Home » Topics » Tech Giants » Microsoft .Net: security good, but not perfect

Microsoft .Net: security good, but not perfect

Avatar photoby Ben Rossi

3 May 2002 Software giant Microsoft has emphasised the high security levels of its .Net web services platform, but according to one hacker and security consultant, there are still some issues that need to be addressed.

Speaking at the CanSecWest security conference in Vancouver, Canada, H.D. Moore, a ‘white hat’ hacker and senior security analyst at Digital Defense, said that while .Net can almost eliminate some of the vulnerabilities that currently affect other Microsoft products, the server software can still be easily misconfigured.

Misconfiguration is especially easy, said Moore, as much of the Microsoft documentation actually teaches insecure programming. “It doesn’t make a difference how secure products are initially, but how you program them that counts,” said Moore. “And developers are being told the wrong things to do in a lot of situations.”

Regarding ASP.Net, the web services part of the .Net framework, Moore found several vulnerabilities in some of the components of the framework. However, his main issue was with developer resources. His research showed that the five most popular ASP.Net books, for example, all neglected to mention at least one of a number of common .Net security problems.

Furthermore, Microsoft’s IBuySpy, the main example for programmers looking to develop .Net web services applications, has a Unicode vulnerability that leaves two project files configured so that they are accessible to anyone on the Internet, said Moore. The Microsoft Developer Network documentation also tells developers to create a file containing users’ passwords and to put it in a directory on the web — something that Moore strenuously advises against.

However, Moore’s analysis of .Net did generally back-up Microsoft’s claims that it is much more secure than the current web services infrastructure. “There are a lot more features to lock down web applications,” he said.

The default configuration for a computer running .Net with Microsoft’s web infrastructure and Internet Information Server (IIS) is more secure than before, but may break many services that the web server offers. Turning the services on in a secure manner may be a challenge, added Moore.

He advises that all developers take server configuration very seriously, as any changes to the default configuration could cause security vulnerabilities. “Research an option before making a change,” says Moore.

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Related Stories

Governance, Risk and Compliance

What unbundling Microsoft Teams will mean for EU customers

In the midst of an EU antitrust investigation, Microsoft Teams is now set to be offered to businesses separately from its Office suite

Releases & Updates

Meta to undergo second round of staff cuts this week

Thousands more staff cuts are expected to be actioned by Meta chief Mark Zuckerberg, as Facebook and Instagram's parent company looks to continue decreasing costs

Cybersecurity

Data privacy can give businesses a competitive advantage

Cloud & Edge Computing

Ofcom to scrutinise UK cloud positions of AWS, Microsoft and Google