
Developing Secure Web Applications


Document information

Pages: 12

Size: 182.54 KB


Page 1

Part Number: X08-91681

Course Number: 2300A

Released: 06/2002

Delivery Guide

Developing Secure Web Applications

Page 2

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Page 3

Contents

Introduction

Course Materials 2

Prerequisites 3

Course Outline 5

Setup 7

Lab Scenario 9

Microsoft Official Curriculum 11

Microsoft Certified Professional Program 12

Facilities 15

Module 1: Introduction to Web Security

Overview 1

Lesson: Why Build Secure Web Applications? 2

Lesson: Using the STRIDE Model to Determine Threats 17

Lesson: Implementing Security: An Overview 26

Review 38

Module 2: Planning for Web Application Security

Overview 1

Lesson: A Design Process for Building Secure Web Applications 2

Review 22

Module 3: Validating User Input

Overview 1

Lesson: User Input 2

Lesson: Types of User Input Attacks 8

Lesson: Performing Validation 23

Lesson: Revealing As Little Information As Possible to Users 38

Review 46

Lab 3: Verifying User Input 48

Module 4: Internet Information Services Authentication

Overview 1

Lesson: Introduction to Web Client Authentication 3

Lesson: Configuring Access Permissions for a Web Server 16

Lesson: Selecting a Secure Client Authentication Method 25

Lesson: Running Services As an Authenticated User 45

Review 54

Lab 4: Authentication and Access Control 56

Module 5: Securing Web Pages

Overview 1

Lesson: ASP Forms-Based Authentication 2

Lesson: .NET Code Access and Role-Based Security 9

Lesson: Overview of ASP.NET Authentication Methods 16

Lesson: Working with Windows-Based Authentication in ASP.NET 30

Lesson: Working with ASP.NET Forms-Based Authentication 37

Review 55

Lab 5: Securing Web Pages 57

Page 4

Module 6: Securing File System Data

Overview 1

Lesson: Overview of Securing Files 2

Lesson: Windows Access Control 6

Lesson: Creating ACLs Programmatically 19

Lesson: Protecting ASP.NET Web Application Files 27

Review 38

Lab 6: Securing Files with ACLs 39

Module 7: Securing Microsoft SQL Server

Overview 1

Lesson: SQL Server Connections and Security 2

Lesson: SQL Server Role-Based Security 15

Lesson: Securing SQL Server Communication 32

Lesson: Preventing SQL Injection Attacks 36

Review 46

Lab 7: Securing Microsoft SQL Server Data 48

Module 8: Protecting Communication Privacy and Data Integrity

Overview 1

Lesson: Introduction to Cryptography 3

Lesson: Working with Digital Certificates 15

Lab 8.1: Obtaining a Server Certificate 35

Lesson: Using the Secure Sockets Layer/Transport Layer Security Protocols 39

Lesson: Using Internet Protocol Security 58

Review 63

Lab 8.2: Protecting Communication Privacy and Data Integrity 65

Course Evaluation 76

Module 9: Encrypting, Hashing, and Signing Data

Overview 1

Lesson: Encryption and Digital Signing Libraries 2

Lesson: Using CAPICOM 9

Lesson: Using the System.Security.Cryptography Namespace to Hash Data 21

Lab 9: Hashing Data 26

Lesson: Using the System.Security.Cryptography Namespace to Encrypt and Sign Data 42

Review 62

Module 10: Testing Web Applications for Security

Overview 1

Lesson: Testing Security in a Web Application 2

Lesson: Creating a Security Test Plan 7

Lesson: Performing Security Testing 17

Review 20

Lab 10: Test Cases for Security Testing 22

Course Evaluation 31

Appendix: Isolated Storage

Page 5

About This Course

This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Description

This course teaches developers the knowledge and skills that are required to build Web applications by using secure coding techniques and the security mechanisms that are provided in Microsoft® Windows® 2000, Internet Information Services (IIS), and Microsoft SQL Server™ 2000. Students will learn how to identify Web application security vulnerabilities and choose the appropriate security methods to protect against these vulnerabilities. Students will also get hands-on experience in creating secure Web applications by using Active Server Pages (ASP) and Microsoft ASP.NET.

Audience

This course is intended for individuals who are responsible for the design and development of Web applications. These individuals typically have three to five years of experience in developing or designing distributed Web applications. Actual job roles and titles will vary throughout the technology industry, and may include, but may not be limited to, Web developers and solutions architects.

Student prerequisites

This course requires that students meet the following prerequisites:

! Familiarity with N-tier application architecture

! Experience in developing or designing Web applications

! Experience with one of the following programming languages:

• Microsoft Visual Basic®

• C#

• Microsoft Visual Basic .NET

! Experience in writing server-side and client-side scripts by using one or both of the following technologies:

• ASP

• ASP.NET

! Familiarity with both of the following Microsoft products and technologies is recommended:

• SQL Server 2000

• IIS

Page 6

Course objectives

After completing this course, students will be able to:

! Define the basic principles of, and motivations for, Web security

! Perform a threat analysis on Web-accessible assets

! Secure their Web applications by validating user input

! Select the best IIS authentication method for a given set of requirements

! Implement forms-based authentication in both ASP and ASP.NET Web applications

! Protect file system data by using the features that are available in Windows 2000

! Use the SQL Server security model and Microsoft ADO.NET to protect a Web application against attacks

! Protect the portions of a Web application that require private communications by using Secure Sockets Layer (SSL) security

! Use the CAPICOM cryptographic library and the System.Security.Cryptography namespace to encrypt, hash, and sign data

! Employ a structured approach to testing for Web application security

Page 7

Course Timing

The following schedule is an estimate of the course timing. Your timing may vary.

Day 1

Start   End     Module
8:30    9:00    Introduction
9:00    10:15   Module 1: Introduction to Web Security
10:15   10:30   Break
10:30   11:30   Module 2: Planning for Web Application Security
11:30   12:30   Lunch
12:30   2:00    Module 3: Validating User Input
2:00    2:15    Break
2:15    2:45    Lab 3: Verifying User Input
2:45    4:00    Module 4: Internet Information Services Authentication
4:00    4:15    Break
4:15    4:45    Lab 4: Authentication and Access Control

Day 2

Start   End     Module
8:30    8:45    Day 1 review
8:45    10:00   Module 5: Securing Web Pages
10:00   10:30   Lab 5: Securing Web Pages
10:30   10:45   Break
10:45   12:15   Module 6: Securing File System Data
12:15   1:15    Lunch
1:15    1:45    Lab 6: Securing Files with ACLs
1:45    3:00    Module 7: Securing Microsoft SQL Server
3:00    3:15    Break
3:15    3:45    Lab 7: Securing Microsoft SQL Server Data

Page 8

Day 3

Start   End     Module
8:30    8:45    Day 2 review
8:45    9:45    Module 8: Protecting Communication Privacy and Data Integrity
9:45    10:00   Lab 8.1: Obtaining a Server Certificate
10:00   11:00   Module 8: Protecting Communication Privacy and Data Integrity (continued)
11:00   11:15   Lab 8.2: Protecting Communication Privacy and Data Integrity
11:15   11:30   Break
11:30   12:45   Module 9: Encrypting, Hashing, and Signing Data
12:45   1:45    Lunch
1:45    2:45    Lab 9: Hashing Data
2:45    3:00    Break
3:00    3:45    Module 10: Testing Web Applications for Security
3:45    4:15    Lab 10: Test Cases for Security Testing

Page 9

Trainer Materials Compact Disc Contents

The Trainer Materials compact disc contains the following files and folders (only the description column of this table survives in the preview; the file and folder names are not recoverable):

• ... or when you double-click the Autorun.exe file, this file opens the compact disc and allows you to browse the Student Materials or Trainer Materials compact disc.

• This file opens Autorun.exe.

• ... the Trainer Materials compact disc and its contents and how to open the Trainer Materials Web page.

• ... the steps for manually setting up the classroom computers.

• ... used in this course.

• ... can be used to display the PowerPoint slides if Microsoft PowerPoint 2002 is not available. Do not use this version in the classroom.

• ... software to computers in a classroom setting.

• ... links to resources pertaining to this course, including additional reading, review and lab answers, lab files, multimedia presentations, and course-related Web sites.

• ... the instructor computer.

• ... Web page. To open the Web page, open Windows Explorer, and in the root directory of the compact disc, double-click Default.htm or Autorun.exe.

Page 10

Student Materials Compact Disc Contents

The Student Materials compact disc contains the following files and folders (only the description column of this table survives in the preview; the file and folder names are not recoverable):

• ... when you double-click the Autorun.exe file, this file opens the compact disc and allows you to browse the Student Materials compact disc.

• This file opens Autorun.exe.

• ... you with resources pertaining to this course, including additional reading, review and lab answers, lab files, multimedia presentations, and course-related Web sites.

• ... the Student Materials compact disc and its contents and how to open the Student Materials Web page.

• ... a description of classroom requirements, classroom setup instructions, and the classroom configuration.

• ... browser plug-in.

• ... Word documents that are included with this course.

• ... files may be used to prepare the student computers for the hands-on labs.

• ... for this course.

• ... Windows Media™ Player.

• ... Web page. To open the Web page, open Windows Explorer, and in the root directory of the compact disc, double-click Default.htm or Autorun.exe.

• ... view any Word document (.doc) files that are included on the compact disc.

Page 11

Document Conventions

The following conventions are used in course materials to distinguish elements of the text.

Convention       Use

Bold             Represents commands, command options, and syntax that must be typed exactly as shown. It also indicates commands on menus and buttons, dialog box titles and options, and icon and menu names.

Italic           In syntax statements or descriptive text, indicates argument names or placeholders for variable information. Italic is also used for introducing new terms, for book titles, and for emphasis in the text.

Title Capitals   Indicate domain names, user names, computer names, directory names, and folder and file names, except when specifically referring to case-sensitive names. Unless otherwise indicated, you can use lowercase letters when you type a directory name or file name in a dialog box or at a command prompt.

(symbol not recoverable)   Key combinations — for example, ALT+SPACEBAR.

[ ]              In syntax statements, enclose optional items. For example, [filename] in command syntax indicates that you can choose to type a file name with the command. Type only the information within the brackets, not the brackets themselves.

{ }              In syntax statements, enclose required items. Type only the information within the braces, not the braces themselves.

|                In syntax statements, separates an either/or choice.

!                Indicates a procedure with sequential steps.

(symbol not recoverable)   In syntax statements, specifies that the preceding item may be repeated.

(symbol not recoverable)   Represents an omitted portion of a code sample.

Page 12

THIS PAGE INTENTIONALLY LEFT BLANK

Posted: 06/07/2014, 06:57