Securing Your ASP.NET Application. Presented by: Rob Bagby, Developer Evangelist, Microsoft

1 Securing Your ASP.NET Application
Presented by: Rob Bagby, Developer Evangelist, Microsoft
rob.bagby@microsoft.com (email)
http://www.robbagby.com (blog)

2 Session Agenda
- Security Overview / Basics
- ASP.NET Security Architecture
- Authentication
- Authorization
- Input Validation
- Database
- Sensitive Data

3 Security Overview
- Defense-in-depth security: the concept that many layers of security are better than one layer.

4 Threat Modeling
- Structured approach to:
  - Evaluate security threats
  - Identify countermeasures
- DREAD helps rate risk:
  - Damage potential
  - Reproducibility
  - Exploitability
  - Affected users
  - Discoverability
- More information in MSDN Patterns and Practices: http://msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp
- Threat Modeling Process:
  1. Identify Assets
  2. Create an Architectural Overview
  3. Decompose the Application
  4. Identify the Threats
  5. Document the Threats
  6. Rate the Threats

5 Session Agenda (next section: ASP.NET Security Architecture)

6 ASP.NET Architecture - Overview

7 ASP.NET Architecture - Gatekeepers
- Gatekeepers: the authorization points within an ASP.NET application, provided by IIS and ASP.NET.
- IIS:
  - Permits requests from users that it can authenticate (with anonymous access turned off)
  - Uses NTFS permissions to perform access control

8 ASP.NET Architecture - Gatekeepers
- ASP.NET has 2 gatekeepers:
- UrlAuthorizationModule
  - Configure elements in Web.config to control access
  - Based on IPrincipal (stored in HttpContext.User)
- FileAuthorizationModule
  - For file types mapped to the ASP.NET ISAPI extension
  - Access checks are done using the authenticated user's token
  - Could be the anonymous account

9

10 ASP.NET Architecture (Principal Permission Demands)
Declarative:
    [PrincipalPermission(SecurityAction.Demand, Role=@"DomainName\WindowsGroup")]
Imperative:
    PrincipalPermission permCheck = new PrincipalPermission(null, @"DomainName\WindowsGroup");
    permCheck.Demand();

11 Session Agenda (next section: Authentication)

12 Authentication
- The process by which a user is uniquely identified, given his/her credentials.
- Authentication options:
  - Windows w/ impersonation
  - Windows w/o impersonation
  - Forms
  - Passport

13 Authentication - Windows (Overview)
- Operating system authenticates the user
- Requires a valid Windows account
- Transparent access to resources
- WindowsIdentity:
    using System.Security.Principal;
    WindowsIdentity widentity = WindowsIdentity.GetCurrent();
    IIdentity iidentity = WindowsIdentity.GetCurrent();   // WindowsIdentity implements IIdentity

14 Authentication - Windows (w/ Impersonation)
- Configuration
- Advantages:
  - ACLs for resources accessed by your app
  - Flow the caller's identity to the middle tier
- Disadvantages:
  - Reduced scalability (database connection pooling)
  - Requires a Windows account for each user
  - Increased administration

15 Authentication - Windows (w/o Impersonation)
- Configuration (or no identity element)
- Advantages:
  - ACLs for client-requested resources
  - URL authorization
- Disadvantages:
  - Requires a Windows account for each user
  - Increased administration

16 Authentication - Forms
- Configuration
- Advantages:
  - No Windows accounts required
  - Firewall friendly
- Disadvantages:
  - You have to implement / write it yourself

17 Authentication - Passport
- Configuration
- Advantages:
  - Single sign-on
- Disadvantages:
  - Non-trivial to implement

18 Session Agenda (next section: Authorization)

19 Authorization
- The process by which the system validates that the authenticated user has access to resources or has privileges to perform certain operations.
- Options depend upon the authentication type:
  - Windows w/ impersonation
  - Windows w/o impersonation
  - Forms
  - Passport

20 Authorization - Windows (w/ Impersonation)
- Behaviors
- ACLs:
  - Client-requested resources: original caller's token
  - Resources accessed by the application: original caller's token
- URL authorization: original caller's group or user

21 Authorization - Windows (w/o Impersonation)
- Behaviors
- ACLs:
  - Client-requested resources: original caller's token
  - Resources accessed by the application: ASP.NET process identity
- URL authorization: original caller's group or user

22 Authorization - Forms
- Behaviors
- ACLs:
  - Client-requested resources: ACLs must allow read access to the anonymous Internet user account
  - File authorization not available
  - Resources accessed by the application: ASP.NET process identity
- URL authorization: determined by a custom data store. SQL example:

23 Authorization cont. (Role-Based)
.NET role-based options:
- Declarative demands with PrincipalPermissionAttribute (1 role):
    [PrincipalPermissionAttribute(SecurityAction.Demand, Role="MyRole")]
- Imperative demands using the PrincipalPermission object (multiple):
    public void MyMethod()
    {
        PrincipalPermission perm = new PrincipalPermission(null, "MyRole");
        perm.Demand();
    }
- Role checks with IsInRole (multiple):
    principal.IsInRole("MyRole");   // principal is an IPrincipal, e.g. HttpContext.User
- Custom authentication role checks:
    string[] roles = new string[] { "MyRole", "MyRole1" };
    IPrincipal principal = new GenericPrincipal(identity, roles);
    principal.IsInRole("MyRole");

24 Authorization cont. (Guidelines)
- Defense-in-depth approach
- Granular roles
- Declarative demands, where possible
- Use IsInRole if you need to check membership in more than one role
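The three role-check styles from slides 10, 23 and 24 side by side, as an added example that is not part of the original presentation. It is written for the .NET Framework, where PrincipalPermission demands are supported; the role names, method names and the principal built in Main are constructed for illustration. In an ASP.NET application the principal would come from HttpContext.User (set by the forms or Windows authentication module), which the runtime also exposes as Thread.CurrentPrincipal, the object that PrincipalPermission checks.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public static class RoleDemo
{
    // Declarative demand (slides 10 and 23): the runtime checks
    // Thread.CurrentPrincipal before the body runs and throws
    // SecurityException when the caller is not in the role.
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public static string ApproveOrder(int orderId)
    {
        return "order " + orderId + " approved";
    }

    // Imperative demand: the same check, performed where the code chooses.
    public static string CancelOrder(int orderId)
    {
        PrincipalPermission perm = new PrincipalPermission(null, "Manager");
        perm.Demand();
        return "order " + orderId + " cancelled";
    }

    // IsInRole: the slide 24 guideline for checks that span more than one
    // role, since one demand attribute names exactly one role.
    public static bool CanViewReports(IPrincipal principal)
    {
        return principal.IsInRole("Manager") || principal.IsInRole("Auditor");
    }

    // Custom (e.g. forms) authentication: the application looks the roles up
    // in its own store and attaches a GenericPrincipal to the request.
    // Here the user name and roles are a constructed sample.
    public static IPrincipal BuildPrincipal(string userName, string[] rolesFromStore)
    {
        return new GenericPrincipal(new GenericIdentity(userName), rolesFromStore);
    }

    public static void Main()
    {
        IPrincipal auditor = BuildPrincipal("alice", new string[] { "Auditor" });
        Thread.CurrentPrincipal = auditor;

        Console.WriteLine(CanViewReports(auditor));          // True: Auditor is enough here

        try { Console.WriteLine(ApproveOrder(42)); }
        catch (SecurityException) { Console.WriteLine("declarative demand denied for alice"); }

        try { Console.WriteLine(CancelOrder(42)); }
        catch (SecurityException) { Console.WriteLine("imperative demand denied for alice"); }

        Thread.CurrentPrincipal = BuildPrincipal("bob", new string[] { "Manager" });
        Console.WriteLine(ApproveOrder(42));                 // order 42 approved
    }
}
```

The declarative form is preferred where it fits because the check is visible in the method signature and cannot be skipped by a code path inside the body; IsInRole is the fallback when a single role name is not enough.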

25 ASP.NET Forms Authentication demo

26 Session Agenda (next section: Input Validation)

27 Input Validation
- Assume all input is malicious
- Centralize your approach
- Do not rely on client-side validation
- Be careful with canonicalization issues
- Constrain, reject, and sanitize your input
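A centralized server-side validator that applies the constrain / reject / sanitize rule and handles the canonicalization point, as an added example that is not from the original slides. The allow-list pattern, the base directory and the sample inputs are constructed for illustration; the paths are Windows paths, as on an IIS host, and HttpUtility needs a reference to System.Web.dll.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;   // HttpUtility; reference System.Web.dll

public static class InputValidation
{
    // Constrain: an allow-list pattern for what a user name may be.
    // Anything that does not match is rejected outright, not "cleaned up".
    private static readonly Regex UserNameRegex =
        new Regex(@"^[A-Za-z][A-Za-z0-9_]{2,31}$", RegexOptions.Compiled);

    public static bool IsValidUserName(string input)
    {
        return input != null && UserNameRegex.IsMatch(input);
    }

    // Canonicalization: never compare the raw string the client sent.
    // Resolve it to a full path first, so "..", mixed separators and other
    // alternate spellings collapse, then check the result is under baseDir.
    public static bool TryResolveUnderBase(string baseDir, string userSupplied, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrEmpty(userSupplied)) return false;
        if (userSupplied.IndexOfAny(Path.GetInvalidPathChars()) >= 0) return false;

        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;   // so "C:\data2" is not accepted as under "C:\data"

        // Path.Combine returns a rooted second argument unchanged, so an
        // absolute path from the client also fails the prefix check below.
        string candidate = Path.GetFullPath(Path.Combine(root, userSupplied));
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return false;

        fullPath = candidate;
        return true;
    }

    // Sanitize: when input must be echoed into HTML, encode it for that
    // output context instead of trying to strip "bad" characters.
    public static string ForHtml(string input)
    {
        return HttpUtility.HtmlEncode(input);
    }

    public static void Main()
    {
        // Constructed sample inputs. These checks run on the server whether or
        // not any client-side validation happened.
        Console.WriteLine(IsValidUserName("alice_01"));        // True
        Console.WriteLine(IsValidUserName("alice; drop"));     // False: rejected by the allow-list

        string resolved;
        Console.WriteLine(TryResolveUnderBase(@"C:\site\reports", @"2004\q1.txt", out resolved));   // True
        Console.WriteLine(TryResolveUnderBase(@"C:\site\reports", @"..\web.config", out resolved)); // False

        Console.WriteLine(ForHtml("<b>hi</b>"));               // &lt;b&gt;hi&lt;/b&gt;
    }
}
```

Keeping these checks in one class is what "centralize your approach" means in practice: every page calls the same validator, so a fix to the pattern or the path check applies everywhere at once.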

28 Session Agenda (next section: Database)

29 Database
- Use stored procedures
- Grant access only to stored procedures
- Parameterize queries when stored procedures are not possible
- Use a least-privileged account approach
- Protect connection strings as secrets
- Hash passwords
- Encrypt sensitive data
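The first three bullets in code, as an added example that is not from the original slides: a string-concatenated query beside its stored-procedure and parameterized-text replacements. The table, column, procedure name and connection string are constructed placeholders; the commands are built but not executed, so the sample runs without a database.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserRepository
{
    // BEFORE: the user-supplied value becomes part of the SQL text, so any
    // quote in it changes the statement. A legitimate name like O'Brien
    // already breaks it; hostile input does worse.
    public static string BuildLookupUnsafe(string userName)
    {
        return "SELECT UserId FROM dbo.Users WHERE UserName = '" + userName + "'";
    }

    // AFTER (preferred): call a stored procedure through a typed, length-bounded
    // parameter. The value travels as data and is never parsed as SQL, and the
    // application login can be granted EXECUTE on the procedure only.
    public static SqlCommand BuildLookupProcedure(SqlConnection conn, string userName)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.CommandText = "dbo.usp_GetUserId";   // hypothetical procedure name
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 32).Value = userName;
        return cmd;
    }

    // When a stored procedure is not possible: the same parameterization
    // applied to a text query.
    public static SqlCommand BuildLookupText(SqlConnection conn, string userName)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandType = CommandType.Text;
        cmd.CommandText = "SELECT UserId FROM dbo.Users WHERE UserName = @UserName";
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 32).Value = userName;
        return cmd;
    }

    public static void Main()
    {
        // Placeholder connection string. In a real application it is a secret read
        // from protected configuration and names a low-privilege login.
        SqlConnection conn = new SqlConnection("Server=(local);Database=AppDb;Integrated Security=SSPI");
        string name = "O'Brien";   // constructed sample input

        Console.WriteLine(BuildLookupUnsafe(name));
        // SELECT UserId FROM dbo.Users WHERE UserName = 'O'Brien'   <- malformed SQL

        SqlCommand cmd = BuildLookupText(conn, name);
        Console.WriteLine(cmd.CommandText);                     // the @UserName placeholder stays intact
        Console.WriteLine(cmd.Parameters["@UserName"].Value);   // O'Brien, passed as data

        SqlCommand proc = BuildLookupProcedure(conn, name);
        Console.WriteLine(proc.CommandType + " " + proc.CommandText);   // StoredProcedure dbo.usp_GetUserId
    }
}
```

The NVarChar length on the parameter also enforces a size limit at the data layer, which is one more instance of the "constrain" rule from the input-validation slide.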

30 Session Agenda (next section: Sensitive Data)

31 Sensitive Data
- Hashing: practically impossible to reverse
- Encryption: can only decrypt with the encryption key
- DPAPI: Data Protection API

32-34 Sensitive Data cont. (one table, revealed one row per slide)

Row 1
- I want to: Store a user password securely
- Recommendation: Salt + SHA1 (one-way hash). Prepend a random salt to the password before hashing to defend against off-line dictionary attacks.
- Advantages: No keys to manage.
- Limitations: Identical input yields identical hash values. Must store a salt to ensure unique cipher text for identical values.

Row 2
- I want to: Protect local user data
- Recommendation: DPAPI (encryption using keys derived from user credentials)
- Advantages: DPAPI manages keys on behalf of the application.
- Limitations: Data can't be decrypted by other users, or on other machines.

Row 3
- I want to: Encrypt data that will need to be decrypted later
- Recommendation: Symmetric encryption algorithms (e.g. Rijndael)
- Advantages: Flexible: data can be decrypted by other apps / machines that have the key.
- Limitations: Application must manage keys and transmit them securely.
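The three rows of the table implemented with the .NET Framework crypto classes, as an added example that is not from the original slides or demo: a salted one-way hash with verification, DPAPI protection of local data, and Rijndael for data that must be decrypted later. The password, the sample plaintext and the key generation are constructed for illustration; ProtectedData lives in System.Security.dll and only works on Windows. The hash follows the slides' Salt + SHA1 recommendation; the same structure applies to any hash, and current practice favours a deliberately slow, purpose-built password hash in its place.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SensitiveData
{
    // Row 1: salt + one-way hash. The salt is random per user and stored
    // next to the hash; it is not a secret, it only makes identical
    // passwords hash differently and defeats precomputed dictionaries.
    public static byte[] NewSalt()
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);   // cryptographically random
        return salt;
    }

    public static byte[] HashPassword(string password, byte[] salt)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);            // salt is prepended, as the slide says
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (SHA1 sha = SHA1.Create()) { return sha.ComputeHash(input); }
    }

    public static bool VerifyPassword(string password, byte[] salt, byte[] storedHash)
    {
        byte[] computed = HashPassword(password, salt);
        // Constant-time comparison so the response time does not reveal
        // how many leading bytes of the hash matched.
        int diff = computed.Length ^ storedHash.Length;
        for (int i = 0; i < computed.Length && i < storedHash.Length; i++)
            diff |= computed[i] ^ storedHash[i];
        return diff == 0;
    }

    // Row 2: DPAPI. No application-managed key; the data is bound to the
    // current user on this machine, which is exactly the stated limitation.
    public static byte[] ProtectLocal(byte[] plain)
    {
        return ProtectedData.Protect(plain, null, DataProtectionScope.CurrentUser);
    }

    public static byte[] UnprotectLocal(byte[] blob)
    {
        return ProtectedData.Unprotect(blob, null, DataProtectionScope.CurrentUser);
    }

    // Row 3: symmetric encryption. The application owns the key, so other
    // machines holding it can decrypt; a fresh IV per message is stored
    // alongside the ciphertext and is not secret.
    public static byte[] EncryptSymmetric(byte[] plain, byte[] key, out byte[] iv)
    {
        using (Rijndael alg = Rijndael.Create())
        {
            alg.Key = key;
            alg.GenerateIV();
            iv = alg.IV;
            using (ICryptoTransform enc = alg.CreateEncryptor())
                return enc.TransformFinalBlock(plain, 0, plain.Length);
        }
    }

    public static byte[] DecryptSymmetric(byte[] cipher, byte[] key, byte[] iv)
    {
        using (Rijndael alg = Rijndael.Create())
        {
            alg.Key = key;
            alg.IV = iv;
            using (ICryptoTransform dec = alg.CreateDecryptor())
                return dec.TransformFinalBlock(cipher, 0, cipher.Length);
        }
    }

    public static void Main()
    {
        // Constructed sample password and data.
        byte[] salt = NewSalt();
        byte[] stored = HashPassword("correct horse", salt);
        Console.WriteLine(VerifyPassword("correct horse", salt, stored));   // True
        Console.WriteLine(VerifyPassword("wrong", salt, stored));           // False

        byte[] note = Encoding.UTF8.GetBytes("account note");
        byte[] local = ProtectLocal(note);
        Console.WriteLine(Encoding.UTF8.GetString(UnprotectLocal(local)));  // account note

        byte[] key = new byte[32];                                          // 256-bit app-managed key
        new RNGCryptoServiceProvider().GetBytes(key);
        byte[] iv;
        byte[] ct = EncryptSymmetric(note, key, out iv);
        Console.WriteLine(Encoding.UTF8.GetString(DecryptSymmetric(ct, key, iv)));   // account note
    }
}
```

The key in Main exists only for the run; in a deployed application it is the secret the table's last row warns about, and DPAPI (row 2) is one reasonable way to protect it at rest on the server.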

35 Sensitive Data demo

36 Wrap-up & Questions
Rob Bagby, Developer Evangelist, Microsoft
rob.bagby@microsoft.com (email)
http://www.robbagby.com (blog)
