Misconfiguration attacks seek to exploit possible vulnerabilities in the underlying software components in a web page or application. These could target:
- web servers
- app platforms
- or frameworks
A breakdown in any of these areas could result in unauthorized access to a system or possibly a complete system compromise. While the exploits that we have discussed previously often dealt with issues to be addressed only by developers, prevention of misconfiguration attacks requires the support of application administrators and operators.
Maintaining a secure configuration involves:
- Ensuring that software is up to date (operating system, web or app server, database, code libraries, etc.)
- Disabling or removing unnecessary features, ports, services, pages, accounts or privileges.
- Configuring error handling to prevent stack traces.
- Understanding and properly configuring security features.
- Developing a repeatable hardening process and a process for keeping informed about latest software releases and installing them in a prompt manner.
- Implementing a software architecture that maintains separation and security between software components.
- Using periodic scanning and software audits to detect misconfigurations and missing updates.
- Removing any back door accounts, special access mechanisms or incorrect permission settings.
- And ensuring that settings in configuration files are protected.
For those deploying .Net applications, particular attention should be paid to:
- Keeping frameworks up to date. Libraries can be kept current by using the NuGet Package Manager.
- Customizing error messages to keep from revealing sensitive information about the application, especially internal server errors.
- Using the ASP.NET health monitor to capture stack traces and error messages and e-mail them to the appropriate administrator, rather than showing them to the user.
- Preventing ASP.NET tracing from leaking information; tracing should be set to local only or removed completely.
- Using request validation to prevent the processing of dangerous injections.
- Ensuring that confidential configuration data, such as connection strings, is encrypted.
- Disabling debugging mode in any production application.
- And configuring applications to use database accounts with the least privileges they need.
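The web.config fragment below is added here as an example and is not code from the page or from the articles it references. It places each weak setting (as an XML comment) beside its hardened replacement for the items in the list above; the application path /MyApp, the database name, the login shop_app and the password placeholder are constructed values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Each weak setting is shown as a comment directly above its hardened value. -->

  <connectionStrings>
    <!-- Weak: clear-text credentials for a high-privilege login such as sa. -->
    <!-- <add name="AppDb" connectionString="Server=db1;Database=Shop;User ID=sa;Password=secret" /> -->
    <!-- Hardened: a dedicated low-privilege login (constructed name), and the whole
         section is then encrypted in place with the framework's own tool:
             aspnet_regiis -pe "connectionStrings" -app "/MyApp"
         which replaces the clear text with an EncryptedData element. -->
    <add name="AppDb"
         connectionString="Server=db1;Database=Shop;User ID=shop_app;Password=PLACEHOLDER"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- Weak: debug="true" ships symbols, disables timeouts and slows the app. -->
    <!-- <compilation debug="true" targetFramework="4.8" /> -->
    <compilation debug="false" targetFramework="4.8" />

    <!-- Weak: mode="Off" sends the full stack trace to any remote browser. -->
    <!-- <customErrors mode="Off" /> -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="500" redirect="~/Error.aspx" />
    </customErrors>

    <!-- Weak: tracing on and not local only exposes trace.axd to remote clients. -->
    <!-- <trace enabled="true" localOnly="false" /> -->
    <trace enabled="false" localOnly="true" />

    <!-- Request validation stays on globally; a page that truly needs raw markup
         opts out individually instead of switching it off for the whole site. -->
    <pages validateRequest="true" />
    <httpRuntime requestValidationMode="4.5" enableVersionHeader="false" />
  </system.web>
</configuration>
```

The same checks can be verified on a running server by confirming that /trace.axd returns 404 remotely and that a forced error page contains no stack trace.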
The solutions to security misconfiguration are simple to implement, yet they make up a vital part of a comprehensive defense of a web application.
For more information see:
Web Server Security Best Practices
OWASP Top 10 for .NET developers part 6: Security Misconfiguration