
DOCUMENT INFORMATION

Basic information

Title: Developing Secure Web Applications
Publisher: Microsoft Corporation
Field: Information Technology
Type: Course materials
Year published: 2002
Pages: 22
Size: 0.92 MB

Contents

Microsoft Official Curriculum 11
Microsoft Certified Professional Program 12
Facilities 15

Introduction


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Instructor Notes

The Introduction module provides students with an overview of the course content, materials, and logistics for Course 2300, Developing Secure Web Applications.

To teach this course, you need the following materials:

! Delivery Guide

! Trainer Materials compact disc

To prepare for this course, you must complete the Course Preparation Checklist that is included with the trainer course materials.

Presentation:

30 minutes


How to Teach This Module

This section contains information that will help you to teach this module. Welcome students to the course and introduce yourself. Provide a brief overview of your background to establish credibility.

Ask students to introduce themselves and to provide their background, product experience, and expectations of the course

Record student expectations on a white board or flip chart that you can reference later in class

Tell students that everything they will need for this course is provided at their desk

Have students write their names on both sides of the name card

Describe the contents of the student workbook and the Student Materials compact disc

Tell students where they can send comments and feedback on this course. Demonstrate how to open the Web page that is provided on the Student Materials compact disc by double-clicking Autorun.exe or Default.htm in the StudentCD folder on the Trainer Materials compact disc.

Describe the prerequisites for this course. This is an opportunity for you to identify students who may not have the appropriate background or experience to attend this course.

Briefly describe each module and what students will learn. Be careful not to go into too much detail because the course is introduced in detail in Module 1 of Course 2300, Developing Secure Web Applications.

Explain how this course will meet students’ expectations by relating the information that is covered in individual modules to their expectations

Describe any necessary setup information for the course, including course files and classroom configuration. The biggest change from most developer courses is that there is a common database server named Glasgow, which will be used by all of the students. Any Microsoft® SQL Server™ configurations to the database server that need to be completed during class will be done by the instructor in demonstrations.

Describe the lab scenario for the course. Emphasize that there are four Web applications that are built in the labs for this course: two Active Server Pages (ASP) Web applications and two Microsoft ASP.NET Web applications. Also emphasize the fact that some files, such as the CreateAccount Web page in the private folder, will be added to the TailspinToysAdmin Web applications for Lab 9. As a result, there are broken links in the Web site until then.

Explain the Microsoft Official Curriculum (MOC) program and present the list of additional recommended courses.

Refer students to the MOC Web page at http://www.microsoft.com/traincert/training/ for information about curriculum paths.


Inform students about the Microsoft Certified Professional (MCP) program, any certification exams that are related to this course, and the various certification options.

Explain the class hours, extended building hours for labs, parking, restroom location, meals, phones, message posting, and where smoking is or is not allowed.

Let students know if your facility has Internet access that is available for them to use during class breaks.

Also, make sure that the students are aware of the recycling program if one is available.


! Expectations for the course

***************************** ILLEGAL FOR NON - TRAINER USE ******************************


The following materials are included with your kit:

… covered in class, in addition to the hands-on lab exercises.

… contains the Web page that provides you with links to resources pertaining to this course, including additional readings, review and lab answers, lab files, multimedia presentations, and course-related Web sites. To open the Web page, insert the Student Materials compact disc into the CD-ROM drive, and then in the root directory of the compact disc, double-click Autorun.exe or Default.htm.

… instructor, you will have the opportunity to complete an online evaluation near the end of the course.

Note: … .NET is provided for your personal use only.


Prerequisites

This course requires that you meet the following prerequisites:

! Familiarity with N-tier application architecture

! Experience in developing or designing Web applications

! Experience with one of the following programming languages:

• Microsoft Visual Basic®

• C#

• Microsoft Visual Basic .NET


Prerequisites (continued)

! Experience in writing server-side and client-side code by using one or both of the following technologies:

• Active Server Pages (ASP)

! Course 2373, Programming with Microsoft Visual Basic .NET

! Course 2124, Programming with C#


Course Outline

! Module 1: Introduction to Web Security

! Module 2: Planning for Web Application Security

! Module 3: Validating User Input

! Module 4: Internet Information Services Authentication

! Module 5: Securing Web Pages


Module 1, “Introduction to Web Security,” provides an overview of the terms and concepts of, along with the justification for, Web application security. This module includes an introduction to the STRIDE model, which can be used to categorize threats to Web applications. This module also provides an overview of the technologies and best practices that can be used to build a secure solution for Web applications. After completing this module, you will be able to define the basic principles of, and motivations for, Web application security.

Module 2, “Planning for Web Application Security,” explains the steps that are typically involved in the Web application design process, what role security considerations play in each of these steps, and finally, how these steps interrelate. You will examine in more detail the threat analysis step in the design process by identifying Web-accessible assets and the threats that are posed to those assets, and by calculating the risks of those threats being exposed to the assets. After completing this module, you will be able to perform a threat analysis of Web-accessible assets.

Module 3, “Validating User Input,” explains how to manage user input in a secure way. The methods for checking user input, and a discussion of the consequences of not performing those checks, are the focus of this module. After completing this module, you will be able to secure your Web applications by validating user input.

Module 4, “Internet Information Services Authentication,” provides insight into the Web client authentication methods that are supported by IIS and Windows 2000 Server. Initial Web client authentication and the flow of user identities through the Web application are the focus of this module. After completing this module, you will be able to select the best IIS authentication method for a given set of requirements.

Module 5, “Securing Web Pages,” shows how to secure the Web pages in your Web application through the use of ASP and ASP.NET forms-based authentication. After completing this module, you will be able to implement forms-based authentication in both ASP and ASP.NET Web applications.


Course Outline (continued)

! Module 6: Securing File System Data

! Module 7: Securing Microsoft SQL Server

! Module 8: Protecting Communication Privacy and Data Integrity

! Module 9: Encrypting, Hashing, and Signing Data

! Module 10: Testing Web Applications for Security


Module 6, “Securing File System Data,” explains how to protect file system data that is a part of a Web application. The two important security techniques that are covered in this module are using access control lists (ACLs) and using ASP.NET configuration files. After completing this module, you will be able to protect file system data by using the features in Windows 2000 and the Microsoft .NET Framework.

Module 7, “Securing Microsoft SQL Server,” describes how to use SQL Server security features to protect Web application data. After completing this module, you will be able to connect securely to a SQL Server database, and use the SQL Server security model to protect a Web application against SQL injection attacks.
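The following C# example is added here to make concrete the point that Modules 3 and 7 share: user input must be validated, and it must reach SQL Server as a typed parameter rather than as part of the SQL text. It is not code from Course 2300 or its lab files. The Resellers table, its Name and ResellerID columns, and the allowed-character pattern are assumptions. The SqlCommand objects are built without opening a connection, so the example runs offline; System.Data.SqlClient is part of the .NET Framework and is available as a package on modern .NET.

```csharp
// Added example, not part of Course 2300: a string-built query that is open
// to SQL injection next to a parameterized, input-checked replacement.
// Table and column names (Resellers, Name, ResellerID) are assumed.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class ResellerLookup
{
    // Vulnerable: the value is pasted into the SQL text, so a quote in the
    // input ends the literal and the rest of the input becomes SQL.
    public static SqlCommand BuildUnsafe(string resellerName)
    {
        return new SqlCommand(
            "SELECT ResellerID FROM Resellers WHERE Name = '" + resellerName + "'");
    }

    // Allowed shape for a reseller name (assumed for this example): letters,
    // digits, space, period, apostrophe and hyphen, 1 to 50 characters.
    static readonly Regex NamePattern = new Regex(@"^[A-Za-z0-9 .'-]{1,50}$");

    // Hardened: reject anything outside the expected shape up front, then send
    // the value as a typed parameter. The SQL text never changes with the input.
    public static SqlCommand BuildSafe(string resellerName)
    {
        if (resellerName == null || !NamePattern.IsMatch(resellerName))
            throw new ArgumentException("Reseller name contains unexpected characters");

        SqlCommand cmd = new SqlCommand(
            "SELECT ResellerID FROM Resellers WHERE Name = @name");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = resellerName;
        return cmd;
    }

    public static void Main()
    {
        // Constructed attack string: closes the literal and comments out the rest.
        string attack = "x' OR 1=1 --";

        Console.WriteLine("unsafe: " + BuildUnsafe(attack).CommandText);

        SqlCommand safe = BuildSafe("Tailspin Retail");
        Console.WriteLine("safe:   " + safe.CommandText
            + "   [@name = " + safe.Parameters["@name"].Value + "]");

        try
        {
            BuildSafe(attack);
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

The whitelist check is a defence in depth, not the primary control: even a name containing an apostrophe (O'Brien) is safe in BuildSafe because it travels as a parameter value, whereas in BuildUnsafe the same apostrophe would break the query.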

Module 8, “Protecting Communication Privacy and Data Integrity,” begins with an overview of cryptography and digital certificates. The module then explains how you can protect data and communications between the Web browser and the Web server. After completing this module, you will be able to protect the portions of a Web application that require private communications by using Secure Sockets Layer (SSL) security.

Module 9, “Encrypting, Hashing, and Signing Data,” shows you how to strengthen the security of your Web applications by incorporating the programmatic use of cryptography. Depending on your programming platform, you will use one of several cryptographic libraries to add encryption, hashing, and digital signing functionality to your Web application. After completing this module, you will be able to use the CAPICOM cryptographic library and the System.Security.Cryptography namespace to encrypt, hash, and sign data.

Module 10, “Testing Web Applications for Security,” explains how testing the security of a Web application is different from testing features that are not related to security. This module also covers how to create a security test plan and how to implement the plan. After completing this module, you will be able to employ a structured approach to testing for Web application security.


Setup

! Software

" Windows 2000 Server, with SP2

" SQL Server 2000 Developer Edition, with SP2

" Visual Studio .NET, with SP1

! Classroom setup

" One shared database server on Glasgow computer

! Course files

" ASP and ASP.NET exercises in each lab

" Starter and solution code for each lab


The following software will be used in the classroom:

! Windows 2000 Server

! Windows 2000 Server Service Pack (SP) 2

! SQL Server 2000 Developer Edition

! SQL Server 2000 SP 2

! Visual Studio .NET, Enterprise Developer Edition

! Visual Studio .NET SP 1

Each student computer in the classroom has Windows 2000 Server installed as a stand-alone server in a workgroup. You will log on under the user account 2300Student with a password of P@ssw0rd. This user account is in the Administrators and TailspinAdmins groups.

This course uses one shared SQL Server database for all of the students; this database is installed on a separate computer in the classroom. The database server is named Glasgow.


There are files associated with the labs in this course. The lab files are located in the folder install_folder\Labfiles\LabXX on the student computers.

There are two Visual Studio .NET solutions, 2300Labs and 2300Labs.NET, which you will use to access the Web application files for the labs.

There are both ASP and ASP.NET exercises in this course. The ASP files are in the install_folder\Labfiles\LabXX\ASP\Starter folder and the ASP.NET files are in the install_folder\Labfiles\LabXX\ASPXVB\Starter folder.

For the ASP exercises, there are solution files in the install_folder\Labfiles\LabXX\ASP\Solution folder. For the ASP.NET exercises, there are Visual Basic .NET solution files in the install_folder\Labfiles\LabXX\ASPXVB\Solution folder. A C# version of the final lab solution is provided in the install_folder\Labfiles\CSharpLabSolution folder.

The install_folder\Labfiles\database folder contains an SQL script that is used to install a backup of the TailspinToys database.


Lab Scenario

! TailspinToys, TailspinToys.NET

" Internet site to view products and log on

" Extranet site to view order status and change password

! TailspinToysAdmin, TailspinToysAdmin.NET

" Intranet site to create reseller accounts and update order status

! Database "helper" functions

" ASP inc files

" .NET class libraries: Tailspin_ReadDBUtils, Tailspin_WriteDBUtils

In the labs for Course 2300, Developing Secure Web Applications, you will create two Web applications, TailspinToys and TailspinToysAdmin:

! The TailspinToys Web application consists of an Internet Web application that is accessible to all users, and an extranet Web application that is accessible only to Tailspin Toys resellers. The Internet Web application has Web pages where users can view information about the company, view the products that are offered by Tailspin Toys, and log on to the Web application as a reseller. The extranet Web application contains Web pages where resellers can view the status of their orders and change their logon passwords.

! The TailspinToysAdmin Web application is an intranet Web application that is accessible to all employees of Tailspin Toys. However, there are protected Web pages in the intranet Web application that allow only users in the TailspinAdmins group to create new reseller accounts, and to update the status of reseller orders.

There are two versions, an ASP version and an ASP.NET version, of each Web application:

! TailspinToys

! TailspinToys.NET

! TailspinToysAdmin

! TailspinToysAdmin.NET
