ASP.NET 2.0 Security
Alex Mackman
CM Group Ltd
[email protected]
My Background
Agenda
Web application security
Authentication
Authorization
Input validation
Data access
Auditing and logging
Top Web Application Security Issues
Preventing parameter manipulation
Authorizing users
Authenticating users
Auditing
Protecting sensitive data
Handling exceptions
Protecting configuration data
Validating input
Preventing session hijacking and cookie replay attacks
Encrypting or hashing sensitive data
Threat Modelling
The Activity
Step 1. Identify security objectives
Step 2. Create application overview
Step 3. Decompose application
Step 4. Identify threats
Step 5. Identify vulnerabilities
http://msdn.com/threatmodeling
What’s new in ASP.NET 2.0?
Forms authentication and membership
Role manager
DPAPI managed wrapper
Configuration file changes
Configuration file encryption
Health monitoring
Code access security enhancements
MachineKey enhancements
Authentication Guidelines
Enforce strong passwords
Support password expiration periods and account disablement
Do not store credentials
Protect authentication cookies
Forms Authentication Guidelines
Use membership instead of custom authentication
Use SSL to protect credentials and auth cookies
Restrict authentication tickets to HTTPS connections
If you cannot use SSL, consider session lifetime
Validate user login information
Do not store passwords directly in the user store
Enforce strong passwords
Protect access to your credential store
Do not persist authentication cookies
Consider partitioning your site
Use unique cookie names and paths
Membership System
Login Controls: Login, LoginStatus, LoginView, others
Membership API: Membership, MembershipUser
Membership Providers: SqlMembershipProvider, ActiveDirectoryMembershipProvider, custom
Data Stores: SQL Server, Active Directory, other data stores
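An added example (not code from the slides) of a Login.aspx code-behind that applies the forms authentication guidelines above through the Membership API the membership slide lists; the control names, the web.config settings and the default page are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Assumed page markup: a Login.aspx with TextBox UserName, TextBox Password and a Label
// Message; web.config is assumed to carry <forms requireSSL="true" /> and a configured
// membership provider. All of these names are placeholders for this example.
public partial class Login : System.Web.UI.Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Use SSL to protect credentials: refuse a login posted over plain HTTP so that a
        // stray http:// link cannot leak the password or issue a ticket in the clear.
        if (!Request.IsSecureConnection)
        {
            Message.Text = "Login requires a secure (HTTPS) connection.";
            return;
        }

        // Validate user login information before it reaches the credential store.
        string userName = UserName.Text.Trim();
        if (userName.Length == 0 || userName.Length > 64 || Password.Text.Length == 0)
        {
            Message.Text = "Invalid user name or password.";
            return;
        }

        // Use membership instead of custom authentication: the provider checks the password
        // against the store (hashed by default with SqlMembershipProvider) and tracks failed
        // attempts and lockout for you.
        if (!Membership.ValidateUser(userName, Password.Text))
        {
            // Same generic message for an unknown user and a wrong password.
            Message.Text = "Invalid user name or password.";
            return;
        }

        // Do not persist authentication cookies: createPersistentCookie = false gives a
        // session cookie that dies with the browser instead of living on disk.
        FormsAuthentication.SetAuthCookie(userName, false);

        // Go to the configured default page rather than an unvalidated ReturnUrl.
        Response.Redirect(FormsAuthentication.DefaultUrl);
    }
}
```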
Authorization Guidelines
Use URL authorization for page and directory access control
Now supports all files in a directory, including those not mapped to Aspnet_isapi.dll
Use ASP.NET Role Manager
Use File authorization with Windows auth
Configure ACLs on your Web site files
If your role lookup is expensive, consider role caching
Protect your authorization cookie
Role Manager
Role Management API: Roles, RoleProvider
Role Providers: SqlRoleProvider, WindowsTokenRoleProvider, AuthorizationStoreRoleProvider
Data Stores: SQL Server, Active Directory, AzMan (XML or ADAM)
ASP.NET 2.0 Forms Authentication with Membership and Role Manager
How To: Use Membership in ASP.NET 2.0
How To: Use Forms Authentication with SQL in ASP.NET 2.0
How To: Use Forms Authentication with AD in ASP.NET 2.0
How To: Use Windows Authentication in ASP.NET 2.0
How To: Connect to SQL Server Using SQL Auth in ASP.NET 2.0
How To: Connect to SQL Server Using Win Auth in ASP.NET 2.0
How To: Use Role Manager in ASP.NET 2.0
How To: Use ADAM for Roles in ASP.NET 2.0
How To: Use AzMan with ASP.NET 2.0
Input Validation Guidelines
Do not trust input, including form fields, cookies, query strings and HTTP headers
Validate input for type, range, format and length
Do not rely on ASP.NET request validation
Do not rely on client-side validation
Consider centralized input validation
Avoid user supplied filename and path input
Do not echo untrusted input
Paths, URLs and Canonicalization
How To: Protect from Injection Attacks in ASP.NET 2.0
How To: Use Regular Expressions to Constrain Input in ASP.NET
How To: Protect from SQL Injection in ASP.NET 2.0
How To: Prevent Cross-Site Scripting in ASP.NET 2.0
Data Access Guidelines
Use Windows authentication to the database
If you use SQL authentication
Use strong passwords
Protect credentials over the network
Protect credentials in configuration files
Use least privileged accounts for data access
Restrict the account in the database
Use type-safe SQL parameters and not dynamic queries
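An added example (not code from the slides) that serves both the input validation guidelines and the data access guidelines above: a dynamic query shown for contrast beside its hardened form, which constrains the input first and then uses a type-safe SqlParameter. The table, columns and connection-string name are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Assumed schema: Customers(CustomerId int, Name nvarchar); assumed connection-string
// name "CustomersDb" in web.config. Both are placeholders for this example.
public static class CustomerData
{
    // Before: the caller's text is concatenated into the SQL, so whatever it contains is
    // parsed as SQL rather than treated as a value. Shown for contrast only.
    public static DataTable GetCustomerUnsafe(string customerIdText)
    {
        string sql = "SELECT Name FROM Customers WHERE CustomerId = " + customerIdText;
        using (SqlConnection conn = new SqlConnection(GetConnectionString()))
        using (SqlDataAdapter adapter = new SqlDataAdapter(sql, conn))
        {
            DataTable table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
    // After: constrain the input for type, range, format and length first, then pass it
    // as a typed SqlParameter so it can only ever be a value, never SQL text.
    public static DataTable GetCustomer(string customerIdText)
    {
        if (customerIdText == null || !Regex.IsMatch(customerIdText, @"^\d{1,9}$"))
            throw new ArgumentException("Customer id must be 1 to 9 digits.");
        int customerId = int.Parse(customerIdText);
        using (SqlConnection conn = new SqlConnection(GetConnectionString()))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT Name FROM Customers WHERE CustomerId = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = customerId;
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                DataTable table = new DataTable();
                adapter.Fill(table);
                return table;
            }
        }
    }
    // Least privilege: the account in this connection string should be restricted in the
    // database to the tables and procedures this page needs, and the connectionStrings
    // section should be encrypted with aspnet_regiis -pe so credentials are not on disk in clear text.
    private static string GetConnectionString()
    {
        return ConfigurationManager.ConnectionStrings["CustomersDb"].ConnectionString;
    }
}
```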
Configuration File Encryption
How To: Encrypt Config Sections in ASP.NET 2.0 Using DPAPI
How To: Encrypt Config Sections in ASP.NET 2.0 Using RSA
Auditing and Logging Guidelines
Use health monitoring to log and audit events
Instrument for user management events
Instrument for unusual activity
Instrument for significant business operations
Consider using an application-specific event source
Protect audit and log files
More Information
patterns & practices guidelines, practices, How Tos
http://msdn.com/securityguidance
Security Engineering
http://msdn.com/securityengineering
Threat Modelling
http://msdn.com/threatmodeling
Highway Code Handbook
http://www.microsoft.com/uk/msdn/security/home.mspx
Mail me with questions
[email protected]
© 2004 Microsoft Limited. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Security Engineering: Lifecycle Integration
Phase | Core activities | Security activities
Planning | |
Requirements and Analysis | Functional Requirements; Non-Functional Requirements; Technology Requirements | Security Objectives
Architecture and Design | Design Guidelines; Architecture and Design Review | Security Design Guidelines; Threat Modeling; Security Arch and Design Review
Development | Unit Test; Code Review; Daily Builds | Security Code Review
Testing | Integration Testing; System Testing | Security Testing
Deployment | Deployment Review | Security Deployment Review
Maintenance | |