The deployment security review activity includes the following steps:
- Verify that <trace> is disabled.
- Verify that <customErrors> mode is set to On.
- Review <httpRuntime> settings to limit the size of the request.
- Verify that the <compilation> setting prevents debug compilations.
- Review <forms> authentication settings.
- Review <membership> settings when using forms authentication.
- Review <identity> and impersonation settings.
- Review <authorization> settings.
- Review <roleManager> settings.
- Review <sessionState> settings.
- Review <machineKey> settings.
- Review <trust> levels.
- Prevent download of unused file types.
- Verify that credentials are encrypted in <processModel> settings.
- Review <healthMonitoring> settings.
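
The first four checks in this list can be automated against a Web.config file. The script below is an added example, not part of the original checklist; `audit_web_config`, `CHECKS` and the sample file are hypothetical names and constructed data. It inspects only the top-level `<system.web>` section and does not evaluate `<location>` overrides or settings inherited from Machine.config.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config with three weak settings (not from the checklist).
SAMPLE_WEAK = """<configuration>
  <system.web>
    <trace enabled="true" />
    <customErrors mode="RemoteOnly" />
    <compilation debug="true" />
    <httpRuntime maxRequestLength="4096" />
  </system.web>
</configuration>"""

# (element, attribute, ASP.NET default when absent, value the checklist requires)
CHECKS = [
    ("trace", "enabled", "false", "false"),
    ("customErrors", "mode", "RemoteOnly", "On"),
    ("compilation", "debug", "false", "false"),
]

def audit_web_config(xml_text):
    """Return findings for the top-level <system.web> section of a Web.config."""
    root = ET.fromstring(xml_text)
    sysweb = root.find("system.web")
    if sysweb is None:
        # No section at all: every setting falls back to its default.
        sysweb = ET.Element("system.web")
    findings = []
    for element, attr, default, required in CHECKS:
        node = sysweb.find(element)
        # A missing element or attribute means the ASP.NET default applies.
        value = default if node is None else node.get(attr, default)
        if value.lower() != required.lower():
            findings.append(f'<{element} {attr}="{value}"> should be "{required}"')
    # The checklist asks for a request size limit; flag when none is set explicitly.
    runtime = sysweb.find("httpRuntime")
    if runtime is None or runtime.get("maxRequestLength") is None:
        findings.append("<httpRuntime> has no explicit maxRequestLength")
    return findings

if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEAK):
        print("FAIL:", finding)
```

An absent `<customErrors>` element is reported because the default mode, `RemoteOnly`, is not the `On` value the checklist requires.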