ASP.NET 2.0 Security Alex Mackman CM Group Ltd

Slides:



Advertisements
Similar presentations
Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.
Advertisements

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
ASP.NET Web Application Security Hannes Preishuber ppedv AG
ASP.NET Web Application Security Hannes Preishuber ppedv AG
Barracuda Web Application Firewall
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 7 HARDENING SERVERS.
Online Security Tuesday April 8, 2003 Maxence Crossley.
Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.
Security and Policy Enforcement Mark Gibson Dave Northey
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
Introduction To Windows NT ® Server And Internet Information Server.
Membership, Role Manager and Profile Membership, Role Manager and Profile Matt Gibbs ASP.NET Development Manager.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Security in SQL Jon Holmes CIS 407 Fall Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Martin Kruliš by Martin Kruliš (v1.0)1.
Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.
Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.
1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.
Windows.Net Programming Series Preview. Course Schedule CourseDate Microsoft.Net Fundamentals 01/13/2014 Microsoft Windows/Web Fundamentals 01/20/2014.
Introduction to SQL 2005 Security Nick Ward SQL Server Specialist Nick Ward SQL Server Specialist
Web Security Overview Lohika ASC team 2009
Membership in ASP.Net...if only Presented by: Patrick Hynds President, CriticalSites Microsoft Regional Director.
Session 11: Security with ASP.NET
Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Philadelphia Area SharePoint User Group Building Customer/Partner Extranets Designing a Secure Extranet with Sharepoint 2007 Russ Basiura RJB Technical.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.
Microsoft SharePoint Server 2010 for the Microsoft ASP.NET Developer Yaroslav Pentsarskyy
Chapter 2. Core Defense Mechanisms. Fundamental security problem All user input is untrusted.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
Dr. Mustafa Cem Kasapbaşı Security in ASP.NET. Determining Security Requirements Restricted File Types.
Effective Security in ASP.Net Applications Jatin Sharma: Summer 2005.
Securing Your ASP.NET Application Presented by: Rob Bagby Developer Evangelist Microsoft ( )
SEC835 Runtime authentication Secure session management Secure use of cryptomaterials.
Module 11: Securing a Microsoft ASP.NET Web Application.
Slide 1 ASP Authentication There are basically three authentication modes Windows Passport Forms There are others through WCF You choose an authentication.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Windows Role-Based Access Control Longhorn Update
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.
ITS – Identity Services ONEForest Security Jake DeSantis Keith Brautigam
ADO.NET AND STORED PROCEDURES - Swetha Kulkarni. RDBMS ADO.NET Provider  SqlClient  OracleClient  OleDb  ODBC  SqlServerCE System.Data.SqlClient.
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
OWASP Building Secure Web Applications And the OWASP top 10 vulnerabilities.
Web2.0 Secure Development Practice Bruce Xia
Web Services Security Patterns Alex Mackman CM Group Ltd
A Lap Around New Enhancements for Web Developers in Visual Studio 2005 Alexander Holy Developer Evangelist, Microsoft EMEA
Module 6: Administering Reporting Services. Overview Server Administration Performance and Reliability Monitoring Database Administration Security Administration.
Pete LePage Senior Product Manager Microsoft Corporation WUX310.
Security. Agenda ASP.NET security basics AuthenticationAuthorization Security principals Forms authentication Membership service Login controls Role Management.
Developing Custom ASP.NET Providers For Membership And Role Manager Stefan Schackow PRS404 Program Manager – Web Platform and Tools Microsoft Corporation.
Vinod Unny Enterprise InfoTech Microsoft Regional Director, North India
Web Application Vulnerabilities
SQL Server Security & Intrusion Prevention
# 66.
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Enterprise Library Overview
Security mechanisms and vulnerabilities in .NET
ASP.NET Module Subtitle.
Designing IIS Security (IIS – Internet Information Service)
Fast-Track UiPath Developer Module 10: Sensitive Data Handling
Presentation transcript:

ASP.NET 2.0 Security Alex Mackman CM Group Ltd

My Background

Agenda Web application security AuthenticationAuthorization Input validation Data access Auditing and logging

Top Web Application Security Issues Protecting sensitive data Validating input Handling exceptions Protecting configuration data Encrypting or hashing sensitive data Auditing Auditing Authenticating users Authorization Authorization Preventing parameter manipulation Preventing session hijacking and cookie replay attacks Auditing Authorizing users

Threat Modelling The Activity Step 1. Identify security objectives Step 2. Create application overview Step 3. Decompose application Step 4. Identify threats Step 5. Identify vulnerabilities

What’s new in ASP.NET 2.0? Forms authentication and membership Role manager DPAPI managed wrapper Configuration file changes Configuration file encryption Health monitoring Code access security enhancements MachineKey enhancements

Agenda Web application security AuthenticationAuthorization Input validation Data access Auditing and logging

Authentication Guidelines Enforce strong passwords Support password expiration periods and account disablement Do not store credentials Protect authentication cookies

Forms Authentication Guidelines Use membership instead of custom authentication Use SSL to protect credentials and auth cookies If you cannot use SSL, consider session lifetime Validate user login information Do not store passwords directly in the user store Enforce strong passwords Protect access to your credential store Do not persist authentication cookies Restrict authentication tickets to HTTPS connections Consider partitioning your site Use unique cookie names and paths

Membership System LoginLoginStatusLoginViewOthers MembershipMembershipUser SqlMembershipProviderActiveDirectoryMembershipProviderCustom SQL Server Active Directory Other Data Stores Login Controls Membership API Membership Providers Data Stores

ASP.NET 2.0 Forms Authentication with Membership

Agenda Web application security AuthenticationAuthorization Input validation Data access Auditing and logging

Authorization Guidelines Use URL authorization for page and directory access control Now supports all files in a directory Including those not mapped to Aspnet_isapi.dll Use ASP.NET Role Manager Use File authorization with Windows auth Configure ACLs on your Web site files If your role lookup is expensive, consider role caching Protect your authorization cookie

Role Manager Roles SqlRoleProviderWindowsTokenRoleProviderAuthorizationStoreRoleProvider SQL Server Active Directory Role Management API Membership Providers Data Stores AzMan ADAM XML RoleProvider

Authorization with ASP.NET 2.0 Role Manager

Agenda Web application security AuthenticationAuthorization Input validation Data access Auditing and logging

Input Validation Guidelines Do not trust input including forms fields, cookies, query strings, HTTP headers Validate input for type, range, format and length Do not rely on ASP.NET request validation Do not rely on client-side validation Consider centralized input validation Avoid user supplied filename and path input Do not echo untrusted input

Paths, URLs and Canonicalization

Agenda Web application security AuthenticationAuthorization Input validation Data access Auditing and logging

Data Access Guidelines Use Windows authentication to the database If you use SQL authentication Use strong passwords Protect credentials over the network Protect credentials in configuration files Use least privileged accounts for data access Restrict the account in the database Use type-safe SQL parameters and not dynamic queries

Configuration File Encryption

Agenda Web application security AuthenticationAuthorization Input validation Data access Auditing and logging

Auditing and Logging Guidelines Use health monitoring to log and audit events Instrument for user management events Instrument for unusual activity Instrument for significant business operations Consider using an application-specific event source Protect audit and log files

ASP.NET 2.0 Health Monitoring

More Information patterns & practices guidelines, practices, How Tos Security Engineering Threat Modelling Highway Code Handbook Mail me with questions

© 2004 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Security Engineering Lifecycle Integration Requirements and Analysis Functional Requirements Non-Functional Requirements Technology Requirements Security Objectives Planning Architecture and Design Design Guidelines Architecture and Design Review Security Design Guidelines Threat Modeling Security Arch and Design Review Development Unit Test Code Review Daily Builds Security Code Review Testing Integration Testing System Testing Security Testing Deployment Deployment Review Security Deployment Review Maintenance Core Security

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.