Enable TLS 1.2 or above on your ASP.NET Web App or WebAPI

The Transport Layer Security (TLS) 1.2 is a stadnard that provides security improvements over previous versions. More and more thrid-party APIs were configured to disable any requests from clients that were using TLS 1.0/1.1. So if your ASP.NET Web App or WebAPI Services Web Site will need to update to TLS 1.2 as well if your ASP.NET Web App or WebAPI Services Web Site has some calls to the third-party APIs, otherwise they will only return empty responses.

You could disable TLS 1.0/1.1 and only enable TLS 1.2 in your Web Server or in Azure, so that your hosting environments will no longer accept requests from earlier version of TLS.

But what happens on your application (ASP.NET Web App or WebAPI Services)? Depend on what version of .NET framework your project usrs will dicate the possible solutions available to you.

  1. If your project compiles against .NET Framework 4.7 or above, then you don’t have to do anything.
  2. If your project has been developed in a earlier version of .NET Framework, then you could either
    1. Recompile your project using .NET Framework 4.7 or above
    2. If recompiling is not an option, then you will have to update your .config file as below,
    <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=false"/>
    <compilation targetFramework="x.y.z" />
    <httpRuntime targetFramework="x.y.z" /> 

It is preferred that x.y.z are the same. So if your application is 4.6.2, then replacing x.y.z into 4.6.2.

Microsoft also has post a useful document on describing the best pratices to TLS 1.2. It will be great if you could read them all and understand them in order to fully secure your application(ASP.NET Web App or WebAPI Services).


Another security strategy – Using Least Privilege

I recently read about Programming on Windows Authenication, I got a lto of result after searching. I have in touch with Aaron Margosis and Keith Brown. Aaron is a Senior Consultant with Microsoft Consulting Services.  He wrote about “Non-Admin” and also “Least Privilege”. Keith Brown is MVP – Visual Develop in Security. He wrote about Programming Security and also Secondary Logon.

UserFul Link:

Aaron Margosis: http://blogs.msdn.com/aaron_margosis/default.aspx
Keith Brown: http://www.develop.com/us/technology/techresources.aspx
MSDN Article: Credential Management with the .NET Framework 2.0

Also, I read about something on “Least User Priveledge” writen by Brian Boston. Here is his article,

One of the interesting conundrums these days with users running Microsoft Windows XP is how an operating system built on Windows NT should require so much help to be “secure.”  How is it that a product designed with security in mind be so insecure as to require so many additional tools to keep us free of spyware and other malicious attacks?  While you can argue that the evolution of invasive technology requires us to be more vigilant, any security expert who has been around a while knows the answer is rooted not in technology but in our human behavior.

How many of you run Windows XP all the time with administrator rights?  Even among a more technical crowd, the percentage of people running as Admin on their system is pretty high.  This is, of course, what makers of malicious software are counting on.  If they can survive the gauntlet of firewalls, anti-virus, and spyware detection programs, they can usually count doing what they want because you as Administrator have granted them that right.

Why do people run as Administrator?  The simplest answer is that it’s easier than running as Standard User.  Adding devices or installing software usually requires running as Admin. Programs can and do fail to either run or function correctly unless you are logged in with admin rights.  Of course, that is also why worms, Trojans, and viruses like the environment as well.

The use of User Access Control in Windows Vista (formally known a LUA and other names) will help with this problem in some ways.  When a program or task requires a higher level of access, Windows Vista will ask you for permission to give it that access.  Will this help?  Probably.  Will be annoying?  Very likely.  One way to get a jump and reduce that annoyance is to start running as Standard User right now in Windows XP.  That way you can understand and perhaps correct problems before you can confronted in Windows Vista..and be more secure as well.

One person committed to that course is a Aaron Margosis.  Aaron is a Senior Consultant with Microsoft Consulting Services.  He also runs weblog subtitled “The Non-Admin blog – running with least privilege on the desktop.” Over the last few years, Aaron has been running as Standard User on Windows XP and documenting how he has been doing it on his blog.  Aaron has developed tools, scripts, and strategy to keep him from logging into his Admin account when he starts up.

Aaron also speaks at conferences about this topic and advocating developers write applications that do not require administrative access.  His point is that developers usually build their applications while running as Admin and do not test those applications as Standard Users.  This often results in unnecessary or irrelevant calls to files or registry entries fail when logged in as Standard User.  Aaron often illustrates his point by makes changes what permit certain applications to run without this problem.

So, if you haven’t enough New Year’s resolutions for this year, consider running as Standard User and practice what Aaron and like minded people are doing.  Use his blog as a reference, listen to a webcast of his 2005 TechEd talk,  Tips and Tricks to Running Windows with Least Privilege (Level 300),  and check out the podcast he did right after the session.  You can also explorer resources on the nonadmin wiki..