Home Page Icon
Home Page
Table of Contents for
Index
Close
Index
by Microsoft Corporation
Building Secure Microsoft® ASP.NET Applications
Building Secure Microsoft ASP.NET Applications: Authentication, Authorization, and Secure Communication
A Note Regarding Supplemental Files
Acknowledgements
Preface
Why We Wrote This Book
Who Should Read This Book?
How You Should Read This Book
Organization of this Book
Part I, Security Models
Part II, Application Scenarios
Part III, Securing the Tiers
Part IV, Reference
System Requirements
Installing the Sample Files
Building Secure ASP.NET Applications—Online Version
Support
1. Introduction
The Connected Landscape
The Foundations
Authentication
Authorization
Secure Communication
Tying the Technologies Together
Design Principles
Summary
2. Security Model for ASP.NET Applications
.NET Web Applications
Logical Tiers
Physical Deployment Models
The Web Server as an Application Server
Remote Application Tier
Implementation Technologies
Security Architecture
Security Across the Tiers
Authentication
ASP.NET Authentication Modes
More Information
Enterprise Services Authentication
More Information
SQL Server Authentication
More Information
Authorization
ASP.NET Authorization Options
More Information
Enterprise Services Authorization
More Information
SQL Server Authorization
More Information
Gatekeepers and Gates
Introducing .NET Framework Security
Code Access Security
Evidence and Security Policy
CAS and ASP.NET Web Applications
Principals and Identities
The IPrincipal and IIdentity Interfaces
WindowsPrincipal and WindowsIdentity
GenericPrincipal and Associated Identity Objects
ASP.NET and HttpContext.User
ASP.NET Identities
More Information
Remoting and Web Services
Summary
3. Authentication and Authorization Design
Designing an Authentication and Authorization Strategy
Identify Resources
Choose an Authorization Strategy
More Information
Choose the Identities Used for Resource Access
Consider Identity Flow
Choose an Authentication Approach
More Information
Decide How to Flow Identity
More Information
Authorization Approaches
Role Based Authorization
Resource Based Authorization
Resource Access Models
The Trusted Subsystem Model
Fixed Identities
Using Multiple Trusted Identities
The Impersonation / Delegation Model
Choosing a Resource Access Model
Advantage of the Impersonation / Delegation Model
Disadvantages of the Impersonation / Delegation Model
Advantages of the Trusted Subsystem Model
Disadvantages of the Trusted Subsystem Model
Flowing Identity
Application vs. Operating System Identity Flow
Impersonation and Delegation
Impersonation
Delegation
Role-Based Authorization
.NET Roles
.NET Roles with Windows Authentication
.NET Roles with non-Windows Authentication
Custom IPrincipal Objects
More Information
Enterprise Services (COM+) Roles
SQL Server User Defined Database Roles
SQL Server Application Roles
More Information
.NET Roles versus Enterprise Services (COM+) Roles
Using .NET Roles
More Information
Checking Role Membership
Role Checking Examples
Choosing an Authentication Mechanism
Internet Scenarios
Forms / Passport Comparison
Advantages of Forms Authentication
Advantages of Passport Authentication
More Information
Intranet / Extranet Scenarios
Authentication Mechanism Comparison
Summary
4. Secure Communication
Know What to Secure
SSL/TLS
Using SSL
IPSec
Using IPSec
RPC Encryption
Using RPC Encryption
More Information
Point to Point Security
Browser to Web Server
Web Server to Remote Application Server
Application Server to Database Server
Using SSL to SQL Server
More Information
Choosing Between IPSec and SSL
Farming and Load Balancing
More Information
Summary
5. Intranet Security
ASP.NET to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring IIS
Configuring ASP.NET
Configuring SQL Server
Configuring Secure Communication
Analysis
Q&A
Related Scenarios
Non-Internet Explorer Browsers
SQL Authentication to the Database
Flowing the Original Caller to the Database
ASP.NET to Enterprise Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring IIS
Configuring ASP.NET
Configuring Enterprise Services
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
ASP.NET to Web Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring the Web Server (that Hosts the Web Application)
Configuring the Application Server (that Hosts the Web Service)
Configure SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Q&A
Related Scenarios
ASP.NET to Remoting to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring the Web Server
Configure the Application Server
Configure SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
Flowing the Original Caller to the Database
ASP.NET to SQL Server
Using Basic Authentication at the Web Server
Using Integrated Windows Authentication at the Web Server
ASP.NET to Enterprise Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Analysis
Pitfalls
Summary
6. Extranet Security
Exposing a Web Service
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring the Partner Application
Configuring the Extranet Web Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Q&A
Related Scenarios
More Information
Exposing a Web Application
Scenario Characteristics
Secure the Scenario
The Result
Configuring the Extranet Web Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
No Connectivity from Extranet to Corporate Network
More Information
Summary
7. Internet Security
ASP.NET to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configure the Web Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
Forms Authentication against Active Directory
More Information
.NET Roles for Authorization
More Information
Using a Domain Anonymous Account at the Web Server
More Information
ASP.NET to Remote Enterprise Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configure the Web Server
Configure the Application Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
Forms Authentication Against Active Directory
More Information
Using DCOM
More Information
Using .NET Remoting
More Information
Summary
8. ASP.NET Security
ASP.NET Security Architecture
Gatekeepers
IIS
ASP.NET
UrlAuthorizationModule
FileAuthorizationModule
Principal Permission Demands and Explicit Role Checks
More Information
Authentication and Authorization Strategies
Available Authorization Options
Windows Authentication with Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication without Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication Using a Fixed Identity
When to Use
Forms Authentication
Configurable Security
Programmatic Security
When to Use
More Information
Passport Authentication
When to Use
Configuring Security
Configure IIS Settings
Configure ASP.NET Settings
URL Authorization Notes
URL Authorization Examples
Secure Resources
Locking Configuration Settings
Preventing Files from Being Downloaded
Secure Communication
More information
Programming Security
An Authorization Pattern
Retrieve Credentials
Validate Credentials
Put Users in Roles
Create an IPrincipal Object
Put the IPrincipal Object into the Current HTTP Context
Authorize Based on the User Identity and/or Role Membership
More Information
Creating a Custom IPrincipal class
More Information
Windows Authentication
Identifying the Authenticated User
Forms Authentication
Development Steps for Forms Authentication
Configure IIS for Anonymous Access
Configure ASP.NET for Forms Authentication
Create a Logon Web Form and Validate the Supplied Credentials
More Information
Retrieve a Role List from the Custom Data Store
Create a Forms Authentication Ticket
Create an IPrincipal Object
Put the IPrincipal Object into the Current HTTP Context
Authorize the User Based on User Name or Role Membership
Forms Implementation Guidelines
More Information
Hosting Multiple Applications Using Forms Authentication
More Information
Cookieless Forms Authentication
More Information
Passport Authentication
Configure ASP.NET for Passport authentication
Map a Passport Identity into Roles in Global.asax
Test Role Membership
Custom Authentication
More Information
Process Identity for ASP.NET
Use a Least Privileged Account
Avoid Running as SYSTEM
More Information
Domain Controllers and the ASP.NET Process Account
Using the Default ASPNET Account
The <processModel> Element
Storing Encrypted <processModel> Credentials
More Information
Impersonation
Impersonation and Local Resources
Impersonation and Remote Resources
More Information
Impersonation and Threading
Accessing System Resources
Accessing the Event Log
Accessing the Registry
More Information
Accessing COM Objects
Apartment Model Objects
The AspCompat Directive is Required
More Information
Don’t Create COM Objects Outside of Specific Page Events
More Information
C# and VB .NET Objects in COM+
Accessing Network Resources
Using the ASP.NET Process Identity
More Information
Using a Serviced Component
Using the Anonymous Internet User Account
Hosting Multiple Web Applications
Using LogonUser and Impersonating a Specific Windows Identity
Using the Original Caller
More Information
Accessing Files on a UNC File Share
Accessing Non-Windows Network Resources
Secure Communication
More Information
Storing Secrets
Options for Storing Secrets in ASP.NET
More Information
Consider Storing Secrets in Files on Separate Logical Volumes
Securing Session and View State
Securing View State
Securing Cookies
Securing SQL Session State
Securing the Database Connection String
Securing Session State Across the Network
More Information
Web Farm Considerations
Session State
DPAPI
More Information
Using Forms Authentication in a Web Farm
The <machineKey> Element
The validationKey Attribute
The decryptionKey Attribute
The Validation Attribute
More Information
Summary
9. Enterprise Services Security
Security Architecture
Gatekeepers and Gates
Use Server Applications for Increased Security
Security for Server and Library Applications
Assign Roles to Classes, Interfaces, or Methods
Code Access Security Requirements
Configuring Security
Configuring a Server Application
Development Time vs. Deployment Time Configuration
Configure Authentication
Configure Authorization (Component-Level Access Checks)
Create and Assign Roles
Adding Roles to an Application
Adding Roles to a Component (Class)
Adding Roles to an Interface
Adding Roles to a Method
Register Serviced Components
Populate Roles
Use Windows Groups
More Information
Configure Identity
More Information
Configuring an ASP.NET Client Application
Configure Authentication
More Information
Configure Impersonation
More Information
Configuring Impersonation Levels for an Enterprise Services Application
Programming Security
Programmatic Role-Based Security
Identifying Callers
Choosing a Process Identity
Avoid Running as the Interactive User
Use a Least-Privileged Custom Account
Accessing Network Resources
Using the Original Caller
More Information
Using the Current Process Identity
Using a Specific Service Account
Flowing the Original Caller
Calling CoImpersonateClient
More Information
RPC Encryption
More Information
Building Serviced Components
DLL Locking Problems
Versioning
More Information
QueryInterface Exceptions
DCOM and Firewalls
More Information
Calling Serviced Components from ASP.NET
Caller’s Identity
Use Windows Authentication and Impersonation Within the Web-based Application
Configure Authentication and Impersonation within Machine.config
Configuring Interface Proxies
More Information
Security Concepts
Enterprise Services (COM+) Roles and .NET Roles
Authentication
Authentication Level Promotion
Authentication Level Negotiation
More Information
Impersonation
Cloaking
More Information
Summary
10. Web Services Security
Web Service Security Model
Platform/Transport Level (Point-to-Point) Security
When to Use
Application Level Security
When to Use
Message Level (End-to-End) Security
When to Use
The Web Services Development Kit
More Information
Platform/Transport Security Architecture
Gatekeepers
More Information
Authentication and Authorization Strategies
Windows Authentication with Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication without Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication Using a Fixed Identity
When to Use
More Information
Configuring Security
Configure IIS Settings
Configure ASP.NET Settings
More Information
Secure Resources
Disable HTTP-GET, HTTP-POST
More Information
Secure Communication
More information
Passing Credentials for Authentication to Web Services
Specifying Client Credentials for Windows Authentication
Using DefaultCredentials
Using Specific Credentials
Request a Specific Authentication Type
Set the PreAuthenticate Property
Using the ConnectionGroupName Property
Calling Web Services from Non-Windows Clients
Proxy Server Authentication
Flowing the Original Caller
Default Credentials with Kerberos Delegation
Configuring the Web Server
Configuring the Remote Application Server
More Information
Explicit Credentials with Basic or Forms Authentication
Basic Authentication
Forms Authentication
Configuring the Web Server
Configuring the Application Server
Trusted Subsystem
Flowing the Caller’s Identity
Configuration Steps
Configuring the Web Server
Configuring the Application Server
Accessing System Resources
Accessing Network Resources
Accessing COM Objects
More Information
Using Client Certificates with Web Services
Authenticating Web Browser Clients with Certificates
Using the Trusted Subsystem Model
Solution Implementation
Why Use an Additional Process?
More Information
Secure Communication
Transport Level Options
Message Level Options
More Information
Summary
11. .NET Remoting Security
.NET Remoting Architecture
Remoting Sinks
Transport Channel Sinks
Comparing Transport Channel Sinks
Custom Sinks
Formatter Sinks
Anatomy of a Request When Hosting in ASP.NET
ASP.NET and the HTTP Channel
More Information
.NET Remoting Gatekeepers
Authentication
Hosting in ASP.NET
Hosting in a Windows Service
Custom Authentication
More Information
Authorization
Using File Authorization
More Information
Authentication and Authorization Strategies
More Information
Accessing System Resources
Accessing Network Resources
Passing Credentials for Authentication to Remote Objects
Specifying Client Credentials
Using DefaultCredentials
Explicit Configuration
Programmatic Configuration
Using Specific Credentials
Request a Specific Authentication Type
Set the preauthenticate Property
Using the connectiongroupname Property
Flowing the Original Caller
Default Credentials with Kerberos Delegation
Configuring the Web Server
Configuring the Remote Application Server
More Information
Explicit Credentials with Basic or Forms Authentication
Basic Authentication
Forms Authentication
Configuring the Web Server
Configuring the Application Server
Trusted Subsystem
Flowing the Caller’s Identity
Choosing a Host
Configuration Steps
Configuring the Web Server
Configuring the Application Server
Using a Windows Service Host
Secure Communication
Platform Level Options
Message Level Options
More Information
Choosing a Host Process
Recommendation
Hosting in ASP.NET
Advantages
Disadvantages
Hosting in a Windows Service
Advantages
Disadvantages
Hosting in a Console Application
Advantages
Disadvantages
Remoting vs. Web Services
Summary
12. Data Access Security
Introducing Data Access Security
SQL Server Gatekeepers
Trusted Subsystem vs. Impersonation/Delegation
Authentication
Windows Authentication
More Information
Using Windows Authentication
Recommendation
Using the ASP.NET Process Identity
Use Mirrored ASPNET Local Accounts
Use Mirrored, Custom Local Accounts
Use a Custom Domain Account
Implementing Mirrored ASPNET Process Identity
Connecting to SQL Server Using Windows Authentication
Using Fixed Identities within ASP.NET
Using Serviced Components
Calling LogonUser and Impersonating a Specific Windows Identity
Using the Original Caller’s Identity
Using the Anonymous Internet User Account
More Information
When Can’t You Use Windows Authentication?
SQL Authentication
Connection String Types
More Information
Choosing a SQL Account for Your Connections
Passing Credentials over the Network
Securing SQL Connection Strings
Authenticating Against Non-SQL Server Databases
Authorization
Using Multiple Database Roles
Secure Communication
The Options
Choosing an Approach
More Information
Connecting with Least Privilege
The Database Trusts the Application
The Database Trusts Different Roles
The Database Trusts the Original Caller
Creating a Least Privilege Database Account
Storing Database Connection Strings Securely
The Options
Using DPAPI
Why Not LSA?
Machine Store vs. User Store
DPAPI Implementation Solutions
Using DPAPI from Enterprise Services
Using DPAPI Directly from ASP.NET
More Information
Using Web.config and Machine.config
Using UDL Files
ACL Granularity
More Information
Using Custom Text Files
Using the Registry
More Information
Using the COM+ Catalog
More Information
Authenticating Users against a Database
Store One-way Password Hashes (with Salt)
Creating a Salt Value
Creating a Hash Value (with Salt)
More Information
SQL Injection Attacks
The Problem
Anatomy of a SQL Script Injection Attack
The Solution
Additional Best Practices
Protecting Pattern Matching Statements
Auditing
Process Identity for SQL Server
Summary
13. Troubleshooting Security Issues
Process for Troubleshooting
Searching for Implementation Solutions
Troubleshooting Authentication Issues
IIS Authentication Issues
Using Windows Authentication
Using Forms Authentication
Kerberos Troubleshooting
Troubleshooting Authorization Issues
Check Windows ACLs
Check Identity
More Information
Check the <authorization> Element
ASP.NET
Enable Tracing
More Information
Configuration Settings
Determining Identity
Determining Identity in a Web Page
Determining Identity in a Web service
More Information
Determining Identity in a Visual Basic 6 COM Object
.NET Remoting
More Information
SSL
More Information
IPSec
Auditing and Logging
Windows Security Logs
More Information
SQL Server Auditing
Sample Log Entries
IIS Logging
Troubleshooting Tools
File Monitor (FileMon.exe)
More Information
Fusion Log Viewer (Fuslogvw.exe)
ISQL.exe
Connecting Using SQL Authentication
Connecting Using Windows Authentication
Running a Simple Query
Windows Task Manager
Network Monitor (NetMon.exe)
More Information
Registry Monitor (regmon.exe)
WFetch.exe
More Information
Visual Studio .NET Tools
More Information
WebServiceStudio
Windows 2000 Resource Kit
Index of How Tos
ASP.NET
Authentication and Authorization
Cryptography
Enterprise Services Security
Web Services Security
Remoting Security
Secure Communication
How To: Create a Custom Account to Run ASP.NET
ASP.NET Worker Process Identity
Impersonating Fixed Identities
Notes
Summary
1. Create a New Local Account
2. Assign Minimum Privileges
3. Assign NTFS Permissions
4. Configure ASP.NET to Run Using the New Account
How To: Use Forms Authentication with Active Directory
Requirements
Summary
1. Create a Web Application with a Logon Page
2. Configure the Web Application for Forms Authentication
3. Develop LDAP Authentication Code to Look Up the User in Active Directory
4. Develop LDAP Group Retrieval Code to Look Up the User’s Group Membership
5. Authenticate the User and Create a Forms Authentication Ticket
6. Implement an Authentication Request Handler to Construct a GenericPrincipal Object
7. Test the Application
How To: Use Forms Authentication with SQL Server 2000
Requirements
Summary
1. Create a Web Application with a Logon Page
2. Configure the Web Application for Forms Authentication
3. Develop Functions to Generate a Hash and Salt value
4. Create a User Account Database
5. Use ADO.NET to Store Account Details in the Database
6. Authenticate User Credentials Against the Database
7. Test the Application
Additional Resources
How To: Create GenericPrincipal Objects with Forms Authentication
Requirements
Summary
1. Create a Web Application with a Logon Page
2. Configure the Web Application for Forms Authentication
3. Generate an Authentication Ticket for Authenticated Users
4. Construct GenericPrincipal and FormsIdentity Objects
5. Test the Application
Additional Resources
How To: Implement Kerberos Delegation for Windows 2000
Notes
Requirements
Summary
1. Confirm that the Client Account is Configured for Delegation
2. Confirm that the Server Process Account is Trusted for Delegation
References
How To: Implement IPrincipal
Requirements
Summary
1. Create a Simple Web Application
2. Configure the Web Application for Forms Authentication
3. Generate an Authentication Ticket for Authenticated Users
4. Create a Class that Implements and Extends IPrincipal
5. Create the CustomPrincipal Object
5. Test the Application
Additional Resources
How To: Create a DPAPI Library
Notes
Requirements
Summary
1. Create a C# Class Library
2. Strong Name the Assembly (Optional)
References
How To: Use DPAPI (Machine Store) from ASP.NET
Notes
Requirements
Summary
1. Create an ASP.NET Client Web Application
2. Test the Application
3. Modify the Web Application to Read an Encrypted Connection String from Web.Config
References
How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
Notes
Why Use Enterprise Services?
Why Use a Windows Service?
Requirements
Summary
1. Create a Serviced Component that Provides Encrypt and Decrypt Methods
2. Call the Managed DPAPI Class Library
3. Create a Dummy Class that will Launch the Serviced Component
4. Create a Windows Account to Run the Enterprise Services Application and Windows Service
5. Configure, Strong Name, and Register the Serviced Component
6. Create a Windows Service Application that will Launch the Serviced Component
7. Install and Start the Windows Service Application
8. Write a Web Application to Test the Encryption and Decryption Routines
9. Modify the Web Application to Read an Encrypted Connection String from an Application Configuration File
References
How To: Create an Encryption Library
Requirements
Summary
1. Create a C# Class Library
2. Create a Console Test Application
References
How To: Store an Encrypted Connection String in the Registry
Notes
Requirements
Summary
1. Store the Encrypted Data in the Registry
2. Create an ASP.NET Web Application
References
How To: Use Role-based Security with Enterprise Services
Notes
Requirements
Summary
1. Create a C# Class Library Application to Host the Serviced Component
2. Create the Serviced Component
3. Configure the Serviced Component
4. Generate a Strong Name for the Assembly
5. Build the Assembly and Add it to the Global Assembly Cache
6. Manually Register the Serviced Component
7. Examine the Configured Application
8. Create a Test Client Application
How To: Call a Web Service Using Client Certificates from ASP.NET
Why Use a Serviced Component?
Why is a User Profile Required?
Requirements
Summary
1. Create a Simple Web Service
2. Configure the Web Service Virtual Directory to Require Client Certificates
3. Create a Custom Account for Running the Serviced Component
4. Request a Client Certificate for the Custom Account
5. Test the Client Certificate Using a Browser
6. Export the Client Certificate to a File
7. Develop the Serviced Component Used to Call the Web Service
8. Configure and Install the Serviced Component
9. Develop a Web Application to Call the Serviced Component
Additional Resources
How To: Call a Web Service Using SSL
Requirements
Summary
1. Create a Simple Web Service
2. Configure the Web Service Virtual Directory to Require SSL
3. Test the Web Service Using a Browser
4. Install the Certificate Authority’s Certificate on the Client Computer
5. Develop a Web Application to Call the Web Service
Additional Resources
How To: Host a Remote Object in a Windows Service
Notes
Requirements
Summary
1. Create the Remote Object Class
2. Create a Windows Service Host Application
3. Create a Windows Account to Run the Service
4. Install the Windows Service
5. Create a Test Client Application
References
How To: Set Up SSL on a Web Server
Requirements
Summary
1. Generate a Certificate Request
2. Submit a Certificate Request
3. Issue the Certificate
4. Install the Certificate on the Web Server
5. Configure Resources to Require SSL Access
How To: Set Up Client Certificates
Requirements
Summary
1. Create a Simple Web Application
2. Configure the Web Application to Require Client Certificates
3. Request and Install a Client Certificate
4. Verify Client Certificate Operation
Additional Resources
How To: Use IPSec to Provide Secure Communication Between Two Servers
Notes
Requirements
Summary
1. Create an IP Filter
2. Create Filter Actions
3. Create Rules
4. Export the IPSec Policy to the Remote Computer
5. Assign Policies
6. Verify that it Works
Additional Resources
How To: Use SSL to Secure Communication with SQL Server 2000
Notes
Requirements
Summary
1. Install a Server Authentication Certificate
2. Verify that the Certificate Has Been Installed
3. Install the Issuing CA’s Certificate on the Client
4. Force All Clients to Use SSL
5. Allow Clients to Determine Whether to Use SSL
6. Verify that Communication is Encrypted
Additional Resources
Base Configuration
Configuration Stores and Tools
Reference Hub
Searching the Knowledge Base
Tips
.NET Security
Hubs
Active Directory
Hubs
Key Notes
Articles
ADO.NET
Roadmaps and Overviews
Seminars and WebCasts
ASP.NET
Hubs
Roadmaps and Overviews
Knowledge Base
Articles
How Tos
Seminars and WebCasts
Enterprise Services
Knowledge Base
Roadmaps and Overviews
How Tos
FAQs
Seminars and WebCasts
IIS (Internet Information Server)
Hubs
Remoting
Roadmaps and Overviews
How Tos
Seminars and WebCasts
SQL Server
Hubs
Seminars and WebCasts
Visual Studio .NET
Hubs
Roadmaps and Overviews:
Web Services
Hubs
Roadmaps and Overviews
How Tos
Seminars and WebCasts
Windows 2000
Hubs
How Does It Work?
IIS and ASP.NET Processing
Application Isolation
The ASP.NET ISAPI Extension
IIS 6.0 and Windows .NET Server
More Information
ASP.NET Pipeline Processing
The Anatomy of a Web Request
Forms Authentication Processing
Windows Authentication Processing
Event Handling
Implementing a Custom HTTP Module
Implementing a Custom HTTP Handler
ASP.NET Identity Matrix
Cryptography and Certificates
Keys and Certificates
X.509 Digital Certificates
Certificate Stores
More Information
Cryptography
Technical Choices
Cryptography in .NET
Symmetric Algorithm Support
Asymmetric Algorithm Support
Hashing Algorithm Support
Summary
.NET Web Application Security
Glossary
Microsoft® patterns & practices
Index
About the Author
Copyright
Search in book...
Toggle Font Controls
Playlists
Add To
Create new playlist
Name your new playlist
Playlist description (optional)
Cancel
Create playlist
Sign In
Email address
Password
Forgot Password?
Create account
Login
or
Continue with Facebook
Continue with Google
Sign Up
Full Name
Email address
Confirm Email Address
Password
Login
Create account
or
Continue with Facebook
Continue with Google
Prev
Previous Chapter
Index
Next
Next Chapter
Index
S
sa account,
Connection String Types
,
Connecting with Least Privilege
,
The Database Trusts Different Roles
,
Additional Best Practices
salt values, generating,
Storing Secrets
,
Store One-way Password Hashes (with Salt)
,
Configure the Web Application for Forms Authentication
scalability,
The Foundations
,
Disadvantages of the Impersonation / Delegation Model
,
Hosting Multiple Web Applications
,
Accessing Network Resources
scenarios, configuration.,
Base Configuration
(see )
screened subnets,
Physical Deployment Models
,
Key Notes
script injection attacks,
Design Principles
secrets,
Accessing Non-Windows Network Resources
,
Why Use a Serviced Component?
secure communication,
Authorization
,
Implementation Technologies
,
Security Architecture
,
Authentication
,
Secure Communication
,
Secure Communication
,
Secure Communication
,
Know What to Secure
,
SSL/TLS
,
IPSec
,
Using IPSec
,
Using RPC Encryption
,
Using RPC Encryption
,
Web Server to Remote Application Server
,
Web Server to Remote Application Server
,
Application Server to Database Server
,
Choosing Between IPSec and SSL
,
Choosing Between IPSec and SSL
,
Intranet Security
,
Configuring ASP.NET
,
Configuring Secure Communication
,
Configure SQL Server
,
Configure SQL Server
,
Configuring SQL Server
,
Configuring SQL Server
,
Configuring SQL Server
,
Configure the Application Server
,
Configuring Security
,
Preventing Files from Being Downloaded
,
Accessing Non-Windows Network Resources
,
Securing the Database Connection String
,
Enterprise Services Security
,
Platform/Transport Level (Point-to-Point) Security
,
Platform/Transport Security Architecture
,
Disable HTTP-GET, HTTP-POST
,
Solution Implementation
,
ASP.NET and the HTTP Channel
,
Using a Windows Service Host
,
Hosting in a Windows Service
,
Hosting in a Windows Service
,
Using Multiple Database Roles
,
SSL
,
How To: Set Up Client Certificates
,
How To: Use IPSec to Provide Secure Communication Between Two Servers
,
Configuration Stores and Tools
,
.NET Web Application Security
,
.NET Web Application Security
.NET Framework security,
.NET Web Application Security
.NET remoting security,
ASP.NET and the HTTP Channel
,
Using a Windows Service Host
,
Hosting in a Windows Service
application server to database server,
Web Server to Remote Application Server
ASP.NET security,
Accessing Non-Windows Network Resources
Basic authentication and,
Authentication
browser to Web server,
Using RPC Encryption
configuration stores and tools,
Configuration Stores and Tools
configuring,
Configuring Security
,
Preventing Files from Being Downloaded
data access security,
Using Multiple Database Roles
Enterprise Services security,
Enterprise Services Security
extranet security,
Configuring SQL Server
,
Configuring SQL Server
Internet security,
Configuring SQL Server
,
Configure the Application Server
intranet security,
Intranet Security
,
Configuring ASP.NET
,
Configuring Secure Communication
,
Configure SQL Server
,
Configure SQL Server
IPSec,
IPSec
,
How To: Use IPSec to Provide Secure Communication Between Two Servers
(see also )
IPSec vs. SSL,
Secure Communication
,
Choosing Between IPSec and SSL
RPC encryption,
Using IPSec
scenarios,
Using RPC Encryption
setting up client certificates,
How To: Set Up Client Certificates
SQL Server session state and,
Securing the Database Connection String
SSL,
SSL/TLS
,
Application Server to Database Server
(see also )
technologies,
Authorization
,
Implementation Technologies
,
Security Architecture
,
Secure Communication
,
.NET Web Application Security
troubleshooting,
SSL
Web application deployment models,
Know What to Secure
Web farming and load balancing,
Choosing Between IPSec and SSL
Web server to application server,
Web Server to Remote Application Server
Web services,
Platform/Transport Level (Point-to-Point) Security
,
Platform/Transport Security Architecture
,
Disable HTTP-GET, HTTP-POST
,
Solution Implementation
Windows service features,
Hosting in a Windows Service
Secure Hash Algorithm (SHA1),
Securing Session and View State
,
The decryptionKey Attribute
secure resources.,
Resource Based Authorization
(see )
Secure Sockets Layer.,
Accessing Non-Windows Network Resources
(see )
SecureMethod attribute,
Adding Roles to an Application
security blanket settings,
Configuring Interface Proxies
security contexts.,
ASP.NET and HttpContext.User
(see )
security logs.,
Choose the Identities Used for Resource Access
(see )
security policies, CAS,
Gatekeepers and Gates
Security Service Provider Interface (SSPI),
More Information
,
Advantages
security.,
Security Architecture
(see )
SecurityRole attribute,
Configure Authorization (Component-Level Access Checks)
semicolon (;),
Anatomy of a SQL Script Injection Attack
seminars.,
Reference Hub
(see )
sensitive data.,
Secure Communication
(see )
server applications, Enterprise Services,
More Information
,
Gatekeepers and Gates
,
Configuring Security
,
Development Time vs. Deployment Time Configuration
,
Development Time vs. Deployment Time Configuration
,
Development Time vs. Deployment Time Configuration
,
Configure Authorization (Component-Level Access Checks)
,
Register Serviced Components
,
Register Serviced Components
,
Use Windows Groups
,
Security Concepts
,
Impersonation
authentication,
Development Time vs. Deployment Time Configuration
authorization,
Development Time vs. Deployment Time Configuration
cloaking,
Impersonation
configuring,
Configuring Security
creating and assigning roles,
Configure Authorization (Component-Level Access Checks)
development time vs. deployment time,
Development Time vs. Deployment Time Configuration
identity,
Use Windows Groups
library applications vs.,
More Information
,
Gatekeepers and Gates
,
Security Concepts
populating roles,
Register Serviced Components
registering serviced components,
Register Serviced Components
server certificates.,
SSL/TLS
,
Web Server to Remote Application Server
,
Configure IIS Settings
,
Authenticating Web Browser Clients with Certificates
,
How To: Set Up SSL on a Web Server
,
How To: Set Up SSL on a Web Server
,
Generate a Certificate Request
,
Submit a Certificate Request
,
Submit a Certificate Request
,
Install the Certificate on the Web Server
,
Requirements
,
Install a Server Authentication Certificate
,
Verify that the Certificate Has Been Installed
(see also , )
configuring resources to require,
Install the Certificate on the Web Server
generating requests,
How To: Set Up SSL on a Web Server
IIS settings,
Configure IIS Settings
installing,
Submit a Certificate Request
,
Requirements
,
Verify that the Certificate Has Been Installed
issuing,
Submit a Certificate Request
SSL and,
SSL/TLS
,
Web Server to Remote Application Server
,
How To: Set Up SSL on a Web Server
submitting requests,
Generate a Certificate Request
verifying installation of,
Install a Server Authentication Certificate
server compromise,
Disadvantages of the Trusted Subsystem Model
server process account, delegation and,
Requirements
servers.,
Configuring the Web Server
(see , , , )
service accounts,
Choose the Identities Used for Resource Access
,
The Trusted Subsystem Model
,
Using the Current Process Identity
Service Control Manager (SCM),
Security Architecture
Service Principal Names (SPNs),
Using Forms Authentication
serviced components.,
More Information
,
Security Configuration Steps
,
Using the ASP.NET Process Identity
,
Options for Storing Secrets in ASP.NET
,
Enterprise Services Security
,
Register Serviced Components
,
RPC Encryption
,
RPC Encryption
,
Versioning
,
More Information
,
Calling Serviced Components from ASP.NET
,
Calling Serviced Components from ASP.NET
,
Calling Serviced Components from ASP.NET
,
Calling Serviced Components from ASP.NET
,
Using Fixed Identities within ASP.NET
,
Requirements
,
Create a Windows Account to Run the Enterprise Services Application and Windows Service
,
Configure, Strong Name, and Register the Serviced Component
,
How To: Use Role-based Security with Enterprise Services
,
Create the Serviced Component
,
Develop the Serviced Component Used to Call the Web Service
,
How To: Set Up Client Certificates
(see also )
accessing network resources using,
Using the ASP.NET Process Identity
authentication,
More Information
building,
RPC Encryption
caller identity,
Calling Serviced Components from ASP.NET
calling, from ASP.NET Web applications,
Calling Serviced Components from ASP.NET
client certificates and.,
How To: Set Up Client Certificates
(see )
configuring,
Security Configuration Steps
,
Create the Serviced Component
configuring and installing,
Develop the Serviced Component Used to Call the Web Service
configuring interface proxies,
Calling Serviced Components from ASP.NET
configuring, strong naming, and registering,
Create a Windows Account to Run the Enterprise Services Application and Windows Service
creating Windows service to launch,
Configure, Strong Name, and Register the Serviced Component
creating, with encryption and decryption methods,
Requirements
DLL locking problems,
RPC Encryption
QueryInterface exceptions,
More Information
registering,
Register Serviced Components
role-based authorization with,
How To: Use Role-based Security with Enterprise Services
storing secrets with,
Options for Storing Secrets in ASP.NET
versioning,
Versioning
Windows authentication and impersonation,
Calling Serviced Components from ASP.NET
,
Using Fixed Identities within ASP.NET
session state,
Storing Secrets
,
Securing Session and View State
,
Securing the Database Connection String
,
Web Farm Considerations
as secret,
Storing Secrets
networks and,
Securing the Database Connection String
SQL,
Securing Session and View State
Web farms and,
Web Farm Considerations
Setspn.exe,
Using Forms Authentication
settings.,
Intranet Security
(see , )
SHA1 (Secure Hash Algorithm),
Securing Session and View State
,
The decryptionKey Attribute
signing certificates,
Keys and Certificates
single quotation (’),
Anatomy of a SQL Script Injection Attack
sinks, .NET remoting,
.NET Remoting Architecture
,
.NET Remoting Architecture
,
Transport Channel Sinks
,
Transport Channel Sinks
custom,
Transport Channel Sinks
formatter,
Transport Channel Sinks
transport channel,
.NET Remoting Architecture
Sn.exe tool,
Create a C# Class Library
,
Create a Windows Account to Run the Enterprise Services Application and Windows Service
,
Configure the Serviced Component
,
Develop the Serviced Component Used to Call the Web Service
SOAP headers,
Application Level Security
,
Platform/Transport Security Architecture
,
Using the ConnectionGroupName Property
SoapFormatter class,
Formatter Sinks
software configuration, base,
Base Configuration
specific credentials,
The <processModel> Element
,
Using Specific Credentials
,
Using DefaultCredentials
SQL authentication,
More Information
,
Application Server to Database Server
,
Non-Internet Explorer Browsers
,
Analysis
,
Storing Secrets
,
Securing SQL Session State
,
Trusted Subsystem vs. Impersonation/Delegation
,
Using the Anonymous Internet User Account
,
Connection String Types
,
Connection String Types
,
Choosing a SQL Account for Your Connections
,
Choosing a SQL Account for Your Connections
,
Fusion Log Viewer (Fuslogvw.exe)
choosing SQL accounts,
Connection String Types
connection strings,
Storing Secrets
,
Securing SQL Session State
,
Connection String Types
,
Choosing a SQL Account for Your Connections
data access security and,
Using the Anonymous Internet User Account
intranet security and,
Non-Internet Explorer Browsers
,
Analysis
ISQL.exe and,
Fusion Log Viewer (Fuslogvw.exe)
options,
More Information
passing credentials over networks,
Choosing a SQL Account for Your Connections
SSL and,
Application Server to Database Server
Windows authentication vs.,
Trusted Subsystem vs. Impersonation/Delegation
SQL injection attacks,
Design Principles
,
SQL Injection Attacks
SQL Server 2000, Forms authentication with,
Configurable Security
,
How To: Use Forms Authentication with SQL Server 2000
,
How To: Use Forms Authentication with SQL Server 2000
,
Requirements
,
Requirements
,
Create a Web Application with a Logon Page
,
Configure the Web Application for Forms Authentication
,
Create a User Account Database
,
Create a User Account Database
,
Authenticate User Credentials Against the Database
,
Test the Application
authenticating user against database,
Authenticate User Credentials Against the Database
configuring Web application for,
Create a Web Application with a Logon Page
creating user account database,
Create a User Account Database
creating Web application with logon page,
Requirements
developing functions to generate hash and salt values,
Configure the Web Application for Forms Authentication
requirements,
Requirements
storing credentials,
How To: Use Forms Authentication with SQL Server 2000
testing,
Test the Application
using ADO.NET to store account details in database,
Create a User Account Database
SQL Server 2000.,
Design Principles
,
Design Principles
,
Implementation Technologies
,
Security Architecture
,
Security Across the Tiers
,
More Information
,
More Information
,
Gatekeepers and Gates
,
The Trusted Subsystem Model
,
Enterprise Services (COM+) Roles
,
Enterprise Services (COM+) Roles
,
Web Server to Remote Application Server
,
Configuring ASP.NET
,
Configuring Enterprise Services
,
Configuring the Application Server (that Hosts the Web Service)
,
Configure the Application Server
,
Related Scenarios
,
Security Configuration Steps
,
Configuring SQL Server
,
Configuring SQL Server
,
Configuring SQL Server
,
Configure the Application Server
,
Storing Secrets
,
Storing Secrets
,
Securing Session and View State
,
Data Access Security
,
Data Access Security
,
SQL Server Gatekeepers
,
Implementing Mirrored ASPNET Process Identity
,
Connection String Types
,
Connection String Types
,
Authorization
,
Authorization
,
Authorization
,
Connecting with Least Privilege
,
Creating a Least Privilege Database Account
,
SQL Injection Attacks
,
Auditing
,
Auditing
,
Auditing
,
Windows Security Logs
,
Windows Security Logs
,
How To: Use IPSec to Provide Secure Communication Between Two Servers
,
How To: Use SSL to Secure Communication with SQL Server 2000
,
Verify that Communication is Encrypted
,
Verify that Communication is Encrypted
,
Base Configuration
,
Configuration Stores and Tools
,
How Tos
,
.NET Web Application Security
(see also )
accounts,
Connection String Types
application roles,
Enterprise Services (COM+) Roles
,
Storing Secrets
,
Authorization
as implementation technology,
Implementation Technologies
,
Security Architecture
auditing,
Auditing
,
Windows Security Logs
authentication,
More Information
,
Connection String Types
(see also )
authorization,
More Information
base configuration,
Base Configuration
configuration stores and tools,
Configuration Stores and Tools
database roles,
Authorization
database trust,
Connecting with Least Privilege
Enterprise Manager,
Creating a Least Privilege Database Account
,
Auditing
,
Windows Security Logs
,
Verify that Communication is Encrypted
extranet settings,
Configuring SQL Server
,
Configuring SQL Server
fixed identities,
The Trusted Subsystem Model
Forms authentication with.,
Data Access Security
(see )
gates and gatekeepers,
Gatekeepers and Gates
,
SQL Server Gatekeepers
Internet settings,
Configuring SQL Server
,
Configure the Application Server
(see also )
intranet settings,
Configuring ASP.NET
,
Configuring Enterprise Services
,
Configuring the Application Server (that Hosts the Web Service)
,
Configure the Application Server
,
Security Configuration Steps
(see also )
IPSec and,
How To: Use IPSec to Provide Secure Communication Between Two Servers
Network Utility,
Verify that Communication is Encrypted
original caller identity flow,
Related Scenarios
process identity,
Auditing
reference information,
How Tos
security options,
Design Principles
,
Security Across the Tiers
,
.NET Web Application Security
session state,
Storing Secrets
,
Securing Session and View State
SQL injection attacks,
Design Principles
,
SQL Injection Attacks
SSL to,
Web Server to Remote Application Server
,
How To: Use SSL to Secure Communication with SQL Server 2000
(see also )
user defined database roles,
Enterprise Services (COM+) Roles
,
Authorization
Windows authentication and,
Implementing Mirrored ASPNET Process Identity
SSL (Secure Sockets Layer).,
Implementation Technologies
,
Security Architecture
,
ASP.NET Authentication Modes
,
Secure Communication
,
Secure Communication
,
SSL/TLS
,
Using RPC Encryption
,
Application Server to Database Server
,
Choosing Between IPSec and SSL
,
Choosing Between IPSec and SSL
,
Preventing Files from Being Downloaded
,
Accessing Non-Windows Network Resources
,
SSL
,
How To: Call a Web Service Using Client Certificates from ASP.NET
,
How To: Call a Web Service Using SSL
,
How To: Call a Web Service Using SSL
,
Summary
,
Configure the Web Service Virtual Directory to Require SSL
,
Install the Certificate Authority’s Certificate on the Client Computer
,
How To: Set Up SSL on a Web Server
,
How To: Set Up SSL on a Web Server
,
How To: Set Up SSL on a Web Server
,
Generate a Certificate Request
,
Submit a Certificate Request
,
Submit a Certificate Request
,
Install the Certificate on the Web Server
,
How To: Set Up Client Certificates
,
How To: Use SSL to Secure Communication with SQL Server 2000
,
How To: Use SSL to Secure Communication with SQL Server 2000
,
How To: Use SSL to Secure Communication with SQL Server 2000
,
Requirements
,
Requirements
,
Install a Server Authentication Certificate
,
Verify that the Certificate Has Been Installed
,
Verify that the Certificate Has Been Installed
,
Force All Clients to Use SSL
,
Allow Clients to Determine Whether to Use SSL
(see also )
as implementation technology,
Implementation Technologies
,
Security Architecture
ASP.NET security and,
Accessing Non-Windows Network Resources
browser to Web server scenario,
Using RPC Encryption
client certificates and,
How To: Call a Web Service Using Client Certificates from ASP.NET
(see also )
configuring,
Preventing Files from Being Downloaded
configuring resources to require,
Summary
,
Install the Certificate on the Web Server
configuring server to allow clients to choose whether to use,
Force All Clients to Use SSL
configuring server to force clients to use,
Verify that the Certificate Has Been Installed
Forms authentication and,
ASP.NET Authentication Modes
generating certificate request,
How To: Set Up SSL on a Web Server
installing certificate on client,
Install the Certificate Authority’s Certificate on the Client Computer
,
Verify that the Certificate Has Been Installed
installing certificate on Web server,
Submit a Certificate Request
installing server authentication certificate,
Requirements
IPSec vs.,
Secure Communication
,
Choosing Between IPSec and SSL
,
How To: Use SSL to Secure Communication with SQL Server 2000
issues,
SSL/TLS
,
How To: Use SSL to Secure Communication with SQL Server 2000
issuing certificate,
Submit a Certificate Request
requirements,
How To: Call a Web Service Using SSL
,
How To: Set Up SSL on a Web Server
,
Requirements
setting up, on Web server,
How To: Set Up SSL on a Web Server
SQL Server and,
Application Server to Database Server
,
How To: Use SSL to Secure Communication with SQL Server 2000
submitting certificate request,
Generate a Certificate Request
testing,
Configure the Web Service Virtual Directory to Require SSL
troubleshooting,
SSL
verifying encryption,
Allow Clients to Determine Whether to Use SSL
verifying server certificate installation,
Install a Server Authentication Certificate
Web farming and load balancing and,
Choosing Between IPSec and SSL
Web services security and,
How To: Call a Web Service Using SSL
,
How To: Set Up Client Certificates
SSPI (Security Service Provider Interface),
More Information
state, securing session and view,
Securing Session and View State
static cloaking,
Impersonation
stored procedures,
Choose an Authentication Approach
,
Disadvantages of the Trusted Subsystem Model
,
Flowing the Caller’s Identity
,
SQL Injection Attacks
identity flow and,
Choose an Authentication Approach
,
Disadvantages of the Trusted Subsystem Model
,
Flowing the Caller’s Identity
SQL injection attacks and,
SQL Injection Attacks
stores.,
The Foundations
,
Retrieve a Role List from the Custom Data Store
,
Using DPAPI from Enterprise Services
,
Configuration Stores and Tools
,
Keys and Certificates
(see also )
certificate,
Keys and Certificates
configuration.,
Configuration Stores and Tools
(see )
DPAPI.,
Using DPAPI from Enterprise Services
(see , )
role lists in custom data,
Retrieve a Role List from the Custom Data Store
strings, connection.,
Modify the Web Application to Read an Encrypted Connection String from Web.Config
(see )
strong names,
Gatekeepers and Gates
,
Create a C# Class Library
,
Create a Windows Account to Run the Enterprise Services Application and Windows Service
,
Configure the Serviced Component
,
Develop the Serviced Component Used to Call the Web Service
strong passwords,
Using the ASP.NET Process Identity
,
Summary
Support Center,
Process for Troubleshooting
,
Searching for Implementation Solutions
surface area, reducing,
Design Principles
symmetric encryption,
SSL/TLS
,
Technical Choices
,
Symmetric Algorithm Support
sysadmin role,
Connection String Types
,
Connecting with Least Privilege
,
Additional Best Practices
SYSTEM account,
Design Principles
,
Avoid Running as SYSTEM
,
The <processModel> Element
,
Auditing
,
ASP.NET Worker Process Identity
,
How To: Implement Kerberos Delegation for Windows 2000
system resources,
The Foundations
,
Authentication and Authorization Design
,
Accessing System Resources
,
Accessing the Registry
,
Configuring the Web Server
,
Authentication and Authorization Strategies
.NET remoting and,
Authentication and Authorization Strategies
accessing event log,
Accessing System Resources
accessing registry,
Accessing the Registry
authorization and,
The Foundations
identifying,
Authentication and Authorization Design
Web services and,
Configuring the Web Server
Add Highlight
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click
here
login for view all page.
Day Mode
Cloud Mode
Night Mode
Reset