Best Practices and Techniques for Building Secure Microsoft® ASP.NET Applications
Joe Stagner
Developer Community Champion
Microsoft Corporation
[email protected]
www.ManagedCode.com
So Why This Presentation?

• Web application security is more important than ever
• Ensure that security is a consideration in application design
• Creating secure Web applications is a series of complex tasks
• Promote best techniques for security
• Let developers know about new resources available
• msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp

What We Will Cover

• Why Web application security?
• Planning for Web application security
• Authentication and authorization strategies
• Using the ASP.NET process identity
• Secure communication
• Securing secrets and state information
Session Prerequisites

• Familiarity with Microsoft® Windows® management tools
• Familiarity with IIS Management Console
• C# and ASP.NET coding experience
• Familiarity with Microsoft® Visual Studio® .NET
• Basic understanding of Web application security issues

Level 200
Demonstrations

• Configuring IIS for SSL
• Configuring ASP.NET Security
• Using forms authentication with Microsoft® SQL Server™
• Creating a GenericPrincipal object for roles-based authorization
Before We Start!
SSL IS NOT WEB APPLICATION SECURITY
(SSL protects the channel, not the application: SQL injection, cross-site scripting and broken authorization travel over an SSL connection just as well as over plain HTTP.)
Required Reading
Secure Development
Agenda

• Planning for ASP.NET application security
• Configuring security
• Programming security
• Securing secrets
• ASP.NET process identity
• Impersonation
• Accessing resources
• Securing state information
• Web farm considerations
• Securing all tiers
Planning for ASP.NET Web Application Security
Authentication and Authorization

(Diagram: authentication / authorization request flow)
Planning for ASP.NET Web Application Security
Authentication and Authorization

• Identify resources exposed to the client
• Identify resources used by the application
• Choose an authorization strategy
  • Role-based
  • Resource-based
Planning for ASP.NET Web Application Security
Authentication and Authorization

• Choose the identities used to access resources
  • ASP.NET process identity (default)
  • Custom identity
  • Original caller
  • Fixed identity
• Decide on identity flow
  • To the application
  • To the operating system
Planning for ASP.NET Web Application Security
Authentication and Authorization

• Choosing an authentication approach: Internet scenarios (decision flow)
  • Start: is it an interactive Web app?
    • No (Web service): use GXA WS-Security authentication
    • Yes, and users don't have Windows accounts or certificates: use Passport or Forms authentication
Planning for ASP.NET Web Application Security
Secure Communication Strategies

• From client to Web server
• From Web server to database and application servers
Planning for ASP.NET Web Application Security
Threat Modeling

• An iterative process

Planning for ASP.NET Web Application Security
Specific Threats

• Common attacks against Web applications
Planning for ASP.NET Web Application Security
Specific Threats

• SQL injection attacks
  • Unvalidated input alters an existing query or creates a new one
  • Use stored procedures with parameters (or parameterized commands); never build SQL text by concatenating input
• Cross-site scripting
  • Malicious script sent to the application as input and echoed back to other users
  • Frequently part of cookie replay attacks (the injected script reads the session or authentication cookie and sends it to the attacker)
  • Server-side input validation
  • Encode all output that includes input
• Buffer overflows
  • Unmanaged code can be made to execute arbitrary code
  • Server-side input validation (check lengths before data crosses into unmanaged code)
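The two data-handling mistakes on the slide, shown side by side with their fixes. This is an added example, not code from the deck or its demos; the Users table, the usp_CountUser procedure and the column sizes are assumptions.

```csharp
// Added example (not from the original deck). Assumes a SQL Server table
// Users(UserName NVARCHAR(64), ...) and a stored procedure usp_CountUser
// that takes @UserName; both are placeholders.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

public static class InputHandling
{
    // VULNERABLE: the user name becomes part of the query text, so an input of
    //   x' OR '1'='1' --        alters the existing query, and
    //   x'; DROP TABLE Users -- appends a new one.
    public static int CountUserUnsafe(SqlConnection conn, string userName)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE UserName = '" + userName + "'";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            return (int)cmd.ExecuteScalar();
        }
    }

    // HARDENED: the value travels as a typed, length-limited parameter and is
    // never interpreted as SQL, whatever characters it contains.
    public static int CountUser(SqlConnection conn, string userName)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE UserName = @UserName";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = userName;
            return (int)cmd.ExecuteScalar();
        }
    }

    // The slide's recommendation: a stored procedure with parameters. The only
    // text the command carries is the procedure name.
    public static int CountUserViaProc(SqlConnection conn, string userName)
    {
        using (SqlCommand cmd = new SqlCommand("usp_CountUser", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = userName;
            return (int)cmd.ExecuteScalar();
        }
    }

    // Server-side validation: allow-list the characters a user name may contain
    // so neither the query nor the page ever sees SQL or HTML metacharacters.
    public static bool IsValidUserName(string userName)
    {
        return !string.IsNullOrEmpty(userName)
            && userName.Length <= 64
            && Regex.IsMatch(userName, @"^[A-Za-z0-9_.@-]+$");
    }

    // Cross-site scripting: anything echoed back is encoded for the context it
    // lands in. HtmlEncode turns <script> into &lt;script&gt; in element content
    // and escapes the double quote, so the quoted attribute cannot be closed early.
    public static string Greeting(string userName)
    {
        string safe = HttpUtility.HtmlEncode(userName);
        return "<p>Welcome, " + safe + "</p>"
             + "<input type=\"hidden\" name=\"u\" value=\"" + safe + "\" />";
    }
}
```

Validation and encoding are not alternatives: validate on the way in so the data is what the application expects, and encode on the way out because the page, not the database, is where script executes.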
Configuring Security
IIS to Secure Communication

Configuring Web Application Security
Configure IIS Settings

• Optionally install a Web server certificate for SSL
• Configure IIS authentication
• Optionally configure client certificate mapping
• Set NTFS permissions on files and folders
Demo 1
Configure IIS for SSL
Set Up the SecurityDemo Web Site
Create a Certificate Request
Configure IIS for SSL and Certificates
Configuring Web Application Security
ASP.NET Settings in Web.config

• Configure the authentication mode
<authentication mode="Windows|Passport|Forms|None" />

• Configure impersonation
<identity impersonate="true" />

• Configure authorization (the users attribute is one comma-separated list; rules are evaluated top to bottom and the first match wins, so the deny-all rule goes last)
<authorization>
  <allow users="DomainName\Bob, DomainName\Mary" />
  <deny users="*" />
</authorization>
Demo 2
Configure ASP.NET for
Forms Authentication
Create a Web Application in Visual Studio
Edit the Application’s Web.config File
Programming ASP.NET Security
Basic Authorization Pattern

1. Retrieve credentials
2. Validate credentials
3. Put users in roles
4. Create an IPrincipal object
5. Put the IPrincipal object into the current HttpContext
6. Authorize based on user identity/role
Storing Secrets
Secret Examples

• Database connection strings
• Credentials for SQL roles
• Fixed identities in Web.config
• Process identity in Machine.config
• Keys used to store data securely
• SQL Server session state connection string
• Passwords used for forms authentication against a database
Storing Secrets
Storage Methods and Tips

• Install Web application directories on a separate logical volume from the OS
• Secret storage methods for ASP.NET apps
  • Data Protection API (DPAPI): the key is derived from the account or machine, so there is no key of your own to store
  • COM+ constructor strings
  • .NET cryptography classes
  • CAPICOM
  • Crypto API
• Encrypting with your own key only moves the problem: the encryption key is now the secret, and it has to live somewhere the ASP.NET account can read but an attacker who has the Web content cannot. DPAPI is the method that solves this without another secret.
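How the DPAPI option looks in code. This is an added example, not from the deck: it uses System.Security.Cryptography.ProtectedData (.NET Framework 2.0 and later, in System.Security.dll), which wraps the CryptProtectData/CryptUnprotectData calls that 1.1-era samples had to P/Invoke. The registry path, value name and entropy string are assumptions.

```csharp
// Added example (not from the original deck). Requires a reference to
// System.Security.dll. Registry path and entropy are placeholders.
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

public static class SecretStore
{
    // Optional entropy is a second secret compiled into the application. Without
    // it, any code running as the same account (or, in LocalMachine scope, any
    // account on the box) can call Unprotect on a blob it finds.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("SecurityDemo-v1");

    // Where the blob lives: a key the ASP.NET account gets read access to at
    // install time. The plaintext never appears in Web.config.
    const string KeyPath = @"SOFTWARE\SecurityDemo";

    public static byte[] Protect(string secret, DataProtectionScope scope)
    {
        return ProtectedData.Protect(Encoding.UTF8.GetBytes(secret), Entropy, scope);
    }

    public static string Unprotect(byte[] blob, DataProtectionScope scope)
    {
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, scope);
        try
        {
            return Encoding.UTF8.GetString(plain);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // do not leave the secret in the heap longer than needed
        }
    }

    // Install-time step (runs as an administrator): encrypt and store.
    public static void SaveConnectionString(string connStr)
    {
        byte[] blob = Protect(connStr, DataProtectionScope.LocalMachine);
        using (RegistryKey k = Registry.LocalMachine.CreateSubKey(KeyPath))
        {
            k.SetValue("ConnString", Convert.ToBase64String(blob));
        }
    }

    // Run-time step (runs as the ASP.NET process identity): read and decrypt.
    public static string LoadConnectionString()
    {
        using (RegistryKey k = Registry.LocalMachine.OpenSubKey(KeyPath))
        {
            if (k == null) throw new InvalidOperationException("Secret has not been installed");
            string b64 = (string)k.GetValue("ConnString");
            return Unprotect(Convert.FromBase64String(b64), DataProtectionScope.LocalMachine);
        }
    }
}
```

Scope is the decision that matters. CurrentUser ties the blob to the ASP.NET account's profile, which must be loaded for the call to succeed (a classic failure for service accounts); LocalMachine works for any account on that machine, so the NTFS or registry ACL on the blob is what keeps other local users out. Either way the key is per machine: a blob protected on one Web server will not decrypt on another, which is the web-farm point made later in the deck.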
Demonstration 3
Create a Logon Page and Validate Against Credentials
Create a Logon Page
Create a User Accounts Database
Register the User
Store Connection String
Store Account Details in Database
Authenticate a User
Demonstration 4
Generate an Authentication Ticket and Create a GenericPrincipal Object
Create a GetRoles Method
Create a Forms Authentication Ticket
Create GenericPrincipal and
FormsIdentity Objects
Check the Logged-in User and Their Roles
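The six steps of the basic authorization pattern and the two demos above, carried through in one piece. This is an added example, not the demos' code: it assumes a Users table with UserName, Salt, PasswordHash and Roles (comma-separated) columns and a connection string named "Users" in <connectionStrings>, and it stores a salted PBKDF2 hash (Rfc2898DeriveBytes, .NET Framework 2.0 and later) rather than the password itself, which the deck does not prescribe.

```csharp
// Added example (not from the original deck or its demos). Assumes
// Users(UserName NVARCHAR(64), Salt VARBINARY(16), PasswordHash VARBINARY(32),
// Roles NVARCHAR(256)) and <connectionStrings><add name="Users" .../>.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class FormsAuthPattern
{
    const int SaltBytes = 16, HashBytes = 32, Iterations = 100000;

    // Registration: store a random salt and a PBKDF2 hash, never the password.
    public static void Register(string userName, string password, string roles)
    {
        byte[] salt = new byte[SaltBytes];
        new RNGCryptoServiceProvider().GetBytes(salt);
        byte[] hash = new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashBytes);
        using (SqlConnection conn = Open())
        using (SqlCommand cmd = new SqlCommand(
            "INSERT INTO Users (UserName, Salt, PasswordHash, Roles) VALUES (@u, @s, @h, @r)", conn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 64).Value = userName;
            cmd.Parameters.Add("@s", SqlDbType.VarBinary, SaltBytes).Value = salt;
            cmd.Parameters.Add("@h", SqlDbType.VarBinary, HashBytes).Value = hash;
            cmd.Parameters.Add("@r", SqlDbType.NVarChar, 256).Value = roles;
            cmd.ExecuteNonQuery();
        }
    }

    // Steps 1-2: retrieve and validate. Returns the roles on success, null on
    // failure; the caller is not told whether the name or the password was wrong.
    public static string ValidateUser(string userName, string password)
    {
        using (SqlConnection conn = Open())
        using (SqlCommand cmd = new SqlCommand(
            "SELECT Salt, PasswordHash, Roles FROM Users WHERE UserName = @u", conn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 64).Value = userName;
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read()) return null;
                byte[] salt = (byte[])r["Salt"], stored = (byte[])r["PasswordHash"];
                byte[] computed = new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashBytes);
                return FixedTimeEquals(stored, computed) ? (string)r["Roles"] : null;
            }
        }
    }

    // Step 3 (logon page): roles go into the ticket's UserData, so later requests
    // rebuild the principal without a database round trip. Encrypt() signs and
    // encrypts the ticket with the <machineKey> settings.
    public static void IssueTicket(HttpContext ctx, string userName, string roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(20), false, roles,
            FormsAuthentication.FormsCookiePath);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // script cannot read the ticket
        cookie.Secure = ctx.Request.IsSecureConnection;  // never sent over plain HTTP
        ctx.Response.Cookies.Add(cookie);
    }

    // Steps 4-5 (Global.asax, Application_AuthenticateRequest): decrypt the
    // ticket, build the GenericPrincipal and attach it to the context.
    public static void Application_AuthenticateRequest(HttpContext ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }                    // tampered or foreign cookie: stay anonymous
        if (ticket == null || ticket.Expired) return;
        string[] roles = ticket.UserData.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        ctx.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }

    // Step 6: authorize on role, not on user name.
    public static bool CanApprove(IPrincipal user)
    {
        return user != null && user.Identity.IsAuthenticated && user.IsInRole("Manager");
    }

    static SqlConnection Open()
    {
        SqlConnection c = new SqlConnection(
            ConfigurationManager.ConnectionStrings["Users"].ConnectionString);
        c.Open();
        return c;
    }

    // Constant-time comparison so response timing does not leak hash bytes.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because the roles live inside the encrypted, signed ticket, a user cannot edit the cookie to grant themselves "Manager"; the flip side is that a role change takes effect only when the ticket is reissued, so keep the expiry short or re-check the database for the sensitive operations.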
ASP.NET Process Identity
Guidelines

• Configured in the <processModel> element of machine.config
• Always run ASP.NET as a least-privileged account
• Never run ASP.NET as SYSTEM
• Using the default ASPNET account to access remote resources
  • Create duplicate accounts on the remote computers (same user name and password, so the local account can be authenticated by the remote machine)
  • Or use a least-privileged domain account
Impersonation
Flowing Client Identity

• Inherent performance issues (each caller opens resources as a distinct identity, so database connection pooling is lost)
• Consider instead:
  • URL or file authorization with role-based checks
  • Efficient management of gatekeepers and trust boundaries
Impersonation
Flowing Client Identity

• Four reasons to use impersonation
  • Audit at the OS level (the resource's audit log records the caller, not the process account)
  • Flow the original caller to access resources
  • Use a fixed identity
  • Preserve the default behavior of a ported classic ASP application
• For local resources
  • Create an ACE with read access for the user
  • Better to avoid impersonation and use URL or file authorization with role-based checks
• For remote resources
  • Must use Basic, Forms or Kerberos authentication (the Web server needs the caller's credentials or a delegatable Kerberos token to authenticate to the next machine; an NTLM token cannot make a second hop)
• Threading consideration
  • Child threads inherit the ASP.NET process account's security context, not the impersonated identity
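An alternative to `<identity impersonate="true" />`, which impersonates for the whole request: impersonate the original caller only around the call that needs the caller's identity. This is an added example, not from the deck; it assumes Windows authentication so that User.Identity is a WindowsIdentity, and the file path is a placeholder.

```csharp
// Added example (not from the original deck). Assumes IIS Windows
// authentication and <authentication mode="Windows" /> so the request's
// User.Identity is a WindowsIdentity with a usable token.
using System;
using System.IO;
using System.Security.Principal;
using System.Threading;
using System.Web;

public static class ScopedImpersonation
{
    // Read a file as the caller: the NTFS ACL is evaluated against the caller's
    // token and an OS audit entry names the caller rather than the ASPNET account.
    public static string ReadAsCaller(HttpContext ctx, string path)
    {
        WindowsIdentity caller = ctx.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows authentication required");

        // Impersonate() swaps the thread token; Undo() in finally restores the
        // process identity even when File.ReadAllText throws.
        WindowsImpersonationContext impersonation = caller.Impersonate();
        try
        {
            return File.ReadAllText(path);
        }
        finally
        {
            impersonation.Undo();
        }
    }

    // The threading caveat from the slide: a new thread does NOT carry the
    // impersonated token, it starts under the process account. If work really
    // must run as the caller on another thread, capture the identity and
    // impersonate again on that thread.
    public static void RunOnWorkerThreadAsCaller(HttpContext ctx, ThreadStart work)
    {
        WindowsIdentity caller = (WindowsIdentity)ctx.User.Identity;
        Thread t = new Thread(delegate()
        {
            WindowsImpersonationContext wic = caller.Impersonate();
            try { work(); }
            finally { wic.Undo(); }
        });
        t.Start();
        t.Join();
    }
}
```

Everything outside the try block still runs as the least-privileged process identity, so a bug elsewhere in the page cannot be turned into an action performed as the caller; and because the impersonation is explicit, a code reviewer can see exactly which operations are meant to cross into the caller's identity.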
Accessing Resources
System Resources and COM Objects

• Creating event sources
  • At install time with a .NET installer class (registering a source writes to the registry, which the run-time account should not be allowed to do)
  • Grant permissions to the account on the registry hive HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
  • For any registry key, grant the account at least read access
• Apartment-model COM objects
  • <%@ Page AspCompat="true" %>
  • Create COM objects in page event handlers, not in the page constructor, so they are created on the STA thread AspCompat provides
Accessing Resources
Network Resources

• ASP.NET process identity
• Anonymous Internet user account
  • Use impersonation to flow the anonymous account through trust boundaries
  • Can be applied to hosting scenarios
• Original caller using delegation
  • Windows authentication using Kerberos
  • Windows authentication using client certificates
  • Out-of-process serviced component
Securing State Information
View State

• Configure the validation attribute in machine.config
  <machineKey validation="SHA1" … />   (integrity only: the MAC detects tampering, but view state is still readable after Base64 decoding)
  <machineKey validation="3DES" … />   (encrypts view state as well, for pages that keep sensitive values in it)
• Enable message authentication code (MAC) checks for pages that use view state; this is the default, and turning it off to make a page "work" removes the only defense against a forged view state
  <%@ Page EnableViewStateMac="true" %>
Securing State Information
SQL Session State

• Secure the connection string using Windows authentication (no SQL password to store)
  • Create a duplicate account on the database server
  • Change the connection string in the <sessionState> element:
    sqlConnectionString="server=127.0.0.1;database=StateDatabase;Integrated Security=SSPI;"
• Use IPSec or SSL to protect network traffic between the Web server and the SQL state database server (session data crosses the wire in the clear otherwise)
Web Farm Considerations
Security Implications

• Must use remote, out-of-process session state
• For DPAPI, consider user vs. machine store (a DPAPI blob only decrypts on the machine that created it, so each server protects its own copy of the secret)
• For forms authentication, <machineKey> must be the same on each computer (the default AutoGenerate gives every server a different key, so a ticket issued by one server fails validation on the next)
  • validationKey attribute
  • decryptionKey attribute
  • validation attribute should be SHA1
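Generating explicit key values for the shared <machineKey> element. This is an added example, not from the deck: the key lengths are the maximums ASP.NET 1.1 accepts (128 hex characters, 64 bytes, for validationKey; 48 hex characters, 24 bytes, for a 3DES decryptionKey), and the output is meant to be pasted into machine.config or Web.config on every server in the farm.

```csharp
// Added example (not from the original deck). Run once, paste the element into
// each server's configuration, and protect the file like any other secret.
using System;
using System.Security.Cryptography;
using System.Text;

public static class MachineKeyGenerator
{
    // Random bytes from the OS CSPRNG, rendered as uppercase hex as ASP.NET expects.
    public static string HexKey(int byteCount)
    {
        byte[] buf = new byte[byteCount];
        new RNGCryptoServiceProvider().GetBytes(buf);
        StringBuilder sb = new StringBuilder(byteCount * 2);
        foreach (byte b in buf) sb.Append(b.ToString("X2"));
        return sb.ToString();
    }

    // 64-byte HMAC key for SHA1 validation, 24-byte key for 3DES decryption.
    public static string MachineKeyElement()
    {
        return "<machineKey validationKey=\"" + HexKey(64) + "\"\n"
             + "            decryptionKey=\"" + HexKey(24) + "\"\n"
             + "            validation=\"SHA1\" />";
    }

    public static void Main()
    {
        Console.WriteLine(MachineKeyElement());
    }
}
```

Whoever can read these two values can mint a forms authentication ticket for any user and forge view state for any page, so the configuration file holding them deserves the same NTFS restrictions as a connection string, and the keys should be rotated if a server is ever suspected of compromise.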
Securing All Tiers
From Code to Network

• Follow published guidelines to:
  • Use CAS with ASP.NET
  • Build secure pages and controls
  • Build secure components
  • Build secure Web services
  • Build secure data access
  • Secure the network
  • Secure the Web server
  • Secure the database server
  • Secure the application server
• Read
  • Improving Web Application Security: Threats and Countermeasures
  • Building Secure ASP.NET Applications
Session Summary

• Planning for security is part of designing a Web application
• Threat modeling can help your team focus resources on security
• Creating a secure Web application is demanding; Microsoft provides resources to help you
For More Information…

• MSDN Web site: msdn.microsoft.com
• ASP.NET Web site: www.asp.net
• GotDotNet Web site: www.gotdotnet.com
• TechNet Security home page: www.microsoft.com/technet/security
• Microsoft Security and Privacy home page: www.microsoft.com/security/

For More Information…

• .NET Security home page: msdn.microsoft.com/net/security
• Microsoft Training and Certification in Security: www.microsoft.com/traincert/centers/security.asp
• Improving Web Application Security: Threats and Countermeasures: msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp
• Building Secure ASP.NET Applications: msdn.microsoft.com/library/en-us/dnnetsec/html/secnetlpMSDN.asp
MSDN
Essential Resources for Developers

• Subscription Services: Library, OS, Professional, Enterprise, Universal; delivered via CD-ROM, DVD, Web
• Online Information: MSDN Online, MSDN Flash, How-to Resources, Download Center
• Training and Events: MSDN Webcasts, MSDN Online Seminars, Tech·Ed, PDC, Developer Days
• Print Publications: MSDN Magazine, MSDN News
• Membership Programs: MSDN User Groups
How-to Resources
Simple, Step-by-Step Procedures

• Embedded development How-to resources
• General How-to resources
• Integration How-to resources
• Microsoft® JScript® .NET How-to resources
• Microsoft .NET development How-to resources
• Office development resources
• Security How-to resources
• Microsoft® Visual Basic® .NET How-to resources
• Microsoft® Visual C#® .NET How-to resources
• Microsoft Visual Studio .NET How-to resources
• Web development How-to resources (ASP, IIS, XML)
• Web services How-to resources
• Windows development How-to resources

http://msdn.microsoft.com/howto
MSDN Webcasts
Interactive, Live Online Events

• Interactive, synchronous, live online events
• Discuss the hottest topics from Microsoft
• Open and free for the general public
• Take place every Tuesday

http://www.microsoft.com/usa/webcasts
MSDN Subscriptions
The Way to Get Visual Studio .NET

• MSDN Universal ($2799 new, $2299 renewal/upgrade): Visual Studio .NET Enterprise Architect (NEW)
  • Software and data modeling
  • Enterprise templates
  • Architectural guidance
• MSDN Enterprise ($2199 new, $1599 renewal/upgrade): Visual Studio .NET Enterprise Developer
  • Enterprise lifecycle tools
  • Team development support
  • Windows Server 2003 and SQL Server™
• MSDN Professional ($1199 new, $899 renewal/upgrade): Visual Studio .NET Professional
  • Tools to build applications and XML Web services for Windows and the Web
Where Can I Get MSDN?

• Visit MSDN Online at msdn.microsoft.com
• Register for the MSDN Flash e-mail newsletter at msdn.microsoft.com/flash
• Become an MSDN CD subscriber at msdn.microsoft.com/subscriptions
• Attend MSDN online seminars at msdn.microsoft.com/training/seminars
• Attend more MSDN events
Microsoft Press®
Essential Resources for Developers

Microsoft Visual Studio .NET is here! This is your chance to start building the next big thing. Develop your .NET skills and increase your productivity with .NET books from Microsoft Press.
www.microsoft.com/mspress

Become a Microsoft Certified Solution Developer

• What is MCSD?
  • Premium certification for professionals who design and develop custom business solutions
• How do I attain MCSD certification?
  • Certification requires passing four exams to prove competency with Microsoft solution architecture, desktop applications, distributed application development, and development tools
• Where do I get more information?
  • For more information about certification requirements, exams, and training options, visit www.microsoft.com/mcp
Get this Presentation
www.ManagedCode.com
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Microsoft, MSDN, Visual Basic, Windows, Windows NT, JScript, Visual Studio, Visual C#, Active Directory, Win32, and Microsoft Press are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of
their respective owners.