Sagar Joshi Senior Security Consultant | ACE Team, Microsoft Information Security

Agenda: Authentication; Authorization; Sensitive data protection; Input validation; Cryptography; Auditing and logging.

SDL-IT across the SDLC (diagram text). Envision: Application Entry / Risk Assessment. Design: Threat Model / Design Review. Develop / Purchase: Security Review. Test, Release / Sustainment: Security Deployment Review (Creation, Assimilation, Signoff). The process is iterative: Define, Model, Measure, Validate, Optimize.

Holistic Approach to security


Methods of authentication: Basic; Digest; Integrated (Kerberos v5, NTLM); ASP.NET Forms authentication; digital signatures and digital certificates; smart cards; biometrics.

Authentication techniques in ASP.NET: Windows authentication; Forms authentication.

Authentication: MembershipProvider. Provides a consistent, simple API for user storage and management and makes Forms authentication easy to implement. Providers: ActiveDirectoryMembershipProvider, SqlMembershipProvider. Creating the SQL Server membership schema: aspnet_regsql -S (local) -E -A m. -S specifies the server, (local) in this example; -E uses Windows authentication to connect to SQL Server; -A m adds only the membership feature. For simple authentication against a SQL Server user store, only the membership feature is required.

Authentication and Membership Provider and Discovering the client identity
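The login flow the slides describe, as an added example that is not code from the original deck: a Web Forms code-behind that validates credentials through the configured MembershipProvider and only then issues a forms-authentication ticket. The class name LoginPage, the control names (UserName, Password, RememberMe, ErrorLabel) and the web.config fragment in the comment are assumptions.

```csharp
// Added example (not from the original deck). Assumed web.config:
//   <authentication mode="Forms">
//     <forms loginUrl="~/Login.aspx" requireSSL="true" slidingExpiration="false" timeout="20" />
//   </authentication>
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class LoginPage : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Client-side validators are a usability aid; only the server-side check counts.
        if (!Page.IsValid)
        {
            return;
        }

        string userName = UserName.Text.Trim();
        string password = Password.Text;   // never logged, never echoed back

        // Membership.ValidateUser delegates to the default provider (SqlMembershipProvider
        // or ActiveDirectoryMembershipProvider). SqlMembershipProvider also enforces the
        // maxInvalidPasswordAttempts lockout configured for it.
        if (!Membership.ValidateUser(userName, password))
        {
            // One generic message: do not reveal whether the account exists or is locked out.
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // Honour ReturnUrl only when it is a same-site path; otherwise the login page
        // becomes an open redirector that phishing mails can point at.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (!IsLocalPath(returnUrl))
        {
            returnUrl = FormsAuthentication.DefaultUrl;
        }

        // Writes the .ASPXAUTH ticket cookie (HttpOnly; Secure when requireSSL="true").
        FormsAuthentication.SetAuthCookie(userName, RememberMe.Checked);
        Response.Redirect(returnUrl);
    }

    // Accepts "/orders/42"; rejects "", "http://evil.example", "//evil.example" and "/\evil".
    internal static bool IsLocalPath(string url)
    {
        return !string.IsNullOrEmpty(url)
            && url[0] == '/'
            && !(url.Length > 1 && (url[1] == '/' || url[1] == '\\'));
    }
}
```

The two checks around ValidateUser are the ones most often missing from sample login pages: a single failure message regardless of cause, and a ReturnUrl filter so the authenticated redirect cannot leave the site.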


Authorization. What is authorization? URL authorization: selectively deny or allow access to specific files or folders (the <authorization> section in web.config). File authorization: applies to file types handled by ASP.NET such as .aspx or .asmx; the access check is made against the file's ACL using the user's Windows token, so it only applies with Windows authentication. Role-based authorization.

RBAC: the Role Manager provides simple APIs for role authorization and role management. Providers: WindowsTokenRoleProvider, AuthorizationStoreRoleProvider (AzMan), SqlRoleProvider.

SQL Role Provider

URL Authorization

Imperative authorization. Example of an imperative check: if (Thread.CurrentPrincipal.IsInRole("Administrators")) { // Authorized }

Imperative authorization. Example of an imperative check using the ASP.NET role provider (Role Manager API): if (Roles.IsUserInRole("Administrators")) { // Authorized }

Declarative authorization: PrincipalPermission. Example: [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")] public double Add(double a, double b) { return a + b; }
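Both styles side by side, as an added example that is not code from the original deck. The declarative demand covers a pure role decision; the imperative check covers the case a role alone cannot express, namely that a user may read only the orders they own. The Order type, the in-memory OrderService and the role name "Administrators" are hypothetical; in ASP.NET, Thread.CurrentPrincipal is the RolePrincipal attached by Role Manager when <roleManager enabled="true"/> is set, and the Main method below only stands in for that by assigning a GenericPrincipal.

```csharp
// Added example (not from the original deck).
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public class Order
{
    public int Id;
    public string OwnerName;
    public decimal Amount;
}

public class OrderService
{
    // In-memory data standing in for the database (constructed sample rows).
    private readonly Dictionary<int, Order> _orders = new Dictionary<int, Order>
    {
        { 42, new Order { Id = 42, OwnerName = "alice", Amount = 120.00m } },
        { 43, new Order { Id = 43, OwnerName = "bob",   Amount = 85.50m } },
    };

    // Declarative: the runtime checks Thread.CurrentPrincipal before the body runs and
    // throws SecurityException when the role is missing. No code path can forget the check.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public void VoidOrder(int orderId)
    {
        _orders.Remove(orderId);
    }

    // Imperative: the decision depends on data (who owns the order), so it is made inline.
    public Order GetOrder(int orderId)
    {
        Order order;
        if (!_orders.TryGetValue(orderId, out order))
        {
            throw new KeyNotFoundException("No order " + orderId);
        }

        IPrincipal caller = Thread.CurrentPrincipal;
        // Inside ASP.NET, Roles.IsUserInRole("Administrators") asks the role provider
        // for the same answer; IPrincipal.IsInRole works on any principal.
        bool isAdmin = caller.IsInRole("Administrators");
        bool isOwner = string.Equals(order.OwnerName, caller.Identity.Name,
                                     StringComparison.OrdinalIgnoreCase);
        if (!isAdmin && !isOwner)
        {
            // Fail closed and say nothing about the order itself.
            throw new SecurityException("Not authorized for order " + orderId);
        }
        return order;
    }
}

public static class AuthorizationDemo
{
    public static void Main()
    {
        // Simulates a logged-in user "alice" who is not an administrator.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Users" });
        var service = new OrderService();

        Console.WriteLine(service.GetOrder(42).Amount);          // alice owns order 42
        try { service.GetOrder(43); }                            // bob's order
        catch (SecurityException ex) { Console.WriteLine(ex.Message); }
        try { service.VoidOrder(42); }                           // needs Administrators
        catch (SecurityException ex) { Console.WriteLine(ex.Message); }
    }
}
```

Note that PrincipalPermissionAttribute is a .NET Framework (CAS-era) mechanism; on .NET Core and later the equivalent is the [Authorize(Roles = "...")] filter, while the imperative ownership check carries over unchanged.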


How to encrypt the web.config: use aspnet_regiis with the RsaProtectedConfigurationProvider. If you want to deploy the same encrypted configuration file on multiple servers in a web farm, you should use the RsaProtectedConfigurationProvider: it lets you encrypt the data on one server and then export the RSA key container (including the private key) needed to decrypt it, for import on the other servers. The alternative, DataProtectionConfigurationProvider, uses Windows DPAPI and is bound to the machine it ran on, so a file it encrypted cannot be decrypted on another server.

Encrypting sections of configuration file
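The section-encryption step done programmatically, as an added example that is not code from the original deck; it performs what aspnet_regiis -pe and -pd do, and the trailing comment lists the command-line flow for a farm. The virtual path "/MyApp", the section names, the connection-string name "MainDb", the key container "MyAppKeys" and the provider/app-pool names are assumptions. The code must run on the web server under an account that can write web.config and use the RSA key container.

```csharp
// Added example (not from the original deck).
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtector
{
    // RSA: keys live in an exportable key container, so one encrypted web.config
    // decrypts on every node that has imported the container.
    public const string RsaProvider = "RsaProtectedConfigurationProvider";

    // DPAPI: bound to this machine (or user). A file encrypted with it cannot be
    // decrypted after being copied to another server.
    public const string DpapiProvider = "DataProtectionConfigurationProvider";

    public static void Protect(string appVirtualPath, string sectionName, string providerName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
        {
            throw new ArgumentException("Section not found: " + sectionName, "sectionName");
        }
        if (section.SectionInformation.IsProtected)
        {
            return;   // already encrypted; protecting it again is an error
        }
        section.SectionInformation.ProtectSection(providerName);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    public static void Unprotect(string appVirtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
        {
            return;
        }
        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Application code does not change: the framework decrypts transparently on read.
    public static string MainConnectionString()
    {
        return ConfigurationManager.ConnectionStrings["MainDb"].ConnectionString;
    }

    public static void Main()
    {
        Protect("/MyApp", "connectionStrings", RsaProvider);
        Protect("/MyApp", "appSettings", RsaProvider);
        Console.WriteLine(MainConnectionString().Length > 0 ? "readable" : "empty");
    }
}

// Web-farm key flow with the command-line tool, run from the .NET Framework directory:
//   aspnet_regiis -pc "MyAppKeys" -exp                      create an exportable RSA key container
//   (register a provider in <configProtectedData> with keyContainerName="MyAppKeys",
//    here called "MyAppRsaProvider", and use that name in -prov)
//   aspnet_regiis -pe "connectionStrings" -app "/MyApp" -prov "MyAppRsaProvider"
//   aspnet_regiis -px "MyAppKeys" keys.xml -pri             export the container WITH its private key
//   aspnet_regiis -pi "MyAppKeys" keys.xml                  import it on each remaining node
//   aspnet_regiis -pa "MyAppKeys" "IIS APPPOOL\MyAppPool"   grant the app-pool identity read access
// Delete keys.xml once imported: anyone holding it can decrypt the configuration.
```

The grant step (-pa) is the one that is usually forgotten: the file decrypts fine for the administrator who encrypted it, and the application then fails at runtime because its pool identity cannot open the key container.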


Input validation: protection against common attacks; whitelist vs blacklist; client side vs server side; RegEx validator controls.

Demo of Input validations using RegEx
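In place of the live demo, an added example that is not code from the original deck: whitelist patterns checked on the server with anchored expressions and a match timeout, next to a blacklist check that shows why blacklists fail. The field names and patterns are hypothetical. A RegularExpressionValidator on the page can reuse the same patterns for immediate feedback, with two caveats: its client-side (JavaScript) check does not understand \A and \z, so use ^ and $ in ValidationExpression, and it passes empty input, so pair it with a RequiredFieldValidator.

```csharp
// Added example (not from the original deck).
using System;
using System.Text.RegularExpressions;

public static class InputValidators
{
    // A bounded timeout (Regex constructor overload since .NET 4.5) turns a pattern
    // that backtracks catastrophically into an exception instead of a hung worker thread.
    private static readonly TimeSpan MatchTimeout = TimeSpan.FromMilliseconds(200);

    // \A ... \z anchor the entire input, so the class in between is a whitelist of
    // every character allowed. ($ alone also matches before a trailing "\n".)
    private static readonly Regex UserName =
        new Regex(@"\A[A-Za-z0-9._-]{3,32}\z", RegexOptions.None, MatchTimeout);

    private static readonly Regex UsZip =
        new Regex(@"\A[0-9]{5}(-[0-9]{4})?\z", RegexOptions.None, MatchTimeout);

    // Deliberately bad pattern, kept only to show what the timeout protects against:
    // nested quantifiers backtrack exponentially on input such as "aaaaaaaaaaaaaaaaaaaaaaaa!".
    private static readonly Regex Backtracker =
        new Regex(@"\A(a+)+\z", RegexOptions.None, MatchTimeout);

    public static bool IsValidUserName(string input) { return SafeIsMatch(UserName, input); }
    public static bool IsValidUsZip(string input) { return SafeIsMatch(UsZip, input); }
    public static bool BacktrackerMatches(string input) { return SafeIsMatch(Backtracker, input); }

    // Blacklist for comparison: it misses "<SCRIPT", "<scr<script>ipt" and event handlers.
    public static bool BlacklistAllows(string input)
    {
        return input != null && !input.Contains("<script");
    }

    private static bool SafeIsMatch(Regex pattern, string input)
    {
        if (input == null)
        {
            return false;   // absent is not the same as valid
        }
        try
        {
            return pattern.IsMatch(input);
        }
        catch (RegexMatchTimeoutException)
        {
            return false;   // fail closed: a timeout is treated as invalid input
        }
    }
}

public static class ValidationDemo
{
    public static void Main()
    {
        Console.WriteLine(InputValidators.IsValidUserName("alice.w"));
        Console.WriteLine(InputValidators.IsValidUserName("alice\n"));
        Console.WriteLine(InputValidators.IsValidUsZip("98052-6399"));
        Console.WriteLine(InputValidators.BlacklistAllows("<SCRIPT>alert(1)</SCRIPT>"));
        Console.WriteLine(InputValidators.BacktrackerMatches(new string('a', 40) + "!"));
    }
}
```

The whitelist accepts "alice.w" and rejects "alice\n", while the blacklist lets the upper-case script tag straight through; the last call returns false because the timeout fires long before the backtracking finishes.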


Cryptographic algorithms. Symmetric algorithms: use the same key for encryption and decryption; computationally cheaper; used to exchange or store information in secret. Asymmetric algorithms: use separate keys for encryption and decryption; computationally more expensive; normally used to negotiate a symmetric key. In both cases only one key has to be kept secret (the shared key, or the private key). Hashing algorithms.

.NET supported cryptographic algorithms. Symmetric: AES, DES (deprecated), 3DES, RC2 (deprecated), RijndaelManaged. Asymmetric: DSACryptoServiceProvider, RSACryptoServiceProvider, ECDiffieHellmanCng, ECDsaCng.

.NET supported hash algorithms: MD5 (128-bit hash value): collisions discovered, do not use. SHA1 (160-bit hash value): weakened, collision attacks known; avoid for new designs. SHA256 (256-bit hash value). SHA384 (384-bit hash value). SHA512 (512-bit hash value).
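Putting the symmetric and hash rows of these tables together, as an added example that is not code from the original deck: AES in CBC mode with a fresh random IV, and an HMAC-SHA256 tag over IV and ciphertext that is verified before anything is decrypted (encrypt-then-MAC). Aes.Create() returns AesCryptoServiceProvider on the .NET Framework, which is FIPS-validated, unlike RijndaelManaged. Where the two keys are stored is outside the example; the sample plaintext is constructed.

```csharp
// Added example (not from the original deck).
using System;
using System.Security.Cryptography;
using System.Text;

public static class AuthenticatedAes
{
    private const int IvLength = 16;    // AES block size
    private const int TagLength = 32;   // HMAC-SHA256 output size

    public static byte[] NewKey(int lengthInBytes)
    {
        var key = new byte[lengthInBytes];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(key);   // cryptographic RNG, never System.Random
        }
        return key;
    }

    // Output layout: IV (16) || ciphertext || HMAC-SHA256(IV || ciphertext) (32)
    public static byte[] Encrypt(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();   // new random IV per message; a fixed IV leaks equal prefixes

            byte[] cipher;
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            }

            var output = new byte[IvLength + cipher.Length + TagLength];
            Buffer.BlockCopy(aes.IV, 0, output, 0, IvLength);
            Buffer.BlockCopy(cipher, 0, output, IvLength, cipher.Length);
            using (var hmac = new HMACSHA256(macKey))
            {
                byte[] tag = hmac.ComputeHash(output, 0, IvLength + cipher.Length);
                Buffer.BlockCopy(tag, 0, output, IvLength + cipher.Length, TagLength);
            }
            return output;
        }
    }

    public static byte[] Decrypt(byte[] message, byte[] encKey, byte[] macKey)
    {
        // Shortest valid message: IV + one padded block + tag.
        if (message == null || message.Length < IvLength + 16 + TagLength)
        {
            throw new CryptographicException("Message too short.");
        }
        int bodyLength = message.Length - TagLength;
        byte[] expectedTag;
        using (var hmac = new HMACSHA256(macKey))
        {
            expectedTag = hmac.ComputeHash(message, 0, bodyLength);
        }
        // Verify first, in constant time; decrypting unauthenticated data is exactly
        // what a padding-oracle attack needs.
        if (!FixedTimeEquals(expectedTag, message, bodyLength))
        {
            throw new CryptographicException("Authentication tag mismatch.");
        }
        using (Aes aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            var iv = new byte[IvLength];
            Buffer.BlockCopy(message, 0, iv, 0, IvLength);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                return dec.TransformFinalBlock(message, IvLength, bodyLength - IvLength);
            }
        }
    }

    // Touches every byte regardless of where the first difference is.
    private static bool FixedTimeEquals(byte[] expected, byte[] buffer, int offset)
    {
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
        {
            diff |= expected[i] ^ buffer[offset + i];
        }
        return diff == 0;
    }

    public static void Main()
    {
        byte[] encKey = NewKey(32);   // AES-256
        byte[] macKey = NewKey(32);   // separate key for the MAC
        byte[] msg = Encrypt(Encoding.UTF8.GetBytes("order 42 approved"), encKey, macKey);
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(msg, encKey, macKey)));
        msg[IvLength] ^= 0x01;        // flip one ciphertext bit
        try { Decrypt(msg, encKey, macKey); }
        catch (CryptographicException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```

Two design points worth keeping even if the code is replaced by a library: encryption and MAC use different keys, and the MAC covers the IV, so an attacker cannot shift the first plaintext block by editing the IV.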


Auditing & logging: threats. Failure to spot the signs of intrusion. Inability to prove a user's actions. Difficulties in problem diagnosis.

Logging: keep a log trail of authentication attempts, both successful and failed. Keep a log trail of all accesses to assets, and log as close to the asset as possible (for example from the SQL Server stored procedure that performs the access). Sometimes a log trail is the only mitigation.

What you log: don't write sensitive information (passwords, for example) in logs. Identify the who, what, where and when: identity, action, component/service/object/method, timestamp. The Enterprise Library Logging Application Block provides the plumbing.
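The "who, what, where, when" entry as an added example that is not code from the original deck: a small audit helper that fills in the identity, client address and UTC timestamp itself, refuses to write any field whose name looks like a credential, and strips control characters so a user-supplied value cannot forge an extra log line. The TraceSource name "Audit", the sensitive-key list and the event ids are assumptions; a TraceSource can be routed to the event log or a file from <system.diagnostics> in web.config, or replaced by the Logging Application Block without changing the callers.

```csharp
// Added example (not from the original deck).
using System;
using System.Collections.Specialized;
using System.Diagnostics;
using System.Text;
using System.Web;

public static class AuditLog
{
    private static readonly TraceSource Source = new TraceSource("Audit", SourceLevels.Information);

    // Any key containing one of these is written as [redacted] (assumed list).
    private static readonly string[] SensitiveKeys =
        { "password", "pwd", "passwd", "secret", "token", "ssn", "cardnumber", "cvv" };

    // Returns the line that was written so callers and tests can inspect it.
    public static string Record(string action, string component, bool succeeded,
                                NameValueCollection details)
    {
        HttpContext ctx = HttpContext.Current;   // null outside a web request
        string who = "anonymous";
        string from = "n/a";
        if (ctx != null)
        {
            if (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            {
                who = ctx.User.Identity.Name;
            }
            from = ctx.Request.UserHostAddress;
        }

        var line = new StringBuilder();
        line.Append("when=").Append(DateTime.UtcNow.ToString("o"));   // ISO 8601, UTC
        line.Append(" who=").Append(Sanitize(who));
        line.Append(" from=").Append(Sanitize(from));
        line.Append(" what=").Append(Sanitize(action));
        line.Append(" where=").Append(Sanitize(component));
        line.Append(" outcome=").Append(succeeded ? "success" : "failure");

        if (details != null)
        {
            foreach (string key in details.AllKeys)
            {
                string value = IsSensitive(key) ? "[redacted]" : Sanitize(details[key]);
                line.Append(' ').Append(Sanitize(key)).Append('=').Append(value);
            }
        }

        string entry = line.ToString();
        // Failures go out as Warnings so a monitoring rule can alert on a burst of them
        // (many failed logins for one account, or from one address).
        Source.TraceEvent(succeeded ? TraceEventType.Information : TraceEventType.Warning,
                          succeeded ? 1000 : 1001, entry);
        Source.Flush();
        return entry;
    }

    private static bool IsSensitive(string key)
    {
        if (key == null)
        {
            return false;
        }
        string lowered = key.ToLowerInvariant();
        foreach (string s in SensitiveKeys)
        {
            if (lowered.Contains(s))
            {
                return true;
            }
        }
        return false;
    }

    // Replace CR, LF and other control characters so one field cannot become two lines.
    private static string Sanitize(string value)
    {
        if (string.IsNullOrEmpty(value))
        {
            return "-";
        }
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            sb.Append(char.IsControl(c) ? '_' : c);
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample: a failed login whose user name carries a forged second line.
        var details = new NameValueCollection { { "user", "alice\nwhen=2000-01-01 who=admin" }, { "password", "hunter2" } };
        Console.WriteLine(Record("Login", "LoginPage.LoginButton_Click", false, details));
    }
}
```

In the sample call the password never reaches the log and the embedded newline becomes an underscore, so the forged "who=admin" stays inside the user field where a reviewer can see it for what it is.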

Feedback / QnA Your Feedback is Important! Please take a few moments to fill out our online feedback form Use the Question Manager on LiveMeeting to ask your questions now!

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.