Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Best Practices and Techniques for Building Secure Microsoft ASP.NET Applications ® Joe Stagner Developer Community Champion Microsoft Corporation [email protected] www.ManagedCode.com So Why This Presentation? Web application security is more important than ever Ensure that security is a consideration in application design Creating secure Web applications is a series of complex tasks Promote best techniques for security Let developers know about new resources available msdn.microsoft.com/library/enus/dnnetsec/html/ThreatCounter.asp What We Will Cover Why Web application security? Planning for Web application security Authentication and authorization strategies Using the ASP.NET process identity Secure communication Securing secrets and state information Session Prerequisites Familiarity with Microsoft® Windows® management tools Familiarity with IIS Management Console C# and ASP.NET coding experience Familiarity with Microsoft® Visual Studio® .NET Basic understanding of Web application security issues Level 200 Demonstrations Configuring IIS for SSL Configuring ASP.NET Security Using forms authentication with Microsoft® SQL Server™ Creating a GenericPrincipal object for roles-based authorization Before We Start ! SSL IS NOT WEB APPLICATION SECURITY Required Reading Secure Development Agenda Planning for ASP.NET application security Configuring security Programming security Securing secrets ASP.NET process identity Impersonation Accessing resources Securing state information Web farm considerations Securing all tiers Planning for ASP.NET Web Application Security Authentication and Authorization Authentication / authorization request flow Planning for ASP.NET Web Application Security Authentication and Authorization Identify resources exposed to client Identify resource for app Choose authorization strategy Role-based Resource-based Planning for ASP.NET Web Application Security Authentication and Authorization Choose Identities Used to Access Resources ASP.NET process identity (default) Custom identity Original caller Fixed identity Decide on identity flow To the application To the operating system Planning for ASP.NET Web Application Security Authentication and Authorization Choosing an authentication approach Internet scenarios Start Interactive Web app? Users don’t have Windows accounts or certificates Yes No – Web Service Use GXA WSSecurity Authentication Use Passport or Forms Authentication Planning for ASP.NET Web Application Security Authentication and Authorization Choosing an authentication approach Planning for ASP.NET Web Application Security Secure Communication Strategies From client to Web server From Web server to database and application servers Planning for ASP.NET Web Application Security Threat Modeling An iterative process Planning for ASP.NET Web Application Security Specific Threats Common attacks against Web applications Planning for ASP.NET Web Application Security Specific Threats SQL injection attacks Cross-site scripting Alters existing query or creates new query Use stored procedures with parameters Malicious script sent to application as input Frequently part of cookie replay attacks Server-side input validation Encode all output that includes input Buffer overflows Unmanaged code can cause arbitrary code Server-side input validation Agenda Planning for ASP.NET application security Configuring security Programming security Securing secrets Using the ASP.NET process identity Impersonation Accessing resources Securing state information Web farm considerations Securing all tiers Configuring Security IIS to Secure Communication Configuring Web Application Security Configure IIS Settings Optionally install a Web server certificate for SSL Configure IIS authentication Optionally configure client certificate mapping Set NTFS permissions on files and folders Demo 1 Configure IIS for SSL Set Up the SecurityDemo Web Site Create a Certificate Request Configure IIS for SSL and Certificates Configuring Web Application Security ASP.NET Settings in Web.config Configure authentication mode <authentication mode="Windows|Passport|Forms|None" /> Configure impersonation <identity impersonate="true" /> Configure authorization <authorization> <allow users="DomainName\Bob", "DomainName\Mary" /> <deny users="*" /> </authorization> Demo 2 Configure ASP.NET for Forms Authentication Create a Web Application in Visual Studio Edit the Application’s Web.config File Agenda Planning for ASP.NET application security Configuring security Programming security Securing secrets Using the ASP.NET process identity Impersonation Accessing resources Securing state information Web farm considerations Securing all tiers Programming ASP.NET Security Basic Authorization Pattern Retrieve credentials Validate credentials Put users in roles Create an IPrincipal object Put the IPrincipal object into current HttpContext Authorize based on user identity/role Agenda Planning for ASP.NET application security Configuring security Programming security Securing secrets ASP.NET process identity Impersonation Accessing resources Securing state information Web farm considerations Securing all tiers Storing Secrets Secret Examples Database connection strings Credentials for SQL roles Fixed identities in Web.config Process identity in Machine.config Keys used to store data securely SQL Server session state Passwords used for forms authentication against a database Storing Secrets Storage Methods and Tips Install Web application directories on a separate logical volume from the OS Secret storage methods for ASP.NET apps Data Protection API (DPAPI) COM+ constructor strings .NET cryptography classes CAPICOM Crypto API Demonstration 3 Create a Logon Page and Validate Against Credentials Create a Logon Page Create a User Accounts Database Register the User Store Connection String Store Account Details in Database Authenticate a User Demonstration 4 Generate an Authentication Ticket and Create a GenericPrincipal object Create a GetRoles Method Create a Forms Authentication Ticket Create GenericPrincipal and FormsIdentity Objects Check the Logged-in User and Their Roles Agenda Planning for ASP.NET application security Configuring security Programming security Securing secrets ASP.NET process identity Impersonation Accessing resources Securing state information Web farm considerations Securing all tiers ASP.NET Process Identity Guidelines Configured in <processModel> element Always run ASP.NET as a leastprivileged account Never run ASP.NET as SYSTEM Using the default ASPNET account to access remote resources Create duplicate accounts on remote computers Use a least-privileged domain account Agenda Planning for ASP.NET application security Configuring security Programming security Securing secrets ASP.NET process identity Impersonation Accessing resources Securing state information Web farm considerations Securing all tiers Impersonation Flowing Client Identity Inherent performance issues Consider instead: URL or file authorization with role-based checks Efficient management of gatekeepers and trust boundaries Impersonation Flowing Client Identity Four reasons to use impersonation For local resources Create ACE with read access for user Better to avoid impersonation and use URL or File authorization with role-based checks For remote resources Audit on the OS level Flow original caller to access resources Use a fixed identity Save default behavior of a ported classic ASP application Must use basic, forms or Kerberos authentication Threading consideration Child threads inherit the ASP.NET process account’s security context Agenda Planning for ASP.NET application security Configuring security Programming security Securing secrets Using the ASP.NET process identity Impersonation Accessing resources Securing state information Web farm considerations Securing all tiers Accessing Resources System Resources and COM Objects Creating event sources At install time with a .NET installer class Grant permissions to account on registry hive HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \EventLog For any registry key, grant account at least read access Apartment Model COM objects <%@ Page AspCompat="true" %> Create COM objects in page event handlers Accessing Resources Network Resources ASP.NET process identity Anonymous Internet user account Use impersonation to flow anonymous account through trust boundaries Can be applied to hosting scenarios Accessing Resources Network Resources Original caller using delegation Windows Authentication using Kerberos Windows Authentication using client certificates OOP-serviced component Agenda Planning for ASP.NET application security Configuring security Programming security Securing secrets Using the ASP.NET process identity Impersonation Accessing resources Securing state information Web farm considerations Securing all tiers Securing State Information View State Configure validation attribute in machine.config <machineKey validation=“SHA1” … /> <machineKey validation=“3DES” … /> Enable message authentication code (MAC) checks for pages that use view state <% @ Page enableViewStateMac = “true” %> Securing State Information SQL Session State Secure connection string using Windows authentication Create duplicate account on database server Change connection string sqlConectionString="server=127.0.0.1;database=State Database;Integrated Security=SSPI;" Use IPSec or SSL to protect network traffic between Web server and SQL state database server Agenda Planning for ASP.NET application security Configuring security Programming security Securing secrets Using the ASP.NET process identity Impersonation Accessing resources Securing state information Web farm considerations Securing all tiers Web Farm Considerations Security Implications Must use remote, OOP session state For DPAPI, consider user vs. machine store For forms authentication, <machineKey> must be the same for each computer validationKey attribute decryptionKey attribute validation attribute should be SHA1 Agenda Planning for ASP.NET application security Configuring security Programming security Securing secrets Using the ASP.NET process identity Impersonation Accessing resources Securing state information Web farm considerations Securing all tiers Securing All Tiers From Code to Network Follow published guidelines to: Use CAS with ASP.NET Build secure pages and controls Build secure components Build secure Web services Build secure data access Secure the network Secure the Web server Secure the database server Secure the application server Read Improving Web Application Security: Threats and Countermeasures Building Secure ASP.NET Applications Session Summary Planning for security is part of designing a Web application Threat modeling can help your team focus resources on security Creating a secure Web application is demanding—Microsoft provides resources to help you For More Information… MSDN Web site ASP.NET Web site www.gotdotnet.com TechNet Security home page www.asp.net GotDotNet Web site msdn.microsoft.com www.microsoft.com/technet/security Microsoft Security and Privacy home page www.microsoft.com/security/ For More Information… .NET Security home page Microsoft Training and Certification in Security www.microsoft.com/traincert/centers/security.asp Improving Web Application Security: Threats and Countermeasures msdn.microsoft.com/net/security msdn.microsoft.com/library/enus/dnnetsec/html/ThreatCounter.asp Building Secure ASP.NET Applications msdn.microsoft.com/library/enus/dnnetsec/html/secnetlpMSDN.asp MSDN Essential Resources for Developers Subscription Services Library, OS, Professional, Enterprise, Universal Delivered via CD-ROM, DVD, Web Online Information MSDN Online, MSDN Flash, How-to Resources, Download Center Training and Events MSDN Webcasts, MSDN Online Seminars, Tech·Ed, PDC, Developer Days Print Publications MSDN Magazine MSDN News Membership Programs MSDN User Groups How-to Resources Simple, Step-by-Step Procedures Embedded development How-to resources General How-to resources Integration How-to resources Microsoft® JScript® .NET How-to resources Microsoft .NET development How-to resources Office development resources Security How-to resources Microsoft® Visual Basic® .NET How-to resources Microsoft® Visual C#® .NET How-to resources Microsoft Visual Studio .NET How-to resources Web development How-to resources (ASP, IIS, XML) Web services How-to resources Windows development How-to resources http://msdn.microsoft.com/howto MSDN Webcasts Interactive, Live Online Events Interactive, synchronous, live online events Discuss the hottest topics from Microsoft Open and free for the general public Take place every Tuesday http://www.microsoft.com/usa/webcasts MSDN Subscriptions The Way to Get Visual Studio .NET Visual Studio .NET MSDN Subscriptions MSDN Universal $2799 new $2299 renewal/upgrade Enterprise Developer • Enterprise lifecycle tools • Team development support • Windows Server 2003 and SQL Server™ MSDN Enterprise $2199 new $1599 renewal/upgrade Professional • Tools to build applications and XML Web services for Windows and the Web MSDN Professional $1199 new $899 renewal/upgrade NEW Enterprise Architect • Software and data modeling • Enterprise templates • Architectural guidance Where Can I Get MSDN? Visit MSDN Online at msdn.microsoft.com Register for the MSDN Flash e-mail newsletter at msdn.microsoft.com/flash Become an MSDN CD subscriber at msdn.microsoft.com/subscriptions MSDN online seminars msdn.microsoft.com/training/seminars Attend more MSDN events Microsoft Press® Essential Resources for Developers Microsoft Visual Studio .NET is here! This is your chance to start building the next big thing. Develop your .NET skills, increase your productivity with .NET books from Microsoft Press www.microsoft.com/mspress Become a Microsoft Certified Solution Developer What is MCSD? How do I attain MCSD certification? Premium certification for professionals who design and develop custom business solutions Certification requires passing four exams to prove competency with Microsoft solution architecture, desktop applications, distributed application development, and development tools Where do I get more information? For more information about certification requirements, exams, and training options, visit www.microsoft.com/mcp Get this Presentation www.ManagedCode.com © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. Microsoft, MSDN, Visual Basic, Windows, Windows NT, JScript, Visual Studio, Visual C#, Active Directory, Win32, and Microsoft Press are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.