Security checklist - deploying a website

This is a security deployment checklist – things to do before you deploy your site to a live environment.

Web.config:

Check

Description

Details

The debug mode is turned off to prevent sensitive information leakage.

Web.config file settings

Tracing is disabled to prevent sensitive information leakage.

Web.config file settings

The error messages of websites and application-server default error messages are not displayed in details to users.

Designing secure error messages

Sensitive sections of the web.config file are encrypted (mainly the connection string).

How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI

Access to sensitive directories is forbidden to protect the servers against the enumeration attack.

Enumeration

Cookieless authentication is disabled to prevent session hijacking. This can be done by changing the cookieless attribute of the form element.

Session protection

The HttpOnlyCookies flag is set so that the cookies are accessible only from the server-side code (this behavior is set by default in Kentico).

Web.config file settings

IIS:

Check

Description

Details

Directory listing is disabled in the website and web servers.

Export/import package directory browsing

All HTTP methods except GET and POST are disabled if they are not in use.

Securing the Staging and REST web services

Scripts and 3rd party libraries are up-to-date. If external libraries (e.g. for database access, XML parsing) are used, always use the current versions.

Sensitive links which should not be indexed by search engines are listed within robots.txt files.

Managing robots.txt

The execution of scripts is disabled on folders where it is undesirable.

Edit Feature Permissions for the Handler Mappings Feature (IIS 7)

Kentico:

Check

Description

Details

All test user accounts are deleted or disabled.

All unnecessary modules and applications are disabled.

Disabling unnecessary modules and services and keeping the system up-to-date

All unnecessary pages are deleted.

File types that can be uploaded to the system are restricted. You can specify which extensions are allowed for uploaded files in general, including forms in Settings -> System -> Files in the Security group.

UI personalization for specified roles is set correctly to prevent users from accessing unnecessary user interface. You can configure UI personalization in the UI personalization application.

UI Personalization

Permissions for specified actions in Kentico modules are set correctly for all roles. You can configure permissions in the Permissions application.

Configuring permissions securely

Users are allowed to use only strong and complex passwords. You can enable the Use password policy setting in Settings -> Security & Membership -> Passwords.

Password strength policy and its enforcement

The passwords are stored in a strong and secure format. Recommended option is SHA2 with salt. You can set password format in Settings -> Security & Membership -> Passwords -> general group.

Setting the user password format

The number of allowed invalid logon attempts is limited. You can set the limit in Settings -> Security & Membership -> protection in the Invalid logon attempts group.

Invalid logon attempts

You have consider if autocomplete function is needed. Autocomplete can be enabled in Settings -> Security & Membership -> Protection -> General group.

Autocomplete deactivation

Forms are secured with CAPTCHA (spam protection control).

Spam protection (CAPTCHA)

Encrypted Internet connection (HTTPS) is configured properly.

Configuring SSL