Building Secure Microsoft® ASP.NET Applications

by Microsoft Corporation

Released January 2003

Publisher(s): Microsoft Press

ISBN: 9780735618909

Start your free trial

Book description

This guide presents a practical, scenario-driven approach to designing and building security-enhanced ASP.NET applications for Microsoft® Windows® 2000 and version 1.1 of the Microsoft .NET Framework.

Building Secure Microsoft ASP.NET Applications: Authentication, Authorization, and Secure Communication
A Note Regarding Supplemental Files
Acknowledgements
Preface
1. Why We Wrote This Book
2. Who Should Read This Book?
3. How You Should Read This Book
4. Organization of this Book
5. System Requirements
6. Installing the Sample Files
7. Building Secure ASP.NET Applications—Online Version
8. Support
1. Introduction
1. The Connected Landscape
2. The Foundations
3. Tying the Technologies Together
4. Design Principles
5. Summary
2. Security Model for ASP.NET Applications
1. .NET Web Applications
  1. Logical Tiers
  2. Physical Deployment Models
    1. The Web Server as an Application Server
    2. Remote Application Tier
2. Implementation Technologies
3. Security Architecture
4. Introducing .NET Framework Security
5. Summary
3. Authentication and Authorization Design
1. Designing an Authentication and Authorization Strategy
2. Authorization Approaches
3. Flowing Identity
  1. Application vs. Operating System Identity Flow
  2. Impersonation and Delegation
    1. Impersonation
    2. Delegation
4. Role-Based Authorization
5. Choosing an Authentication Mechanism
6. Summary
4. Secure Communication
1. Know What to Secure
2. SSL/TLS
  1. Using SSL
3. IPSec
  1. Using IPSec
4. RPC Encryption
  1. Using RPC Encryption
    1. More Information
5. Point to Point Security
6. Choosing Between IPSec and SSL
7. Farming and Load Balancing
  1. More Information
8. Summary
5. Intranet Security
1. ASP.NET to SQL Server
2. ASP.NET to Enterprise Services to SQL Server
3. ASP.NET to Web Services to SQL Server
4. ASP.NET to Remoting to SQL Server
5. Flowing the Original Caller to the Database
6. Summary
6. Extranet Security
1. Exposing a Web Service
2. Exposing a Web Application
3. Summary
7. Internet Security
1. ASP.NET to SQL Server
2. ASP.NET to Remote Enterprise Services to SQL Server
3. Summary
8. ASP.NET Security
1. ASP.NET Security Architecture
  1. Gatekeepers
    1. IIS
    2. ASP.NET
2. Authentication and Authorization Strategies
3. Configuring Security
4. Programming Security
  1. An Authorization Pattern
  2. Creating a Custom IPrincipal class
    1. More Information
5. Windows Authentication
  1. Identifying the Authenticated User
6. Forms Authentication
7. Passport Authentication
8. Custom Authentication
  1. More Information
9. Process Identity for ASP.NET
10. Impersonation
11. Accessing System Resources
  1. Accessing the Event Log
  2. Accessing the Registry
    1. More Information
12. Accessing COM Objects
  1. Apartment Model Objects
13. Accessing Network Resources
14. Secure Communication
  1. More Information
15. Storing Secrets
  1. Options for Storing Secrets in ASP.NET
    1. More Information
  2. Consider Storing Secrets in Files on Separate Logical Volumes
16. Securing Session and View State
17. Web Farm Considerations
18. Summary
9. Enterprise Services Security
1. Security Architecture
2. Configuring Security
3. Programming Security
  1. Programmatic Role-Based Security
  2. Identifying Callers
4. Choosing a Process Identity
  1. Avoid Running as the Interactive User
  2. Use a Least-Privileged Custom Account
5. Accessing Network Resources
6. Flowing the Original Caller
  1. Calling CoImpersonateClient
    1. More Information
7. RPC Encryption
  1. More Information
8. Building Serviced Components
9. DCOM and Firewalls
  1. More Information
10. Calling Serviced Components from ASP.NET
11. Security Concepts
12. Summary
10. Web Services Security
1. Web Service Security Model
2. Platform/Transport Security Architecture
  1. Gatekeepers
    1. More Information
3. Authentication and Authorization Strategies
4. Configuring Security
5. Passing Credentials for Authentication to Web Services
6. Flowing the Original Caller
  1. Default Credentials with Kerberos Delegation
    1. Configuring the Web Server
    2. Configuring the Remote Application Server
      1. More Information
  2. Explicit Credentials with Basic or Forms Authentication
7. Trusted Subsystem
  1. Flowing the Caller’s Identity
  2. Configuration Steps
    1. Configuring the Web Server
    2. Configuring the Application Server
8. Accessing System Resources
9. Accessing Network Resources
10. Accessing COM Objects
  1. More Information
11. Using Client Certificates with Web Services
  1. Authenticating Web Browser Clients with Certificates
  2. Using the Trusted Subsystem Model
12. Secure Communication
  1. Transport Level Options
  2. Message Level Options
    1. More Information
13. Summary
11. .NET Remoting Security
1. .NET Remoting Architecture
2. .NET Remoting Gatekeepers
3. Authentication
  1. Hosting in ASP.NET
  2. Hosting in a Windows Service
    1. Custom Authentication
      1. More Information
4. Authorization
  1. Using File Authorization
    1. More Information
5. Authentication and Authorization Strategies
  1. More Information
6. Accessing System Resources
7. Accessing Network Resources
8. Passing Credentials for Authentication to Remote Objects
  1. Specifying Client Credentials
9. Flowing the Original Caller
  1. Default Credentials with Kerberos Delegation
    1. Configuring the Web Server
    2. Configuring the Remote Application Server
      1. More Information
  2. Explicit Credentials with Basic or Forms Authentication
10. Trusted Subsystem
11. Secure Communication
  1. Platform Level Options
    1. Message Level Options
      1. More Information
12. Choosing a Host Process
13. Remoting vs. Web Services
14. Summary
12. Data Access Security
1. Introducing Data Access Security
  1. SQL Server Gatekeepers
  2. Trusted Subsystem vs. Impersonation/Delegation
2. Authentication
3. Authorization
  1. Using Multiple Database Roles
4. Secure Communication
  1. The Options
  2. Choosing an Approach
    1. More Information
5. Connecting with Least Privilege
6. Creating a Least Privilege Database Account
7. Storing Database Connection Strings Securely
8. Authenticating Users against a Database
  1. Store One-way Password Hashes (with Salt)
9. SQL Injection Attacks
  1. The Problem
  2. Anatomy of a SQL Script Injection Attack
10. Auditing
11. Process Identity for SQL Server
12. Summary
13. Troubleshooting Security Issues
1. Process for Troubleshooting
  1. Searching for Implementation Solutions
2. Troubleshooting Authentication Issues
3. Troubleshooting Authorization Issues
4. ASP.NET
  1. Enable Tracing
    1. More Information
  2. Configuration Settings
5. Determining Identity
6. .NET Remoting
  1. More Information
7. SSL
  1. More Information
8. IPSec
9. Auditing and Logging
10. Troubleshooting Tools
Index of How Tos
1. ASP.NET
2. Authentication and Authorization
3. Cryptography
4. Enterprise Services Security
5. Web Services Security
6. Remoting Security
7. Secure Communication
How To: Create a Custom Account to Run ASP.NET
1. ASP.NET Worker Process Identity
2. Impersonating Fixed Identities
3. Notes
4. Summary
5. 1. Create a New Local Account
6. 2. Assign Minimum Privileges
7. 3. Assign NTFS Permissions
8. 4. Configure ASP.NET to Run Using the New Account
How To: Use Forms Authentication with Active Directory
1. Requirements
2. Summary
3. 1. Create a Web Application with a Logon Page
4. 2. Configure the Web Application for Forms Authentication
5. 3. Develop LDAP Authentication Code to Look Up the User in Active Directory
6. 4. Develop LDAP Group Retrieval Code to Look Up the User’s Group Membership
7. 5. Authenticate the User and Create a Forms Authentication Ticket
8. 6. Implement an Authentication Request Handler to Construct a GenericPrincipal Object
9. 7. Test the Application
How To: Use Forms Authentication with SQL Server 2000
1. Requirements
2. Summary
3. 1. Create a Web Application with a Logon Page
4. 2. Configure the Web Application for Forms Authentication
5. 3. Develop Functions to Generate a Hash and Salt value
6. 4. Create a User Account Database
7. 5. Use ADO.NET to Store Account Details in the Database
8. 6. Authenticate User Credentials Against the Database
9. 7. Test the Application
10. Additional Resources
How To: Create GenericPrincipal Objects with Forms Authentication
1. Requirements
2. Summary
3. 1. Create a Web Application with a Logon Page
4. 2. Configure the Web Application for Forms Authentication
5. 3. Generate an Authentication Ticket for Authenticated Users
6. 4. Construct GenericPrincipal and FormsIdentity Objects
7. 5. Test the Application
  1. Additional Resources
How To: Implement Kerberos Delegation for Windows 2000
1. Notes
2. Requirements
3. Summary
4. 1. Confirm that the Client Account is Configured for Delegation
5. 2. Confirm that the Server Process Account is Trusted for Delegation
6. References
How To: Implement IPrincipal
1. Requirements
2. Summary
3. 1. Create a Simple Web Application
4. 2. Configure the Web Application for Forms Authentication
5. 3. Generate an Authentication Ticket for Authenticated Users
6. 4. Create a Class that Implements and Extends IPrincipal
7. 5. Create the CustomPrincipal Object
8. 5. Test the Application
9. Additional Resources
How To: Create a DPAPI Library
1. Notes
2. Requirements
3. Summary
4. 1. Create a C# Class Library
5. 2. Strong Name the Assembly (Optional)
6. References
How To: Use DPAPI (Machine Store) from ASP.NET
1. Notes
  1. Requirements
2. Summary
3. 1. Create an ASP.NET Client Web Application
4. 2. Test the Application
5. 3. Modify the Web Application to Read an Encrypted Connection String from Web.Config
6. References
How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
1. Notes
  1. Why Use Enterprise Services?
  2. Why Use a Windows Service?
2. Requirements
3. Summary
4. 1. Create a Serviced Component that Provides Encrypt and Decrypt Methods
5. 2. Call the Managed DPAPI Class Library
6. 3. Create a Dummy Class that will Launch the Serviced Component
7. 4. Create a Windows Account to Run the Enterprise Services Application and Windows Service
8. 5. Configure, Strong Name, and Register the Serviced Component
9. 6. Create a Windows Service Application that will Launch the Serviced Component
10. 7. Install and Start the Windows Service Application
11. 8. Write a Web Application to Test the Encryption and Decryption Routines
12. 9. Modify the Web Application to Read an Encrypted Connection String from an Application Configuration File
13. References
How To: Create an Encryption Library
1. Requirements
2. Summary
3. 1. Create a C# Class Library
4. 2. Create a Console Test Application
5. References
How To: Store an Encrypted Connection String in the Registry
1. Notes
2. Requirements
3. Summary
4. 1. Store the Encrypted Data in the Registry
5. 2. Create an ASP.NET Web Application
6. References
How To: Use Role-based Security with Enterprise Services
1. Notes
2. Requirements
3. Summary
4. 1. Create a C# Class Library Application to Host the Serviced Component
5. 2. Create the Serviced Component
6. 3. Configure the Serviced Component
7. 4. Generate a Strong Name for the Assembly
8. 5. Build the Assembly and Add it to the Global Assembly Cache
9. 6. Manually Register the Serviced Component
10. 7. Examine the Configured Application
11. 8. Create a Test Client Application
How To: Call a Web Service Using Client Certificates from ASP.NET
1. Why Use a Serviced Component?
  1. Why is a User Profile Required?
2. Requirements
3. Summary
4. 1. Create a Simple Web Service
5. 2. Configure the Web Service Virtual Directory to Require Client Certificates
6. 3. Create a Custom Account for Running the Serviced Component
7. 4. Request a Client Certificate for the Custom Account
8. 5. Test the Client Certificate Using a Browser
9. 6. Export the Client Certificate to a File
10. 7. Develop the Serviced Component Used to Call the Web Service
11. 8. Configure and Install the Serviced Component
12. 9. Develop a Web Application to Call the Serviced Component
13. Additional Resources
How To: Call a Web Service Using SSL
1. Requirements
2. Summary
3. 1. Create a Simple Web Service
4. 2. Configure the Web Service Virtual Directory to Require SSL
5. 3. Test the Web Service Using a Browser
6. 4. Install the Certificate Authority’s Certificate on the Client Computer
7. 5. Develop a Web Application to Call the Web Service
8. Additional Resources
How To: Host a Remote Object in a Windows Service
1. Notes
2. Requirements
3. Summary
4. 1. Create the Remote Object Class
5. 2. Create a Windows Service Host Application
6. 3. Create a Windows Account to Run the Service
7. 4. Install the Windows Service
8. 5. Create a Test Client Application
9. References
How To: Set Up SSL on a Web Server
1. Requirements
2. Summary
3. 1. Generate a Certificate Request
4. 2. Submit a Certificate Request
5. 3. Issue the Certificate
6. 4. Install the Certificate on the Web Server
7. 5. Configure Resources to Require SSL Access
How To: Set Up Client Certificates
1. Requirements
2. Summary
3. 1. Create a Simple Web Application
4. 2. Configure the Web Application to Require Client Certificates
5. 3. Request and Install a Client Certificate
6. 4. Verify Client Certificate Operation
7. Additional Resources
How To: Use IPSec to Provide Secure Communication Between Two Servers
1. Notes
2. Requirements
3. Summary
4. 1. Create an IP Filter
5. 2. Create Filter Actions
6. 3. Create Rules
7. 4. Export the IPSec Policy to the Remote Computer
8. 5. Assign Policies
9. 6. Verify that it Works
10. Additional Resources
How To: Use SSL to Secure Communication with SQL Server 2000
1. Notes
2. Requirements
3. Summary
4. 1. Install a Server Authentication Certificate
5. 2. Verify that the Certificate Has Been Installed
6. 3. Install the Issuing CA’s Certificate on the Client
7. 4. Force All Clients to Use SSL
8. 5. Allow Clients to Determine Whether to Use SSL
9. 6. Verify that Communication is Encrypted
10. Additional Resources
Base Configuration
Configuration Stores and Tools
Reference Hub
1. Searching the Knowledge Base
  1. Tips
2. .NET Security
  1. Hubs
3. Active Directory
  1. Hubs
  2. Key Notes
  3. Articles
4. ADO.NET
  1. Roadmaps and Overviews
  2. Seminars and WebCasts
5. ASP.NET
6. Enterprise Services
7. IIS (Internet Information Server)
  1. Hubs
8. Remoting
9. SQL Server
  1. Hubs
  2. Seminars and WebCasts
10. Visual Studio .NET
  1. Hubs
  2. Roadmaps and Overviews:
11. Web Services
12. Windows 2000
  1. Hubs
How Does It Work?
1. IIS and ASP.NET Processing
2. ASP.NET Pipeline Processing
ASP.NET Identity Matrix
Cryptography and Certificates
1. Keys and Certificates
2. Cryptography
  1. Technical Choices
  2. Cryptography in .NET
3. Summary
.NET Web Application Security
Glossary
Microsoft® patterns & practices
Index
About the Author
Copyright

Product information

Title: Building Secure Microsoft® ASP.NET Applications
Author(s): Microsoft Corporation
Release date: January 2003
Publisher(s): Microsoft Press
ISBN: 9780735618909

book

Beginning ASP.NET Security

by Barry Dorrans

Programmers: protect and defend your Web apps against attack! You may know ASP.NET, but if you …

book

Testing ASP.NET Web Applications

by Ben Hall, Jeff McWherter

A unique resource that combines all aspects of Web testing and makes it completely specific to …

book

ASP.NET Core 5 Secure Coding Cookbook

by Roman Canlas

Learn how to secure your ASP.NET Core web app through robust and secure code Key Features …

book

Microsoft® .NET Distributed Applications: Integrating XML Web Services and .NET Remoting

by Matthew MacDonald

Make the jump to distributed application programming using the .NET Framework—and introduce a new level of …

Building Secure Microsoft® ASP.NET Applications

Book description

Table of contents

Product information

You might also like

Beginning ASP.NET Security

Testing ASP.NET Web Applications

ASP.NET Core 5 Secure Coding Cookbook

Microsoft® .NET Distributed Applications: Integrating XML Web Services and .NET Remoting

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly