ASP.NET has had a mitigation to prevent against CSRF/One-Click attacks since 1.1 with the use of Page.ViewStateUserKey property. I've implemented a basic FXCop rule to verify if this property is used on each page. The rule is basic so it doesn't look at what is assigned to the property and only looks if something is assigned to it. The ViewStateUserKey property is not full proof. If you are not using viewstate on the page it doesn't help much. You can also review this post regarding limitation of the ViewStateUserKey. I strongly recommend that you include this rule when running fxcop or code analysis in visual studio on web projects.
I've been working with projects using ASP.NET MVC and made some update to the rule to ignore classes inheriting from ViewPage since MVC doesn't use ViewState.