Best Practices and Techniques for Building Secure Microsoft ASP.NET Applications, Mohammed Abdelhadi
1 Best Practices and Techniques for Building Secure Microsoft ASP.NET Applications
Mohammed Abdelhadi
Developer .NET Evangelist
Microsoft Corporation
2 Best Practices and Techniques for Building Secure Microsoft ASP.NET Applications
Microsoft Corporation
3 Agenda
General ASP.NET
Planning for ASP.NET application security
Configuring security
Programming security
Securing secrets
ASP.NET process identity
Impersonation
Securing all tiers
4 ASP.NET Features
ASPX, ASP side by side
Simplified programming model
Simplified deployment - XCopy
Better performance
Compiled code
Caching - native support
Security: a number of ways, but all use the same code
Powerful controls: data grids, calendars
5 ASP.NET Features
Simplified browser support
Simplified form validation
Code behind pages
More powerful data access
Web services
Better session management
6 ASP.NET Features
No DLL locking: DLLs are replaced on the fly
No DLL registration
Simplified configuration: ConfigWeb in the root directory of the site
Pagelets
7 Agenda
General ASP.NET
Planning for ASP.NET application security
Configuring security
Programming security
Securing secrets
ASP.NET process identity
Impersonation
Securing all tiers
8 Planning for ASP.NET Web Application Security Authentication and Authorization
Authentication / authorization request flow
9 Planning for ASP.NET Web Application Security Authentication and Authorization
Identify resources exposed to clients
Identify resources used by the app
Choose authorization strategy
Role-based
Resource-based
10 Planning for ASP.NET Web Application Security Authentication and Authorization
Choose Identities Used to Access Resources
ASP.NET process identity (default)
Custom identity
Original caller
Fixed identity
Decide on identity flow
To the application
To the operating system
11 Planning for ASP.NET Web Application Security Authentication and Authorization
Choosing an authentication approach
Internet scenarios
Users don't have Windows accounts or certificates
Start: Interactive Web app?
Yes: Use Passport or Forms Authentication
No (Web service): Use GXA WS-Security authentication
12 Planning for ASP.NET Web Application Security Authentication and Authorization
Choosing an authentication approach
13 Planning for ASP.NET Web Application Security Secure Communication Strategies
From client to Web server
From Web server to database and application servers
14 Agenda
General ASP.NET
Planning for ASP.NET application security
Configuring security
Programming security
Securing secrets
Using the ASP.NET process identity
Impersonation
Securing all tiers
15 Configuring Security: IIS to Secure Communication
16 Configuring Web Application Security: Configure IIS Settings
Optionally install a Web server certificate for SSL
Configure IIS authentication
Optionally configure client certificate mapping
Set NTFS permissions on files and folders
17 Configuring Web Application Security ASP.NET Settings in Web.config
19 Programming ASP.NET Security Basic Authorization Pattern
Retrieve credentials
Validate credentials
Put users in roles
Create an IPrincipal object
Put the IPrincipal object into current HttpContext
Authorize based on user identity/role
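The six steps above, and the FormsAuthenticationTicket / FormsIdentity / GenericPrincipal objects that Demonstration 2 (slide 24) builds, put together as an added C# example. This is not code from the deck or from Microsoft; it uses the .NET Framework forms-authentication classes as they exist in System.Web.Security, a constructed in-memory user table in place of the SQL Server user-accounts database from Demonstration 1, constructed role names ("Manager", "Staff"), and an assumed logon page name of logon.aspx.

```csharp
// Added example (not from the deck): slide 19's pattern with the classes named
// on slide 24. The user store is a constructed in-memory table standing in for
// the user-accounts database of Demonstration 1.
using System;
using System.Collections;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;

public class UserStore
{
    // Constructed sample rows: user name -> { salt, SHA-256(salt + password), roles }.
    // Only the salted hash is stored, never the clear-text password (slide 21).
    static readonly Hashtable Accounts = new Hashtable();

    static UserStore()
    {
        Accounts["alice"] = new object[] { "n1Qz", Hash("n1Qz", "correct horse"), "Manager,Staff" };
        Accounts["bob"]   = new object[] { "7pLw", Hash("7pLw", "battery staple"), "Staff" };
    }

    static byte[] Hash(string salt, string password)
    {
        return new SHA256Managed().ComputeHash(Encoding.UTF8.GetBytes(salt + password));
    }

    // Compare every byte so the comparison time does not reveal where a mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Step 2 (validate credentials) and step 3 (put users in roles):
    // returns the comma-separated role list, or null when validation fails.
    public static string ValidateAndGetRoles(string userName, string password)
    {
        object[] row = Accounts[userName] as object[];
        if (row == null) return null;
        byte[] actual = Hash((string)row[0], password);
        return FixedTimeEquals((byte[])row[1], actual) ? (string)row[2] : null;
    }
}

public class LogonPage
{
    // Step 1 (retrieve credentials) is the posted form on logon.aspx (assumed name);
    // this method validates them and issues a forms ticket whose UserData field
    // carries the roles, so later requests need no database round trip.
    public static void Logon(HttpResponse response, string userName, string password)
    {
        string roles = UserStore.ValidateAndGetRoles(userName, password);
        if (roles == null)
        {
            response.Redirect("logon.aspx?failed=1");   // same message for bad user or bad password
            return;
        }
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(20), false, roles);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.Secure = true;   // only ever sent over the SSL channel from slide 16
        response.Cookies.Add(cookie);
        response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false));
    }
}

public class Global : HttpApplication
{
    // Steps 4 and 5, on every request: rebuild the IPrincipal from the ticket and
    // put it into the current HttpContext before the authorization stage runs.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }   // tampered or foreign cookie: stay anonymous
        if (ticket == null || ticket.Expired) return;
        string[] roles = ticket.UserData.Split(',');
        ctx.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}

public class Approvals
{
    // Step 6: authorize on identity and role through IPrincipal, the same object
    // that URL authorization (<allow roles="..."/>) consults for the request.
    public static bool CanApprove(IPrincipal user)
    {
        return user != null && user.Identity.IsAuthenticated && user.IsInRole("Manager");
    }
}
```

The roles travel inside the encrypted, MAC-protected ticket rather than in a separate cookie, so a client cannot add a role to itself; the check in Application_AuthenticateRequest still refuses an expired or undecryptable ticket rather than trusting it.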
20 Agenda
General ASP.NET
Planning for ASP.NET application security
Configuring security
Programming security
Securing secrets
ASP.NET process identity
Impersonation
Securing all tiers
21 Storing Secrets Secret Examples
Database connection strings
Fixed identities in Web.config
Process identity in Machine.config
SQL Server session state
Passwords used for forms authentication against a database
22 Storing Secrets Storage Methods and Tips
Install Web application directories on a separate logical volume from the OS
Secret storage methods for ASP.NET apps
Data Protection API (DPAPI)
.NET cryptography classes
CAPICOM
Crypto API
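An added C# example of the first two storage methods listed above, protecting a connection string with DPAPI. It is not code from the deck: it uses System.Security.Cryptography.ProtectedData, the managed DPAPI wrapper that shipped in .NET Framework 2.0 (the deck's era called CryptProtectData through P/Invoke), a constructed entropy value, and an assumed appSettings key name of ProtectedConnectionString.

```csharp
// Added example (not from the deck): a DPAPI-protected connection string.
// Assumes .NET Framework 2.0+ (ProtectedData lives in System.Security.dll).
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;

public class SecretStore
{
    // Optional entropy: an application-specific value that a process running under
    // the same account must also know to decrypt. Constructed placeholder value.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy-placeholder");

    // LocalMachine scope: the ASP.NET process account (slide 26) can decrypt even
    // though a different account ran the one-time setup tool that encrypted.
    // CurrentUser scope would tie the secret to the encrypting account's profile.
    public static string Protect(string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        try
        {
            byte[] cipher = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
            return Convert.ToBase64String(cipher);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);   // do not leave the clear text in memory
        }
    }

    public static string Unprotect(string base64)
    {
        byte[] cipher = Convert.FromBase64String(base64);
        byte[] plain = ProtectedData.Unprotect(cipher, Entropy, DataProtectionScope.LocalMachine);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    // Read the protected value that the setup tool wrote into Web.config:
    //   <appSettings><add key="ProtectedConnectionString" value="...base64..."/></appSettings>
    // (key name assumed). The decrypted string is only ever held on the heap briefly.
    public static string ConnectionStringFromConfig()
    {
        string stored = ConfigurationManager.AppSettings["ProtectedConnectionString"];
        if (stored == null) throw new InvalidOperationException("ProtectedConnectionString not configured");
        return Unprotect(stored);
    }
}

public class SetupTool
{
    // Run once on the Web server by an administrator; paste the output into Web.config.
    public static void Main(string[] args)
    {
        // Constructed sample; a real run passes the real connection string as args[0].
        string cs = args.Length > 0 ? args[0] : "Server=dbsrv;Database=app;User Id=webapp;Password=example";
        Console.WriteLine(SecretStore.Protect(cs));
    }
}
```

LocalMachine scope means any code on the machine can call Unprotect if it also knows the entropy, so this does not replace the NTFS permissions on Web.config from slide 16 or the least-privileged process account; it removes the clear-text secret from the file that is most often read by an attacker who gets a directory listing or a source-disclosure bug.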
23 Demonstration 1: Create a Logon Page and Validate Against Credentials
Create a Logon Page
Create a User Accounts Database
Register the User Store Connection String
Store Account Details in Database
Authenticate a User
24 Demonstration 2: Generate an Authentication Ticket and Create a GenericPrincipal Object
Create a GetRoles Method
Create a Forms Authentication Ticket
Create GenericPrincipal and FormsIdentity Objects
Check the Logged-in User and Their Roles
25 Agenda
General ASP.NET
Planning for ASP.NET application security
Configuring security
Programming security
Securing secrets
ASP.NET process identity
Impersonation
Securing all tiers
26 ASP.NET Process Identity Guidelines
Configured in the &lt;processModel&gt; element
Always run ASP.NET as a least-privileged account
Never run ASP.NET as SYSTEM
Using the default ASPNET account to access remote resources
Create duplicate accounts on remote computers
Use a least-privileged domain account
27 Agenda
General ASP.NET
Planning for ASP.NET application security
Configuring security
Programming security
Securing secrets
ASP.NET process identity
Impersonation
Securing all tiers
28 Impersonation: Flowing Client Identity
Inherent performance issues
Consider instead
URL or file authorization with role-based checks
Efficient management of gatekeepers and trust boundaries
29 Impersonation: Flowing Client Identity
Four reasons to use impersonation
Audit on the OS level
Flow original caller to access resources
Use a fixed identity
Preserve the default behavior of a ported classic ASP application
For local resources
Create an ACE with read access for the user
Better to avoid impersonation and use URL or File authorization with role-based checks
For remote resources
Must use basic, forms or Kerberos authentication
Threading consideration
Child threads inherit the ASP.NET process account's security context, not the impersonated one
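The configuration that slides 26, 28 and 29 recommend (least-privileged process account, no impersonation, URL authorization with role-based checks), as an added example that is not from the deck. It is written for .NET Framework 1.x: processModel belongs in Machine.config, the rest in the application's Web.config; the directory names and role names are constructed.

```xml
<!-- Machine.config (added example, not from the deck). Slide 26: run the worker
     process as a least-privileged account, never SYSTEM. userName="machine" is
     the local ASPNET account; the .NET 1.0 default of userName="SYSTEM" is the
     setting to replace. -->
<configuration>
  <system.web>
    <processModel enable="true" userName="machine" password="AutoGenerate" />
  </system.web>
</configuration>

<!-- Web.config of the application (added example). -->
<configuration>
  <system.web>
    <!-- Slide 29: do not impersonate; the page runs as the process account and
         the gatekeeper is URL authorization below, evaluated against the roles
         on the IPrincipal the application attaches to the HttpContext (slide 19). -->
    <identity impersonate="false" />

    <authentication mode="Forms">
      <!-- protection="All": ticket is both encrypted and MAC-protected. -->
      <forms name=".ASPXAUTH" loginUrl="logon.aspx" protection="All" timeout="20" />
    </authentication>

    <!-- Weak setting: deny users="?" only turns away anonymous callers, so every
         authenticated user reaches every page. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Slide 28: role-based URL authorization per directory (constructed names).
       Rules are evaluated top to bottom; the closing deny users="*" makes the
       list a whitelist instead of relying on the default allow. -->
  <location path="Manage">
    <system.web>
      <authorization>
        <allow roles="Manager" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Staff">
    <system.web>
      <authorization>
        <allow roles="Manager,Staff" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- The logon page itself must stay reachable to anonymous callers. -->
  <location path="logon.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With impersonate="false" every page, and every child thread it spawns, runs as the one process account, so the file-system and database ACLs on slide 29 are granted once to that account rather than per caller; the per-caller decision is made by the URL authorization rules, which is the trade the slide recommends over impersonation.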
30 Agenda
Planning for ASP.NET application security
Configuring security
Programming security
Securing secrets
Using the ASP.NET process identity
Impersonation
Securing all tiers
31 Securing All Tiers: From Code to Network
Follow published guidelines to
Use CAS with ASP.NET
Build secure pages and controls
Build secure components
Build secure Web services
Build secure data access
Secure the network
Secure the Web server
Secure the database server
Secure the application server
Read:
Improving Web Application Security Threats and Countermeasures
Building Secure ASP.NET Applications
32 Session Summary
Planning for security is part of designing a Web application
Creating a secure Web application is demanding; Microsoft provides resources to help you