We would like to install a Web App written in C#/.NET4 on client servers, not ours. I would like to know what are the best security practices to implement for avoid the following:
I heard someone talking of encrypting the Web.Config file with RSA, and so on.
Thanks in advance!
This sounds you are just asking for problems.
1) Authority stealing - What exactly do you mean by this? If you write your Web Application the correct way, then it will only be able to do things your client allows, find out what sort of configuration they are using.
2) Read files with sensitive data - I suggest you don't attempt to do this. Your web application should not be on a computer with sensitive data if its accesible to the internet.
3) Software tweaking - Say What?
4) Any security issues - This is not possible. Considering you are even asking how to prevent this, means you will have security issues, even Microsoft has security issues.
Encrypting the Web.Config only protects the contents within it, if there is nothing senistive within it, it really serves no purpose to encrypt it.
It sounds you are way over your head.
I think those are valid concerns, however you should consider those points before programming anything. I recommend this links, some are old but some basic principles still apply
Basic Security Practices for Web Applications(.Net 4.0)
ASP.NET Security Best Practices
How To: Instrument ASP.NET Applications for Security (.Net 2.0)
Improving Web Application Security: Threats and Countermeasures (.Net 2.0)
Haha, it's .NET, I'll just decompile everything (even if you obfuscate it, it's not that bad).
http://wiki.sharpdevelop.net/ILSpy.ashx
Throw your binary through that and weep.
Best practice? Don't write it in .net (and I'm a C# dev!), anything you do will likely be easily mitigated with ilspy, reflection, and using your own code to decrypt anything you've encrypted.
Best you can do is write it in C++/CLR if you want the .NET platform.
