Tài liệu Best Practices and Techniques for Building Secure Microsoft® ASP.NET Applications pdf

Session PrerequisitesLevel 200 Familiarity with Microsoft ® Windows ® management tools Familiarity with IIS Management Console C# and ASP.NET coding experience Familiarity with Micro

Best Practices and

Techniques for Building

Secure Microsoft®

ASP.NET Applications

So Why This Presentation?

Web application security is more important than ever

Ensure that security is a consideration in application design

Creating secure Web applications is a series of complex tasks

Promote best techniques for security

Let developers know about new resources available

msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp

What We Will Cover

 Planning for Web application security

 Authentication and authorization

Session Prerequisites

Level 200

Familiarity with Microsoft ® Windows ® management tools

Familiarity with IIS Management Console

C# and ASP.NET coding experience

Familiarity with Microsoft ® Visual Studio ® NET

Basic understanding of Web application security issues

 Configuring IIS for SSL

 Using forms authentication with

Microsoft ® SQL Server™

 Creating a GenericPrincipal object for

roles-based authorization

Before We Start !

SSL IS NOT WEB APPLICATION

SECURITY

Required Reading

Secure Development

 Securing state information

 Securing all tiers

Planning for ASP.NET Web Application Security

Authentication and Authorization

 Authentication / authorization request

flow

Planning for ASP.NET Web Application Security

Authentication and Authorization

 Identify resources exposed to client

 Identify resource for app

 Choose authorization strategy

Planning for ASP.NET Web Application Security

Authentication and Authorization

 Choose Identities Used to Access

Planning for ASP.NET Web Application Security

Authentication and Authorization

 Choosing an authentication approach

Start Users don’t have Windows accounts

or certificates

Interactive Web app?

Use GXA Security Authentication

WS-Use Passport or Forms Authentication

No – Web Service

Yes

Planning for ASP.NET Web Application Security

Authentication and Authorization

 Choosing an authentication approach

Planning for ASP.NET Web Application Security

Secure Communication Strategies

 From client to Web server

application servers

Planning for ASP.NET Web Application Security

Threat Modeling

 An iterative process

Planning for ASP.NET Web Application Security

Specific Threats

applications

Planning for ASP.NET Web Application Security

Specific Threats

 Securing state information

 Securing all tiers

Configuring Security

IIS to Secure Communication

Configuring Web

Application Security

Configure IIS Settings

 Optionally install a Web server

certificate for SSL

 Configure IIS authentication

 Optionally configure client certificate

mapping

 Set NTFS permissions on files and

folders

Demo 1

Configure IIS for SSL

Set Up the SecurityDemo Web Site

Create a Certificate Request Configure IIS for SSL and Certificates

Configuring Web

Application Security

ASP.NET Settings in Web.config

 Securing state information

 Securing all tiers

 Put users in roles

 Create an IPrincipal object

 Put the IPrincipal object into current

HttpContext

 Authorize based on user identity/role

 Securing state information

 Securing all tiers

Storing Secrets

Secret Examples

 Credentials for SQL roles

 Fixed identities in Web.config

 Process identity in Machine.config

 Keys used to store data securely

 SQL Server session state

authentication against a database

Storing Secrets

Storage Methods and Tips

 Install Web application directories on a

separate logical volume from the OS

Secret storage methods for ASP.NET apps

 Data Protection API (DPAPI)

Demonstration 3

Create a Logon Page

and Validate Against

Authenticate a User

 Securing state information

 Securing all tiers

ASP.NET Process Identity

Guidelines

 Configured in <processModel> element

 Always run ASP.NET as a

least-privileged account

 Using the default ASPNET account to

access remote resources

computers

 Securing state information

 Securing all tiers

Flowing Client Identity

 Inherent performance issues

Flowing Client Identity

authorization with role-based checks

context

 Securing state information

 Securing all tiers

Accessing Resources

System Resources and COM Objects

Accessing Resources

Network Resources

 ASP.NET process identity

 Anonymous Internet user account

account through trust boundaries

Accessing Resources

Network Resources

 Original caller using delegation

 Securing state information

 Securing all tiers

Securing State Information

(MAC) checks for pages that use view state

Securing State Information

 Use IPSec or SSL to protect network

traffic between Web server and SQL

state database server

 Securing state information

 Securing all tiers

Web Farm Considerations

Security Implications

 For DPAPI, consider user vs machine

store

 For forms authentication, <machineKey>

must be the same for each computer

 Securing state information

 Securing all tiers

Securing All Tiers

From Code to Network

Session Summary

 Planning for security is part of

designing a Web application

 Threat modeling can help your team

focus resources on security

 Creating a secure Web application is

demanding—Microsoft provides

resources to help you

For More Information…

For More Information…

Training and

Events

MSDN Webcasts, MSDN Online Seminars, Tech·Ed, PDC, Developer Days

How-to Resources

Simple, Step-by-Step Procedures

http://msdn.microsoft.com/howto

MSDN Webcasts

Interactive, Live Online Events

 Interactive, synchronous, live online

events

 Discuss the hottest topics from Microsoft

 Open and free for the general public

http://www.microsoft.com/usa/webcasts

MSDN Subscriptions

The Way to Get Visual Studio NET

Professional

• Tools to build applications

and XML Web services for Windows and the Web

• Enterprise lifecycle tools

• Team development support

• Windows Server 2003 and

Where Can I Get MSDN?

Microsoft Press®

Essential Resources for Developers

Microsoft Visual Studio NET is here!

This is your chance to start building the next big thing Develop your NET skills, increase your productivity with NET books from Microsoft Press

www.microsoft.com/mspress

Become a Microsoft Certified Solution Developer

and develop custom business solutions

competency with Microsoft solution architecture, desktop applications, distributed application

development, and development tools

requirements, exams, and training options, visit www.microsoft.com/mcp

Get this Presentation

www.ManagedCode.com

© 2003 Microsoft Corporation All rights reserved.

This presentation is for informational purposes only Microsoft makes no warranties, express or implied, in this summary.

Microsoft, MSDN, Visual Basic, Windows, Windows NT, JScript, Visual Studio, Visual C#, Active Directory, Win32, and Microsoft Press are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries The names of actual companies and products mentioned herein may be the trademarks of

their respective owners.