Best Practices and Techniques for Building Secure Microsoft ASP.NET Applications 
Tags: Secure, Microsoft, ASP.NET, Applications
Published: August 13, 2007
Notes:
 
Slide 1: Best Practices and Techniques for Building Secure Microsoft ASP.NET Applications
Joe Stagner, Developer Community Champion, Microsoft Corporation, JoeStag@Microsoft.com, www.ManagedCode.com

Slide 2: So Why This Presentation?
- Web application security is more important than ever
- Ensure that security is a consideration in application design
- Creating secure Web applications is a series of complex tasks
- Promote best techniques for security
- Let developers know about new resources available: msdn.microsoft.com/library/enus/dnnetsec/html/ThreatCounter.asp

Slide 3: What We Will Cover
- Why Web application security?
- Planning for Web application security
- Authentication and authorization strategies
- Using the ASP.NET process identity
- Secure communication
- Securing secrets and state information

Slide 4: Session Prerequisites
- Familiarity with Microsoft Windows management tools
- Familiarity with IIS Management Console
- C# and ASP.NET coding experience
- Familiarity with Microsoft Visual Studio .NET
- Basic understanding of Web application security issues
- Level 200

Slide 5: Demonstrations
- Configuring IIS for SSL
- Configuring ASP.NET security
- Using forms authentication with Microsoft SQL Server
- Creating a GenericPrincipal object for roles-based authorization

Slide 6: Before We Start! SSL IS NOT WEB APPLICATION SECURITY

Slide 7: Required Reading

Slide 8: Secure Development

Slide 9: Agenda
- Planning for ASP.NET application security
- Configuring security
- Programming security
- Securing secrets
- ASP.NET process identity
- Impersonation
- Accessing resources
- Securing state information
- Web farm considerations
- Securing all tiers

Slide 10: Planning for ASP.NET Web Application Security: Authentication and Authorization
- Authentication / authorization request flow

Slide 11: Planning for ASP.NET Web Application Security: Authentication and Authorization
- Identify resources exposed to the client
- Identify resources for the app
- Choose an authorization strategy: role-based or resource-based

Slide 12: Planning for ASP.NET Web Application Security: Authentication and Authorization
- Choose identities used to access resources: ASP.NET process identity (default), custom identity, original caller, fixed identity
- Decide on identity flow: to the application, to the operating system

Slide 13: Planning for ASP.NET Web Application Security: Authentication and Authorization
Choosing an authentication approach (Internet scenarios):
- Start: users don't have Windows accounts or certificates? Yes:
  - Interactive Web app: use Passport or Forms authentication
  - No, Web service: use GXA WS-Security authentication

Slide 14: Planning for ASP.NET Web Application Security: Authentication and Authorization
- Choosing an authentication approach (continued)

Slide 15: Planning for ASP.NET Web Application Security: Secure Communication Strategies
- From client to Web server
- From Web server to database and application servers

Slide 16: Planning for ASP.NET Web Application Security: Threat Modeling
- An iterative process

Slide 17: Planning for ASP.NET Web Application Security: Specific Threats
- Common attacks against Web applications

Slide 18: Planning for ASP.NET Web Application Security: Specific Threats
- SQL injection attacks: alters an existing query or creates a new query; use stored procedures with parameters
- Cross-site scripting: malicious script sent to the application as input; frequently part of cookie replay attacks; server-side input validation; encode all output that includes input
- Buffer overflows: unmanaged code can cause arbitrary code execution; server-side input validation
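The SQL injection and cross-site scripting countermeasures of slide 18, as an added C# example for ASP.NET 1.x (not code from the deck); the Users table and the dbo.GetUserByName stored procedure are assumed names.

```csharp
// Added example (not from the deck): slide 18's countermeasures in C# for ASP.NET 1.x.
// The Users table and the dbo.GetUserByName stored procedure are assumed names.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

public class UserLookup
{
    // VULNERABLE (the pattern slide 18 warns about): input is spliced into the
    // query text, so a quote character in it changes the query SQL Server runs.
    public static DataTable FindUserUnsafe(string connectionString, string userName)
    {
        string sql = "SELECT UserName, Email FROM Users WHERE UserName = '"
                     + userName + "'";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlDataAdapter da = new SqlDataAdapter(sql, conn))
        {
            DataTable result = new DataTable();
            da.Fill(result);
            return result;
        }
    }

    // FIXED: server-side validation plus a stored procedure with a typed
    // parameter; the value travels as data and is never parsed as SQL.
    public static DataTable FindUser(string connectionString, string userName)
    {
        if (!Regex.IsMatch(userName, @"^[A-Za-z0-9_.]{1,50}$"))
            throw new ArgumentException("Invalid user name", "userName");
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.GetUserByName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            using (SqlDataAdapter da = new SqlDataAdapter(cmd))
            {
                DataTable result = new DataTable();
                da.Fill(result);
                return result;
            }
        }
    }

    // Cross-site scripting: encode all output that includes input, so a
    // <script> tag submitted as a user name renders as text, not as markup.
    public static string RenderGreeting(string userName)
    {
        return "<p>Welcome, " + HttpUtility.HtmlEncode(userName) + "</p>";
    }
}
```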
Slide 19: Agenda
- Planning for ASP.NET application security; Configuring security; Programming security; Securing secrets; Using the ASP.NET process identity; Impersonation; Accessing resources; Securing state information; Web farm considerations; Securing all tiers

Slide 20: Configuring Security: IIS to Secure Communication

Slide 21: Configuring Web Application Security: Configure IIS Settings
- Optionally install a Web server certificate for SSL
- Configure IIS authentication
- Optionally configure client certificate mapping
- Set NTFS permissions on files and folders

Slide 22: Demo 1: Configure IIS for SSL
- Set up the SecurityDemo Web site
- Create a certificate request
- Configure IIS for SSL and certificates

Slide 23: Configuring Web Application Security: ASP.NET Settings in Web.config
- Configure authentication mode:
    <authentication mode="Windows|Passport|Forms|None" />
- Configure impersonation:
    <identity impersonate="true" />
- Configure authorization (user names are a comma-separated list in one attribute; the deny-all rule comes last so it applies to everyone not explicitly allowed):
    <authorization>
        <allow users="DomainName\Bob,DomainName\Mary" />
        <deny users="*" />
    </authorization>

Slide 24: Demo 2: Configure ASP.NET for Forms Authentication
- Create a Web application in Visual Studio
- Edit the application's Web.config file

Slide 25: Agenda
- Planning for ASP.NET application security; Configuring security; Programming security; Securing secrets; Using the ASP.NET process identity; Impersonation; Accessing resources; Securing state information; Web farm considerations; Securing all tiers

Slide 26: Programming ASP.NET Security: Basic Authorization Pattern
1. Retrieve credentials
2. Validate credentials
3. Put users in roles
4. Create an IPrincipal object
5. Put the IPrincipal object into the current HttpContext
6. Authorize based on user identity/role

Slide 27: Agenda
- Planning for ASP.NET application security; Configuring security; Programming security; Securing secrets; ASP.NET process identity; Impersonation; Accessing resources; Securing state information; Web farm considerations; Securing all tiers

Slide 28: Storing Secrets: Secret Examples
- Database connection strings
- Credentials for SQL roles
- Fixed identities in Web.config
- Process identity in Machine.config
- Keys used to store data securely
- SQL Server session state
- Passwords used for forms authentication against a database

Slide 29: Storing Secrets: Storage Methods and Tips
- Install Web application directories on a separate logical volume from the OS
- Secret storage methods for ASP.NET apps: Data Protection API (DPAPI), COM+ constructor strings, .NET cryptography classes, CAPICOM, Crypto API

Slide 30: Demonstration 3: Create a Logon Page and Validate Against Credentials
- Create a logon page
- Create a user accounts database
- Register the user store connection string
- Store account details in the database
- Authenticate a user

Slide 31: Demonstration 4: Generate an Authentication Ticket and Create a GenericPrincipal Object
- Create a GetRoles method
- Create a forms authentication ticket
- Create GenericPrincipal and FormsIdentity objects
- Check the logged-in user and their roles
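The six-step pattern of slide 26 carried through the ticket and principal work of slide 31, as an added C# example for ASP.NET 1.x (not the deck's demo code); GetRoles is an assumed stand-in for the demo's database lookup, and AuthenticateRequest is meant to be called from Application_AuthenticateRequest in Global.asax.

```csharp
// Added example (not the deck's demo code): the pattern of slides 26 and 31 in C#
// for ASP.NET 1.x. GetRoles is an assumed stand-in for the demo's database lookup.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class RoleBasedAuth
{
    // Step 3, "put users in roles": assumed helper; the demo reads these from
    // the user accounts database after the credentials have been validated.
    private static string[] GetRoles(string userName)
    {
        return userName == "bob" ? new string[] { "Manager", "Employee" }
                                 : new string[] { "Employee" };
    }

    // Logon page, called only after steps 1 and 2 succeeded: issue a ticket
    // whose UserData field carries the role list, then send it as the cookie.
    public static void IssueTicket(HttpResponse response, string userName)
    {
        string roles = String.Join("|", GetRoles(userName));
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false /* not persistent */, roles);
        // Encrypt() also MACs the ticket with the <machineKey> validationKey,
        // so a client that edits its role list invalidates the ticket.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.Secure = true;   // ticket is only ever sent over SSL
        response.Cookies.Add(cookie);
    }

    // Steps 4 and 5, run from Application_AuthenticateRequest in Global.asax:
    // rebuild the IPrincipal from the ticket and attach it to the HttpContext.
    public static void AuthenticateRequest(HttpContext context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }            // tampered cookie: stay anonymous
        if (ticket == null || ticket.Expired) return;
        string[] roles = ticket.UserData.Split('|');
        context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }

    // Step 6: authorize on identity and role rather than on raw cookie data.
    public static bool CanApprove(HttpContext context)
    {
        return context.User != null && context.User.Identity.IsAuthenticated
               && context.User.IsInRole("Manager");
    }
}
```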
Slide 32: Agenda
- Planning for ASP.NET application security; Configuring security; Programming security; Securing secrets; ASP.NET process identity; Impersonation; Accessing resources; Securing state information; Web farm considerations; Securing all tiers

Slide 33: ASP.NET Process Identity: Guidelines
- Configured in the <processModel> element
- Always run ASP.NET as a least-privileged account
- Never run ASP.NET as SYSTEM
- Using the default ASPNET account to access remote resources: create duplicate accounts on remote computers, or use a least-privileged domain account

Slide 34: Agenda
- Planning for ASP.NET application security; Configuring security; Programming security; Securing secrets; ASP.NET process identity; Impersonation; Accessing resources; Securing state information; Web farm considerations; Securing all tiers

Slide 35: Impersonation: Flowing Client Identity
- Inherent performance issues
- Consider instead: URL or file authorization with role-based checks; efficient management of gatekeepers and trust boundaries

Slide 36: Impersonation: Flowing Client Identity
- Four reasons to use impersonation: audit on the OS level; flow the original caller to access resources; use a fixed identity; save the default behavior of a ported classic ASP application
- For local resources: create an ACE with read access for the user; better to avoid impersonation and use URL or file authorization with role-based checks
- For remote resources: must use basic, forms or Kerberos authentication
- Threading consideration: child threads inherit the ASP.NET process account's security context

Slide 37: Agenda
- Planning for ASP.NET application security; Configuring security; Programming security; Securing secrets; Using the ASP.NET process identity; Impersonation; Accessing resources; Securing state information; Web farm considerations; Securing all tiers

Slide 38: Accessing Resources: System Resources and COM Objects
- Creating event sources: at install time with a .NET installer class; grant permissions to the account on the registry hive HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
- For any registry key, grant the account at least read access
- Apartment model COM objects: <%@ Page AspCompat="true" %>; create COM objects in page event handlers

Slide 39: Accessing Resources: Network Resources
- ASP.NET process identity
- Anonymous Internet user account: use impersonation to flow the anonymous account through trust boundaries; can be applied to hosting scenarios

Slide 40: Accessing Resources: Network Resources
- Original caller using delegation: Windows authentication using Kerberos; Windows authentication using client certificates
- OOP-serviced component

Slide 41: Agenda
- Planning for ASP.NET application security; Configuring security; Programming security; Securing secrets; Using the ASP.NET process identity; Impersonation; Accessing resources; Securing state information; Web farm considerations; Securing all tiers

Slide 42: Securing State Information: View State
- Configure the validation attribute in machine.config:
    <machineKey validation="SHA1" ... />
    <machineKey validation="3DES" ... />
- Enable message authentication code (MAC) checks for pages that use view state:
    <%@ Page EnableViewStateMac="true" %>

Slide 43: Securing State Information: SQL Session State
- Secure the connection string using Windows authentication: create a duplicate account on the database server, then change the connection string:
    sqlConnectionString="server=127.0.0.1;database=StateDatabase;Integrated Security=SSPI;"
- Use IPSec or SSL to protect network traffic between the Web server and the SQL state database server

Slide 44: Agenda
- Planning for ASP.NET application security; Configuring security; Programming security; Securing secrets; Using the ASP.NET process identity; Impersonation; Accessing resources; Securing state information; Web farm considerations; Securing all tiers

Slide 45: Web Farm Considerations: Security Implications
- Must use remote, OOP session state
- For DPAPI, consider user vs. machine store
- For forms authentication, <machineKey> must be the same on each computer: validationKey attribute, decryptionKey attribute; the validation attribute should be SHA1
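The <machineKey>, session state and view state settings of slides 42, 43 and 45 brought together in one web.config fragment, as an added example (not configuration from the deck); the key values are placeholders to be replaced with randomly generated hex strings.

```xml
<!-- Added example (not from the deck): web.config fragments for slides 42, 43 and 45.
     Key values are placeholders; generate real ones with RNGCryptoServiceProvider. -->
<configuration>
  <system.web>
    <!-- Web farm: every server must carry the SAME explicit keys. The default
         validationKey="AutoGenerate" gives each machine its own key, so forms
         tickets and view state from one server fail MAC checks on the next. -->
    <machineKey validationKey="PLACEHOLDER-64-HEX-CHARS"
                decryptionKey="PLACEHOLDER-48-HEX-CHARS"
                validation="SHA1" />

    <!-- Slide 43: out-of-process session state in SQL Server, authenticated
         with the Web server's Windows account, so no password sits in the file. -->
    <sessionState mode="SQLServer"
                  sqlConnectionString="server=127.0.0.1;database=StateDatabase;Integrated Security=SSPI;"
                  cookieless="false" timeout="20" />

    <!-- Slide 42: MAC-check view state on every page, not only those that set the @ Page attribute. -->
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
```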
Slide 46: Agenda
- Planning for ASP.NET application security; Configuring security; Programming security; Securing secrets; Using the ASP.NET process identity; Impersonation; Accessing resources; Securing state information; Web farm considerations; Securing all tiers

Slide 47: Securing All Tiers: From Code to Network
- Follow published guidelines to: use CAS with ASP.NET; build secure pages and controls; build secure components; build secure Web services; build secure data access; secure the network; secure the Web server; secure the database server; secure the application server
- Read: Improving Web Application Security: Threats and Countermeasures; Building Secure ASP.NET Applications

Slide 48: Session Summary
- Planning for security is part of designing a Web application
- Threat modeling can help your team focus resources on security
- Creating a secure Web application is demanding; Microsoft provides resources to help you

Slide 49: For More Information...
- MSDN Web site: msdn.microsoft.com
- ASP.NET Web site: www.asp.net
- GotDotNet Web site: www.gotdotnet.com
- TechNet Security home page: www.microsoft.com/technet/security
- Microsoft Security and Privacy home page: www.microsoft.com/security/

Slide 50: For More Information...
- .NET Security home page: msdn.microsoft.com/net/security
- Microsoft Training and Certification in Security: www.microsoft.com/traincert/centers/security.asp
- Improving Web Application Security: Threats and Countermeasures: msdn.microsoft.com/library/enus/dnnetsec/html/ThreatCounter.asp
- Building Secure ASP.NET Applications: msdn.microsoft.com/library/enus/dnnetsec/html/secnetlpMSDN.asp

Slide 51: Training: Training Resources for Developers
- Course Title: (blank) Course Number: (blank) Availability: (blank) Detailed Syllabus: www.microsoft.com/traincert
- Course Title: (blank) Course Number: (blank) Availability: (blank) Detailed Syllabus: www.microsoft.com/traincert
- To locate a training provider for this course, please access www.microsoft.com/traincert
- Microsoft Certified Technical Education Centers are Microsoft's premier partners for training services

Slide 52: MSDN Essential Resources for Developers
- Subscription Services: Library, OS, Professional, Enterprise, Universal; delivered via CD-ROM, DVD, Web
- Online Information: MSDN Online, MSDN Flash, How-to Resources, Download Center
- Training and Events: MSDN Webcasts, MSDN Online Seminars, Tech·Ed, PDC, Developer Days
- Print Publications: MSDN Magazine, MSDN News
- Membership Programs: MSDN User Groups

Slide 53: How-to Resources: Simple, Step-by-Step Procedures
- Embedded development How-to resources
- General How-to resources
- Integration How-to resources
- Microsoft JScript .NET How-to resources
- Microsoft .NET development How-to resources
- Office development resources
- Security How-to resources
- Microsoft Visual Basic .NET How-to resources
- Microsoft Visual C# .NET How-to resources
- Microsoft Visual Studio .NET How-to resources
- Web development How-to resources (ASP, IIS, XML)
- Web services How-to resources
- Windows development How-to resources
- http://msdn.microsoft.com/howto

Slide 54: MSDN Webcasts: Interactive, Live Online Events
- Interactive, synchronous, live online events
- Discuss the hottest topics from Microsoft
- Open and free for the general public
- Take place every Tuesday
- http://www.microsoft.com/usa/webcasts

Slide 55: MSDN Subscriptions: The Way to Get Visual Studio .NET
- MSDN Universal ($2799 new, $2299 renewal/upgrade): Visual Studio .NET Enterprise Architect; software and data modeling; enterprise templates; architectural guidance
- MSDN Enterprise ($2199 new, $1599 renewal/upgrade): Enterprise Developer; enterprise lifecycle tools; team development support; Windows Server 2003 and SQL Server
- MSDN Professional, NEW ($1199 new, $899 renewal/upgrade): Professional; tools to build applications and XML Web services for Windows and the Web

Slide 56: Where Can I Get MSDN?
- Visit MSDN Online at msdn.microsoft.com
- Register for the MSDN Flash e-mail newsletter at msdn.microsoft.com/flash
- Become an MSDN CD subscriber at msdn.microsoft.com/subscriptions
- MSDN online seminars: msdn.microsoft.com/training/seminars
- Attend more MSDN events

Slide 57: Microsoft Press: Essential Resources for Developers
- Microsoft Visual Studio .NET is here! This is your chance to start building the next big thing. Develop your .NET skills, increase your productivity with .NET books from Microsoft Press: www.microsoft.com/mspress

Slide 58: Become a Microsoft Certified Solution Developer
- What is MCSD? Premium certification for professionals who design and develop custom business solutions
- How do I attain MCSD certification? Certification requires passing four exams to prove competency with Microsoft solution architecture, desktop applications, distributed application development, and development tools
- Where do I get more information? For more information about certification requirements, exams, and training options, visit www.microsoft.com/mcp

Slide 59: Get this Presentation: www.ManagedCode.com
Slide 60: © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. Microsoft, MSDN, Visual Basic, Windows, Windows NT, JScript, Visual Studio, Visual C#, Active Directory, Win32, and Microsoft Press are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.