
1 Joe Stagner, Developer Community Champion, Microsoft Corporation
JoeStag@Microsoft.com / www.ManagedCode.com
Best Practices and Techniques for Building Secure Microsoft® ASP.NET Applications

2 So Why This Presentation?
- Web application security is more important than ever
- Ensure that security is a consideration in application design
- Creating secure Web applications is a series of complex tasks
- Promote best techniques for security
- Let developers know about new resources available
  - msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp

3 What We Will Cover
- Why Web application security?
- Planning for Web application security
- Authentication and authorization strategies
- Using the ASP.NET process identity
- Secure communication
- Securing secrets and state information

4 Session Prerequisites (Level 200)
- Familiarity with Microsoft® Windows® management tools
- Familiarity with the IIS Management Console
- C# and ASP.NET coding experience
- Familiarity with Microsoft® Visual Studio® .NET
- Basic understanding of Web application security issues

5 Demonstrations
- Configuring IIS for SSL
- Configuring ASP.NET security
- Using forms authentication with Microsoft® SQL Server™
- Creating a GenericPrincipal object for roles-based authorization

6 Before We Start ! SSL IS NOT WEB APPLICATION SECURITY

7 Required Reading

8 Secure Development

9 Agenda
- Planning for ASP.NET application security
- Configuring security
- Programming security
- Securing secrets
- ASP.NET process identity
- Impersonation
- Accessing resources
- Securing state information
- Web farm considerations
- Securing all tiers

10 Planning for ASP.NET Web Application Security: Authentication and Authorization
- Authentication / authorization request flow

11 Planning for ASP.NET Web Application Security: Authentication and Authorization
- Identify resources exposed to the client
- Identify resources the application itself needs
- Choose an authorization strategy
  - Role-based
  - Resource-based

12 Planning for ASP.NET Web Application Security: Authentication and Authorization
- Choose the identities used to access resources
  - ASP.NET process identity (default)
  - Custom identity
  - Original caller
  - Fixed identity
- Decide on identity flow
  - To the application
  - To the operating system

13 Planning for ASP.NET Web Application Security: Authentication and Authorization
- Choosing an authentication approach
  - Internet scenarios (decision flow from the slide's diagram): Start; users don't have Windows accounts or certificates; is it an interactive Web app?
    - Yes (Web app): use Passport or Forms Authentication
    - No (Web service): use GXA WS-Security authentication

14 Planning for ASP.NET Web Application Security: Authentication and Authorization
- Choosing an authentication approach (continued)

15 Planning for ASP.NET Web Application Security: Secure Communication Strategies
- From client to Web server
- From Web server to database and application servers

16 Planning for ASP.NET Web Application Security: Threat Modeling
- An iterative process

17 Planning for ASP.NET Web Application Security: Specific Threats
- Common attacks against Web applications

18 Planning for ASP.NET Web Application Security: Specific Threats
- SQL injection attacks
  - Input alters an existing query or appends a new one
  - Use parameterized queries or stored procedures with parameters; never build SQL text from input
- Cross-site scripting
  - Malicious script is sent to the application as input and echoed back into other users' browsers
  - Frequently the first step of a cookie replay attack (the script reads the session or authentication cookie and sends it to the attacker)
  - Server-side input validation
  - Encode all output that includes input, using the encoder for the context it is written into (HTML body, attribute, URL)
- Buffer overflows
  - Unmanaged code called from the application can be made to execute arbitrary code
  - Server-side input validation (check length and shape before input reaches unmanaged code)
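
The SQL injection and cross-site scripting cases from this slide, as an added example that is not part of the deck or its demo code. The `Users` table, the `UserDb` appSettings key and the method names are assumptions made for the example; the vulnerable and hardened forms sit side by side.

```csharp
// Added example (not from the deck). Assumes a hypothetical Users(UserName, Email)
// table and an appSettings key "UserDb" holding the connection string.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

public class ThreatExamples
{
    static readonly string ConnStr = ConfigurationSettings.AppSettings["UserDb"];

    // VULNERABLE: the caller's string becomes part of the SQL text.
    // Input  x' OR '1'='1   makes the WHERE clause true for every row;
    // input  x'; DROP TABLE Users--   appends a second statement.
    public static DataTable FindUserUnsafe(string userName)
    {
        string sql = "SELECT UserName, Email FROM Users WHERE UserName = '" + userName + "'";
        using (SqlConnection cn = new SqlConnection(ConnStr))
        using (SqlDataAdapter da = new SqlDataAdapter(sql, cn))
        {
            DataTable dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    // HARDENED: validate the shape first, then pass the value as a typed parameter.
    // The same two inputs are now compared literally against UserName and match nothing.
    static readonly Regex UserNameShape = new Regex(@"^[A-Za-z0-9_.\-]{1,64}$");

    public static DataTable FindUserSafe(string userName)
    {
        if (userName == null || !UserNameShape.IsMatch(userName))
            throw new ArgumentException("user name has an unexpected shape");

        using (SqlConnection cn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(
                   "SELECT UserName, Email FROM Users WHERE UserName = @name", cn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value = userName;
            using (SqlDataAdapter da = new SqlDataAdapter(cmd))
            {
                DataTable dt = new DataTable();
                da.Fill(dt);
                return dt;
            }
        }
    }

    // VULNERABLE: input echoed raw into HTML. A display name containing
    // <script>...document.cookie...</script> runs in every viewer's browser, which is
    // how the cookie replay the slide mentions usually starts.
    public static string GreetingUnsafe(string displayName)
    {
        return "<p>Welcome, " + displayName + "</p>";
    }

    // HARDENED: HtmlEncode turns < > & " into entities, so the browser shows the
    // text instead of parsing it as markup.
    public static string GreetingSafe(string displayName)
    {
        return "<p>Welcome, " + HttpUtility.HtmlEncode(displayName) + "</p>";
    }

    // A value that lands inside a URL needs the URL encoder, not the HTML encoder;
    // each output context has its own rules.
    public static string ReturnLinkSafe(string returnUrl)
    {
        return "<a href=\"/app/default.aspx?returnurl="
             + HttpUtility.UrlEncode(returnUrl) + "\">continue</a>";
    }
}
```

The regular expression is a whitelist on the shape of the name; it is a defence in depth on top of the parameter, not a substitute for it, since the parameter alone already keeps the value out of the SQL text.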

20 Configuring Security IIS to Secure Communication

21 Configuring Web Application Security: Configure IIS Settings
- Optionally install a Web server certificate for SSL
- Configure IIS authentication
- Optionally configure client certificate mapping
- Set NTFS permissions on files and folders

22 Demo 1: Configure IIS for SSL
- Set up the SecurityDemo Web site
- Create a certificate request
- Configure IIS for SSL and certificates

23 Configuring Web Application Security: ASP.NET Settings in Web.config
- Configure the authentication mode (<authentication mode="...">)
- Configure impersonation (<identity impersonate="...">)
- Configure authorization (<authorization> ... </authorization>; <allow> and <deny> rules are evaluated top to bottom and the first match wins)

24 Demo 2: Configure ASP.NET for Forms Authentication
- Create a Web application in Visual Studio
- Edit the application's Web.config file

26 Programming ASP.NET Security: Basic Authorization Pattern
- Retrieve credentials
- Validate credentials
- Put users in roles
- Create an IPrincipal object
- Put the IPrincipal object into the current HttpContext
- Authorize based on user identity/role

28 Storing Secrets: Secret Examples
- Database connection strings
- Credentials for SQL roles
- Fixed identities in Web.config
- Process identity in Machine.config
- Keys used to store data securely
- SQL Server session state connection string
- Passwords used for forms authentication against a database

29 Storing Secrets: Storage Methods and Tips
- Install Web application directories on a separate logical volume from the OS
- Secret storage methods for ASP.NET apps
  - Data Protection API (DPAPI)
  - COM+ constructor strings
  - .NET cryptography classes
  - CAPICOM
  - Crypto API
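
Protecting a connection string with DPAPI, the first storage method on the slide, as an added example that is not part of the deck. It uses System.Security.Cryptography.ProtectedData, the managed wrapper over the CryptProtectData API that arrived in .NET 2.0 (on .NET 1.1 the same two calls are reached through P/Invoke to crypt32.dll). The blob path, the entropy value and the connection string are constructed for the example.

```csharp
// Added example (not from the deck). Windows only: DPAPI keys live with the
// machine or the user profile, which is what ties the blob to this server.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class SecretStore
{
    // Optional entropy is a second factor: any code running as the same account
    // (CurrentUser) or on the same box (LocalMachine) can call Unprotect, but it also
    // needs this value. Keep it out of the file that holds the blob. Constructed value.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("SecurityDemo-entropy-v1");

    // Scope is the point the "Web Farm Considerations" slide makes: CurrentUser ties the
    // blob to the ASP.NET process account's profile (which must be loaded); LocalMachine
    // ties it to this server, so a blob written on one farm node is unreadable on another
    // and the protect step must be run on every node.
    public static void Protect(string secret, string blobPath, DataProtectionScope scope)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        byte[] cipher = ProtectedData.Protect(plain, Entropy, scope);
        Array.Clear(plain, 0, plain.Length);      // do not leave the plaintext in the heap
        File.WriteAllBytes(blobPath, cipher);     // ACL this file to the process account
    }

    public static string Unprotect(string blobPath, DataProtectionScope scope)
    {
        byte[] cipher = File.ReadAllBytes(blobPath);
        byte[] plain = ProtectedData.Unprotect(cipher, Entropy, scope);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    // Typical use: an installer runs Protect() once per server; the application calls
    // Unprotect() at startup and holds the result only as long as it needs it.
    public static void Main()
    {
        string blob = Path.Combine(Path.GetTempPath(), "statedb.bin");
        Protect("server=127.0.0.1;database=ASPState;Integrated Security=SSPI;",
                blob, DataProtectionScope.LocalMachine);
        string cs = Unprotect(blob, DataProtectionScope.LocalMachine);
        Console.WriteLine(cs.StartsWith("server=") ? "round trip ok" : "round trip failed");
        File.Delete(blob);
    }
}
```

With the machine scope, anyone who can run code on that server can call Unprotect; the NTFS ACL on the blob and the entropy are what keep the secret from other accounts on the same box.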

30 Demonstration 3: Create a Logon Page and Validate Against Credentials
- Create a logon page
- Create a user accounts database
- Register the user store connection string
- Store account details in the database
- Authenticate a user

31 Demonstration 4: Generate an Authentication Ticket and Create a GenericPrincipal Object
- Create a GetRoles method
- Create a forms authentication ticket
- Create GenericPrincipal and FormsIdentity objects
- Check the logged-in user and their roles
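
The Basic Authorization Pattern from slide 26 and Demonstrations 3 and 4 carried through in one place, as an added example rather than the deck's own demo code. The user store is a constructed in-memory table standing in for the SQL Server table the demo builds; the user row, the `Manager`/`Employee` roles and the helper names are assumptions.

```csharp
// Added example (not from the deck). Login page and Global.asax wiring are described
// in the comments; the sample user is constructed.
using System;
using System.Collections;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;

public class UserStore
{
    // UserName -> { salt, SHA-256(salt + password), roles }. Only the hash is stored.
    // A real store keeps this in SQL Server and, on .NET 2.0 and later, derives the hash
    // with Rfc2898DeriveBytes (PBKDF2) and many iterations rather than one SHA-256 pass.
    static readonly Hashtable Rows = new Hashtable();

    static UserStore()
    {
        AddUser("alice", "correct horse battery staple", new string[] { "Manager", "Employee" });
    }

    static void AddUser(string name, string password, string[] roles)
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        Rows[name] = new object[] { salt, Hash(salt, password), roles };
    }

    static byte[] Hash(byte[] salt, string password)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] buf = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, buf, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, buf, salt.Length, pwd.Length);
        return new SHA256Managed().ComputeHash(buf);
    }

    // Compare every byte so the time taken does not reveal how many leading bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Pattern steps 1-3: retrieve and validate credentials, look up roles (the demo's GetRoles).
    // Returns null for an unknown user and for a wrong password alike.
    public static string[] Validate(string userName, string password)
    {
        object[] row = (object[])Rows[userName];
        if (row == null) return null;
        byte[] expected = (byte[])row[1];
        return FixedTimeEquals(expected, Hash((byte[])row[0], password)) ? (string[])row[2] : null;
    }
}

public class FormsAuthHelper
{
    // Steps 4-5 at login. Roles ride in the ticket's UserData, which FormsAuthentication.Encrypt
    // signs and encrypts with the <machineKey> settings, so later requests need no database hit.
    // Login page: string[] roles = UserStore.Validate(user, pwd); if (roles != null) IssueTicket(Response, user, roles);
    public static void IssueTicket(HttpResponse response, string userName, string[] roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(20),
            false,                                   // not persistent: gone when the browser closes
            String.Join("|", roles), FormsAuthentication.FormsCookiePath);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.Secure = true;                        // the ticket only ever travels over SSL
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
    }

    // Step 5 on every later request. Global.asax:
    //   protected void Application_AuthenticateRequest(object s, EventArgs e)
    //   { FormsAuthHelper.AttachRoles(HttpContext.Current); }
    // FormsAuthenticationModule has already rejected tampered or expired tickets and attached a
    // FormsIdentity; this swaps the role-less principal for one that carries the roles.
    public static void AttachRoles(HttpContext ctx)
    {
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;
        FormsIdentity id = ctx.User.Identity as FormsIdentity;
        if (id == null) return;
        string[] roles = id.Ticket.UserData.Length == 0
            ? new string[0] : id.Ticket.UserData.Split('|');
        ctx.User = new GenericPrincipal(id, roles);
    }

    // Step 6: authorize on the principal, never on a query-string flag or hidden field.
    public static bool CanApprove(HttpContext ctx)
    {
        return ctx.User != null && ctx.User.IsInRole("Manager");
    }
}
```

Because the roles are embedded in the ticket, a user whose roles are revoked keeps the old ones until the ticket expires; keep the timeout short or re-read roles from the store when that matters.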

33 ASP.NET Process Identity: Guidelines
- Configured in the <processModel> element of Machine.config
- Always run ASP.NET as a least-privileged account
- Never run ASP.NET as SYSTEM
- Using the default ASPNET account to access remote resources
  - Create duplicate accounts (same name and password) on the remote computers, or
  - Use a least-privileged domain account

35 Impersonation: Flowing Client Identity
- Inherent performance issues
- Consider instead:
  - URL or file authorization with role-based checks
  - Efficient management of gatekeepers and trust boundaries

36 Impersonation: Flowing Client Identity
- Four reasons to use impersonation
  - Audit at the OS level
  - Flow the original caller to access resources
  - Use a fixed identity
  - Preserve the default behavior of a ported classic ASP application
- For local resources
  - Create an ACE granting the user read access
  - Better to avoid impersonation and use URL or file authorization with role-based checks
- For remote resources
  - The caller's token must be usable on the second hop: basic, forms or Kerberos authentication (an NTLM token cannot be delegated to another server)
- Threading consideration
  - Child threads do not inherit the impersonated token; they run under the ASP.NET process account's security context
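
The threading caveat on this slide made visible, as an added example that is not part of the deck. It assumes a page running under Windows authentication with `<identity impersonate="true"/>`, so that `User.Identity` is a WindowsIdentity; the class and method names are the example's own.

```csharp
// Added example (not from the deck). Requires Windows authentication and
// <identity impersonate="true"/>; written against .NET 1.x language features.
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.UI;

// Reports the Windows identity seen on a thread-pool thread, optionally after
// impersonating a caller's token on that thread.
class IdentityProbe
{
    readonly WindowsIdentity toImpersonate;   // null: leave the thread's default identity
    readonly ManualResetEvent done = new ManualResetEvent(false);
    string name;

    public IdentityProbe(WindowsIdentity toImpersonate) { this.toImpersonate = toImpersonate; }

    public string Run()
    {
        ThreadPool.QueueUserWorkItem(new WaitCallback(Work));
        done.WaitOne();
        return name;
    }

    void Work(object state)
    {
        WindowsImpersonationContext ctx = null;
        try
        {
            if (toImpersonate != null) ctx = toImpersonate.Impersonate();
            name = WindowsIdentity.GetCurrent().Name;
        }
        finally
        {
            // Always revert before the pool hands this thread to another request.
            if (ctx != null) ctx.Undo();
            done.Set();
        }
    }
}

public class WhoAmIPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Request thread: the impersonated caller, e.g. DOMAIN\alice.
        string requestThread = WindowsIdentity.GetCurrent().Name;

        // Worker thread with nothing special done: the ASP.NET process account
        // (ASPNET on IIS 5, NETWORK SERVICE on IIS 6). Any file, registry or network
        // access made there is checked against that account, not the caller.
        string workerDefault = new IdentityProbe(null).Run();

        // Worker thread with the caller's token applied on purpose.
        WindowsIdentity caller = (WindowsIdentity)User.Identity;
        string workerFlowed = new IdentityProbe(caller).Run();

        Response.ContentType = "text/plain";
        Response.Write("request thread:         " + requestThread + "\n");
        Response.Write("worker thread:          " + workerDefault + "\n");
        Response.Write("worker thread (flowed): " + workerFlowed + "\n");
    }
}
```

The first two lines of output differ, which is the whole point: code that assumes a background thread acts as the caller is either silently running with more privilege than intended (the process account) or failing an ACL check it expected to pass.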

38 Accessing Resources: System Resources and COM Objects
- Creating event sources
  - At install time with a .NET installer class (the least-privileged process account lacks the registry rights to create them at run time)
  - Grant permissions to the account on the registry hive HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
- For any registry key, grant the account at least read access
- Apartment model COM objects
  - Mark the page with AspCompat="true" so it runs on an STA thread
  - Create COM objects in page event handlers, not in the page constructor or field initializers

39 Accessing Resources: Network Resources
- ASP.NET process identity
- Anonymous Internet user account
  - Use impersonation to flow the anonymous account across trust boundaries
  - Can be applied to hosting scenarios

40 Accessing Resources: Network Resources
- Original caller using delegation
  - Windows authentication using Kerberos
  - Windows authentication using client certificates
- Out-of-process (OOP) serviced component

42 Securing State Information: View State
- Configure the validation attribute of the <machineKey> element in Machine.config (SHA1, MD5 or 3DES)
- Enable message authentication code (MAC) checks for pages that use view state (<pages enableViewStateMac="true"> in configuration, or EnableViewStateMac="true" in the @ Page directive); without the MAC a client can edit the view state it posts back

43 Securing State Information: SQL Session State
- Secure the connection string using Windows authentication
  - Create a duplicate account on the database server
  - Change the connection string in the <sessionState> element
  - sqlConnectionString="server=127.0.0.1;database=State Database;Integrated Security=SSPI;"
- Use IPSec or SSL to protect network traffic between the Web server and the SQL state database server

45 Web Farm Considerations: Security Implications
- Must use remote, out-of-process session state
- For DPAPI, consider user vs. machine store (a machine-store blob can only be read on the server that created it)
- For forms authentication, the <machineKey> settings must be identical on every computer in the farm (AutoGenerate gives each server its own keys, so a ticket issued on one node fails validation on the next)
  - validationKey attribute
  - decryptionKey attribute
  - validation attribute should be SHA1
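
A small audit of the Web.config settings that slides 23, 42, 43 and 45 call out, as an added example that is not part of the deck. The element and attribute names are the real ASP.NET 1.1 ones; the sample configuration is constructed to show the weak settings beside what the slides recommend, and the finding texts and class name are the example's own.

```csharp
// Added example (not from the deck). Audits a configuration document in memory;
// on a server, replace LoadXml(SampleConfig) with doc.Load(pathToWebConfig).
using System;
using System.Collections;
using System.Xml;

public class ConfigAudit
{
    // Constructed sample: every setting below violates a slide's advice.
    const string SampleConfig = @"<?xml version='1.0'?>
<configuration>
  <system.web>
    <authentication mode='Forms'>
      <forms name='.SECDEMO' loginUrl='login.aspx' protection='Validation' timeout='20' path='/' />
    </authentication>
    <authorization>
      <allow users='*' />
      <deny users='?' />
    </authorization>
    <identity impersonate='true' userName='fixedsvc' password='P@ssw0rd' />
    <machineKey validationKey='AutoGenerate' decryptionKey='AutoGenerate' validation='MD5' />
    <pages enableViewStateMac='false' />
    <sessionState mode='SQLServer'
                  sqlConnectionString='server=127.0.0.1;database=ASPState;uid=sa;pwd=sa' />
  </system.web>
</configuration>";

    public static ArrayList Audit(string xml)
    {
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(xml);
        XmlNode web = doc.SelectSingleNode("/configuration/system.web");
        ArrayList findings = new ArrayList();

        // Forms ticket: signed and encrypted, not just one of the two.
        string protection = Attr(web, "authentication/forms", "protection");
        if (protection != null && protection != "All")
            findings.Add("forms protection='" + protection + "': use 'All' so tickets are both signed and encrypted");

        // Rules are evaluated top to bottom; <allow users='*'/> first means the deny never runs.
        XmlNode first = web.SelectSingleNode("authorization/*[1]");
        if (first != null && !(first.Name == "deny" && Attr(web, "authorization/*[1]", "users") == "?"))
            findings.Add("authorization: put <deny users='?'/> before <allow users='*'/> when the app requires login");

        // Fixed identity: a plaintext password in Web.config is a secret on disk (slide 28).
        if (Attr(web, "identity", "password") != null)
            findings.Add("identity: plaintext password in config; store it with DPAPI instead");

        // Web farm: AutoGenerate gives each server different keys; set the same explicit value everywhere.
        foreach (string key in new string[] { "validationKey", "decryptionKey" })
        {
            string v = Attr(web, "machineKey", key);
            if (v == null || v.StartsWith("AutoGenerate"))
                findings.Add("machineKey " + key + ": set an explicit value shared by every server in the farm");
        }
        string validation = Attr(web, "machineKey", "validation");
        if (validation != null && validation != "SHA1")
            findings.Add("machineKey validation='" + validation + "': the slides call for SHA1");

        // View state without a MAC can be edited by the client before postback.
        if (Attr(web, "pages", "enableViewStateMac") == "false")
            findings.Add("pages enableViewStateMac='false': enable MAC checks on view state");

        // SQL session state: Windows authentication, no SQL login in the string.
        string cs = Attr(web, "sessionState", "sqlConnectionString");
        if (cs != null)
        {
            string lower = cs.ToLower();
            if (lower.IndexOf("uid=") >= 0 || lower.IndexOf("pwd=") >= 0 || lower.IndexOf("password=") >= 0)
                findings.Add("sessionState: use Integrated Security=SSPI rather than a SQL login in the connection string");
        }
        return findings;
    }

    static string Attr(XmlNode scope, string xpath, string name)
    {
        XmlNode n = scope.SelectSingleNode(xpath);
        if (n == null || n.Attributes[name] == null) return null;
        return n.Attributes[name].Value;
    }

    public static void Main()
    {
        foreach (string f in Audit(SampleConfig)) Console.WriteLine("- " + f);
    }
}
```

Against the constructed sample every check fires, which gives seven findings; against a configuration that follows the slides the list is empty. Machine.config holds the same elements as defaults, so run the audit over both files and remember that Web.config settings override Machine.config ones.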

47 Securing All Tiers: From Code to Network
- Follow published guidelines to:
  - Use CAS with ASP.NET
  - Build secure pages and controls
  - Build secure components
  - Build secure Web services
  - Build secure data access
  - Secure the network
  - Secure the Web server
  - Secure the database server
  - Secure the application server
- Read
  - Improving Web Application Security: Threats and Countermeasures
  - Building Secure ASP.NET Applications

48 Session Summary
- Planning for security is part of designing a Web application
- Threat modeling can help your team focus resources on security
- Creating a secure Web application is demanding; Microsoft provides resources to help you

49 For More Information...
- MSDN Web site: msdn.microsoft.com
- ASP.NET Web site: www.asp.net
- GotDotNet Web site: www.gotdotnet.com
- TechNet Security home page: www.microsoft.com/technet/security
- Microsoft Security and Privacy home page: www.microsoft.com/security/

50 For More Information...
- .NET Security home page: msdn.microsoft.com/net/security
- Microsoft Training and Certification in Security: www.microsoft.com/traincert/centers/security.asp
- Improving Web Application Security: Threats and Countermeasures: msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp
- Building Secure ASP.NET Applications: msdn.microsoft.com/library/en-us/dnnetsec/html/secnetlpMSDN.asp

51 Training: Training Resources for Developers
- Course Title:
  - Course Number:
  - Availability:
  - Detailed Syllabus: www.microsoft.com/traincert
- To locate a training provider for this course, please access www.microsoft.com/traincert
- Microsoft Certified Technical Education Centers are Microsoft's premier partners for training services

52 Training and Events
- MSDN Webcasts, MSDN Online Seminars, Tech·Ed, PDC, Developer Days
MSDN Essential Resources for Developers
- Subscription Services: Library, OS, Professional, Enterprise, Universal; delivered via CD-ROM, DVD, Web
- Online Information: MSDN Online, MSDN Flash, How-to Resources, Download Center
- Membership Programs: MSDN User Groups
- Print Publications: MSDN Magazine, MSDN News

53 How-to Resources: Simple, Step-by-Step Procedures
- Embedded development How-to resources
- General How-to resources
- Integration How-to resources
- Microsoft® JScript® .NET How-to resources
- Microsoft .NET development How-to resources
- Office development resources
- Security How-to resources
- Microsoft® Visual Basic® .NET How-to resources
- Microsoft® Visual C#® .NET How-to resources
- Microsoft Visual Studio .NET How-to resources
- Web development How-to resources (ASP, IIS, XML)
- Web services How-to resources
- Windows development How-to resources
http://msdn.microsoft.com/howto

54 MSDN Webcasts: Interactive, Live Online Events
- Interactive, synchronous, live online events
- Discuss the hottest topics from Microsoft
- Open and free for the general public
- Take place every Tuesday
http://www.microsoft.com/usa/webcasts

55 MSDN Subscriptions: The Way to Get Visual Studio .NET
- MSDN Professional: $1199 new, $899 renewal/upgrade. Tools to build applications and XML Web services for Windows and the Web
- MSDN Enterprise: $2199 new, $1599 renewal/upgrade. Enterprise Developer: enterprise lifecycle tools, team development support, Windows Server 2003 and SQL Server™
- MSDN Universal: $2799 new, $2299 renewal/upgrade. Enterprise Architect: software and data modeling, enterprise templates, architectural guidance

56 Where Can I Get MSDN?
- Visit MSDN Online at msdn.microsoft.com
- Register for the MSDN Flash e-mail newsletter at msdn.microsoft.com/flash
- Become an MSDN CD subscriber at msdn.microsoft.com/subscriptions
- MSDN online seminars: msdn.microsoft.com/training/seminars
- Attend more MSDN events

57 Microsoft Press®: Essential Resources for Developers
Microsoft Visual Studio .NET is here! This is your chance to start building the next big thing. Develop your .NET skills and increase your productivity with .NET books from Microsoft Press: www.microsoft.com/mspress

58 Become a Microsoft Certified Solution Developer
- What is MCSD?
  - Premium certification for professionals who design and develop custom business solutions
- How do I attain MCSD certification?
  - Certification requires passing four exams to prove competency with Microsoft solution architecture, desktop applications, distributed application development, and development tools
- Where do I get more information?
  - For more information about certification requirements, exams, and training options, visit www.microsoft.com/mcp

59 Get this Presentation www.ManagedCode.com

60 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. Microsoft, MSDN, Visual Basic, Windows, Windows NT, JScript, Visual Studio, Visual C#, Active Directory, Win32, and Microsoft Press are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

