Posts

Showing posts from March, 2013

Performance Counters for .NET

A little dated by now. From the Windows 2000 Resource Kit:
http://technet.microsoft.com/en-us/library/cc938609.aspx
http://technet.microsoft.com/en-us/library/cc940375.aspx
http://technet.microsoft.com/en-us/library/cc938586.aspx
http://technet.microsoft.com/en-us/library/bb734903.aspx

For .NET:
http://www.symantec.com/business/support/index?page=content&id=HOWTO9722

From Windows 2003:
http://technet.microsoft.com/en-us/library/cc779038(WS.10).aspx

Cookie, Security, OWASP

We just had a Security Assessment for our web applications. Some points of interest follow:

Cookie XSS security: Where possible, all cookies should be configured to be httpOnly. This is to prevent client-side scripts or applets from accessing the cookie. Incidentally, this is the default for the ASP.NET session cookie and cannot be changed via the httpCookies element in Web.Config:

<httpCookies httpOnlyCookies="true"/>

Prevent MITM from accessing the session: Ensure that the session cookie is delivered over a secured HTTP session (TLS). Setting the cookie as secure indicates to the browser that the cookie should only be sent over a secured channel. To configure the httpCookies element:

<httpCookies requireSSL="true" />

Note that Forms and Session cookies have slightly different behaviour, with the Forms cookie being more secure and more configurable. Interestingly, setting requireSSL to true for the Forms cookie mandates that the communication channel to