Custom error pages are used to hide technical information from end users. Default error pages can often leak technical information to potential attackers. In this post I'll show how to implement custom error pages for IIS and ASP.NET to assist with hardening the security of a system.
HTTP headers leak technical information to potential attackers about a system. To harden the security of an application you need to disclose as little information about a system as possible.
The request was aborted: Could not create SSL/TLS secure channel. Description: An unhandled exception occurred during the execution of the current web request.
A few posts back I was looking at OAuth and I stumbled onto some posts with references to this thing called OWIN. Initially I thought it was a framework that wrapped OAuth to make it easier to use but it turned out to be a hosting solution with support for middleware.
HTTP Strict Transport Security, or HSTS, is a header that instructs a browser not to downgrade a secure HTTPS connection to an unsecure HTTP connection for a specified domain.
There is a vulnerability in SSL3 called POODLE; it is documented in detail here by Google. SSL 2 & 3 need to be disabled in the client browser and on the web server. Below is a registry file that can be copied and run on Microsoft IIS web servers to disable SSL 2 & 3…
So you have decided for some reason to host your WCF services with a net.tcp binding in IIS, and for some reason the services time out or become unresponsive or unreachable sometimes? It turns out this is a known Microsoft bug and the fix can be found here.
Check the SPNs of the client endpoint inside the WCF configuration file. Make sure that the destination endpoint is defined correctly. This can be caused by requiring Kerberos authentication where it is not possible. In this case make sure that allowntlm is enabled for the particular service. Keep in mind that Kerberos caches the SPN…