Skip to content

Commit

Permalink
Security settings web config (#134)
Browse files Browse the repository at this point in the history 
* Add better description to web.config security settings mod.

* Add hash string salt check

* Add check for SA account in connection string
  • Loading branch information
@ChristopherJennings
ChristopherJennings authored Dec 15, 2016
1 parent 7899c93 commit 11911f6
Showing 1 changed file with 65 additions and 16 deletions.
81 changes: 65 additions & 16 deletions KInspector.Modules/Modules/Security/SecurityAppSettingsModule.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,18 +12,27 @@ public class SecurityAppSettingsModule : IModule
{
private const string RECOMMENDED_VALUE_TRUE = "True";
private const string RECOMMENDED_VALUE_FALSE = "False";
private const string VALUE_NOT_SET = "Settings was not set at all.";
private const string VALUE_NOT_SET = "No value set";

public ModuleMetadata GetModuleMetadata()
{
return new ModuleMetadata
{
Name = "Security web.config settings",
Comment = "Checks security settings in web.config.",
SupportedVersions = new[] {
Name = "Security settings in web.config",
Comment = @"Checks the following security settings in web.config:
- Compilation debug
- Tracing
- Custom errors
- Cookieless authentication
- Session fixation
- Http only cookies
- Viewstate (MAC) validation
- Hash string salt",

SupportedVersions = new[] {
new Version("7.0"),
new Version("8.0"),
new Version("8.1"),
new Version("8.0"),
new Version("8.1"),
new Version("8.2"),
new Version("9.0")
},
Expand Down Expand Up @@ -52,19 +61,19 @@ public ModuleResults GetResults(IInstanceInfo instanceInfo)
var configuration = ConfigurationManager.OpenMappedExeConfiguration(fileMap, ConfigurationUserLevel.None);

# region "Debug mode"
var compilationNode = (CompilationSection) configuration.GetSection("system.web/compilation");
var compilationNode = (CompilationSection)configuration.GetSection("system.web/compilation");
bool debugMode = compilationNode.Debug;

if (debugMode)
{
{
result.Rows.Add("Debug (<compilation debug=\"...)", debugMode.ToString(), RECOMMENDED_VALUE_FALSE);
}

# endregion

# region "Tracing"

var traceNode = (TraceSection) configuration.GetSection("system.web/trace");
var traceNode = (TraceSection)configuration.GetSection("system.web/trace");
bool tracing = traceNode.Enabled;

if (tracing)
Expand All @@ -76,7 +85,7 @@ public ModuleResults GetResults(IInstanceInfo instanceInfo)

# region "Custom errors"

var customErrorsNode = (CustomErrorsSection) configuration.GetSection("system.web/customErrors");
var customErrorsNode = (CustomErrorsSection)configuration.GetSection("system.web/customErrors");
var customErrors = customErrorsNode.Mode;

if (customErrors != CustomErrorsMode.On)
Expand All @@ -88,7 +97,7 @@ public ModuleResults GetResults(IInstanceInfo instanceInfo)

# region "Cookieless authentication"

var authNode = (AuthenticationSection) configuration.GetSection("system.web/authentication");
var authNode = (AuthenticationSection)configuration.GetSection("system.web/authentication");
var cookieless = authNode.Forms.Cookieless;

if (cookieless != HttpCookieMode.UseCookies) // Auto? Device?
Expand Down Expand Up @@ -122,10 +131,10 @@ public ModuleResults GetResults(IInstanceInfo instanceInfo)

# region "HttpOnlyCookies"

var httpOnlyCookiesNode = (HttpCookiesSection) configuration.GetSection("system.web/httpCookies");
var httpOnlyCookiesNode = (HttpCookiesSection)configuration.GetSection("system.web/httpCookies");
bool httpOnlyCookies = httpOnlyCookiesNode.HttpOnlyCookies;

if (!httpOnlyCookies)
if (!httpOnlyCookies)
{
result.Rows.Add("HttpOnlyCookies (<httpCookies httpOnlyCookies=\"...)", httpOnlyCookies.ToString(), RECOMMENDED_VALUE_TRUE);
}
Expand All @@ -134,7 +143,7 @@ public ModuleResults GetResults(IInstanceInfo instanceInfo)

# region "Viewstate (MAC) validation"

var pagesNode = (PagesSection) configuration.GetSection("system.web/pages");
var pagesNode = (PagesSection)configuration.GetSection("system.web/pages");
bool viewstate = pagesNode.EnableViewState;
bool viewstatemac = pagesNode.EnableViewStateMac;

Expand All @@ -147,8 +156,48 @@ public ModuleResults GetResults(IInstanceInfo instanceInfo)
{
result.Rows.Add("Viewstate MAC (<pages EnableViewStateMac=\"...)", viewstatemac.ToString(), RECOMMENDED_VALUE_TRUE);
}

# endregion

#endregion

#region "CMS hash string salt"

string hashStringSalt = string.Empty;

try
{
hashStringSalt = configuration.AppSettings.Settings["CMSHashStringSalt"].Value;
}
catch (Exception ex)
{
// Do nothing, value is not set.
}

if (string.IsNullOrWhiteSpace(hashStringSalt))
{
result.Rows.Add("Hash string salt (<add key=\"CMSHashStringSalt\" ...)", VALUE_NOT_SET, "Any value (typically a GUID)");
}

#endregion

#region "Using SA account for SQL connection"

var connectionString = configuration.ConnectionStrings.ConnectionStrings["CMSConnectionString"];

if (connectionString != null)
{
var usingServerAdminAccount = connectionString.ConnectionString.ToLower().Contains("user id=sa;");
if (usingServerAdminAccount)
{
result.Rows.Add("CMS Connection string is using SA account", "User ID=SA;", "Use integrated security or a specific user");
}
}
else
{
result.Rows.Add("CMS Connection string is not present", VALUE_NOT_SET, "Add a CMSConnectionString");
}


#endregion

// Return result depending on findings
if (result.Rows.Count > 0)
Expand Down

0 comments on commit 11911f6

Please sign in to comment.