line {1}. If you want to suppress this warning using SupressMessageAttribute then place this [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11046:EndpointMexAddressDefinedRule")] in your code.

-Syed Aslam Basha ( syedab@microsoft.com )

Microsoft Information Security Tools (IST) Team

Test Lead