Vimal Rajyaguru
Security Engineer
Microsoft ACE Security Team
Agenda
ASP.NET Security
IIS Security
Summary
Common attacks
Code injection
Session hijacking
Identity spoofing
Parameter manipulation
Network eavesdropping
ASP.NET Security
Why ASP.NET?
ASP.NET as a Web Platform consists of security as an
in-built mechanism for many of the common
requirements.
ASP.NET Security
Secured by Design
Form Validation
View State Tampering
Input Validation
Secured by Default
Web Configuration
Authentication / Authorization Techniques
Membership Provider
Secured by Deployment
Precompiled Deployment in ASP.NET 2.0
PE Verification
*Use output encoding to effectively defend against cross-site scripting attacks. Use the Microsoft Anti-XSS library
(http://www.microsoft.com/downloads/details.aspx?familyid=efb9c819-53ff-4f82-bfafe11625130c25&displaylang=en) to encode output.
ViewState Protection
ViewState is tamper-proof by default. This is controlled
by the key
<pages enableViewStateMac="true"/>
Forms authentication settings (attributes of the <forms> element):
<forms loginUrl="Login.aspx"
       protection="All"
       timeout="20"
       slidingExpiration="false"
       requireSSL="true" />
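As an added example (not code from the slides), the following Python script audits a web.config for the ViewState and forms-authentication settings discussed above and reports any that differ from the hardened values. The two embedded configs are constructed samples; the defaults assumed for missing attributes (enableViewStateMac true, protection All, requireSSL false, slidingExpiration true, timeout 30 minutes) are ASP.NET's documented defaults.

```python
# Added example (not from the slides): audit the ViewState and forms-authentication
# settings that the deck discusses, as found in a web.config file.
import xml.etree.ElementTree as ET

# Constructed sample: a web.config with the weak settings the audit should flag.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="None" timeout="480"
             slidingExpiration="true" requireSSL="false" />
    </authentication>
  </system.web>
</configuration>
"""

# Constructed sample: the same file with the values shown on the slide.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" timeout="20"
             slidingExpiration="false" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
"""


def _attr(elem, name, default):
    # Config attribute values are compared case-insensitively; a missing
    # element or attribute falls back to the ASP.NET default.
    value = elem.get(name, default) if elem is not None else default
    return value.strip().lower()


def audit_web_config(xml_text, max_timeout_minutes=30):
    """Return a list of findings for the settings covered in the slides.
    An empty list means every checked setting matches the hardened values."""
    root = ET.fromstring(xml_text)
    web = root.find("system.web")
    if web is None:
        return ["no <system.web> section found"]
    findings = []

    # ViewState MAC defaults to on; an explicit "false" makes ViewState tamperable.
    pages = web.find("pages")
    if _attr(pages, "enableViewStateMac", "true") != "true":
        findings.append("enableViewStateMac is disabled: ViewState is not tamper-proof")

    auth = web.find("authentication")
    if auth is not None and _attr(auth, "mode", "windows") == "forms":
        forms = auth.find("forms")
        if _attr(forms, "protection", "all") != "all":
            findings.append("forms protection is not 'All': ticket is not both encrypted and signed")
        if _attr(forms, "requireSSL", "false") != "true":
            findings.append("forms requireSSL is false: auth cookie may be sent over plain HTTP")
        if _attr(forms, "slidingExpiration", "true") != "false":
            findings.append("slidingExpiration is true: ticket lifetime is renewed on every request")
        try:
            timeout = int(_attr(forms, "timeout", "30"))
        except ValueError:
            timeout = None
        if timeout is None or timeout > max_timeout_minutes:
            findings.append(f"forms timeout {timeout} exceeds {max_timeout_minutes} minutes")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_web_config(cfg) or "OK")
```

Run against the weak sample it reports five findings; against the hardened sample it reports none. The timeout threshold is a parameter because the acceptable session length depends on the application.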
Authorization
File authorization
URL authorization
Impersonation
Authentication
Windows
Passport
Forms
Configuring Authentication
Web.config
<configuration>
  <system.web>
    <!-- mode="Windows|Passport|Forms|None" -->
    <authentication mode="Windows" />
  </system.web>
</configuration>
ASP.NET Authorization
File authorization
Typically combined with Windows auth
Uses NTFS permissions to control access to resources based on
caller's Windows identity
URL authorization
Typically combined with forms authentication
Controls access to resources based on caller's Windows,
Passport, or forms identity
Applied in Web.config
<appSettings>
<connectionStrings>
<identity>
<sessionState>
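To show how the URL authorization rules described above combine, here is an added Python example (not the slides' code and not the ASP.NET implementation) that evaluates `<allow>`/`<deny>` rules from a constructed web.config against a request. It follows the documented semantics: rules are checked in order and the first match wins, `<location>` rules are consulted before the root rules (most specific path first), `?` means anonymous users and `*` means everyone, and the implicit machine-level default is allow. The sample config and the user names are constructed.

```python
# Added example (not from the slides): evaluate ASP.NET-style URL authorization
# rules from a web.config against a request, to show how allow/deny rules combine.
import xml.etree.ElementTree as ET

# Constructed sample: anonymous users may reach the login page, everyone else
# must be authenticated, and the Admin folder is limited to the Admins role.
AUTHZ_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
"""


def _split(value):
    # users/roles/verbs attributes are comma-separated lists.
    return [v.strip() for v in value.split(",") if v.strip()] if value else []


def _rules(auth_elem):
    # Each rule is (action, users, roles, verbs), kept in document order.
    if auth_elem is None:
        return []
    return [(r.tag, _split(r.get("users")), _split(r.get("roles")), _split(r.get("verbs")))
            for r in auth_elem if r.tag in ("allow", "deny")]


def load_rules(xml_text):
    """Return (root_rules, {location_path: rules}) from a web.config."""
    root = ET.fromstring(xml_text)
    root_rules = _rules(root.find("system.web/authorization"))
    locations = {}
    for loc in root.findall("location"):
        key = loc.get("path", "").strip("/").lower()
        locations[key] = _rules(loc.find("system.web/authorization"))
    return root_rules, locations


def _matches(rule, user, roles, verb):
    action, users, rule_roles, verbs = rule
    if verbs and verb.upper() not in (v.upper() for v in verbs):
        return False
    anonymous = user is None
    for u in users:
        if u == "*" or (u == "?" and anonymous) or (not anonymous and u.lower() == user.lower()):
            return True
    if not anonymous:
        for r in rule_roles:
            if r == "*" or r.lower() in (x.lower() for x in roles):
                return True
    return False


def is_authorized(xml_text, path, user=None, roles=(), verb="GET"):
    """First matching rule wins; location rules are checked before root rules,
    most specific location first; the implicit default is allow."""
    root_rules, locations = load_rules(xml_text)
    path = path.strip("/").lower()
    applicable = [p for p in locations if path == p or path.startswith(p + "/")]
    applicable.sort(key=len, reverse=True)  # most specific location first
    for loc in applicable:
        for rule in locations[loc]:
            if _matches(rule, user, roles, verb):
                return rule[0] == "allow"
    for rule in root_rules:
        if _matches(rule, user, roles, verb):
            return rule[0] == "allow"
    return True  # machine-level default: <allow users="*"/>


if __name__ == "__main__":
    print(is_authorized(AUTHZ_CONFIG, "/Login.aspx"))                               # anonymous: True
    print(is_authorized(AUTHZ_CONFIG, "/Default.aspx"))                             # anonymous: False
    print(is_authorized(AUTHZ_CONFIG, "/Admin/Users.aspx", "alice", ("Users",)))    # False
    print(is_authorized(AUTHZ_CONFIG, "/Admin/Users.aspx", "bob", ("Admins",)))     # True
```

The trailing `<deny users="*"/>` in the Admin location matters: without it the root rules would be consulted next, and an authenticated non-admin would fall through to the implicit allow.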
IIS Security
Auditing/Request Tracing
Authorization
Authentication
Anonymous
Basic
Digest
SSL/TLS
IP Restrictions
X.509 Certificates
Integrated Windows
Passport (IIS 6)
Forms (IIS 7)
Should traffic be encrypted?
Are calls from this IP address allowed?
Request filtering
A tool like URLScan that filters requests based on rules
such as URL patterns, content lengths, encodings,
HTTP verbs, etc.
Hidden Namespaces/Segments: used to prevent IIS
from serving certain segments of the URL,
e.g. web.config, bin, App_Code, App_Data, etc.
This protects sections of the website that should not be
accessible to users.
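As an added example (not from the slides), the Python script below reads the IIS 7 `<requestFiltering>` section from a constructed web.config and applies its hidden segments, denied URL sequences, verb allow-list and length limits to sample requests, so you can see which requests are rejected before they reach the application. The element and attribute names (`hiddenSegments`, `denyUrlSequences`, `verbs`, `requestLimits`) are the real IIS 7 ones; the evaluation order and the reason strings are this example's own simplification, not IIS's implementation.

```python
# Added example (not from the slides): apply IIS 7 requestFiltering rules from a
# constructed config to sample requests, to show what hidden segments, verb and
# length limits block before the request reaches the application.
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# Constructed sample: hidden segments, a denied URL sequence, an allow-list of
# verbs, and length limits.
FILTER_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="bin" />
          <add segment="App_Code" />
          <add segment="App_Data" />
          <add segment="web.config" />
        </hiddenSegments>
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
        <requestLimits maxUrl="260" maxQueryString="512" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""


def load_filters(xml_text):
    """Extract the request filtering rules into a plain dict."""
    rf = ET.fromstring(xml_text).find("system.webServer/security/requestFiltering")
    verbs_elem = rf.find("verbs")
    limits = rf.find("requestLimits")
    verb_adds = verbs_elem.findall("add") if verbs_elem is not None else []
    return {
        "hidden": {e.get("segment").lower() for e in rf.findall("hiddenSegments/add")},
        "deny_seq": [e.get("sequence").lower() for e in rf.findall("denyUrlSequences/add")],
        "allow_unlisted": verbs_elem is None or verbs_elem.get("allowUnlisted", "true").lower() == "true",
        "verbs": {e.get("verb").upper(): e.get("allowed", "true").lower() == "true" for e in verb_adds},
        "max_url": int(limits.get("maxUrl", "4096")) if limits is not None else 4096,
        "max_qs": int(limits.get("maxQueryString", "2048")) if limits is not None else 2048,
    }


def filter_request(filters, verb, raw_url):
    """Return None if the request passes, else a short reason string.
    Checks run in the order: length limits, verb, denied sequences, hidden segments."""
    parts = urlsplit(raw_url)
    path, query = parts.path, parts.query
    if len(path) > filters["max_url"]:
        return "url too long"
    if len(query) > filters["max_qs"]:
        return "query string too long"
    allowed = filters["verbs"].get(verb.upper())
    if allowed is False or (allowed is None and not filters["allow_unlisted"]):
        return "verb not allowed"
    decoded = unquote(path).lower()  # compare after percent-decoding, as the server does
    for seq in filters["deny_seq"]:
        if seq in decoded:
            return "denied url sequence"
    for segment in decoded.split("/"):
        if segment in filters["hidden"]:
            return "hidden segment"
    return None


if __name__ == "__main__":
    f = load_filters(FILTER_CONFIG)
    for verb, url in [("GET", "/Default.aspx?id=5"), ("GET", "/App_Data/users.mdb"),
                      ("GET", "/web.config"), ("TRACE", "/Default.aspx")]:
        print(verb, url, "->", filter_request(f, verb, url) or "passes")
```

Hidden segments are matched per path segment after decoding, so a request for `/App_Data/users.mdb` is rejected while `/data/App_Data.txt` is not; that is the intended behaviour, since the rule protects directories and files, not substrings.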
Summary
ASP.NET provides a large number of security features to
enable developers to write secure code.
Familiarize yourself with the security features offered by the
framework.
Use these features wisely according to your needs.
Resources
Security Developer Center:
http://msdn.microsoft.com/security
Threats & Countermeasures:
http://msdn2.microsoft.com/en-us/library/ms994921.aspx
Building Secure ASP.NET Applications
http://msdn2.microsoft.com/en-us/library/Aa302415.aspx
http://www.iis.net
http://blogs.msdn.com/ace_team/
Contact
vimalr@microsoft.com
SDL-IT@microsoft.com
Questions?
Email: vimalr@microsoft.com
Blog: http://blogs.msdn.com/ace_team