ASP.NET 2.0 Security, Alex Mackman, CM Group Ltd (presentation transcript)

1 ASP.NET 2.0 Security
  Alex Mackman, CM Group Ltd
  alexm@cm-consulting.com

2 My Background

3 Agenda
  Web application security
  Authentication
  Authorization
  Input validation
  Data access
  Auditing and logging

4 Top Web Application Security Issues
  Protecting sensitive data
  Validating input
  Handling exceptions
  Protecting configuration data
  Encrypting or hashing sensitive data
  Auditing
  Authenticating users
  Authorizing users
  Preventing parameter manipulation
  Preventing session hijacking and cookie replay attacks

5 Threat Modelling: The Activity
  Step 1. Identify security objectives
  Step 2. Create application overview
  Step 3. Decompose application
  Step 4. Identify threats
  Step 5. Identify vulnerabilities
  http://msdn.com/threatmodeling

6 What’s new in ASP.NET 2.0?
  Forms authentication and membership
  Role manager
  DPAPI managed wrapper
  Configuration file changes
  Configuration file encryption
  Health monitoring
  Code access security enhancements
  MachineKey enhancements

7 Agenda: Web application security, Authentication, Authorization, Input validation, Data access, Auditing and logging

8 Authentication Guidelines
  Enforce strong passwords
  Support password expiration periods and account disablement
  Do not store credentials
  Protect authentication cookies

9 Forms Authentication Guidelines
  Use membership instead of custom authentication
  Use SSL to protect credentials and auth cookies
    If you cannot use SSL, consider session lifetime
  Validate user login information
  Do not store passwords directly in the user store
  Enforce strong passwords
  Protect access to your credential store
  Do not persist authentication cookies
  Restrict authentication tickets to HTTPS connections
  Consider partitioning your site
  Use unique cookie names and paths

10 Membership System (layered diagram)
  Login Controls: Login, LoginStatus, LoginView, Others
  Membership API: Membership, MembershipUser
  Membership Providers: SqlMembershipProvider, ActiveDirectoryMembershipProvider, Custom
  Data Stores: SQL Server, Active Directory, Other Data Stores

11 ASP.NET 2.0 Forms Authentication with Membership
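The login flow the slides describe (Membership instead of custom credential checks, no persistent cookie, HTTPS only, a generic failure message), as an added example that is not code from the presentation. It assumes a Web Forms page with `UserNameBox`, `PasswordBox` and `ErrorLabel` controls, and the web.config settings named in the comments; the length limits are assumptions.

```csharp
// Added example (not from the slides): a login handler that validates
// credentials through the ASP.NET 2.0 Membership API and issues a
// non-persistent forms-authentication ticket. Assumes web.config has
// <authentication mode="Forms"> with <forms requireSSL="true"
// slidingExpiration="false" name="AppAuth" path="/App" protection="All"/>
// and a <membership> section using SqlMembershipProvider with
// passwordFormat="Hashed", minRequiredPasswordLength and
// maxInvalidPasswordAttempts configured.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Refuse to accept credentials over a clear-text channel.
        if (!Request.IsSecureConnection)
        {
            ErrorLabel.Text = "Login requires an HTTPS connection.";
            return;
        }

        string userName = UserNameBox.Text.Trim();
        string password = PasswordBox.Text;

        // Bound the input before it reaches the provider (assumed limits).
        if (userName.Length == 0 || userName.Length > 256 || password.Length > 128)
        {
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // ValidateUser hashes the supplied password with the stored salt;
        // the clear-text password is never written to the user store.
        if (Membership.ValidateUser(userName, password))
        {
            MembershipUser user = Membership.GetUser(userName);
            if (user != null && user.IsApproved && !user.IsLockedOut)
            {
                // createPersistentCookie = false: the ticket lives in a
                // session cookie and does not survive closing the browser.
                FormsAuthentication.RedirectFromLoginPage(userName, false);
                return;
            }
        }

        // One message for every failure so user names cannot be enumerated.
        ErrorLabel.Text = "Invalid user name or password.";
    }
}
```

With `requireSSL="true"` the runtime also marks the ticket cookie as secure, so a browser will not send it over plain HTTP; `slidingExpiration="false"` keeps the ticket lifetime fixed, which is the "consider session lifetime" point on the slide.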

12 Agenda: Web application security, Authentication, Authorization, Input validation, Data access, Auditing and logging

13 Authorization Guidelines
  Use URL authorization for page and directory access control
    Now supports all files in a directory
    Including those not mapped to Aspnet_isapi.dll
  Use ASP.NET Role Manager
  Use File authorization with Windows auth
  Configure ACLs on your Web site files
  If your role lookup is expensive, consider role caching
  Protect your authorization cookie

14 Role Manager (layered diagram)
  Role Management API: Roles
  Role Providers: SqlRoleProvider, WindowsTokenRoleProvider, AuthorizationStoreRoleProvider, custom RoleProvider
  Data Stores: SQL Server, Active Directory, AzMan (ADAM or XML policy store)

15 Authorization with ASP.NET 2.0 Role Manager
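Role Manager checks layered on top of URL authorization, as an added example that is not code from the presentation. The role names, page and control names are assumptions, and the web.config fragment in the comments shows the role-caching and cookie-protection settings the slides refer to.

```csharp
// Added example (not from the slides): role checks with the ASP.NET 2.0
// Role Manager. Assumes web.config enables it with cached, protected roles:
// <roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider"
//   cacheRolesInCookie="true" cookieProtection="All" cookieRequireSSL="true"
//   cookieName=".AppRoles" cookiePath="/App" cookieSlidingExpiration="false"/>
// and that a <location path="Admin"> element with <authorization> allows
// only the "Administrators" role. Role names are assumptions.
using System;
using System.Security.Permissions;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class ManageOrders : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Defence in depth: URL authorization already gates the folder, but
        // the page checks again so a misconfigured <location> element
        // cannot silently expose it.
        if (!Roles.IsUserInRole("OrderManagers"))
        {
            Response.StatusCode = 403;
            Response.End();
        }

        // Hide, and below also enforce, administrator-only actions.
        ApproveButton.Visible = User.IsInRole("Administrators");
    }

    // Declarative check: the runtime throws SecurityException if the
    // current principal is not in the role, regardless of how the
    // handler was reached.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    protected void ApproveButton_Click(object sender, EventArgs e)
    {
        string userName = UserNameBox.Text.Trim();

        if (!Roles.RoleExists("OrderManagers"))
        {
            Roles.CreateRole("OrderManagers");
        }
        if (!Roles.IsUserInRole(userName, "OrderManagers"))
        {
            // Membership change through the provider, so it is persisted
            // and picked up by the role cookie on the user's next request.
            Roles.AddUserToRole(userName, "OrderManagers");
        }
    }
}
```

With `cacheRolesInCookie="true"` the provider is consulted once and the role list travels in an encrypted, signed cookie, which is why the slide pairs "consider role caching" with "protect your authorization cookie": `cookieProtection="All"` and `cookieRequireSSL="true"` are what keep that cached list from being read or replayed.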

16 Agenda: Web application security, Authentication, Authorization, Input validation, Data access, Auditing and logging

17 Input Validation Guidelines
  Do not trust input, including form fields, cookies, query strings, HTTP headers
  Validate input for type, range, format and length
  Do not rely on ASP.NET request validation
  Do not rely on client-side validation
  Consider centralized input validation
  Avoid user-supplied filename and path input
  Do not echo untrusted input

18 Paths, URLs and Canonicalization
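A centralized validator covering both the input-validation slide and the paths-and-canonicalization slide, as an added example that is not code from the presentation. The field rules, the `~/App_Data/Downloads` folder and the `FileDownload` page are assumptions.

```csharp
// Added example (not from the slides): centralized type/range/format/length
// validation plus canonical path checking for a user-supplied file name.
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

public static class InputValidator
{
    // Patterns are anchored so the whole value must match, not a substring.
    static readonly Regex OrderIdPattern = new Regex(@"^\d{1,9}$");
    static readonly Regex FileNamePattern = new Regex(@"^[A-Za-z0-9_-]{1,64}\.(pdf|txt)$");

    // Type (integer), format (digits only), length (<= 9) and range check.
    public static bool TryParseOrderId(string raw, out int orderId)
    {
        orderId = 0;
        if (raw == null || !OrderIdPattern.IsMatch(raw)) return false;
        orderId = int.Parse(raw);
        return orderId >= 1 && orderId <= 999999999;   // assumed business range
    }

    // Returns the canonical full path of fileName under baseDir, or null if
    // the name is malformed or resolves outside that directory.
    public static string ResolveDownload(string baseDir, string fileName)
    {
        if (fileName == null || !FileNamePattern.IsMatch(fileName)) return null;

        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        // Canonicalize before comparing, so "..", alternate separators and
        // similar tricks are resolved rather than string-matched.
        string full = Path.GetFullPath(Path.Combine(root, fileName));
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
    }
}

public partial class FileDownload : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        int orderId;
        if (!InputValidator.TryParseOrderId(Request.QueryString["id"], out orderId))
        {
            Response.StatusCode = 400;   // reject, and do not echo the bad value
            Response.End();
        }

        string path = InputValidator.ResolveDownload(
            Server.MapPath("~/App_Data/Downloads"), Request.QueryString["file"]);
        if (path == null || !File.Exists(path))
        {
            Response.StatusCode = 404;
            Response.End();
        }

        // Only the validated, canonical name reaches the response header.
        Response.ContentType = "application/octet-stream";
        Response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(path) + "\"");
        Response.TransmitFile(path);
        Response.End();
    }
}
```

The regex allow-list keeps the file name to a known shape, and the `GetFullPath` comparison is the second, independent check: even if the allow-list were loosened later, a name that canonicalizes outside the download directory is still refused.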

19 Agenda: Web application security, Authentication, Authorization, Input validation, Data access, Auditing and logging

20 Data Access Guidelines
  Use Windows authentication to the database
  If you use SQL authentication
    Use strong passwords
    Protect credentials over the network
    Protect credentials in configuration files
  Use least privileged accounts for data access
  Restrict the account in the database
  Use type-safe SQL parameters and not dynamic queries
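The data-access guidelines carried into code, as an added example that is not from the presentation: a connection string read from configuration (Windows authentication, so no password is stored) and a query built with typed parameters rather than string concatenation. The `OrdersDb` connection name and the table and column names are assumptions.

```csharp
// Added example (not from the slides): type-safe parameterized data access.
// Assumes a connection string named "OrdersDb" in web.config that uses
// Integrated Security=SSPI, and that the application's Windows identity
// has been granted only SELECT on dbo.Orders (least privilege, restricted
// in the database rather than trusted from the application).
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class OrderRepository
{
    static string ConnectionString
    {
        get { return ConfigurationManager.ConnectionStrings["OrdersDb"].ConnectionString; }
    }

    // The customer name never becomes part of the SQL text, so a value such
    // as  x' OR 1=1 --  is compared as a literal string, not parsed as SQL.
    public static DataTable FindOrdersByCustomer(string customerName)
    {
        // Length check here, in the application's own validation layer.
        if (customerName == null || customerName.Length > 100)
            throw new ArgumentException("customerName must be 1 to 100 characters");

        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT OrderId, OrderDate, Total FROM dbo.Orders WHERE CustomerName = @name";
            cmd.CommandType = CommandType.Text;

            // Explicit type and size: no implicit conversion, and the
            // parameter shape matches the column it is compared against.
            SqlParameter p = cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100);
            p.Value = customerName;

            DataTable result = new DataTable();
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
            return result;
        }
    }
}
```

If SQL authentication cannot be avoided, the same code works unchanged; only the connection string differs, and the slide's remaining points (strong password, encrypted channel, encrypted configuration section) then apply to that string.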

21 Configuration File Encryption
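Encrypting a configuration section from code, as an added example that is not from the presentation. It does programmatically what `aspnet_regiis -pe connectionStrings -app /App` does from the command line, using the DPAPI provider the "DPAPI managed wrapper" slide refers to; the `/App` virtual path is an assumption.

```csharp
// Added example (not from the slides): protecting <connectionStrings> with
// the DPAPI-based provider. Assumes the caller (an installer or an
// administrator-only page) runs under an account that may write web.config.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtector
{
    // DPAPI at machine scope ties the key to this machine. For a web farm
    // where several nodes share one web.config, use
    // "RsaProtectedConfigurationProvider" and export the RSA key container.
    const string Provider = "DataProtectionConfigurationProvider";

    public static void ProtectConnectionStrings(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section != null && !section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(Provider);
            // ForceSave writes the section even though no value changed.
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    public static void UnprotectConnectionStrings(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section != null && section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
    }
}

// Usage (assumed virtual path): ConfigProtector.ProtectConnectionStrings("/App");
```

After protection the section in web.config holds only an `EncryptedData` element; code that reads `ConfigurationManager.ConnectionStrings` is unchanged, because the runtime decrypts transparently under the worker process identity. That identity is the one the decryption key is tied to, so it must be the same account (or, for RSA, an account with access to the same key container) that performed the encryption.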

22 Agenda: Web application security, Authentication, Authorization, Input validation, Data access, Auditing and logging

23 Auditing and Logging Guidelines
  Use health monitoring to log and audit events
  Instrument for user management events
  Instrument for unusual activity
  Instrument for significant business operations
  Consider using an application-specific event source
  Protect audit and log files

24 ASP.NET 2.0 Health Monitoring
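A custom health-monitoring audit event for "unusual activity", as an added example that is not code from the presentation. The event type, the failed-login threshold and the web.config mapping in the comments are assumptions; the `WebAuditEvent`, `WebEventCodes` and `WebEventFormatter` types are the real ASP.NET 2.0 APIs.

```csharp
// Added example (not from the slides): an application-specific audit event
// raised through ASP.NET 2.0 health monitoring. Assumes web.config routes it:
// <healthMonitoring enabled="true">
//   <eventMappings>
//     <add name="Suspicious Activity"
//          type="AppEvents.SuspiciousActivityEvent, App_Code"/>
//   </eventMappings>
//   <rules>
//     <add name="Suspicious to Event Log" eventName="Suspicious Activity"
//          provider="EventLogProvider" minInstances="1" minInterval="00:00:00"/>
//   </rules>
// </healthMonitoring>
using System;
using System.Web;
using System.Web.Management;

namespace AppEvents
{
    public class SuspiciousActivityEvent : WebAuditEvent
    {
        // Custom codes start at WebExtendedBase (100000) so they do not
        // collide with the built-in ASP.NET event codes.
        public const int Code = WebEventCodes.WebExtendedBase + 1;

        readonly string userName;
        readonly string clientAddress;

        public SuspiciousActivityEvent(string message, object source,
                                       string userName, string clientAddress)
            : base(message, source, Code)
        {
            this.userName = userName;
            this.clientAddress = clientAddress;
        }

        // Extra fields are emitted by every provider that formats the event
        // (event log, SQL, e-mail), so the audit record carries the context.
        public override void FormatCustomEventDetails(WebEventFormatter formatter)
        {
            base.FormatCustomEventDetails(formatter);
            formatter.AppendLine("User: " + userName);
            formatter.AppendLine("Client address: " + clientAddress);
        }
    }

    public static class ActivityMonitor
    {
        // Assumed threshold, not a value from the slides.
        const int MaxFailedLoginsPerSession = 5;

        // Called from the login handler on each failed attempt.
        public static void RecordFailedLogin(HttpContext context, string userName)
        {
            int failures = (context.Session["FailedLogins"] as int?) ?? 0;
            failures++;
            context.Session["FailedLogins"] = failures;

            if (failures == MaxFailedLoginsPerSession)
            {
                new SuspiciousActivityEvent(
                    "Repeated failed logins in one session", null,
                    userName, context.Request.UserHostAddress).Raise();
            }
        }
    }
}
```

Deriving from `WebAuditEvent` rather than `WebBaseEvent` places the event in the audit category, so a single rule for `All Audits` would also capture it alongside the built-in login-success and login-failure events; the rule above sends it to the Windows event log, which the slide's last point then asks you to protect with ACLs.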

25 More Information
  patterns & practices guidelines, practices, How Tos: http://msdn.com/securityguidance
  Security Engineering: http://msdn.com/securityengineering
  Threat Modelling: http://msdn.com/threatmodeling
  Highway Code Handbook: http://www.microsoft.com/uk/msdn/security/home.mspx
  Mail me with questions: alexm@cm-consulting.com

26 © 2004 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

27 Security Engineering: Lifecycle Integration (core activities in the left column, security activities on the right)
  Planning
  Requirements and Analysis: Functional Requirements, Non-Functional Requirements, Technology Requirements | Security Objectives
  Architecture and Design: Design Guidelines, Architecture and Design Review | Security Design Guidelines, Threat Modeling, Security Arch and Design Review
  Development: Unit Test, Code Review, Daily Builds | Security Code Review
  Testing: Integration Testing, System Testing | Security Testing
  Deployment: Deployment Review | Security Deployment Review
  Maintenance
  Legend: Core | Security
