Improving Web Application Security: Threats and Countermeasures
Forewords by Mark Curphey, Joel Scambray, and Erik Olson
patterns & practices
J.D. Meier, Microsoft Corporation
Alex Mackman, Content Master
Srinath Vasireddy, Microsoft Corporation
Michael Dunner, Microsoft Corporation
Ray Escamilla, Microsoft Corporation
Anandha Murukan, Satyam Computer Services
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, BizTalk, IntelliSense, MSDN, Visual Basic, Visual C#, Visual C++, and Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

© 2003 Microsoft Corporation. All rights reserved.

Version 1.0 6/30/2003

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Forewords xliii
Foreword by Mark Curphey xliii
Foreword by Joel Scambray xlv
Foreword by Erik Olson xlvi
Introduction xlix
Why We Wrote This Guide xlix
What Is a Hack-Resilient Application? l
Scope of This Guide li
Securing the Network, Host, and Application li
Technologies in Scope lii
Who Should Read This Guide lii
How to Use This Guide liii
Applying the Guidance to Your Role liii
Applying the Guidance to Your Product Life Cycle liv
Microsoft Solutions Framework lv
Organization of This Guide lv
Solutions at a Glance lv
Fast Track lv
Parts lvi
Checklists lvii
“How To” Articles lviii
Approach Used in This Guide lviii
Secure Your Network, Host, and Application lviii
Focus on Threats lix
Follow a Principle-Based Approach lx
Positioning of This Guide lx
Volume I, Building Secure ASP.NET Applications lx
Volume II, Improving Web Application Security lxi
Feedback and Support lxii
Feedback on the Guide lxii
Technical Support lxii
Community and Newsgroup Support lxii
The Team Who Brought You This Guide lxiii
Contributors and Reviewers lxiii
Tell Us About Your Success lxiv
Summary lxiv
Solutions at a Glance lxv
Architecture and Design Solutions lxv
Development Solutions lxvi
Administration Solutions lxx
Fast Track — How To Implement the Guidance lxxv
Goal and Scope lxxv
The Holistic Approach lxxvi
Securing Your Network lxxvii
Securing Your Host lxxvii
Securing Your Application lxxviii
Identify Threats lxxix
Applying the Guidance to Your Product Life Cycle lxxxi
Implementing the Guidance lxxxii
Who Does What? lxxxiii
RACI Chart lxxxiii
Summary lxxxiv
Part I
Introduction to Threats and Countermeasures 1
Chapter 1
We Are Secure — We Have a Firewall 3
What Do We Mean By Security? 4
The Foundations of Security 4
Threats, Vulnerabilities, and Attacks Defined 5
How Do You Build a Secure Web Application? 5
Secure Your Network, Host, and Application 6
Securing Your Network 7
Network Component Categories 7
Securing Your Host 7
Host Configuration Categories 8
Securing Your Application 9
Application Vulnerability Categories 9
Security Principles 11
Summary 12
Additional Resources 12
Chapter 2
Threats and Countermeasures 13
In This Chapter 13
How to Use This Chapter 14
Anatomy of an Attack 14
Survey and Assess 15
Exploit and Penetrate 15
Escalate Privileges 15
Maintain Access 16
Deny Service 16
Understanding Threat Categories 16
STRIDE 16
STRIDE Threats and Countermeasures 17
Network Threats and Countermeasures 18
Information Gathering 18
Sniffing 19
Spoofing 19
Session Hijacking 19
Denial of Service 20
Host Threats and Countermeasures 20
Viruses, Trojan Horses, and Worms 21
Footprinting 21
Password Cracking 22
Denial of Service 22
Arbitrary Code Execution 23
Unauthorized Access 23
Application Threats and Countermeasures 23
Input Validation 24
Buffer Overflows 25
Cross-Site Scripting 26
SQL Injection 27
Canonicalization 28
Authentication 29
Network Eavesdropping 29
Brute Force Attacks 30
Dictionary Attacks 30
Cookie Replay Attacks 31
Credential Theft 31
Authorization 31
Elevation of Privilege 32
Disclosure of Confidential Data 32
Data Tampering 32
Luring Attacks 33
Configuration Management 33
Unauthorized Access to Administration Interfaces 33
Unauthorized Access to Configuration Stores 34
Retrieval of Plaintext Configuration Secrets 34
Lack of Individual Accountability 34
Sensitive Data 35
Access to Sensitive Data in Storage 35
Network Eavesdropping 35
Data Tampering 35
Session Management 36
Session Hijacking 36
Session Replay 36
Man in the Middle Attacks 37
Cryptography 37
Poor Key Generation or Key Management 38
Weak or Custom Encryption 38
Checksum Spoofing 38
Parameter Manipulation 39
Query String Manipulation 39
Form Field Manipulation 40
Cookie Manipulation 40
HTTP Header Manipulation 40
Exception Management 40
Attacker Reveals Implementation Details 41
Denial of Service 41
Auditing and Logging 41
User Denies Performing an Operation 42
Attackers Exploit an Application Without Leaving a Trace 42
Attackers Cover Their Tracks 42
Summary 42
Additional Resources 43
Chapter 3
Threat Modeling 45
In This Chapter 45
Overview 45
Before You Begin 45
How to Use This Chapter 46
Threat Modeling Principles 47
The Process 47
The Output 48
Step 1 Identify Assets 49
Step 2 Create an Architecture Overview 49
Identify What the Application Does 50
Create an Architecture Diagram 50
Identify the Technologies 51
Step 3 Decompose the Application 52
Identify Trust Boundaries 53
Identify Data Flow 53
Identify Entry Points 54
Identify Privileged Code 54
Document the Security Profile 55
Step 4 Identify the Threats 56
Identify Network Threats 57
Identify Host Threats 58
Identify Application Threats 58
Using Attack Trees and Attack Patterns 59
Step 5 Document the Threats 62
Step 6 Rate the Threats 62
Risk = Probability * Damage Potential 63
High, Medium, and Low Ratings 63
DREAD 63
What Comes After Threat Modeling? 65
Generating a Work Item Report 66
Summary 66
Additional Resources 66
Part II
Designing Secure Web Applications 67
Chapter 4
Design Guidelines for Secure Web Applications 69
In This Chapter 69
Overview 69
How to Use This Chapter 70
Architecture and Design Issues for Web Applications 70
Deployment Considerations 72
Security Policies and Procedures 73
Network Infrastructure Components 73
Deployment Topologies 73
Intranet, Extranet, and Internet 74
Input Validation 74
Assume All Input Is Malicious 75
Centralize Your Approach 75
Do Not Rely on Client-Side Validation 76
Be Careful with Canonicalization Issues 76
Constrain, Reject, and Sanitize Your Input 77
In Practice 79
Authentication 80
Separate Public and Restricted Areas 81
Use Account Lockout Policies for End-User Accounts 81
Support Password Expiration Periods 81
Be Able to Disable Accounts 82
Do Not Store Passwords in User Stores 82
Require Strong Passwords 82
Do Not Send Passwords Over the Wire in Plaintext 82
Protect Authentication Cookies 82
Authorization 83
Use Multiple Gatekeepers 83
Restrict User Access to System Level Resources 83
Consider Authorization Granularity 83
Configuration Management 86
Secure Your Administration Interfaces 86
Secure Your Configuration Stores 86
Separate Administration Privileges 87
Use Least Privileged Process and Service Accounts 87
Sensitive Data 87
Secrets 87
Sensitive Per User Data 89
Session Management 90
Use SSL to Protect Session Authentication Cookies 90
Encrypt the Contents of the Authentication Cookies 90
Limit Session Lifetime 91
Protect Session State from Unauthorized Access 91
Cryptography 91
Do Not Develop Your Own Cryptography 92
Keep Unencrypted Data Close to the Algorithm 92
Use the Correct Algorithm and Correct Key Size 92
Secure Your Encryption Keys 92
Parameter Manipulation 93
Encrypt Sensitive Cookie State 93
Make Sure that Users Do Not Bypass Your Checks 93
Validate All Values Sent from the Client 94
Do Not Trust HTTP Header Information 94
Exception Management 94
Do Not Leak Information to the Client 94
Log Detailed Error Messages 95
Catch Exceptions 95
Auditing and Logging 95
Audit and Log Access Across Application Tiers 95
Consider Identity Flow 96
Log Key Events 96
Secure Log Files 96
Design Guidelines Summary 97
Summary 98
Additional Resources 98
Chapter 5
Architecture and Design Review for Security 99
In This Chapter 99
Overview 99
How to Use This Chapter 100
Architecture and Design Review Process 100
Deployment and Infrastructure Considerations 101
Does the Network Provide Secure Communication? 102
Does Your Deployment Topology Include an Internal Firewall? 102
Does Your Deployment Topology Include a Remote Application Server? 102
What Restrictions Does Infrastructure Security Impose? 103
Have You Considered Web Farm Issues? 104
What Trust Levels Does the Target Environment Support? 104
Input Validation 105
How Do You Validate Input? 106
What Do You Do with the Input? 107
Authentication 107
Do You Separate Public and Restricted Access? 108
Have You Identified Service Account Requirements? 108
How Do You Authenticate the Caller? 109
How Do You Authenticate with the Database? 109
Do You Enforce Strong Account Management Practices? 111
Authorization 111
How Do You Authorize End Users? 112
How Do You Authorize the Application in the Database? 113
How Do You Restrict Access to System-Level Resources? 113
Configuration Management 114
Do You Support Remote Administration? 114
Do You Secure Configuration Stores? 115
Do You Separate Administrator Privileges? 115
Sensitive Data 115
Do You Store Secrets? 116
How Do You Store Sensitive Data? 117
Do You Pass Sensitive Data Over the Network? 117
Do You Log Sensitive Data? 117
Session Management 117
How Are Session Identifiers Exchanged? 118
Do You Restrict Session Lifetime? 118
How Is the Session State Store Secured? 118
Cryptography 119
Why Do You Use Particular Algorithms? 119
How Do You Secure Encryption Keys? 120
Parameter Manipulation 120
Do You Validate All Input Parameters? 121
Do You Pass Sensitive Data in Parameters? 121
Do You Use HTTP Header Data for Security? 121
Exception Management 122
Do You Use Structured Exception Handling? 122
Do You Reveal Too Much Information to the Client? 122
Auditing and Logging 123
Have You Identified Key Activities to Audit? 123
Have You Considered How to Flow Original Caller Identity? 124
Have You Considered Secure Log File Management Policies? 124
Summary 124
Additional Resources 125
Part III
Building Secure Web Applications 127
Chapter 6
.NET Security Overview 129
In This Chapter 129
Overview 129
How to Use This Chapter 130
Managed Code Benefits 130
User vs Code Security 131
Role-Based Security 131
Code Access Security 132
.NET Framework Role-Based Security 133
Principals and Identities 134
PrincipalPermission Objects 134
Role-Based Security Checks 137
URL Authorization 138
.NET Framework Security Namespaces 139
System.Security 140
System.Web.Security 141
System.Security.Cryptography 141
System.Security.Principal 141
System.Security.Policy 142
System.Security.Permissions 142
Summary 144
Additional Resources 144
Chapter 7
Building Secure Assemblies 145
In This Chapter 145
Overview 145
How to Use This Chapter 146
Threats and Countermeasures 146
Unauthorized Access or Privilege Elevation, or both 147
Code Injection 147
Information Disclosure 148
Tampering 149
Privileged Code 149
Privileged Resources 150
Privileged Operations 150
Assembly Design Considerations 150
Identify Privileged Code 150
Identify the Trust Level of Your Target Environment 151
Sandbox Highly Privileged Code 152
Design Your Public Interface 153
Class Design Considerations 153
Restrict Class and Member Visibility 153
Seal Non-Base Classes 153
Restrict Which Users Can Call Your Code 154
Expose Fields Using Properties 154
Strong Names 155
Security Benefits of Strong Names 156
Using Strong Names 156
Delay Signing 157
ASP.NET and Strong Names 158
Authenticode vs Strong Names 159
Authorization 160
Exception Management 161
Use Structured Exception Handling 161
Do Not Log Sensitive Data 162
Do Not Reveal Sensitive System or Application Information 162
Consider Exception Filter Issues 162
Consider an Exception Management Framework 163
File I/O 164
Avoid Untrusted Input for File Names 164
Do Not Trust Environment Variables 164
Validate Input File Names 164
Constrain File I/O Within Your Application’s Context 165
Event Log 165
Registry 166
HKEY_LOCAL_MACHINE 166
HKEY_CURRENT_USER 166
Reading from the Registry 167
Data Access 167
Unmanaged Code 168
Validate Input and Output String Parameters 168
Validate Array Bounds 169
Check File Path Lengths 169
Compile Unmanaged Code With the /GS Switch 169
Inspect Unmanaged Code for Dangerous APIs 169
Delegates 169
Do Not Accept Delegates from Untrusted Sources 169
Serialization 170
Do Not Serialize Sensitive Data 170
Validate Serialized Data Streams 170
Partial Trust Considerations 171
Threading 171
Do Not Cache the Results of Security Checks 171
Consider Impersonation Tokens 172
Synchronize Static Class Constructors 172
Synchronize Dispose Methods 172
Reflection 172
Obfuscation 173
Cryptography 174
Use Platform-provided Cryptographic Services 174
Key Generation 174
Key Storage 176
Key Exchange 178
Key Maintenance 178
Summary 179
Additional Resources 179
Chapter 8
Code Access Security in Practice 181
In This Chapter 181
Overview 181
How to Use This Chapter 182
Code Access Security Explained 182
Code 183
Evidence 183
Permissions 184
Assert, Deny, and PermitOnly Methods 185
Policy 185
Code Groups 186
How Does It Work? 186
How Is Policy Evaluated? 187
APTCA 191
Avoid Using APTCA 191
Diagnosing APTCA Issues 192
Privileged Code 193
Privileged Resources 193
Privileged Operations 194
Requesting Permissions 194
RequestMinimum 195
RequestOptional 195
RequestRefused 195
Implications of Using RequestOptional or RequestRefuse 196
Authorizing Code 196
Restrict Which Code Can Call Your Code 197
Restrict Inheritance 198
Consider Protecting Cached Data 199
Protect Custom Resources with Custom Permissions 199
Link Demands 199
Luring Attacks 200
Performance and Link Demands 201
Calling Methods with Link Demands 201
Mixing Class and Method Level Link Demands 201
Interfaces and Link Demands 202
Structures and Link Demands 202
Virtual Methods and Link Demands 203
Assert and RevertAssert 203
Use the Demand / Assert Pattern 204
Reduce the Assert Duration 204
Constraining Code 204
Using Policy Permission Grants 205
Using Stack Walk Modifiers 205
File I/O 205
Constraining File I/O within your Application’s Context 205
Requesting FileIOPermission 207
Event Log 207
Constraining Event Logging Code 208
Requesting EventLogPermission 208
Registry 208
Constraining Registry Access 209
Requesting RegistryPermission 209
Data Access 209
Directory Services 210
Constraining Directory Service Access 210
Environment Variables 211
Constraining Environment Variable Access 211
Requesting EnvironmentPermission 211
Web Services 212
Constraining Web Service Connections 212
Sockets and DNS 213
Constraining Socket Access 213
Requesting SocketPermission and DnsPermission 214
Unmanaged Code 214
Use Naming Conventions to Indicate Risk 214
Request the Unmanaged Code Permission 215
Sandbox Unmanaged API Calls 215
Use SuppressUnmanagedCodeSecurity with Caution 216
Delegates 217
Serialization 218
Restricting Serialization 218
Summary 219
Additional Resources 219
Chapter 9
Using Code Access Security with ASP.NET 221
In This Chapter 221
Overview 221
How to Use This Chapter 223
Resource Access 223
Full Trust and Partial Trust 224
Configuring Code Access Security in ASP.NET 225
Configuring Trust Levels 225
Locking the Trust Level 226
ASP.NET Policy Files 227
ASP.NET Policy 227
Inside an ASP.NET Policy File 228
Permission State and Unrestricted Permissions 229
The ASP.NET Named Permission Set 229
Substitution Parameters 230
Developing Partial Trust Web Applications 231
Why Partial Trust? 231
Problems You Might Encounter 231
Trust Levels 232
Approaches for Partial Trust Web Applications 234
Customize Policy 235
Sandbox Privileged Code 236
A Sandboxing Pattern 236
Deciding Which Approach to Take 238
Customizing Policy 238
Sandboxing 238
Medium Trust 239
Reduced Attack Surface 239
Application Isolation 239
Medium Trust Restrictions 240
OLE DB 240
Event Log 244
Web Services 248
Registry 250
Summary 252
Additional Resources 252
Chapter 10
Building Secure ASP.NET Pages and Controls 253
In This Chapter 253
Overview 253
How to Use This Chapter 254
Threats and Countermeasures 254
Code Injection 255
Session Hijacking 256
Identity Spoofing 257
Parameter Manipulation 258
Network Eavesdropping 259
Information Disclosure 259
Design Considerations 260
Use Server-Side Input Validation 260
Partition Your Web Site 261
Consider the Identity That Is Used for Resource Access 262
Protect Credentials and Authentication Tickets 262
Fail Securely 262
Consider Authorization Granularity 263
Place Web Controls and User Controls in Separate Assemblies 263
Place Resource Access Code in a Separate Assembly 263
Input Validation 263
Constrain, Then Sanitize 264
Regular Expressions 264
String Fields 265
Date Fields 267
Numeric Fields 267
Sanitizing Input 269
Validating HTML Controls 269
Validating Input Used for Data Access 270
Validating Input Used For File I/O 270
Cross-Site Scripting 272
Validate Input 273
Encode Output 273
Defense in Depth Countermeasures 274
Authentication 277
Forms Authentication 277
Partition Your Web Site 278
Secure Restricted Pages with SSL 279
Use URL Authorization 279
Secure the Authentication Cookie 280
Use Absolute URLs for Navigation 282
Use Secure Credential Management 283
Authorization 284
Use URL Authorization for Page and Directory Access Control 284
Use File Authorization with Windows Authentication 284
Use Principal Demands on Classes and Methods 284
Use Explicit Role Checks for Fine-Grained Authorization 285
Impersonation 286
Using Programmatic Impersonation 286
Sensitive Data 288
Do not Pass Sensitive Data from Page to Page 288
Avoid Plaintext Passwords in Configuration Files 288
Use DPAPI to Avoid Key Management 288
Do Not Cache Sensitive Data 288
Session Management 289
Require Authentication for Sensitive Pages 289
Do Not Rely on Client-Side State Management Options 289
Do Not Mix Session Tokens and Authentication Tokens 290
Use SSL Effectively 290
Secure the Session Data 290
Parameter Manipulation 291
Protect View State with MACs 291
Use Page.ViewStateUserKey to Counter One-Click Attacks 292
Maintain Sensitive Data on the Server 292
Validate Input Parameters 293
Exception Management 293
Return Generic Error Pages to the Client 293
Implement Page-Level or Application-Level Error Handlers 294
Auditing and Logging 295
EventLogPermission 296
Summary 296
Additional Resources 297
Chapter 11
Building Secure Serviced Components 299
In This Chapter 299
Overview 299
How to Use This Chapter 300
Threats and Countermeasures 300
Network Eavesdropping 301
Unauthorized Access 301
Unconstrained Delegation 301
Disclosure of Configuration Data 302
Repudiation 302
Design Considerations 302
Role-Based Authorization 302
Sensitive Data Protection 302
Audit Requirements 303
Application Activation Type 303
Transactions 303
Code Access Security 303
Authentication 304
Use (At Least) Call Level Authentication 304
Authorization 304
Enable Role-Based Security 304
Enable Component Level Access Checks 305
Enforce Component Level Access Checks 305
Configuration Management 305
Use Least Privileged Run-As Accounts 306
Avoid Storing Secrets in Object Constructor Strings 306
Avoid Unconstrained Delegation 306
Sensitive Data 307
Auditing and Logging 308
Audit User Transactions 308
Building a Secure Serviced Component 309
Assembly Implementation 310
Serviced Component Class Implementation 311
Code Access Security Considerations 313
Deployment Considerations 314
Firewall Restrictions 314
Summary 316
Additional Resources 317
Chapter 12
Building Secure Web Services 319
In This Chapter 319
Overview 319
Threats and Countermeasures 320
Unauthorized Access 321
Parameter Manipulation 322
Network Eavesdropping 322
Disclosure of Configuration Data 323
Message Replay 323
Design Considerations 325
Authentication Requirements 325
Privacy and Integrity Requirements 325
Resource Access Identities 325
Code Access Security 326
Input Validation 326
Strongly Typed Parameters 326
Loosely Typed Parameters 328
XML Data 328
SQL Injection 331
Cross-Site Scripting 331
Authentication 332
Platform Level Authentication 332
Message Level Authentication 333
Application Level Authentication 335
Authorization 335
Web Service Endpoint Authorization 336
Web Method Authorization 336
Programmatic Authorization 336
Sensitive Data 337
XML Encryption 337
Encrypting Parts of a Message 338
Parameter Manipulation 339
Exception Management 339
Using SoapExceptions 340
Application Level Error Handling in Global.asax 341
Auditing and Logging 341
Proxy Considerations 341
Code Access Security Considerations 342
Deployment Considerations 343
Intranet Deployment 343
Extranet Deployment 343
Internet Deployment 344
Summary 345
Additional Resources 345
Chapter 13
Building Secure Remoted Components 347
In This Chapter 347
Overview 347
How to Use This Chapter 348
Threats and Countermeasures 349
Unauthorized Access 349
Network Eavesdropping 350
Parameter Manipulation 351
Serialization 351
Design Considerations 352
Do Not Expose Remoted Objects to the Internet 352
Use the HttpChannel to Take Advantage of ASP.NET Security 352
Use the TcpChannel Only in Trusted Server Scenarios 352
Input Validation 354
Serialization Attacks 354
MarshalByRefObject Attacks 354
Authentication 355
ASP.NET Hosting 355
Custom Process Hosting 358
Authorization 359
Use IPSec for Machine Level Access Control 359
Enable File Authorization for User Access Control 359
Authorize Users with Principal-Based Role Checks 360
Consider Limiting Remote Access 360
Sensitive Data 361
Using IPSec 361
Using SSL 361
Using a Custom Encryption Sink 361
Denial of Service 364
Exception Management 364
Using a Custom Channel Sink 365
Auditing and Logging 365
Using a Custom Channel Sink 365
Code Access Security (CAS) Considerations 365
Summary 365
Additional Resources 366
Chapter 14
Building Secure Data Access 367
In This Chapter 367
Overview 367
How to Use This Chapter 368
Threats and Countermeasures 368
SQL Injection 369
Disclosure of Configuration Data 370
Disclosure of Sensitive Application Data 370
Disclosure of Database Schema and Connection Details 371
Unauthorized Access 371
Network Eavesdropping 372
Design Considerations 372
Use Windows Authentication 373
Use Least Privileged Accounts 373
Use Stored Procedures 373
Protect Sensitive Data in Storage 374
Use Separate Data Access Assemblies 375
Input Validation 376
SQL Injection 376
Preventing SQL Injection 376
Constrain Input 376
Use Type Safe SQL Parameters 377
Using Parameter Batching 378
Using Filter Routines 378
Using LIKE Clauses 378
Authentication 379
Use Windows Authentication 379
Protect the Credentials for SQL Authentication 380
Connect Using a Least Privileged Account 380
Authorization 380
Restrict Unauthorized Callers 382
Restrict Unauthorized Code 383
Restrict the Application in the Database 383
Configuration Management 384
Use Windows Authentication 384
Secure Your Connection Strings 384
Secure UDL Files with Restricted ACLs 386
Sensitive Data 386
Encrypt Sensitive Data if You Need to Store It 386
Secure Sensitive Data Over the Network 387
Store Password Hashes with Salt 388
Exception Management 389
Trap and Log ADO.NET Exceptions 389
Ensure Database Connections Are Closed 391
Use a Generic Error Page in Your ASP.NET Applications 392
Building a Secure Data Access Component 393
Code Access Security Considerations 396
Deployment Considerations 397
Firewall Restrictions 397
Connection String Management 398
Login Account Configuration 398
Logon Auditing 398
Data Privacy and Integrity on the Network 399
Summary 399
Additional Resources 399
Additional Considerations 417
Snapshot of a Secure Network 418
Summary 419
Additional Resources 420
Chapter 16
In This Chapter 421
Overview 421
How to Use This Chapter 422
Threats and Countermeasures 422
Profiling 423
Denial of Service 424
Unauthorized Access 424
Arbitrary Code Execution 425
Elevation of Privileges 425
Viruses, Worms, and Trojan Horses 426
Methodology for Securing Your Web Server 426
Configuration Categories 427
IIS and .NET Framework Installation Considerations 430
What Does IIS Install? 430
What Does the .NET Framework Install? 431
Installation Recommendations 432
IIS Installation Recommendations 432
.NET Framework Installation Recommendations 432
Including Service Packs with a Base Installation 433
Steps for Securing Your Web Server 433
Step 1 Patches and Updates 434
Detect and Install Patches and Updates 434
Update the .NET Framework 435
Step 2 IISLockdown 435
Install and Run IISLockdown 435
Install and Configure URLScan 437
Step 3 Services 438
Disable Unnecessary Services 439
Disable FTP, SMTP, and NNTP Unless You Require Them 439
Disable the ASP.NET State Service Unless You Require It 440
Step 4 Protocols 440
Disable or Secure WebDAV 440
Harden the TCP/IP Stack 440
Disable NetBIOS and SMB 441
Step 5 Accounts 442
Delete or Disable Unused Accounts 442
Disable the Guest Account 443
Rename the Administrator Account 443
Disable the IUSR Account 443
Create a Custom Anonymous Web Account 443
Enforce Strong Password Policies 444
Restrict Remote Logons 444
Disable Null Sessions (Anonymous Logons) 445
Step 6 Files and Directories 446
Restrict the Everyone Group 446
Restrict Access to the IIS Anonymous Account 446
Secure or Remove Tools, Utilities and SDKs 447
Remove Sample Files 447
Additional Considerations 447
Step 7 Shares 448
Remove Unnecessary Shares 448
Restrict Access to Required Shares 448
Additional Considerations 448
Step 8 Ports 449
Restrict Internet-Facing Ports to TCP 80 and 443 449
Encrypt or Restrict Intranet Traffic 449
Step 9 Registry 449
Restrict Remote Administration of the Registry 450
Secure the SAM (Stand-alone Servers Only) 450
Step 10 Auditing and Logging 451
Log All Failed Logon Attempts 451
Log All Failed Actions Across the File System 451
Relocate and Secure the IIS Log Files 452
Archive Log Files for Offline Analysis 452
Audit Access to the Metabase.bin File 452
Additional Considerations 453
Step 11 Sites and Virtual Directories 453
Move Your Web Site to a Non-System Volume 453
Disable the Parent Paths Setting 453
Remove Potentially Dangerous Virtual Directories 454
Remove or Secure RDS 454
Set Web Permissions 455
Remove or Secure FrontPage Server Extensions 456
Step 12 Script Mappings 456
Map IIS File Extensions 457
Map .NET Framework File Extensions 458
Step 13 ISAPI Filters 459
Remove Unused ISAPI Filters 459
Step 14 IIS Metabase 460
Restrict Access to the Metabase Using NTFS Permissions 460
Restrict Banner Information Returned by IIS 460
Step 15 Server Certificates 461
Step 16 Machine.Config 462
Map Protected Resources to HttpForbiddenHandler 462
Verify That Tracing Is Disabled 463
Verify That Debug Compiles Are Disabled 463
Verify That ASP.NET Errors Are Not Returned to Clients 464
Verify Session State Settings 464
Step 17 Code Access Security 464
Remove All Permissions for the Local Intranet Zone 465
Remove All Permissions for the Internet Zone 465
Snapshot of a Secure Web Server 466
Staying Secure 469
Audit Group Membership 469
Monitor Audit Logs 469
Stay Current With Service Packs and Patches 470
Perform Security Assessments 470
Use Security Notification Services 470
Remote Administration 471
Securing Terminal Services 472
Simplifying and Automating Security 473
Summary 474
Additional Resources 474
Chapter 17
In This Chapter 475
Overview 475
How to Use This Chapter 476
Threats and Countermeasures 477
Network Eavesdropping 477
Unauthorized Access 478
Viruses, Worms, and Trojan Horses 479
Methodology 480
Communication Channel Considerations 480
Enterprise Services 480
.NET Remoting 481
Web Services 481
SQL Server 481
Firewall Considerations 482
Enterprise Services 482
.NET Remoting 484
Web Services 485
.NET Remoting Security Considerations 486
Hosting in a Windows Service (TCP Channel) 486
Hosting in IIS (HTTP Channel) 486
Enterprise Services (COM+) Security Considerations 487
Secure the Component Services Infrastructure 487
Secure Enterprise Services Applications 493
Summary 499
Additional Resources 499
Chapter 18
In This Chapter 501
Overview 501
How to Use This Chapter 502
Threats and Countermeasures 502
SQL Injection 503
Network Eavesdropping 504
Unauthorized Server Access 504
Password Cracking 505
Methodology for Securing Your Server 506
Configuration Categories 506
SQL Server Installation Considerations 509
What Does SQL Server Install? 509
SQL Server Installation Recommendations 509
Before Running SQL Server Setup 510
Installing SQL Server 510
Steps for Securing Your Database Server 511
Step 1 Patches and Updates 511
Detect Missing Service Packs and Updates 511
Patching MSDE 512
Step 2 Services 512
Disable Unused SQL Server Services 513
Disable the Microsoft DTC (if not required) 513
Step 3 Protocols 513
Restrict SQL Server to TCP/IP 514
Harden the TCP/IP Stack 514
Additional Considerations 514
Step 4 Accounts 515
Secure the SQL Server Service Account 515
Delete or Disable Unused Accounts 516
Disable the Windows Guest Account 516
Rename the Administrator Account 516
Enforce Strong Password Policy 516
Restrict Remote Logons 517
Disable Null Sessions (Anonymous Logons) 517
Step 5 Files and Directories 519
Verify Permissions on SQL Server Install Directories 519
Verify Everyone Group Does Not Have Permissions for SQL Server Files 520
Secure Setup Log Files 520
Secure or Remove Tools, Utilities, and SDKs 520
Additional Considerations 520
Step 6 Shares 521
Remove Unnecessary Shares 521
Restrict Access to Required Shares 521
Additional Considerations 521
Step 7 Ports 522
Restrict Access to the SQL Server Port 522
Configure Named Instances to Listen on the Same Port 522
Configure the Firewall to Support DTC Traffic (if necessary) 523
Additional Considerations 523
Step 8 Registry 523
Verify Permissions for the SQL Server Registry Keys 524
Secure the SAM (Stand-alone Servers Only) 524
Step 9 Auditing and Logging 525
Log All Failed Windows Logon Attempts 525
Log All Failed Actions Across the File System 525
Enable SQL Server Login Auditing 526
Additional Considerations 526
Step 10 SQL Server Security 527
Set SQL Server Authentication to Windows Only 527
Set SQL Server Audit Level to Failure or All 528
Run SQL Server Using a Least Privileged Account 528
Step 11 SQL Server Logins, Users, and Roles 529
Use a Strong sa (System Administrator) Password 530
Remove the SQL Guest User Account 530
Remove the BUILTIN\Administrators Server Login 530
Do Not Grant Permissions for the Public Role 531
Additional Considerations 531
Step 12 SQL Server Database Objects 532
Remove the Sample Databases 532
Secure Stored Procedures 532
Secure Extended Stored Procedures 532
Restrict cmdExec Access to the sysadmin Role 532
Snapshot of a Secure Database Server 533
Additional Considerations 536
Staying Secure 536
Perform Regular Backups 537
Audit Group Membership 537
Monitor Audit Logs 537
Stay Current with Service Packs and Patches 537
Perform Security Assessments 538
Use Security Notification Services 538
Remote Administration 539
Securing Terminal Services 539
Summary 540
Additional Resources 541
Chapter 19
Securing Your ASP.NET Application and Web Services 543
In This Chapter 543
Overview 543
How to Use This Chapter 544
Methodology 544
What You Must Know 545
ASP.NET Process Model 545
ASP.NET Account 545
Aspnet_setreg.exe and Process, Session, and Identity 546
Impersonation is Not the Default 546
HttpForbiddenHandler, Urlscan, and the 404.dll 547
AppSettings 547
Machine.Config and Web.Config Explained 548
Hierarchical Policy Evaluation 550
<location> 551
Machine.Config and Web.Config Guidelines 553
ACLs and Permissions 554
Trust Levels in ASP.NET 555
<trust> 556
Process Identity for ASP.NET 556
<processModel> 556
Impersonation 558
<identity> 558
Authentication 560
<authentication> 560
Forms Authentication Guidelines 560
Authorization 563
File Authorization 563
URL Authorization 564
Session State 565
<sessionState> 565
Securing a SQL Server Session State Store 565
Securing the Out-of-Process State Service 568
View State 569
<pages> 569
Machine Key 570
Use Unique Encryption Keys with Multiple Applications 570
Set validation=“SHA1” 570
Generate Keys Manually For Web Farms 571
Debugging 571
<compilation> 571
Tracing 571
<trace> 572
Exception Management 572
<customErrors> 572
Remoting 573
Web Services 573
Disable Web Services if They Are Not Required 573
Disable Unused Protocols 574
Disable the Automatic Generation of WSDL 574
Forbidden Resources 575
Map Protected Resources to HttpForbiddenHandler 575
Bin Directory 576
Secure the Bin Directory 576
Event Log 576
File Access 577
ACLs and Permissions 577
Registry 579
Data Access 579
Configuring Data Access for Your ASP.NET Application 579
UNC Shares 581
Accessing Files on UNC Shares 581
Hosting Applications on UNC Shares 581
COM/DCOM Resources 583
Denial of Service Considerations 583
<httpRuntime> 583
Web Farm Considerations 584
Session State 584
Encryption and Verification 584
DPAPI 584
Snapshot of a Secure ASP.NET Application 585
Summary 588
Additional Resources 588
Chapter 20
In This Chapter 589
Overview 589
ASP.NET Architecture on Windows 2000 591
ASP.NET Architecture on Windows Server 2003 592
Configuring ACLs for Network Service 593
Isolating Applications by Identity 594
Anonymous Account Impersonation 595
Fixed Identity Impersonation 597
Isolating Applications with Application Pools 599
Isolating Applications with Code Access Security 600
Forms Authentication Issues 601
UNC Share Hosting 601
Summary 602
Is Your Class Design Secure? 617
Do You Create Threads? 617
Do You Use Serialization? 618
Do You Use Reflection? 619
Do You Handle Exceptions? 619
Do You Use Cryptography? 620
Do You Store Secrets? 621
Do You Use Delegates? 622
Code Access Security 622
Do You Support Partial-Trust Callers? 622
Do You Restrict Access to Public Types and Members? 623
Do You Use Declarative Security Attributes? 624
Do You Call Assert? 624
Do You Use Permission Demands When You Should? 625
Do You Use Link Demands? 625
Do You Use Potentially Dangerous Permissions? 627
Do You Compile With the /unsafe Option? 627
Unmanaged Code 628
ASP.NET Pages and Controls 630
Do You Disable Detailed Error Messages? 630
Do You Disable Tracing? 630
Do You Validate Form Field Input? 631
Are You Vulnerable to XSS Attacks? 632
Do You Validate Query String and Cookie Input? 632
Do You Secure View State? 633
Are Your Global.asax Event Handlers Secure? 633
Do You Provide Adequate Authorization? 634
Web Services 634
Do You Expose Restricted Operations or Data? 635
How Do You Authorize Callers? 635
Do You Constrain Privileged Operations? 635
Do You Use Custom Authentication? 635
Do You Validate All Input? 635
Do You Validate SOAP Headers? 635
Serviced Components 636
Do You Use Assembly Level Metadata? 636
Do You Prevent Anonymous Access? 636
Do You Use a Restricted Impersonation Level? 636
Do You Use Role-Based Security? 637
Do You Use Object Constructor Strings? 638
Do You Audit in the Middle Tier? 638
Remoting 638
Do You Pass Objects as Parameters? 639
Do You Use Custom Authentication and Principal Objects? 639
How Do You Configure Proxy Credentials? 639
Data Access Code 640
Do You Prevent SQL Injection? 640
Do You Use Windows Authentication? 640
Do You Secure Database Connection Strings? 640
How Do You Restrict Unauthorized Code? 641
How Do You Secure Sensitive Data in the Database? 641
Do You Handle ADO.NET Exceptions? 641
Do You Close Database Connections? 642
Summary 642
Additional Resource 642
Chapter 22
In This Chapter 643
Overview 643
Web Server Configuration 644
Patches and Updates 645
Services 645
Protocols 646
Accounts 647
Files and Directories 648
Shares 649
Ports 649
Registry 651
Auditing and Logging 651
IIS Configuration 652
IISLockdown 652
URLScan 652
Sites and Virtual Directories 653
ISAPI Filters 655
IIS Metabase 656
Server Certificates 656
Machine.Config 657
Remoting 668
Port Considerations 668
Hosting in ASP.NET with the HttpChannel 669
Hosting in a Custom Process with the TcpChannel 670
Database Server Configuration 670
Patches and Updates 671
Services 671
Protocols 671
Accounts 672
Files and Directories 673
Shares 673
Ports 674
Registry 674
Auditing and Logging 675
SQL Server Security 675
SQL Server Logins, Users, and Roles 676
SQL Server Database Objects 677
Network Configuration 677
Router 678
Firewall 679
Switch 679
Summary 680
Related Microsoft patterns & practices Guidance 681
Security-Related Web Sites 681
Microsoft Security-Related Web Sites 681
Third-Party, Security-Related Web Sites 682
Microsoft Security Services 682
Partners and Service Providers 682
Communities and Newsgroups 683
Newsgroup Home Pages 683
Patches and Updates 683
Service Packs 683
Alerts and Notification 684
Microsoft Security Notification Services 684
Third Party Security Notification Services 684
Additional Resources 684
Checklists and Assessment Guidelines 684
Common Criteria 685
Reference Hub 685
Security Knowledge in Practice 685
Vulnerabilities 685
World Wide Web Security FAQ 685
Overview 687
Designing Checklist 687
Building Checklists 687
Securing Checklists 688
Assessing Checklist 688
Checklist:
How to Use This Checklist 689
Deployment and Infrastructure Considerations 689
Application Architecture and Design Considerations 690
Input Validation 690
Authentication 690
Authorization 691
Configuration Management 692
Sensitive Data 692
Session Management 692
Cryptography 693
Parameter Manipulation 693
Exception Management 693
Auditing and Logging 694
Checklist
How to Use This Checklist 695
Design Considerations 695
Application Categories Considerations 696
Input Validation 696
Authentication 696
Authorization 697
Configuration Management 697
Sensitive Data 698
Session Management 698
Parameter Manipulation 698
Exception Management 699
Auditing and Logging 699
Configuration File Settings 699
Web Farm Considerations 702
Hosting Multiple Applications 703
ACLs and Permissions 703
Application Bin Directory 704
Checklist
How to Use This Checklist 705
Design Considerations 705
Development Considerations 705
Input Validation 705
Authentication 706
Authorization 706
Sensitive Data 706
Parameter Manipulation 706
Exception Management 707
Auditing and Logging 707
Proxy Considerations 707
Administration Considerations 707
Checklist
How to Use This Checklist 709
Developer Checks 709
Authentication 709
Authorization 709
Configuration Management 710
Sensitive Data 710
Auditing and Logging 710
Deployment Considerations 710
Impersonation 711
Administrator Checklist 711
Checklist
How to Use This Checklist 713
Design Considerations 713
Input Validation 713
Authentication 714
Authorization 714
Configuration Management 714
Sensitive Data 715
Exception Management 715
Auditing and Logging 715
Checklist
How to Use This Checklist 717
SQL Injection Checks 717
Authentication 717
Authorization 718
Configuration Management 718
Sensitive Data 718
Exception Management 719
Deployment Considerations 719
Checklist
How to Use This Checklist 721
Router Considerations 721
Firewall Considerations 722
Switch Considerations 722
Checklist
How to Use This Checklist 723
Patches and Updates 723
IISLockdown 723
Services 723
Protocols 724
Accounts 724
Files and Directories 725
Shares 725
Ports 725
Registry 725
Auditing and Logging 726
Sites and Virtual Directories 726
Script Mappings 726
ISAPI Filters 727
IIS Metabase 727
Server Certificates 727
Machine.config 727
Code Access Security 727
Other Check Points 728
Dos and Don’ts 728
Checklist
How to Use This Checklist 729
Installation Considerations for Production Servers 729
Patches and Updates 729
Services 730
Protocols 730
Accounts 730
Files and Directories 731
Shares 731
Ports 731
Registry 731
Auditing and Logging 732
SQL Server Security 732
SQL Server Logins, Users, and Roles 732
SQL Server Database Objects 733
Additional Considerations 733
Staying Secure 733
Checklist
How to Use This Checklist 735
General Code Review Guidelines 735
Managed Code Review Guidelines 735
Assembly-Level Checks 735
Class-Level Checks 736
Cryptography 736
Secrets 737
Exception Management 737
Delegates 737
Serialization 737
Threading 738
Reflection 738
Unmanaged Code Access 738
Resource Access Considerations 739
File I/O 739
Event Log 739
Registry 739
Environment Variables 740
Code Access Security Considerations 740
How To
Applies To 755
Summary 755
What You Must Know 755
Contents 756
Protect Against SYN Attacks 756
Enable SYN Attack Protection 756
Set SYN Protection Thresholds 757
Set Additional Protections 757
Protect Against ICMP Attacks 759
Protect Against SNMP Attacks 759
AFD.SYS Protections 760
Additional Protections 761
Protect Screened Network Details 761
Avoid Accepting Fragmented Packets 761
Do Not Forward Packets Destined for Multiple Hosts 762
Only Firewalls Forward Packets Between Networks 762
Mask Network Topology Details 762
Pitfalls 763
Additional Resources 763
How To
Applies To 765
Summary 765
Before You Begin 765
Steps to Secure Your Developer Workstation 766
Run Using a Least-Privileged Account 766
Running Privileged Commands 767
More Information 768
Patch and Update 768
Using Windows Update 768
Using MBSA 768
Using Automatic Updates 769
Secure IIS 770
Install and Run IISLockdown 770
Configure URLScan 771
Secure SQL Server and MSDE 772
Apply Patches for Each Instance of SQL Server and MSDE 773
Analyze SQL Server and MSDE Security Configuration 773
Evaluate Your Configuration Categories 774
Stay Secure 775
How To
Use IPSec for Filtering Ports and Authentication 777
Applies To 777
Summary 777
Contents 777
What You Must Know 778
Identify Your Protocol and Port Requirements 778
IPSec Does Not Secure All Communication 778
Firewalls and IPSec 778
Filters, Filter Actions, and Rules 778
Restricting Web Server Communication 779
Summary of What You Just Did 782