Preface

Why We Wrote This Book

This book is not an introduction to security, nor is it a security reference for the Microsoft .NET Framework—for that you have the .NET Framework Software Development Kit (SDK) available from MSDN. This book picks up where the documentation leaves off and presents a scenario-based approach to sharing recommendations and proven techniques. We wanted the book to be as real-world as possible, and as a result it is packed with insight, recommendations, and best practices obtained from field experience, customer experience, and the product teams at Microsoft.

There are many technologies used to build .NET Web applications. To build effective application-level authentication and authorization strategies, you need to understand how to fine-tune the various security features within each product and technology area, and how to make them work together to provide an effective, defense-in-depth security strategy. The focus of the book is on security and identity management across the tiers of distributed ASP.NET applications.

Specifically we have chosen to focus on authentication, authorization, and secure communication. Security is a broad topic but research has shown that early design of authentication and authorization eliminates a high percentage of application vulnerabilities. Secure communication is an integral part of securing your distributed application to protect sensitive data, including credentials, passed to and from your application, and between application tiers.

Who Should Read This Book?

If you are a middleware developer or architect who plans to build, or is currently building, .NET Web applications using one or more of the following technologies, you should read this book.

  • ASP.NET

  • Web Services

  • Enterprise Services

  • Remoting

  • ADO.NET

To most effectively use this book to help you design and build secure .NET Web applications, you should already have some familiarity and experience with .NET development techniques and technologies. You should be familiar with distributed application architecture and if you have already implemented .NET Web application solutions, you should know your own application architecture and deployment pattern.

How You Should Read This Book

The book has been developed to be modular. This allows you to pick and choose which chapters to read. For example, if you are interested in learning about the in-depth security features provided by a specific technology, you can jump straight to Part III of the book (Chapter 8 through Chapter 12), which contains in-depth material covering ASP.NET, Enterprise Services, Web Services, .NET Remoting, and data access.

However, you are encouraged to read the early chapters (Chapter 1 through Chapter 4) in Part I of the book first, because these will help you understand the security model and identify the core technologies and security services at your disposal. Application architects should make sure they read Chapter 3, which provides some key insights into designing an authentication and authorization strategy that spans the tiers of your Web application. Part I will provide you with the foundation materials, which will allow you to extract maximum benefit from the remainder of the book.

The intranet, extranet, and Internet chapters (Chapter 5 through Chapter 7) in Part II of the book will show you how to secure specific application scenarios. If you know the architecture and deployment pattern that is or will be adopted by your application, use this part of the book to understand the security issues involved and the basic configuration steps required to secure specific scenarios.

Finally, additional information and reference material in Part IV of the book will help further your understanding of specific technology areas. It also contains a library of "How To" articles, which enable you to develop working security solutions in the shortest possible time.

Organization of this Book

This book is divided into four parts. The aim is to provide a logical partitioning, which will help you to more easily digest the content.

Part I, Security Models

Part I provides a foundation for the rest of the book. Familiarity with the concepts, principles, and technologies introduced in Part I will enable you to extract maximum value from the remainder of the book. Part I contains the following chapters:

Part II, Application Scenarios

Most applications can be categorized as intranet, extranet, or Internet applications. This part of the book presents a set of common application scenarios, each of which falls into one of the aforementioned categories. The key characteristics of each scenario are described and the potential security threats analyzed.

You are then shown how to configure and implement the most appropriate authentication, authorization, and secure communication strategy for each application scenario. Each scenario also contains sections that include a detailed analysis, common pitfalls to watch out for, and frequently asked questions (FAQ). Part II contains the following chapters:

Part III, Securing the Tiers

This part of the book contains detailed information that relates to the individual tiers and technologies associated with secure .NET-connected Web applications. Part III contains the following chapters:

Within each chapter, a brief overview of the security architecture as it applies to the particular technology in question is presented. Authentication and authorization strategies are discussed for each technology along with configurable security options, programmatic security options, and actionable recommendations of when to use the particular strategy.

Each chapter offers guidance and insight that will allow you to choose and implement the most appropriate authentication, authorization, and secure communication option for each technology. In addition, each chapter presents additional information specific to the particular technology. Finally, each chapter concludes with a concise recommendation summary.

Part IV, Reference

This reference part of the book contains supplementary information to help further your understanding of the techniques, strategies, and security solutions presented in earlier chapters. Detailed How Tos provide step-by-step procedures that enable you to implement specific security solutions. It contains the following information:

System Requirements

This book will help you design and build secure ASP.NET applications for Windows 2000 using the .NET Framework. We targeted version 1 of the .NET Framework (with service pack 2) although the concepts and code will run with the next version of the .NET Framework. The book prepares you for new security features that will be provided with the next version and also for the additional features that will be provided with Windows .NET Server 2003, Microsoft’s next generation Windows server operating system.

To use this book, you need at least one computer running Windows XP Professional or Windows 2000 Server SP3. In addition, you require Visual Studio .NET, the .NET Framework SP2, and SQL Server 2000 SP2.

To implement some of the solutions discussed, you also need a second computer running Windows 2000 Server SP3, Windows 2000 Advanced Server SP3, or Windows 2000 DataCenter Server SP3.

Installing the Sample Files

The sample files can be downloaded from the book’s Web site at http://www.microsoft.com/mspress/books/6501.asp. To download the sample files, click the "Companion Content" link in the More Information menu on the right side of the Web page. This will load the Companion Content page, which includes a link for downloading the sample files.

Building Secure ASP.NET Applications—Online Version

This guide is also available online. To read it online, go to http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp. To download the PDF, go to http://www.microsoft.com/downloads/release.asp?ReleaseID=44047.

Support

Every effort has been made to ensure the accuracy of this book and the companion content. If you have questions or feedback on the content, send e-mail to .
