List of TeamMentor titles to get GUIDs for serge

dotNet_2.0_Titles.txt

New Guidance Item
Assign Information Security Responsibilities
Avoid Accepting Delegates From Untrusted Sources
Avoid Exposing Unmanaged Types Or Handles to Partially Trusted Code
Avoid Storing Secrets in Code
Avoid Using APTCA
Back Up And Analyze Log Data Regularly
Back Up And Analyze Log Files Regularly
Calculate Destinations of Redirects And Forwards Without User Input
Calculate Destinations of Redirects And Forwards Without User Input
Catch Exceptions
Change System Default Settings on Network Devices
Change the Session State Port from the Default Value
Conduct Background Checks
Configure a Wireless Access Point for PCI DSS
Configure the Firewalls for PCI DSS Compliance
Configure the Routers for PCI DSS Compliance
Configure the Firewalls for PCI DSS Compliance
Configure the Routers for PCI DSS Compliance
Configure the Windows Access Control System
Consider Identity Flow
Consider Restricting Permissions to the Delegate
Consider Using Obfuscation
Constrain And Sanitize Input Data
Constrain And Validate String Parameters
Create a Custom Trust Policy If Your Application Needs Additional Permissions
Define Acceptable Technology Usage Policies
Define Daily Security Operational Procedures
Define Information Security Responsibilities
Deploy a File-integrity Monitoring Solution
Deploy a Web Application Firewall
Deploy a Wireless IDS
Deploy an Anti-Virus
Deploy an IDS Or IPS
Develop Applications Using Secure Coding Guidelines
Disable the Session State Service If Unused
Disable Unused Services And Protocols
Do Not Accept File Names Or Paths from Users
Do Not Develop Your Own Cryptography
Do Not Leave the System Vulnerable After Unrecoverable Exceptions Occur
Do Not Pass Sensitive Data Using the HTTP-GET Protocol
Do Not Rely On Client State Management Options
Do Not Rely on Client-Side Validation
Do Not Store Secrets If Avoidable
Do Not Store Sensitive Data in Cookies, Hidden Form Fields, Or Query Strings
Do Not Store Sensitive Data in Persistent Cookies
Don't Use Redirects Or Forwards If Possible
Don't Use Redirects Or Forwards If Possible
Draw a Network Diagram
Encrypt And Check Integrity of Authentication Cookies
Encrypt Off-site Backups
Encrypt Remote Administrator Access
Encrypt Sensitive Data That Is Stored in .config Files Using Protected Configuration Providers
Encrypt the Contents of the Authentication Cookies
Encrypt the Data Or Secure the Communication Channel
Enforce Strong Password Policies
Erase Files Securely
Formulate a Data Access Control Policy
Formulate a Storage Media Policy
Formulate the User Authentication And Password Policies
Implement Audit Trails for System Components
Implement Change Control Procedures
Implement Only One Primary Function per Server
Implement Audit Trails for System Components
Implement Change Control Procedures
Implement Only One Primary Function per Server
Implement Physical Security Controls
Implement the Password Policy Using Group Policy Objects
Implement Two-factor Authentication for Remote Network Access
Install And Configure a Personal Firewall
Install the Latest Security Updates
Keep Track of New Security Vulnerabilities
Keep Unencrypted Data Close to the Algorithm
Know Your Tradeoffs with Impersonation
Limit Access to the Credential Store to the Application Account
Log Events with Appropriate Levels of Information to Reconstruct System Activity
Log High Volume Events with Performance Counters
Log Key Events
Maintain a PCI DSS Compliant Information Security Policy
Manage a Formal Security Awareness Program
Manage Service Providers
Optimize Pages That Use SSL
Organize the Software Development Processes for PCI DSS Compliance
Perform Network Vulnerability Scans
Perform Penetration Tests
Platform Features Are Used And Custom Key Management Is Avoided
Prepare an Incident Response Plan
Prepare System Configuration Standards Using Industry Standards
Prepare the Data Retention And Disposal Policies
Prepare the Key Management Procedures
Prepare the Network Documentation for PCI DSS Compliance
Protect Credentials Over the Network When Using SQL Authentication
Protect Sensitive Data Over the Wire
Protect SQL Server Session State
Protect the Cardholder Data
Protect Your Session State Communication Channel
Remove Unnecessary Functionality
Restrict Access to Your Code
Restrict Class And Member Visibility
Review the Firewall Configuration
Review the Router Configuration
Review Web Applications
Run the Session State Service With the Least Privileged Account
Secure Log Data
Secure the Logs
Specify Hashed Password Format in Provider Configuration
Store Hashes with Salt Instead of Storing Plain Passwords
Store Keys in User-level Key Store for Shared Hosting Environments
Store Only Salted Password Digests, Not Plaintext Passwords
Synchronize System Clocks
Test Changes to the Firewall Configuration
Test Changes to the Router Configuration
Test Dynamic Packet Filtering with a Port Scanner
Turn off Output Caching for Pages That Contain Sensitive Data
Use a Wireless Analyzer
Use an Account That Has Restricted Permissions in the Database
Use Least Privileged Process And Service Accounts
Use Least-privileged Accounts for Database Access
Use Mapping Values When Redirecting on User Input
Use Mapping Values When Redirecting on User Input
Use Platform-provided Cryptographic Services
Use Protocol Transition When Multiple Identities Need to Access Downstream Resources
Use ReflectionOnlyLoadFrom If You Only Need to Inspect Code
Use the Same MachineKey For All Servers In a Web Farm
Use Trusted Service Accounts When Connecting to SQL Server
Validate Destinations of Redirects And Forwards
Validate Destinations of Redirects And Forwards
When Using Impersonation, Consider Threading Issues
A Centralized Log Server Is Deployed
A Certificate Is Installed on the Database Server to Support SSL Communication
A Custom ASP.NET Policy Is Used to Access Non-SQL Server Databases from Partial Trust ASP.NET Applications.
A Custom Least-privileged Anonymous Account Is Created for Anonymous Access.
A DMZ Is Implemented
A Least-privileged Local/domain Account Is Used to Run the Various SQL Server Services, For example, Back up And Replication.
A Secure Approach to Exception Management Is Identified.
A Strong Password Is Applied for the Sa Account Or Any Other Member of the Sysadmin Role.
A Strong Sa Password Is Used
A Web Application Firewall Is Used
A Wireless Analyzer Is Used Regularly
A Wireless IDS Or IPS Is Deployed
Absolute URLs Are Used for Navigation Where the Site Is Partitioned with Secure And Non-secure Folders.
Access Control Systems Enforce Privileges
Access Control Systems Have a Deny-all Default
Access Control Systems Should Cover All System Components
Access to Cardholder Data Is Logged
Access to CmdExec Is Restricted to Members of the Sysadmin Role.
Access to Logs Is Logged
Access to Persisted Keys Is Restricted
Access to Required Shares Is Restricted
Access to Required Shares Is Restricted
Access to State Data Is Restricted.
Access to the Credential Store Is Limited to Application Account.
Access to the Metabase Is Restricted by Using NTFS Permissions
Access to the Metabase.bin File Is Audited.
Accounts Are Not Shared Among Administrators.
Administration Interfaces to the Router Are Enumerated And Secured.
Administrative Interfaces Are Enumerated And Secured.
Administrative Shares (C$ And Admin$) Are Removed If They Are Not Required
Administrative Shares Are Removed If They Are Not Required
Administrator Account Is Renamed And Has a Strong Password.
Administrator Actions Should Be Logged
Administrators Are Required to Log on Locally OR the Remote Administration Solution Is Secure.
All Failed Actions Are Logged Across the File System.
All Failed Windows Login Attempts Are Logged.
All Optional Services Are Disabled If Not Used by Any Applications.
All Permissions Have Been Removed from the Internet Zone.
All Permissions Have Been Removed from the Local Intranet Zone.
All Protocols Except TCP/IP Are Disabled Within SQL Server. Check This Using the Server Network Utility.
All the Input Parameters Are Validated For Length, Range, Format, And Type
All Unnecessary Shares Are Removed (including Default Administration Shares).
All Unnecessary Shares Are Removed from the Server.
All Untrusted Input Is Validated Inside Data Access Methods.
All Users Have Unique User IDs
An Access Control System Is Implemented
An Anti-virus Is Deployed
An Employee Security Awareness Program Is Conducted Properly
An IDS Or IPS Is Deployed
Application Does Not Rely on Client-side State Management Options.
Application-specific Data Access Code Is Placed in the Application's Bin Directory.
Applications Are Isolated Using Medium Trust in Hosted Environments.
Appropriate ACLs Are Configured on Web Site Files.
Appropriate Key Sizes Are Used.
Appropriate Mechanism of Secure Communication (IPSec Or SSL) Is Used, Depending on Application Requirement.
Approval Is Required for Account Delegation.
Approval Is Required for Account Delegation.
Array Bounds Are Validated When an Array Is Used to Pass Input to a Native API.
ASP.NET Process Account Is Configured for Least Privilege.
Aspnet_regiis Is Used to Encrypt Credentials Stored in Connection Strings in Configuration Files.
Assemblies Are Not Loaded Dynamically Based on User Input for Assembly Or Type Names.
Assemblies Marked with APTCA Are Subjected to Thorough Security Code Review.
Assembly.ReflectionOnlyLoadFrom Is Used Only If You Need to Inspect Code.
Attribute AllowOverride Is Set to False in the Machine-level Web.config File to Ensure Developers Cannot Change the Trust Level of Their Application.
Audit Logs Are Regularly Monitored.
Authentication Cookie Is Encrypted And Integrity Checked.
Authentication Cookies Are Not Persisted.
Authentication Cookies Are Restricted to HTTPS Connections Only by Using the RequireSSL Attribute.
Authorization Cookie Is Protected for Tampering And Reading Information.
Available Services Are Secured.
Back-out Procedures Exist for Each Change
Back-up Storage Is Secure
Background Checks Are Performed on New Employees
Badge Management Procedures Are Defined
Base Classes That Are Not Intended to Be Derived from Are Sealed.
BUILTIN\Administrators Server Login Is Removed.
Card PIN Is Not Stored
Card Verification Code Is Not Stored
Cardholder Data Is Periodically Removed
Cardholder Data on Removable Media Is Encrypted
Certificate Date Ranges Are Valid.
Certificates Are Used for Their Intended Purpose (for Example, the Server Certificate Is Not Used for E-mail).
Change Documentation Includes Customer Impact Considerations
Change Documentation Includes Management Sign-offs
Changes Are Documented
Code Access Security Is Enabled on the Server.
Code Access Security Is Used When Applications Need to Be Isolated from Each Other.
Code Avoids Untrusted Input for File Names And File Paths.
Code Fails Early to Avoid Unnecessary Processing.
Code Is Not Subject to Exception Filter Issues Where the Filter Higher in the Call Stack Executes Before Code in a Finally Block.
Compromised Encryption Keys Are Replaced
Configuration Sections That Contain Sensitive Data Are Encrypted Using Protected Configuration Providers.
Configuration Settings Are Locked by Setting AllowOverride to False Where Appropriate to Enforce Policy Settings.
Configuration Standards Include Common Security Settings
Connection String Information Is Encrypted Using Strong Encryption (for Example, 3DES).
Connection Strings Are Encrypted If They Contain Credentials.
Connection Strings Are Not Hard Coded. Connection Strings Are Stored in Configuration Files.
Connection to Database Is Used with Least-privileged Service Account.
Content Directories Have Deny Write ACE for Anonymous Internet Accounts.
Creation And Deletion of System Objects Is Logged
Credentials Are Secured over the Network by Using IPSec Or SSL, Or by Installing a Database Server Certificate.
Credentials in SQL Connection Strings Are Protected in Configuration Files.
Current Log Files Are Promptly Backed Up
Current Router Configuration Matches the Start-up Settings
Custom Application Code Is Reviewed
Database Access Is Authenticated
Database Connections Are Closed with Using Statements Or in Finally Blocks.
Debug Compiles Are Turned Off.
Default Permissions That Are Applied to SQL Server Objects Are Not Altered.
Default SNMP Community Strings Are Changed on Wireless Devices
Default Usernames And Passwords Are Not Used
Delay Signing Is Used to Reduce the Chance of Private Key Compromise Or to Enable the Use of a Single Public Key Across a Team.
Delegates Are Not Accepted from Untrusted Sources.
Design Exposes a Minimal Number of Public Interfaces to Limit the Assembly's Attack Surface.
Destinations of Redirects And Forwards Are Calculated Without User Input
Destinations of Redirects And Forwards Are Calculated Without User Input
Destinations of Redirects And Forwards Are Validated
Destinations of Redirects And Forwards Are Validated
Developers Know Secure Programming Techniques
Development And Production Environments Are Separate
Development And Production Staff Are Different
Directed Broadcast Traffic Is Not Received Or Forwarded.
Disk Encryption Uses Secure Authentication
Dispose Methods Are Synchronized.
Documented Access Authorization Is Required
Dynamic Queries That Accept User Input Are Used Only If Stored Procedures Cannot Be Used.
Each Change to the Software Code Is Tested
Effective Filters Are in Place to Prevent Malicious Traffic from Entering the Perimeter
Encryption Key Custodians Understand And Accept Their Responsibilities
Erased Data Is Unrecoverable
Event Log Data Is Not Exposed to Unauthorized Users.
Events Are Logged with Appropriate Levels of Information to Reconstruct System Activity.
Except Where Necessary, APTCA Usage Is Avoided.
Exceptions While Impersonating Are Not Allowed to Propagate.
Exported Private Keys Are Protected.
Extended OleDbPermission Syntax Is Used to Restrict Database Access on Hosted Servers.
Extensions Not Used by the Application Are Mapped to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, Idc, .htr, .printer).
Failed Access Attempts Are Logged
Failed Logon Attempts Are Audited.
Few People Have Access to Encryption Keys
Fields Are Private. Properties Are Used to Expose Fields.
File Authorization Is Used with Windows Authentication.
File Path Lengths Are Checked When a File Name And Path Are Passed to an Unmanaged API.
File-integrity Monitoring Is Used
Files And Directories Are Contained on NTFS Volumes.
Firewalls Between Wireless Networks And the Cardholder Data Environment
For Communication Between Servers, IPSec Is Used When Secure Server-to-server Communication Is Required.
For Communication Between Servers, SSL Is Used When an Application Does Not Trust Other Applications on a Server.
For Communication Between Web Browser And Web Server, SSL Is Used When Pages Need to Be Encrypted
Free Form Input Is Sanitized to Clean Malicious Data.
FrontPage Server Extensions (FPSE) Are Removed If Not Used. If They Are Used, They Are Updated And Access to FPSE Is Restricted.
Full Assembly Names Are Used When Activator.CreateInstance Loads Add-ins.
Full Card Track Contents Are Not Stored
GenerateKey Is Used to Generate Random Keys for a Managed Symmetric Cryptographic Class.
Group Membership Is Audited.
Hashed Password Format Is Specified in Provider Configuration.
High Volume, Per-request Events Are Captured with Performance Counters.
HTTP Requests Are Filtered. URLScan Is Installed And Configured.
HttpOnlyCookies Attribute Is Set to True on Authentication Cookie
HTTPS Appears in the URL
ICMP Traffic Is Screened from the Internal Network.
Identification And Authentication Events Are Logged
Idle Terminal Sessions Are Locked After 15 Minutes
If Credentials Are Stored in Configuration Files, They Are Encrypted. RSA Encryption Is Used on Web Farm Servers.
If File Names Must Be Accepted Through Input, the Names And Locations Are First Validated.
If Required, Strong Names Are Used
If Role Caching Is Used, Authorization Cookie Is Restricted to HTTPS Connections by Using the RequireSSL Attribute.
If Sensitive Data Must Be Stored, Then It Should Be Encrypted
If SQL Authentication Is Used, Then Aspnet_regiis Is Used to Encrypt Connection Strings in Configuration Files.
If SQL Authentication Is Used, Then IPSec Or SSL Is Used to Protect Credentials on the Network.
If SQL Authentication Is Used, Then Strong Passwords Are Used And Enforced.
If User Input Must Be Used to Build Connection Strings, the Input Is Validated And ConnectionStringBuilder Is Used.
If Using SSL Is Not Possible, the CookieSlidingExpiration Attribute Is Set to False And Limited Authentication Cookie Time-outs Are Used.
If Using SSL Is Not Possible, the SlidingExpiration Attribute Is Set to False And Limited Authentication Cookie Time-outs Are Used.
If Your Application Needs Additional Permissions, a Custom Trust Policy Is Used.
IIS Banner Information Is Restricted (IP Address in Content Location Disabled).
IIS Is Configured for W3C Extended Log File Format Auditing.
IIS Log Files Are Relocated And Secured.
IIS Log Files Are Relocated to a Non-system NTFS Volume And Secured
IISLockdown Tool Has Been Run on the Server.
Impersonation Is Reverted by Using Finally Blocks.
Impersonation Is Used Only When Original Caller's Security Context Is Required for Downstream Tier for Auditing Or Authorization.
Impersonation Token Is Not Created by Using LogonUser API.
Impersonation Tokens Are Not Lost; They Flow to the Newly Created Thread.
In ASP .NET Applications, ASP.NET Validator Controls Are Used to Constrain And Validate Input.
In ASP.NET Applications, a Generic Error Page Is Used to Avoid Accidentally Returning Detailed Error Information to the Client.
In Full Trust Scenarios, StrongNameIdentityPermission Is Not Relied upon to Restrict Code That Can Call the Assembly.
In the Connection String, the PersistSecurityInfo Attribute Is Not Specified Or Is Set to False Or No.
Inactive Accounts Are Disabled
Incident Response Plan Covers Unauthorized Wireless Devices
Include Directories Do Not Have Read Web Permission.
Information Storage Media Is Physically Secure
Ingress And Egress Filtering Is Enabled. Incoming And Outgoing Packets Are Confirmed as Coming from Public Or Internal Networks.
Initalization of Logs Is Logged
Input Data Is Constrained And Sanitized. Data Is Checked for Type, Length, Format, And Range.
Input from All the Sources Including Query Strings, Cookies, And HTML Controls Is Validated
Input Is Not Trusted. Input Is Validated for Type, Range, Format And Length.
Internet-facing Interfaces Are Restricted to Port 80 (and 443 If SSL Is Used).
Intranet Traffic Is Encrypted (for Example, with SSL) Or Restricted If You Do Not Have a Secure Data Center Infrastructure.
Intrusion Detection Is Enabled at the Firewall.
IPsec Is Configured for Encrypted Communication Within the Perimeter Network.
IUSR_MACHINE Account Is Disabled If It Is Not Used by the Application.
Key Management Procedures Require Keys to Be Changed Regularly
Key Management Procedures Require Secure Key Distribution
Key Management Procedures Require Secure Storage
Key Management Procedures Require Strong Encryption Keys
Keys Are Cycled Periodically.
Keys Are Not Stored in Code.
Keys Are Stored in Machine-level Key Store
Keys Are Stored in User-level Key Store for Applications Running in a Shared Hosting Environment.
Keys Stored in Files Are Encrypted
Known Vulnerable Ports Are Blocked.
Large Ping Packets Are Screened.
Latest Patches And Updates Are Installed.
Latest Security Updates Are Installed
Least-privileged Service Account Is Used for Running ASP.NET Applications.
Log Entries Include Event Origin
Log Entries Include Event Time
Log Entries Include Event Type
Log Entries Include Resource Name
Log Entries Include Success Or Failure Indication
Log Entries Include User Identification
Log Files Are Configured with an Appropriate Size Depending on the Application Security Requirement.
Log Files Are Configured with an Appropriate Size Depending on the Application Security Requirement.
Log Files Are Regularly Archived And Analyzed.
Log Files Are Relocated from the Default Location And Secured with Access Control Lists.
Log Files Are Secure
Logging Is Enabled And Audited for Unusual Traffic Or Patterns.
Logs Are Reviewed Regularly
Mapping Values Are Used for Redirects And Forwards
Mapping Values Are Used for Redirects And Forwards
Mechanisms Have Been Identified to Secure Sensitive Information over Network And in Persistent Stores.
Members of Sysadmin Fixed Server Role Are Limited (ideally, No More than Two Users).
Membership of the Local Administrators Group Is Restricted (ideally, No More than Two Administration Accounts).
Microsoft SQL Server Is Not Installed on a Domain Controller.
Mirrored Local Accounts Are Considered as an Alternative If Domain Accounts Cannot Be Used.
Monitor And Control Remote Vendor Accounts
MS DTC Is Disabled If It Is Not Being Used by Any Applications.
MSADC Virtual Directory (RDS) Is Removed Or Secured.
Multithreaded Code Does Not Cache the Results of Security Checks.
Named Instances Are Configured to Listen on the Same Port.
Naming Conventions Are Used (safe, Native, Unsafe) to Identify Unmanaged APIs.
NAT Is Used to Masquerade Local IPs
NetBIOS And SMB Are Disabled (closes Ports 137, 138, 139, And 445).
Network Documentation Explains Why Insecure Services Are Necessary
Network Documentation Includes a Description of Groups, Roles, And Responsibilities
Network Documentation Includes an Accurate Network Diagram
Network Documentation Includes Descriptions of Used Ports
Network Traffic Is Restricted to That Which Is Necessary
New Passwords Are Unique
No More than Two Accounts Exist in the Administrators Group.
NTLM Version 2 Is Enabled by Setting LMCompatibilityLevel to 5.
Null Sessions (anonymous Logons) Are Disabled.
Off-site Backups Are Encrypted
Old Encryption Keys Are Retired
Only One Primary Function Is Implemented per Server
Only Required Ports Are Opened And Firewall Restrictions Are Applied for the Application.
Only Trusted Certificates Are Used
Out-of-process State Service Is Protected.
Output Caching for Pages That Contain Sensitive Data Is Turned Off.
Outside Resources Are Used to Track Vulnerabilities
Pages That Use SSL Are Optimized
PasswordDeriveBytes Is Used for Password-based Encryption.
Passwords Are Changed Regularly
Passwords Are Encrypted When Stored Or Sent
Passwords Are Not Stored Directly in the User Store; Password Digests with Salt Are Stored Instead.
Passwords Are Required to Have Both Letters And Numbers
Passwords Are Stored as Irreversible Hash Values with Added Salt. Passwords Are Not Stored in Clear Text Or in Encrypted Format.
Passwords Have a Minimum Length Requirement
Patches Are Tested Before Being Deployed
Penetration Tests Are Documented
Penetration Tests Are Performed Regularly
Periodic Anti-virus Scans Are Scheduled
Permissions Are Not Asserted Before Delegate Is Called.
Permissions Are Not Granted for the Public Role.
Personal Firewalls Are Installed on Employees' Computers
Physical Security Controls Are in Place
Plaintext Passwords Are Not Used in Configuration Files (Web.config And Machine.config).
Platform Features Are Used And Custom Key Management Is Avoided.
Platform-provided Cryptographic Services Are Used. Custom Cryptography Algorithms Are Not Used.
Pointers Are Held in Private Fields
Policy Covers Sensitive Media Distribution
Policy Defines Daily Security Procedures
Policy Defines Information Security Responsibilities
Policy Forbids Sending Unencrypted PANs
Policy Includes Data Retention Requirements
Policy Includes Provisions for Data Disposal
Policy Requires Logs to Be Kept for at Least a Year
Policy Requires Media Inventory
Policy Requires Patches to Be Installed Monthly
Policy Requires Secure Media Destruction
Policy Requires the Anti-virus to Be Updated Regularly
Port 3389 Is Secured Using IPSec If It Is Left Open for Remote Terminal Services Administration
Post Service-pack Patches Have Been Applied for SQL Server.
Potentially Dangerous Virtual Directories, Including IISSamples, IISAdmin, IISHelp, And Scripts Virtual Directories, Are Removed.
Previously Used Passwords Are Forbidden
Privileges Are Assigned Based on Job Function
Production Data Is Not Used for Testing Or Development
Programmatic Impersonation Is Avoided Where Possible.
Properties Are Read-only Unless Write Access Is Specifically Required.
Protected Configuration Is Used to Protect Sensitive Data And Secrets in Configuration Files.
Protected File Types Are Blocked Using HttpForbiddenHandler.
Protected Resources Are Mapped to HttpForbiddenHandler.
Protocol Transition Is Used When Multiple Identities Need to Access Downstream Resources.
Public-facing Web Applications Are Reviewed
Redirects And Forwards Are Not Used Unless Necessary
Redirects And Forwards Are Not Used Unless Necessary
Regular Backups Are Performed.
Regular Expressions Are Used to Validate Input Against Expected Patterns.
Remote Administration of the Server Is Secured And Configured for Encryption, Low Session Time-outs, And Account Lockouts.
Remote Administrator Access Is Encrypted
Remote IIS Administration Application Is Removed (\WINNT\System32\Inetsrv\IISAdmin).
Remote Logons Are Restricted.
Remote Logons Are Restricted.
Remote Registry Access Is Restricted.
Resource Kit Tools, Utilities, And SDKs Are Removed.
Restrict Access to All Ports on the Server Except the Ports Configured for SQL Server And Database Instances (TCP 1433 And UDP 1434 by Default).
Restricted Database Permissions Are Granted.
Restrictive Permissions Are Configured on SQL Server Installation Directories
Role Caching Is Used If Role Store Lookup Is Too Costly.
Role Checks Or Declarative Or Imperative Principal Permission Checks Are Used to Restrict Calling Users..
Routing Information Protocol (RIP) Packets, If Used, Are Blocked at the Outermost Router.
RSA Encryption Is Used to Protect Credentials Stored in Connection Strings on Web Farm Servers.
RSA Protected Configuration Provider Is Used to Protect Connection Strings in a Web Farm Environment.
SAM Is Secured
Sample Applications Are Removed (\WINNT\Help\IISHelp, \Inetpub\IISSamples).
Sample Databases (including Pubs And Northwind) Are Removed.
Secrets Are Not Stored in Code.
Security Assessments Are Regularly Performed.
Security Decisions Are Not Based on User-supplied File Names.
Security Decisions Should Not Rely on Client-side Validations; They Are Made on the Server Side.
Security Is Included Throughout the Development Life Cycle
Security Responsibilities Are Assigned to Specific Staff Members
SecurityTransparent And SecurityCritical Attributes Are Used Appropriately.
Sensitive Data Files Are Encrypted Using EFS
Sensitive Data in the Registry Is Encrypted.
Sensitive Data Is Encrypted in the Database.
Sensitive Data Is Not Cached.
Sensitive Data Is Not Logged in the Event Log.
Sensitive Data Is Not Logged.
Sensitive Data Is Not Passed Across Pages; It Is Maintained Using Server-side State Management.
Sensitive Data Is Not Stored in Cookies, Hidden Form Fields, Or Query Strings.
Sensitive Data Is Protected with IPSec Or SSL on the Network.
Sensitive Data Passed over Wire Is Secured Using SSL Or IPSec Where Appropriate.
Sensitive Data Stored in HKEY_LOCAL_MACHINE Is Protected by ACLs.
Sensitive Data That Is Stored in .config Files Are Encrypted Using Protected Configuration Providers.
Separate, Low-trust Application Domains Are Used for Assemblies Created with User Input.
Serialized Data Streams Are Validated When They Are Deserialized
Service Providers Are Managed in Compliance with PCI DSS
Session State Connection Strings Are Encrypted Using Protected Configuration Providers.
Session State Port Is Changed from Default of 42424.
Set Mode Attribute in CustomErrors to On to Prevent Displaying Detailed Error Messages to the Caller.
Setup Log Files Are Secured.
Shared Accounts Are Not Used.
Shared Accounts Are Not Used
Site Is Partitioned to Restricted Areas And Public Areas.
Split Knowledge Access to Encryption Keys Is Implemented
SQL Queries Use Parameterized Stored Procedures And Type-safe SQL Parameters.
SQL Server Agent Is Not Installed If It Is Not Being Used by Any Application.
SQL Server Authentication Is Set to Windows Only.
SQL Server Guest User Accounts Are Removed.
SQL Server Is Installed on a Dedicated Database Server.
SQL Server Is Installed on an NTFS Partition.
SQL Server Is Running Using a Least-privileged Local Account
SQL Server Login Auditing Is Enabled.
SQL Server Registry Keys Are Secured with Restricted Permissions.
SQL Server Runs Using a Least-privileged Account.
SQL Server Session State Is Protected.
Staff Checks for New Vulnerabilities
Static Class Constructors Are Synchronized.
Static Constructors Are Private.
Stored Procedures And Extended Stored Procedures Are Secured.
String Parameters Are Constrained And Validated
Strong Account And Password Policies Are Enforced for the Server.
Strong Cryptography Is Used to Secure Network Traffic
Strong Names Are Not Relied upon to Create Tamper-proof Assemblies.
Strong Naming Or Code Access Security Is Used to Restrict Code Access.
Strong Password Policy Is Enforced.
Strong Passwords Are Used And Enforced.
Strong Passwords Are Used.
Strong Passwords Policies Are Enforced.
StrongNameIdentityPermission Is Not the Only Means Used to Restrict Full Trust Callers.
Structured Exception Handling Is Used Instead of Returning Error Codes.
SuppressUnmanagedCode Is Used with Caution
System Administrators Know Common Security Settings
System Clocks Are Synchronized
System Configuration Standards Are Applied to New Systems
System Configuration Standards Match Industry Standards
System Or Sensitive Application Information Is Not Revealed. Only Generic Error Messages Are Returned to the End User.
Target Trust Environment Is Identified. Permissions Available to Partial Trust Code And APIs That Require Additional Permissions Are Identified.
Test Data Is Removed Before the Production System Becomes Active
The Account Used to Connect to the Database Has Restricted Database Permissions.
The Anonymous Account Does Not Have Write Access to Web Content Directories And Cannot Execute Command-line Tools.
The Anti-virus Keeps Logs
The Anti-virus Removes Known Malware
The Anti-virus Updates Itself Automatically
The Application Does Not Rely Only on ASP.NET Request Validation.
The Application Login Is Restricted And Has Limited Database Permissions.
The Application's Database Login Is Restricted in the Database
The Authorization Cookie Is Not Persisted.
The Application's Database Login Is Restricted in the Database
The Authorization Cookie Is Not Persisted.
The Cardholder Data Environment Doesn't Have Direct Internet Access
The Certificate Has Not Been Revoked.
The Certificate's Public Key Is Valid, All the Way to a Trusted Root Authority.
The Chosen Trust Level Does Not Exceed Your Application's Requirement.
The Communication Channel to State Store Is Encrypted (IPSec Or SSL).
The Data Access Library Code Uses Strong Names to Constrain Partial Trust Callers.
The Data Access Policy Follows the Least Privilege Principle
The Database Server Is Physically Secured.
The Design Assumes That User Input Is Malicious.
The Everyone Group Does Not Have Permission to Access SQL Server Installation Directories.
The Everyone Group Is Restricted (no Access to \WINNT\system32 Or Web Directories).
The Firewall Configuration Is Documented
The Firewall Configuration Is Reviewed Regularly
The Firewall Is Configured to Support DTC Traffic
The Hide Server Option Is Selected in the Server Network Utility (optional).
The Identities Used to Access Remote Resources from ASP.NET Web Applications Are Clearly Identified.
The Incident Response Plan Satisfies PCI DSS Requirements
The Information Security Policy Includes Key-management Procedures
The Information Security Policy Is PCI DSS Compliant
The Internet Firewall Uses Dynamic Packet Filtering
The ISerializable Interface Or the NonSerialized Attribute Are Used to Control Serialization of Sensitive Data.
The Latest Security Patches Are Installed
The Latest Service Packs And Patches Have Been Applied for SQL Server.
The PAN Is Masked When It Is Displayed
The PAN Is Unreadable Whenever It Is Stored
The Router Configuration Is Documented
The Router Configuration Is Reviewed Regularly
The SAM Is Secured
The Same Machine Keys Are Used Consistently Across All Servers in a Web Farm.
The Server Implements the Latest SSL Version
The Session Cookie Is Protected Using SSL on All Pages That Require Authenticated Access.
The Session State Service (if Used) Runs Using a Least-privileged Account.
The Session State Service Is Disabled If Not Used.
The Site Has Granular Authorization Checks for Pages And Directories.
The SQL Server Audit Level Is Set to Failure Or All.
The TCP/IP Stack Is Hardened on the Database Server.
The Web Site Is Partitioned into Public Access Areas And Restricted Areas That Require Authentication Access.
The Windows Guest Account Is Disabled.
There Is a Firewall at Each Internet Connection
There Is a Firewall Between the DMZ And the Intranet
There Is a Formal Process for Testing Changes to the Firewall Configuration
There Is a Formal Process for Testing Changes to the Router Configuration
There Is Script Source Access Only on Folders That Support Content Authoring.
Threading Issues Have Been Considered If Impersonation Is Used.
To Prevent SQL Injection, Input Is Validated And Parameterized Stored Procedures Are Used.
To Reduce Visibility, Classes And Members Use the Most Restrictive Access Modifier Possible.
Tools, Utilities, And SDKs Are Removed Or Secured.
Tracing Is Disabled <trace Enable="false"/>
Track Off-site Backups
Tradeoffs Associated with Use of Impersonation Are Fully Understood.
Transport-level Encryption Is Used to Protect Secrets over the Network.
Trusted Service Accounts Are Used to Connect to SQL Server.
Type-safe SQL Parameters Are Used for Data Access.
Unauthorized Substitution of Keys Is Prevented
Unique Cookie Names And Paths Are Used.
Unless Required, Dynamic Assemblies Created by Reflection.Emit Are Not Persisted.
Unmanaged API Calls Are Isolated in a Wrapper Assembly.
Unmanaged Code Is Compiled with the /GS Switch to Enable Stack Probes.
Unmanaged Code Is Inspected for Potentially Dangerous APIs.
Unmanaged Types Or Handles Are Not Exposed to Partially Trusted Code.
Unnecessary ASP.NET File Type Extensions Are Mapped to "HttpForbiddenHandler" in Machine.config.
Unnecessary Functionality Is Removed
Unnecessary Inbound And Outbound Traffic Is Denied
Unnecessary Microsoft Windows Services Are Disabled on the Database Server.
Unnecessary Or Unused ISAPI Filters Are Removed from the Server.
Untrusted Code Does Not Use Reflection.Emit to Create Dynamic Assemblies.
Untrusted Input Passed to Data Access Methods Is Validated.
Untrusted Output Is Not Directly Echoed Back to the User.
Unused Accounts Are Removed from Windows And SQL Server.
Unused Administrative Interfaces Are Disabled.
Unused HttpModules Are Removed.
Unused Ports Are Blocked by Default.
Unused Protocols Are Blocked by Default.
Unused Services Are Disabled (for Example, TFTP).
Unused Services Are Disabled.
Unused Services, Daemons And Protocols Are Disabled
Upgrade Tools, Debug Symbols, Replication Support, Books Online, And Development Tools Are Not Installed on the Production Server.
Usage Policies Are Defined
Use of LogonUser Is Avoided Where Possible.
User Is Locked out After Six Failed Logon Attempts
User Lockout Lasts at Least 30 Minutes
User Login Information Is Validated Using the Regex Class And/or Your Custom Validation Code.
User's Identity Is Verified Before a Password Reset
Users And Administrators Do Not Share Accounts.
Users Are Authenticated
Users Are Familiar with the Password Policies
Virtual Directories That Allow Anonymous Access Restrict Write And Execute Web Permissions for the Anonymous Account.
Visitor Information Is Logged
Visitors Are Assigned Badges
Vulnerability Scans Are Documented
Vulnerability Scans Are Performed Regularly
Web Controls, User Controls, And Resource Access Code Are All Partitioned in Their Own Assemblies for Granular Security.
Web Site Content Is Located on a Non-system NTFS Volume.
Web Site Root Directory Has Deny Write ACE for Anonymous Internet Accounts.
Web Sites Are Located on a Non-system Partition.
Web-facing Administration Is Disabled.
Where Appropriate, an Exception Management System Is Used.
Where Appropriate, DPAPI Is Used to Protect Secrets And to Reduce Or Eliminate Key Management.
Where Appropriate, File I/O Is Constrained Within the Application's Context.
Where Appropriate, Obfuscation Is Used to Make Intellectual Property Theft More Difficult.
Where Appropriate, Permissions to the Delegate Are Restricted.
Where Appropriate, Private Default Constructors Are Used to Prevent Object Instantiation.
Where Appropriate, SecureString Is Used Rather than System.String.
Where Appropriate, the Data Access Library Code Is Designed to Restrict the Access of Calling Code.
Where Appropriate, the System.Net.Security.NegotiateStream Class Is Used for a TCP Channel with .NET Remoting.
Where Possible, Absolute File Paths Are Used.
Where Possible, Connection Strings Are Not Constructed with User Input.
Where Possible, Dynamic Queries That Accept Untrusted Input Are Avoided.
Where Possible, Universal Data Link (UDL) Files for OLE DB Data Sources Are Avoided.
Where Possible, Windows Authentication Is Used to Avoid Placing Credentials in Connection Strings.
Where Possible, Windows Authentication Is Used to Connect to the Database.
Where the Database Contents Are Highly Sensitive Or Vital, Windows Is Set to Shut Down Mode on Overflow of the Security Logs.
Windows Authentication Is Used to Connect to Microsoft SQL Server State Database.
Windows Authentication Is Used When Connecting to SQL Server.
Windows Authentication Mode Is Selected Unless SQL Server Authentication Is Specifically Required, in Which Case Mixed Mode Is Selected.
Wireless Access Points Use Strong Encryption
Wireless Keys Are Changed When an Employee Leaves
With Dynamic SQL, Character Escaping Is Used to Handle Special Input Characters.
Write Access Only on Folders That Support Content Authoring And Are Configured for Authentication
You Subscribe to SQL Security Bulletins
You Subscribe to the Microsoft Security Notification Service
You Subscribed to Router Vendor's Security Notification Service.

gistfile1.txt

A Centralized Log Server Is Deployed
A Custom Least-privileged Anonymous Account Is Created for Anonymous Access.
A DMZ Is Implemented
A Repeatable Hardening Process Is Established
A Secure Approach to Exception Management Is Identified
A Web Application Firewall Is Used
A Wireless Analyzer Is Used Regularly
A Wireless IDS Or IPS Is Deployed
Absolute URLs Are Used for Navigation Where the Site Is Partitioned with Secure And Non-Secure Folders
Access Control Systems Enforce Privileges
Access Control Systems Have a Deny-all Default
Access Control Systems Should Cover All System Components
Access to Cardholder Data Is Logged
Access to Logs Is Logged
Access to Persisted Keys Is Restricted (for Example with ACLs).
Access to Required Shares Is Restricted
Access to State Data Is Restricted.
Access to State Data Should Be Restricted
Access to the Metabase Is Restricted by Using NTFS Permissions (%systemroot%\system32\inetsrv\metabase.bin).
Access to the Metabase.bin File Is Audited.
Accounts Are Not Shared Among Administrators.
Administration Interfaces to the Router Are Enumerated And Secured.
Administrative Interfaces Are Enumerated And Secured.
Administrative Shares (C$ And Admin$) Are Removed If They Are Not Required
Administrator Actions Should Be Logged
Administrators Are Required to Log on Locally OR the Remote Administration Solution Is Secure.
All Input Parameters Are Validated for Length, Range, Format, And Type
All Permissions Have Been Removed from the Internet Zone.
All Permissions Have Been Removed from the Local Intranet Zone.
All the Input Is Validated For Length, Range, Format, And Type
All Unnecessary Shares Are Removed (including Default Administration Shares).
All Users Have Unique User IDs
An Access Control System Is Implemented
An Anti-virus Is Deployed
An Employee Security Awareness Program Is Conducted Properly
An IDS Or IPS Is Deployed
Application Does Not Rely on Client-side State Management Options
Appropriate Mechanism of Secure Communication (IPSec Or SSL) Is Used, Depending on Application Requirement
Approval Is Required for Account Delegation.
Array Bounds Are Validated When an Array Is Used to Pass Input to a Native API.
ASP.NET Process Account Is Configured for Least Privilege.
Assemblies Are Not Loaded Dynamically Based on User Input for Assembly Or Type Names.
Assemblies Marked with APTCA Are Subjected to Thorough Security Code Review.
Assembly.ReflectionOnlyLoadFrom Is Used Only If You Need to Inspect Code.
Authentication Cookie Is Encrypted And Its Integrity Checked
Available Services Are Secured.
Avoid Plain Text Passwords Or Other Sensitive Data in Configuration Files
Avoid User-supplied File Name And Path Input
Back-out Procedures Exist for Each Change
Back-up Storage Is Secure
Background Checks Are Performed on New Employees
Badge Management Procedures Are Defined
Be Aware That BasicHttpBinding Will Not Protect Sensitive Data by Default
Card PIN Is Not Stored
Card Verification Code Is Not Stored
Cardholder Data Is Periodically Removed
Cardholder Data on Removable Media Is Encrypted
Certificate Date Ranges Are Valid.
Certificates Are Used for Their Intended Purpose (for Example, the Server Certificate Is Not Used for E-mail).
Change Documentation Includes Customer Impact Considerations
Change Documentation Includes Management Sign-offs
Changes Are Documented
Choose the Right Binding for Your Scenario
Code Access Security Is Used When Applications Need to Be Isolated from Each Other
Code Avoids Untrusted Input for File Names And File Paths.
Code Fails Early to Avoid Unnecessary Processing.
Communication Channel to State Store Is Encrypted via IPSec Or SSL
Compromised Encryption Keys Are Replaced
Configuration Standards Include Common Security Settings
Connection String Information Is Encrypted Using Strong Encryption (for Example, 3DES)
Connection Strings Are Encrypted in Configuration Files
Connection Strings Are Not Hard Coded. Connection Strings Are Stored in Configuration Files.
Consider Exposing Different Endpoints
Consider Transport Security as Your Preferred Security Mode
Consider Using LogonUser API, If Your WCF Service Cannot Be Trusted for Delegation
Consider Using Programmatic Instead of Declarative Impersonation
Consider Using S4U Feature for Impersonation And Delegation, When You Cannot Do a Windows Mapping
Content Directories Have Deny Write ACE for Anonymous Internet Accounts.
Creation And Deletion of System Objects Is Logged
Credentials in SQL Connection Strings Are Protected in Configuration Files
Current Log Files Are Promptly Backed Up
Current Router Configuration Matches the Start-up Settings
Custom Application Code Is Reviewed
Database Access Is Authenticated
Debug Compiles Are Turned Off.
Default SNMP Community Strings Are Changed on Wireless Devices
Default Usernames And Passwords Are Not Used
Delegates Are Not Accepted from Untrusted Sources.
Design Exposes a Minimal Number of Public Interfaces to Limit the Assembly's Attack Surface.
Destinations of Redirects And Forwards Are Calculated Without User Input
Destinations of Redirects And Forwards Are Validated
Developers Know Secure Programming Techniques
Development And Production Environments Are Separate
Development And Production Staff Are Different
Directed Broadcast Traffic Is Not Received Or Forwarded.
Disk Encryption Uses Secure Authentication
Do Not Cache Sensitive Data
Do Not Divulge Exception Details to Clients in Production
Do Not Echo Untrusted Input
Do Not Log Sensitive Information
Do Not Pass Sensitive Information In SOAP Headers When Using Http Transport And Message Security
Do Not Rely on Client-side Validation
Do Not Store Passwords Directly in the User Store
Do Not Use Temporary Certificates in Production
Documented Access Authorization Is Required
Dynamic Queries That Accept User Input Are Used Only If Stored Procedures Cannot Be Used
Each Change to the Software Code Is Tested
Encrypt Configuration Sections That Contain Sensitive Data
Encryption Key Custodians Understand And Accept Their Responsibilities
Enforce Strong Passwords
Erased Data Is Unrecoverable
Event Log Data Is Not Exposed to Unauthorized Users.
Events Are Logged With Appropriate Levels of Information to Reconstruct System Activity
Exported Private Keys Are Protected.
Failed Access Attempts Are Logged
Few People Have Access to Encryption Keys
Fields Are Private. Properties Are Used to Expose Fields.
File Authorization Is Used with Windows Authentication
File Path Lengths Are Checked When a File Name And Path Are Passed to an Unmanaged API.
File-integrity Monitoring Is Used
Files And Directories Are Contained on NTFS Volumes.
Firewalls Between Wireless Networks And the Cardholder Data Environment
For Communication Between Servers, SSL Is Used When an Application Does Not Trust Other Applications on a Server
For Communication Between Web Browser And Web Server, SSL Is Used When Pages Need to Be Encrypted
Free Form Input Is Sanitized to Protect Against Malicious Data
FrontPage Server Extensions (FPSE) Are Removed If Not Used. If They Are Used, They Are Updated And Access to FPSE Is Restricted.
Full Card Track Contents Are Not Stored
Granular Authorization Checks Are Used for Pages And Directories on the Site
Hashed Password Format Is Specified in Membership Provider Configuration
High Volume, Per-request Events Are Captured with Performance Counters
HTTPS Appears in the URL
ICMP Traffic Is Screened from the Internal Network.
Identification And Authentication Events Are Logged
Idle Terminal Sessions Are Locked After 15 Minutes
If Non-repudiation Is Important, Consider Setting SuppressAuditFailure Property to False
If Role Caching Is Used, the Authorization Cookie Is Restricted to HTTPS Connections by Using the RequireSSL Attribute
If Running the Session State Service, a Least-Privileged Account Is Used
If There Are Intermediaries Between Client And Service, Consider Using Message Security
If You Are Migrating from DCOM Then Use NetTcpBinding
If You Are Using Client Certificate Authentication, Consider Reducing the Attack Surface by Limiting the Certificates in the Certificate Store
If You Are Using Kerberos Authentication Or Delegation, Create an SPN
If You Are Using Username Authentication, Use Membership Provider Instead of Custom Authentication
If You Are Using Username Authentication, Validate User Login Information
If You Don’t Want to Expose Your WSDL, Turn off HttpGetEnabled And Metadata Exchange (mex)
If You Have to Flow the Original Caller to the Backend Services, Use Constrained Delegation
If You Host Your Service in a Windows Service, Expose a Metadata Exchange (mex) Binding
If You Need to Authorize Access to WCF Operations
If You Need to Expose Your WCF Service to Legacy Clients as an ASMX Web Service
If You Need to Limit the Clients That Will Consume Your Service, Consider Setting NegotiateServiceCredentials to False
If You Need to Perform Fine-grained Authorization Based on Business Logic
If You Need to Publish Your WCF Service Metadata, Publish It Over HTTPS Protocol
If You Need to Publish Your WCF Service Metadata, Publish It Using Secure Binding
If You Need to Streamline Certificate Distribution to Your Clients, Consider Negotiating the Service Credentials
If You Need to Support ASMX Clients, Use BasicHttpBinding
If You Need to Support Bidirectional Communication Between WCF Client And WCF Service
If You Need to Support Clients in an Intranet, Use Transport Security
If You Need to Support Clients over the Internet
If You Need to Support Clients Over the Internet, Consider Using Message Security
If You Need to Support Interoperability, Consider Setting NegotiateServiceCredentials to False
If You Need to Support Legacy WSE Clients Then Use a CustomBinding in WCF
If You Need to Support Multiple Transactions Per Session Using Secure Conversation, Use Message Security
If You Need to Support Selective Message Protection, Use Message Security
If You Need to Support WCF Clients on the Same Machine
If You Need to Support WCF Clients Within an Intranet
If You Need To Validate Parameters, Use Parameter Inspectors
If You Store Role Information in a Custom Store
If You Store Role Information in ADAM
If You Store Role Information in SQL
If You Store Role Information in Windows Groups
If You Turn Off Mutual Authentication, Be Aware of Service Spoofing
If You Use ASP.NET Roles
If You Use Windows Groups for Authorization
If Your Clients Have Certificates, Consider Using Client Certificate Authentication
If Your Partner Applications Need to Be Authenticated When Calling WCF Services, Use Client Certificate Authentication.
If Your Users Are in a Custom Store, Consider Using Username Authentication with a Custom Validator
If Your Users Are in a SQL Membership Store, Use the SQL Membership Provider
If Your Users Are in AD, but You Can’t Use Windows Authentication, Consider Using Username Authentication
IIS Banner Information Is Restricted (IP Address in Content Location Disabled).
IIS Is Configured for W3C Extended Log File Format Auditing.
IIS Log Files Are Relocated And Secured.
IIS Log Files Are Relocated to a Non-system NTFS Volume And Secured
IISLockdown Tool Has Been Run on the Server.
Impersonation Is Used Only When the Original Caller's Security Context Is Required for Downstream Tier for Auditing Or Authorization
Implement AfterReceiveReply Method to Validate Inbound Messages on the Client
Implement AfterReceiveRequest Method to Validate Inbound Messages on the Service
Implement BeforeSendReply Method to Validate Outbound Messages on the Service
Implement BeforeSendRequest Method to Validate Outbound Messages on the Client
Inactive Accounts Are Disabled
Incident Response Plan Covers Unauthorized Wireless Devices
Include Directories Do Not Have Read Web Permission.
Information Storage Media Is Physically Secure
Ingress And Egress Filtering Is Enabled. Incoming And Outgoing Packets Are Confirmed as Coming from Public Or Internal Networks.
Initalization of Logs Is Logged
Input Is Not Trusted. Input Is Validated for Type, Range, Format And Length.
Instrument for Significant Business Operations
Instrument for User Management Events
Internet-facing Interfaces Are Restricted to Port 80 (and 443 If SSL Is Used).
Intranet Traffic Is Encrypted (for Example, with SSL) Or Restricted If You Do Not Have a Secure Data Center Infrastructure.
Intrusion Detection Is Enabled at the Firewall.
IPsec Is Configured for Encrypted Communication Within the Perimeter Network.
IPSec Is Used for Communication Between Servers When Secure Server-to-server Communication Is Required
IUSR_MACHINE Account Is Disabled If It Is Not Used by the Application.
Key Management Procedures Require Keys to Be Changed Regularly
Key Management Procedures Require Secure Key Distribution
Key Management Procedures Require Secure Storage
Key Management Procedures Require Strong Encryption Keys
Keys Are Cycled Periodically.
Keys Are Not Stored in Code.
Keys Are Stored in User-level Key Store for Applications Running in a Shared Hosting Environment
Keys Stored in Files Are Encrypted
Know Your Authentication Options
Know Your Authorization Options
Know Your Binding Options
Know Your Impersonation Methods
Know Your Impersonation Options
Know Your Tradeoffs with Impersonation
Known Vulnerable Ports Are Blocked.
Large Ping Packets Are Screened.
Latest Patches And Updates Are Installed.
Latest Security Updates Are Installed
Log Entries Include Event Origin
Log Entries Include Event Time
Log Entries Include Event Type
Log Entries Include Resource Name
Log Entries Include Success Or Failure Indication
Log Entries Include User Identification
Log Files Are Configured with an Appropriate Size Depending on the Application Security Requirement.
Log Files Are Regularly Archived And Analyzed.
Log Files Are Secure
Logging Is Enabled
Logging Is Enabled And Audited for Unusual Traffic Or Patterns.
Logs Are Reviewed Regularly
Mapping Values Are Used for Redirects And Forwards
Mapping Values Are Used for Redirects And Forwards
Mechanisms Have Been Identified to Secure Sensitive Information Over the Network And in Persistent Stores
Minimize Exposure of Secrets in Memory
Mirrored Local Accounts Are Considered as an Alternative If Domain Accounts Cannot Be Used
Monitor And Control Remote Vendor Accounts
NAT Is Used to Masquerade Local IPs
Network Documentation Explains Why Insecure Services Are Necessary
Network Documentation Includes a Description of Groups, Roles, And Responsibilities
Network Documentation Includes an Accurate Network Diagram
Network Documentation Includes Descriptions of Used Ports
Network Traffic Is Restricted to That Which Is Necessary
New Passwords Are Unique
No More than Two Accounts Exist in the Administrators Group.
Old Encryption Keys Are Retired
Only One Primary Function Is Implemented per Server
Only Trusted Certificates Are Used
Output Caching for Pages That Contain Sensitive Data Is Turned Off
Outside Resources Are Used to Track Vulnerabilities
Pages That Use SSL Are Optimized
PasswordDeriveBytes Is Used for Password-based Encryption.
Passwords Are Changed Regularly
Passwords Are Encrypted When Stored Or Sent
Passwords Are Not Stored Directly in the User Store; Password Digests with Salt Are Stored Instead
Passwords Are Required to Have Both Letters And Numbers
Passwords Have a Minimum Length Requirement
Patches Are Tested Before Being Deployed
Penetration Tests Are Documented
Penetration Tests Are Performed Regularly
Periodic Anti-virus Scans Are Scheduled
Permissions Are Not Asserted Before Delegate Is Called.
Personal Firewalls Are Installed on Employees' Computers
Physical Security Controls Are in Place
Plaintext Passwords Are Not Used in Configuration Files (Web.config And Machine.config)
Platform Features Are Used And Custom Key Management Is Avoided
Platform-provided Cryptographic Services Are Used. Custom Cryptography Algorithms Are Not Used.
Pointers Are Held in Private Fields
Policy Covers Sensitive Media Distribution
Policy Defines Daily Security Procedures
Policy Defines Information Security Responsibilities
Policy Forbids Sending Unencrypted PANs
Policy Includes Data Retention Requirements
Policy Includes Provisions for Data Disposal
Policy Requires Logs to Be Kept for at Least a Year
Policy Requires Media Inventory
Policy Requires Patches to Be Installed Monthly
Policy Requires Secure Media Destruction
Policy Requires the Anti-virus to Be Updated Regularly
Potentially Dangerous Virtual Directories, Including IISSamples, IISAdmin, IISHelp, And Scripts Virtual Directories, Are Removed.
Previously Used Passwords Are Forbidden
Privileges Are Assigned Based on Job Function
Production Data Is Not Used for Testing Or Development
Programmatic Impersonation Is Avoided When Possible
Properties Are Read-only Unless Write Access Is Specifically Required.
Protect Access to Your Credential Store
Protect Information in Log Files
Protect Log Files from Unauthorized Access
Protect Sensitive Data in Your Configuration Files
Protect Sensitive Data Over the Wire
Protocol Transition Is Used When Multiple Identities Need to Access Downstream Resources
Public-facing Web Applications Are Reviewed
Publish Your WCF Service Metadata Only When Required
Redirects And Forwards Are Not Used Unless Necessary
Redirects And Forwards Are Not Used Unless Necessary
Remote Administration of the Server Is Secured And Configured for Encryption, Low Session Time-outs, And Account Lockouts.
Remote Administrator Access Is Encrypted
Remote IIS Administration Application Is Removed (\WINNT\System32\Inetsrv\IISAdmin).
Remote Logons Are Restricted.
Remote Registry Access Is Restricted.
Resource Kit Tools, Utilities, And SDKs Are Removed.
Role Caching Is Used If Role Store Lookup Is Too Costly
Routing Information Protocol (RIP) Packets, If Used, Are Blocked at the Outermost Router.
Run Your Service in a Least Privileged Account
SAM Is Secured
Sample Applications Are Removed (\WINNT\Help\IISHelp, \Inetpub\IISSamples).
Security Decisions Are Not Based on User-supplied File Names.
Security Decisions Should Not Rely on Client-side Validations; They Are Made on the Server Side
Security Design Guidelines Are Applied
Security Is Included Throughout the Development Life Cycle
Security Objectives Are Identified
Security Responsibilities Are Assigned to Specific Staff Members
Sensitive Data Is Not Logged in the Event Log.
Sensitive Data Is Not Logged.
Sensitive Data Is Not Passed Across Pages
Sensitive Data Is Not Stored in Cookies, Hidden Form Fields, Or Query Strings
Sensitive Data Passed Over Wire Is Secured Using SSL Or IPSec, Where Appropriate
Sensitive Data Stored in .config Files Is Encrypted Using Protected Configuration Providers
Separate, Low-trust Application Domains Are Used for Assemblies Created with User Input.
Service Providers Are Managed in Compliance with PCI DSS
Session Cookies Are Protected Using SSL on All Pages That Require Authenticated Access
Session State Connection Strings Are Encrypted Using Protected Configuration Providers
Shared Accounts Are Not Used
Split Knowledge Access to Encryption Keys Is Implemented
SQL Server Session State Is Protected
SSL Is Used When Transmitting Credentials
Staff Checks for New Vulnerabilities
Static Class Constructors Are Synchronized.
Static Constructors Are Private.
String Parameters Are Constrained And Validated
Strong Account And Password Policies Are Enforced for the Server.
Strong Cryptography Is Used to Secure Network Traffic
Strong Names Are Not Relied upon to Create Tamper-proof Assemblies.
Strong Naming Or Code Access Security Is Used to Restrict Code Access.
Strong Passwords Are Used.
Structured Exception Handling Is Used Instead of Returning Error Codes.
System Administrators Know Common Security Settings
System Clocks Are Synchronized
System Configuration Standards Are Applied to New Systems
System Configuration Standards Match Industry Standards
System Or Sensitive Application Information Is Not Revealed. Only Generic Error Messages Are Returned to the End User.
Target Trust Environment Is Identified. Permissions Available to Partial Trust Code And APIs That Require Additional Permissions Are Identified.
Test Data Is Removed Before the Production System Becomes Active
The Anti-virus Keeps Logs
The Anti-virus Removes Known Malware
The Anti-virus Updates Itself Automatically
The Authorization Cookie Is Not Persisted
The Cardholder Data Environment Doesn't Have Direct Internet Access
The Certificate Has Not Been Revoked.
The Certificate's Public Key Is Valid, All the Way to a Trusted Root Authority.
The Data Access Policy Follows the Least Privilege Principle
The Everyone Group Is Restricted (no Access to \WINNT\system32 Or Web Directories).
The Firewall Configuration Is Documented
The Firewall Configuration Is Reviewed Regularly
The Identities Used to Access Remote Resources from ASP.NET Web Applications Are Clearly Identified
The Incident Response Plan Satisfies PCI DSS Requirements
The Information Security Policy Includes Key-management Procedures
The Information Security Policy Is PCI DSS Compliant
The Internet Firewall Uses Dynamic Packet Filtering
The Latest Security Patches Are Installed
The PAN Is Masked When It Is Displayed
The PAN Is Unreadable Whenever It Is Stored
The Router Configuration Is Documented
The Router Configuration Is Reviewed Regularly
The Server Implements the Latest SSL Version
The Session State Port Is Changed from the Default of 42424
The Session State Service Is Disabled If Not Used
The Web Site Is Partitioned into Public Access Areas And Restricted Areas That Require Authenticated Access
There Is a Firewall at Each Internet Connection
There Is a Firewall Between the DMZ And the Intranet
There Is a Formal Process for Testing Changes to the Firewall Configuration
There Is a Formal Process for Testing Changes to the Router Configuration
There Is Script Source Access Only on Folders That Support Content Authoring.
Threats to Data Are Considered
To Reduce Visibility, Classes And Members Use the Most Restrictive Access Modifier Possible.
Track Off-site Backups
Tradeoffs Associated with Use of Impersonation Are Fully Understood
Transport-level Encryption Is Used to Protect Secrets over the Network.
Trusted Service Accounts Are Used to Connect to SQL Server
Unauthorized Substitution of Keys Is Prevented
Unique Cookie Names And Paths Are Used
Unless Required, Dynamic Assemblies Created by Reflection.Emit Are Not Persisted. 
Unmanaged API Calls Are Isolated in a Wrapper Assembly.
Unmanaged Code Is Compiled with the /GS Switch to Enable Stack Probes.
Unmanaged Code Is Inspected for Potentially Dangerous APIs.
Unmanaged Types Or Handles Are Not Exposed to Partially Trusted Code.
Unnecessary Functionality Is Removed
Unnecessary Inbound And Outbound Traffic Is Denied
Untrusted Input Passed to Data Access Methods Is Validated
Untrusted Output Is Not Directly Echoed Back to the User
Unused Administrative Interfaces Are Disabled.
Unused HttpModules Are Removed.
Unused Ports Are Blocked by Default.
Unused Protocols Are Blocked by Default.
Unused Services Are Disabled (for Example, TFTP).
Unused Services Are Disabled.
Unused Services, Daemons And Protocols Are Disabled
Usage Policies Are Defined
Use a Custom Trace Listener Only When Message Filtering Is Needed
Use a Fault Contract to Return Error Information to Clients
Use a Global Exception Handler with IErrorHandler to Catch Unhandled Exceptions
Use a Least Privileged Account to Run Your WCF Service
Use Appropriately Sized Keys
Use Hardware Accelerator When Using Transport Security
Use IIS to Host Your Service Unless You Need to Use a Transport That IIS Does Not Support
Use IIS to Host Your WCF Service Wherever Possible
Use Message Logging to Log Operations on Your Service
Use Platform Features to Manage Keys Where Possible
Use Regular Expressions in Schemas to Validate Format, Range Or Length
Use Replay Detection to Protect Against Message Replay Attacks
Use Schemas to Validate Messages, Using Message Inspectors
Use Structured Exception Handling
Use Transport Security When Possible
Use WCF Auditing to Audit Your Service
Use Windows Authentication When You Can
User Is Locked out After Six Failed Logon Attempts
User Lockout Lasts at Least 30 Minutes
User Login Information Is Validated Using the Regex Class And/or Your Custom Validation Code
User's Identity Is Verified Before a Password Reset
Users And Administrators Do Not Share Accounts.
Users Are Authenticated
Users Are Familiar with the Password Policies
Validate Operation Parameters for Length, Range, Format And Type
Virtual Directories That Allow Anonymous Access Restrict Write And Execute Web Permissions for the Anonymous Account.
Visitor Information Is Logged
Visitors Are Assigned Badges
Vulnerability Scans Are Documented
Vulnerability Scans Are Performed Regularly
Web Controls, User Controls, And Resource Access Code Are All Partitioned in Their Own Assemblies for Granular Security
Web Site Content Is Located on a Non-system NTFS Volume.
Web Site Root Directory Has Deny Write ACE for Anonymous Internet Accounts.
Web Sites Are Located on a Non-system Partition.
Web-facing Administration Is Disabled.
When Impersonating Declaratively, Only Impersonate on the Operations That Require It
When Impersonating Programmatically Be Sure to Revert to Original Context
Where Appropriate, an Exception Management System Is Used.
Where Appropriate, Obfuscation Is Used to Make Intellectual Property Theft More Difficult.
Where Appropriate, Private Default Constructors Are Used to Prevent Object Instantiation.
Where Possible, Absolute File Paths Are Used.
Wireless Access Points Use Strong Encryption
Wireless Keys Are Changed When an Employee Leaves
Write Access Only on Folders That Support Content Authoring And Are Configured for Authentication
You Subscribed to Router Vendor's Security Notification Service.
Assign Information Security Responsibilities
Avoid Accepting Delegates From Untrusted Sources
Avoid Asserting Permissions Before Calling a Delegate
Avoid Asserting Permissions Before Calling a Delegate
Avoid Exposing Unmanaged Types Or Handles to Partially Trusted Code
Avoid Letting Untrusted Code Or Data Control Reflection.Emit
Avoid Letting Untrusted Code Or Data Control Run-time Assembly Load Decisions
Avoid Losing Impersonation Tokens
Avoid Plain-text Passwords Or Other Sensitive Data in Configuration Files
Avoid Plaintext Passwords in Configuration Files
Avoid Programmatic Impersonation When Possible
Avoid Storing Secrets in Code
Avoid Using APTCA
Back Up And Analyze Log Data Regularly
Back Up And Analyze Log Files Regularly
Be Aware That BasicHttpBinding Will Not Protect Sensitive Data by Default
Calculate Destinations of Redirects And Forwards Without User Input
Calculate Destinations of Redirects And Forwards Without User Input
Catch Exceptions
Change System Default Settings on Network Devices
Change the Session State Port from the Default Value
Choose Windows Authentication When You Can
Conduct Background Checks
Configure a Wireless Access Point for PCI DSS
Configure the Firewalls for PCI DSS Compliance
Configure the Routers for PCI DSS Compliance
Configure the Windows Access Control System
Consider an Exception Management System
Consider Exposing Different Endpoints
Consider Identity Flow
Consider Transport Security as Your Preferred Security Mode
Consider Using ACLs to Restrict Access to Data Stored in HKLM
Consider Using Obfuscation
Constrain And Validate String Parameters
Define Acceptable Technology Usage Policies
Define Daily Security Operational Procedures
Define Information Security Responsibilities
Deploy a File-integrity Monitoring Solution
Deploy a Web Application Firewall
Deploy a Wireless IDS
Deploy an Anti-Virus
Deploy an IDS Or IPS
Develop Applications Using Secure Coding Guidelines
Disable Unused Services And Protocols
Do Not Accept File Names Or Paths from Users
Do Not Depend on Strong Name Identity Permissions in Full Trust Scenarios
Do Not Develop Your Own Cryptography
Do Not Echo Untrusted Input
Do Not Expect Strong Names to Make Your Assembly Tamper Proof
Do Not Log Sensitive Data
Do Not Pass Sensitive Data Using the HTTP-GET Protocol
Do Not Pass Sensitive Information In SOAP Headers When Using Http Transport And Message Security
Do Not Rely on Client-side Validation
Do Not Rely on Client-Side Validation
Do Not Store Passwords
Do Not Store Secrets If Avoidable
Do Not Trust HTTP Header Information
Do Not Trust Input
Do Not Use Temporary Certificates in Production
Don't Use Redirects Or Forwards If Possible
Don't Use Redirects Or Forwards If Possible
Draw a Network Diagram
Encrypt And Check Integrity of Authentication Cookies
Encrypt Configuration Sections That Store Sensitive Data
Encrypt Off-site Backups
Encrypt Remote Administrator Access
Encrypt Sensitive Data Stored in .config Files Using Protected Configuration Providers
Encrypt the Contents of the Authentication Cookies
Encrypt the Data Or Secure the Communication Channel
Ensure That Users Do Not Bypass Checks
Erase Files Securely
Establish a Repeatable Hardening Process
Evaluate Whether You Need Strong Names
Formulate a Data Access Control Policy
Formulate a Storage Media Policy
Formulate the User Authentication And Password Policies
If You Need to Expose Your WCF Service to Legacy Clients as an ASMX Web Service, Use BasicHttpBinding
If You Need to Interop with Non-MS Clients, Use Bindings That Are Targetted for Interop
If You Host Your Service in a Windows Service, Expose a Metadata Exchange (mex) Binding
If Your Non-MS Clients Understand the WS* Stack, Use Ws2007HttpBinding Or WsHttpBinding
If Your Users Are in AD, but You Can’t Use Windows Authentication, Consider Using Username Authentication
Implement Audit Trails for System Components
Implement Change Control Procedures
Implement Only One Primary Function per Server
Implement Physical Security Controls
Implement the Password Policy Using Group Policy Objects
Implement Two-factor Authentication for Remote Network Access
Install And Configure a Personal Firewall
Install the Latest Security Updates
Keep Track of New Security Vulnerabilities
Keep Unencrypted Data Close to the Algorithm
Keep Up with Security Updates
Know Your Tradeoffs with Impersonation
Know Your Tradeoffs with Impersonation
Limit Access to the Credential Store to the Application Account
Log Events with Appropriate Levels of Information to Reconstruct System Activity
Log High-volume Events with Performance Counters
Log Key Events
Maintain a PCI DSS Compliant Information Security Policy
Manage a Formal Security Awareness Program
Manage Service Providers
Optimize Pages That Use SSL
Organize the Software Development Processes for PCI DSS Compliance
Perform Network Vulnerability Scans
Perform Penetration Tests
Prepare an Incident Response Plan
Prepare System Configuration Standards Using Industry Standards
Prepare the Data Retention And Disposal Policies
Prepare the Key Management Procedures
Prepare the Network Documentation for PCI DSS Compliance
Protect Log Files From Unauthorized Access
Protect Sensitive Data Over the Wire
Protect Sensitive Data over the Wire
Protect Session State from Unauthorized Access
Protect SQL Server Session State
Protect the Cardholder Data
Protect Your Out-of-process State Service
Protect Your Session State Communication Channel
Remove Unnecessary Functionality
Restrict Access to Your Code
Revert Impersonation Using Finally Blocks
Review the Firewall Configuration
Review the Router Configuration
Review Web Applications
Run the Session State Service with the Least Privileged Account
Secure Log Data
Secure Log Files
Secure the Logs
Separate Administration Privileges
Specify Hashed Password Format in Provider Configuration
Store Keys in User-level Key Store for Shared Hosting Environments
Store Only Salted Password Digests, Not Plaintext Passwords
Synchronize System Clocks
Test Changes to the Firewall Configuration
Test Changes to the Router Configuration
Test Dynamic Packet Filtering with a Port Scanner
Turn Off Output Caching for Pages That Contain Sensitive Data
Use a Wireless Analyzer
Use Granular Authorization Checks for Pages And Directories
Use Hardware Accelerator When Using Transport Security
Use IIS to Host Your Service Unless You Need to Use a Transport That IIS Does Not Support
Use Least Privileged Process And Service Accounts
Use Mapping Values When Redirecting on User Input
Use Mapping Values When Redirecting on User Input
Use PasswordDeriveBytes for Password-Based Encryption
Use Page ViewState User Key to Counter One-Click Attacks
Use Platform Features And Avoid Custom Key Management
Use Platform Features to Manage Keys Where Possible
Use Platform-provided Cryptographic Services
Use Private Default Constructors to Prevent Unwanted Object Instantiation
Use Protocol Transition When Multiple Identities Need to Access Downstream Resources
Use ReflectionOnlyLoadFrom If You Only Need to Inspect Code
Use Schemas to Validate Messages, Using Message Inspectors
Use SSL Or IPSec for Secure Communication Between Entities
Use Structured Exception Handling
Use Structured Exception Handling
Use Structured Exception Handling
Use Structured Exception Management
Use Transport Security When Possible
Use Trusted Service Accounts When Connecting to SQL Server
Use Windows Authentication When You Can
Validate Destinations of Redirects And Forwards
Validate Destinations of Redirects And Forwards
Validate Input for Length, Range, Format, And Type
Validate Input from All Sources
Validate Serialized Data Streams
Validate Unmanaged String Parameters