Application security boils down to two concepts. Everything else extends from these.
1. NO INPUT IS TRUSTWORTHY
Never assume any input is trustworthy. This includes text fields, strings encoded on RFID cards, uploads of images or other files, GETs and POSTs … anything from outside the application.
For every typical entry into your username field, imagine one SQL injection attempt and 10,000 brute-force attempts.
2. NEVER PROVIDE MORE ACCESS THAN NECESSARY
Your users should have the bare minimum privileges to meet their needs. If seeing that other users exist isn’t a use case, they shouldn’t be able to do that.
Beyond functionality, this applies to information. Nobody beyond technical staff should know your application is ASP.NET, not even managers if it doesn’t pertain to their job. Hide those “.aspx” extensions (htaccess is one way) and redact error output.
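Both principles applied to the username field in one place, as an added example that is not from the original post: a Python login check over a constructed in-memory SQLite store. The username is bound as a query parameter so injection attempts on it are inert, failures per submitted username are counted against an assumed `MAX_ATTEMPTS` lockout, and every failure returns the same redacted message whether or not the user exists, while the real error detail goes only to the server log.

```python
import hashlib
import hmac
import logging
import os
import sqlite3

# Constructed in-memory user store for this example (a real app has its own DB).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, _hash(password, salt)))

add_user("alice", "correct horse")  # constructed sample account

MAX_ATTEMPTS = 5                 # assumed lockout threshold for the example
_attempts: dict[str, int] = {}   # failed attempts per submitted username
GENERIC_FAILURE = "Invalid username or password."  # one message for every failure path

def authenticate(username: str, password: str) -> tuple[bool, str]:
    """Return (ok, message); the message never reveals whether the username exists."""
    if _attempts.get(username, 0) >= MAX_ATTEMPTS:
        return False, GENERIC_FAILURE      # brute-force budget exhausted
    try:
        # Parameterised query: the username is bound as data, never spliced into SQL.
        row = conn.execute(
            "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
        ).fetchone()
    except sqlite3.Error as exc:
        logging.error("db error during login: %s", exc)  # detail stays server-side
        return False, GENERIC_FAILURE                     # client sees only the redacted text
    # Hash even when the user is missing so response time does not leak existence.
    salt, stored = row if row else (b"\0" * 16, b"")
    candidate = _hash(password, salt)
    if row and hmac.compare_digest(candidate, stored):
        _attempts.pop(username, None)
        return True, "Welcome."
    _attempts[username] = _attempts.get(username, 0) + 1
    return False, GENERIC_FAILURE

def user_count() -> int:
    """Helper for checking that hostile input left the table intact."""
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
```

A wrong password for an existing user and any password for a nonexistent user produce byte-identical responses, which is what keeps "other users exist" out of reach of the login form.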