When storing sensitive information in a configuration file for an application, you should encrypt the sensitive values using Protected Configuration. Information that is especially sensitive includes the encryption keys stored in the machineKey configuration element and connection strings to a data source stored in the connectionStrings configuration element. For more information, see Encrypting Configuration Information Using Protected Configuration.

It is highly recommended that you protect role names cached in a cookie by setting the cookieProtection attribute of the roleManager Element (ASP.NET Settings Schema) to All. The encryption key values for the specified encryption algorithm are stored in the machineKey configuration element. For strong encryption, specify an encryption key that is a randomly generated value of the appropriate length for the selected encryption algorithm.

On a server that hosts multiple applications, you should define unique encryption keys for each application. A less secure alternative is to define a single encryption key and specify the IsolateApps option with the key.

Host servers can also restrict the ability to override configuration settings from the machine configuration by denying override rights. This includes denying the ability for encryption keys to be redefined in the Web.config file for an application.

As mentioned earlier, it is important to protect the connection string that is used to access SQL Server, Active Directory, or another data-source application. To keep the connection to your database server secure, you should encrypt connection-string information in the configuration by using Protected Configuration. For more information, see Encrypting Configuration Information Using Protected Configuration.

To connect to computers running SQL Server, you should use Integrated Security to avoid the possibility of your connection string being compromised and your user ID and password being exposed. When you specify a connection that uses Integrated Security to connect to a computer running SQL Server, the role-manager feature reverts to the identity of the process. You should ensure that the identity of the process (for example, the application pool) that is running ASP.NET be the default process account or a restricted user account. For more information, see ASP.NET Impersonation.

The SQL Server database that is used to store the user information for roles includes database roles and views that enable you to restrict user access to only the required capabilities and visibility. You should assign minimum privileges to the user ID that is used to connect to the SQL Server role database. For more information, see Roles and Views in the Application Services Database for SQL Server.

SQL Server Express 2005 includes a new mode of operation that allows SQL Server to start a worker process running as the identity of the connecting user. This capability is referred to as "run as user" mode. Although this mode of operation is suitable for desktop development when using IIS, starting worker processes is not appropriate on Web servers hosting multiple, untrusted customer codebases. Shared hosting servers that contain applications that do not trust each other should explicitly disable the "run as user" functionality. This functionality can be turned off by connecting to the SQL Express instance (for example, osql –E –S .\sqlexpress) and issuing the following Transact-SQL command.

EXEC sp_configure 'show advanced option', '1'

GO

RECONFIGURE WITH OVERRIDE

GO

EXEC sp_configure 'user instances enabled', 0

GO

RECONFIGURE WITH OVERRIDE

GO

To improve the security of your data source when using the AuthorizationStoreRoleProvider, you should store your role information in an Active Directory server, as opposed to a file-based authorization store. This can keep the policy-store file from being exposed should the Web server be compromised.

The role-manager feature reverts to the identity of the process when connecting to an Active Directory server. You should ensure that the identity of the process (for example, the application pool) that is running ASP.NET is the default process account or a restricted user account. For more information, see ASP.NET Impersonation. Additionally, you should assign permissions to the account in the Active Directory authorization store that allow access to only the specific Authorization Manager application or scope required by your ASP.NET application.

You should use a network encryption tool such as Internet Protocol Security (IPSec) to protect the connection to the Active Directory server.

If the cacheRolesInCookie attribute of the roleManager Element (ASP.NET Settings Schema) is set to true, and if the cookiePath attribute is set to a path that includes multiple applications, the same role cookie will be sent to multiple applications. You can share the role cookie across multiple applications by specifying the same encryption information in the machineKey configuration element for each application.

To avoid sharing the role names cookie across multiple applications, specify separate encryption keys in the machineKey configuration element for each application, set the cookiePath attribute for each application to the specific application path, and set the ApplicationName property to a unique value for each application.

To prevent sensitive information from being exposed to unwanted sources, configure your application either to not display detailed error messages or to display detailed error messages only when the client is the Web server itself. For more information, see customErrors Element (ASP.NET Settings Schema).

If your server is running Windows ServerВ 2003, you can improve the security of you application by securing the event log, and by setting parameters regarding the size, retention, and so on of the event log to prevent an indirect denial of service attack against it.

Your Web server can be configured to trace when certain actions occur regarding the role-manager feature and store the trace information in a log file. Because sensitive information such as user names and role names can be stored in the trace log file, you should restrict access to the ability to enable tracing to administrators only as well as the ability to configure the location of the trace log file and access to the trace log file.