Best Practices and Techniques for Building Secure Microsoft ASP'NET Applications Name Mohammed Abdel - PowerPoint PPT Presentation
1 / 29
Title:
Best Practices and Techniques for Building Secure Microsoft ASP'NET Applications Name Mohammed Abdel
Description:
Impersonation. Securing all tiers. Planning for ASP.NET Web ... Better to avoid impersonation and use URL or File authorization with role-based checks ... – PowerPoint PPT presentation
Number of Views:178
Avg rating:3.0/5.0
Title: Best Practices and Techniques for Building Secure Microsoft ASP'NET Applications Name Mohammed Abdel
1
Best Practices and Techniques for Building Secure
Microsoft ASP.NET ApplicationsName Mohammed
AbdelhadiDeveloper .NET EvangelistMicrosoft
Corporation
2
Best Practices and Techniques for Building Secure
Microsoft ASP.NET Applications
Microsoft Corporation
3
Agenda
- General ASP.NET
- Planning for ASP.NET application security
- Configuring security
- Programming security
- Securing secrets
- ASP.NET process identity
- Impersonation
- Securing all tiers
4
ASP.NET Features
- ASPX, ASP side by side
- Simplified programming model
- Simplified deployment - XCopy
- Better performance
- Compiled code
- Caching - native support
- Security number of ways, but all use the same
code - Powerful controls data grids, calendars
5
ASP.NET Features
- Simplified browser support
- Simplified form validation
- Code behind pages
- More powerful data access
- Web services
- Better session management
6
ASP.NETFeatures
- No DLL locking replaced on the fly
- No DLL registration
- Simplified configuration ConfigWeb in the root
directory of the site - Pagelets
7
Agenda
- General ASP.NET
- Planning for ASP.NET application security
- Configuring security
- Programming security
- Securing secrets
- ASP.NET process identity
- Impersonation
- Securing all tiers
8
Planning for ASP.NET Web Application Security
Authentication and Authorization
- Authentication / authorization request flow
9
Planning for ASP.NET Web Application Security
Authentication and Authorization
- Identify resources exposed to client
- Identify resource for app
- Choose authorization strategy
- Role-based
- Resource-based
10
Planning for ASP.NET Web Application Security
Authentication and Authorization
- Choose Identities Used to Access Resources
- ASP.NET process identity (default)
- Custom identity
- Original caller
- Fixed identity
- Decide on identity flow
- To the application
- To the operating system
11
Planning for ASP.NET Web Application Security
Authentication and Authorization
- Choosing an authentication approach
- Internet scenarios
Users dont have Windows accounts or certificates
Start
Interactive Web app?
Use Passport or Forms Authentication
Yes
No Web Service
Use GXA WS- Security Authentication
12
Planning for ASP.NET Web Application Security
Authentication and Authorization
- Choosing an authentication approach
13
Planning for ASP.NET Web Application Security
Secure Communication Strategies
- From client to Web server
- From Web server to database and application
servers
14
Agenda
- General ASP.NET
- Planning for ASP.NET application security
- Configuring security
- Programming security
- Securing secrets
- Using the ASP.NET process identity
- Impersonation
- Securing all tiers
15
Configuring Security IIS to Secure Communication
16
Configuring Web Application Security Configure
IIS Settings
- Optionally install a Web server certificate for
SSL - Configure IIS authentication
- Optionally configure client certificate mapping
- Set NTFS permissions on files and folders
17
Configuring Web Application Security ASP.NET
Settings in Web.config
- Configure authentication mode
- ltauthentication mode"WindowsPassportFormsNone"
/gt - Configure impersonation
- ltidentity impersonate"true" /gt
- Configure authorization
- ltauthorizationgt
- ltallow users"DomainName\Bob",
"DomainName\Mary" /gt - ltdeny users"" /gt
- lt/authorizationgt
18
Agenda
- General ASP.NET
- Planning for ASP.NET application security
- Configuring security
- Programming security
- Securing secrets
- Using the ASP.NET process identity
- Impersonation
- Securing all tiers
19
Programming ASP.NET Security Basic Authorization
Pattern
- Retrieve credentials
- Validate credentials
- Put users in roles
- Create an IPrincipal object
- Put the IPrincipal object into current
HttpContext - Authorize based on user identity/role
20
Agenda
- General ASP.NET
- Planning for ASP.NET application security
- Configuring security
- Programming security
- Securing secrets
- ASP.NET process identity
- Impersonation
- Securing all tiers
21
Storing Secrets Secret Examples
- Database connection strings
- Fixed identities in Web.config
- Process identity in Machine.config
- SQL Server session state
- Passwords used for forms authentication against a
database
22
Storing Secrets Storage Methods and Tips
- Install Web application directories on a separate
logical volume from the OS - Secret storage methods for ASP.NET apps
- Data Protection API (DPAPI)
- .NET cryptography classes
- CAPICOM
- Crypto API
23
Demonstration 1Create a Logon Page and Validate
Against Credentials Create a Logon PageCreate
a User Accounts DatabaseRegister the User Store
Connection String Store Account Details in
Database Authenticate a User
24
Demonstration 2Generate an Authentication Ticket
and Create a GenericPrincipal object Create a
GetRoles Method Create a Forms Authentication
TicketCreate GenericPrincipal and FormsIdentity
Objects Check the Logged-in User and Their Roles
25
Agenda
- General ASP.NET
- Planning for ASP.NET application security
- Configuring security
- Programming security
- Securing secrets
- ASP.NET process identity
- Impersonation
- Securing all tiers
26
ASP.NET Process Identity Guidelines
- Configured in ltprocessModelgt element
- Always run ASP.NET as a least-privileged account
- Never run ASP.NET as SYSTEM
- Using the default ASPNET account to access remote
resources - Create duplicate accounts on remote computers
- Use a least-privileged domain account
27
Agenda
- General ASP.NET
- Planning for ASP.NET application security
- Configuring security
- Programming security
- Securing secrets
- ASP.NET process identity
- Impersonation
- Securing all tiers
28
ImpersonationFlowing Client Identity
- Inherent performance issues
- Consider instead
- URL or file authorization with role-based checks
- Efficient management of gatekeepers and trust
boundaries
29
ImpersonationFlowing Client Identity
- Four reasons to use impersonation
- Audit on the OS level
- Flow original caller to access resources
- Use a fixed identity
- Save default behavior of a ported classic ASP
application - For local resources
- Create ACE with read access for user
- Better to avoid impersonation and use URL or File
authorization with role-based checks - For remote resources
- Must use basic, forms or Kerberos authentication
- Threading consideration
- Child threads inherit the ASP.NET process
accounts security context
30
Agenda
- Planning for ASP.NET application security
- Configuring security
- Programming security
- Securing secrets
- Using the ASP.NET process identity
- Impersonation
- Securing all tiers
31
Securing All TiersFrom Code to Network
- Follow published guidelines to
- Use CAS with ASP.NET
- Build secure pages and controls
- Build secure components
- Build secure Web services
- Build secure data access
- Secure the network
- Secure the Web server
- Secure the database server
- Secure the application server
- Read
- Improving Web Application Security Threats and
Countermeasures - Building Secure ASP.NET Applications
32
Session Summary
- Planning for security is part of designing a Web
application - Creating a secure Web application is
demandingMicrosoft provides resources to help you
Recommended
CrystalGraphics Presentations
