The out-of-process session state server runs as an NT service using the aspnet_state.exe executable. Because the state service simply listens on a socket, it has no built-in security protections to prevent arbitrary hosts on the network from connecting to it. Unlike SQL Server, the OOP state server has no concept of integrated security. As a result, server administrators should use other network security mechanisms, such as IP Security (IPsec) rules, to prevent random machines from attempting to connect to the state server.
Beyond network-layer security mechanisms, there are two other security options you should be aware of when using the OOP state server. The first thing you should do is change the default network port that the state server listens on. By default, the state server listens on port 42424. Because this is a well-known port for the state server, you should make the state server listen on a different port. To do so, find the following registry key:
Underneath this key, add a new DWORD registry value named Port and set it to the port number you want the state service to listen on. With this change, a malicious network user has to perform a port scan to find the state service instead of simply connecting to port 42424.
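The port change and the network restriction described above, carried out from an elevated PowerShell session, as an added example that is not part of the original text. The registry key path is a placeholder because the text does not reproduce it; the service name `aspnet_state`, the new port number, and the web-server addresses are assumptions; and a Windows Firewall rule scoped to the web servers' addresses is used as a simpler stand-in for the IPsec rules the text recommends.

```powershell
# Added example (not from the original text): move the ASP.NET state service
# off the well-known port 42424 and restrict which hosts may reach the new port.
# Assumptions: the registry key is a placeholder (the text elides it); the
# service name 'aspnet_state' matches the executable; the port number and the
# web-server addresses are constructed sample values.
$stateKey   = 'HKLM:\<state-service-parameters-key-from-the-text>'   # placeholder
$newPort    = 48231                                                  # constructed
$webServers = @('10.0.1.10', '10.0.1.11')                            # constructed

# 1. Create the DWORD value named Port and point the service at the new port.
if (-not (Test-Path $stateKey)) {
    New-Item -Path $stateKey -Force | Out-Null
}
New-ItemProperty -Path $stateKey -Name 'Port' -PropertyType DWord `
                 -Value $newPort -Force | Out-Null

# 2. Restart the service so it re-reads its parameters.
Restart-Service -Name 'aspnet_state'
Start-Sleep -Seconds 2

# 3. Verify: the service must listen on the new port and no longer on 42424.
$pid       = (Get-Process -Name 'aspnet_state').Id
$listening = Get-NetTCPConnection -State Listen |
             Where-Object { $_.OwningProcess -eq $pid } |
             Select-Object -ExpandProperty LocalPort
if ($listening -contains 42424) {
    throw 'State service is still listening on 42424; check the Port value.'
}
if (-not ($listening -contains $newPort)) {
    throw "State service is not listening on $newPort; check the key path."
}

# 4. Only the web servers may reach the new port. Windows Firewall blocks
#    unsolicited inbound traffic by default, so an allow rule scoped to the
#    web-farm addresses is sufficient (IPsec rules are the text's suggestion).
New-NetFirewallRule -DisplayName 'ASP.NET state service (web farm only)' `
                    -Direction Inbound -Protocol TCP -LocalPort $newPort `
                    -RemoteAddress $webServers -Action Allow | Out-Null

Write-Host "State service now listens on $newPort, reachable only from $($webServers -join ', ')"
```

The listening-port check is the part worth keeping in a deployment script: it catches a mistyped key path, which would otherwise leave the service silently on 42424.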
Because the OOP state server is usually deployed to support ...