Best Practices and Techniques for Building Secure Microsoft ASP.NET Applications

Jonas Thomsen, Ph.D. student
Computer Science, University of Aarhus
[email protected]

What We Will Cover

- Why Web application security?
- Planning for Web application security
- Authentication and authorization strategies
- Using the ASP.NET process identity
- Secure communication
- Securing secrets and state information

So Why This Presentation?

- Web application security is more important than ever
- Ensure that security is a consideration in application design
- Creating secure Web applications is a series of complex tasks
- Promote best techniques for security
- Let developers know about new resources available

msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp

Agenda

- Planning for ASP.NET application security
- Configuring security
- Securing secrets
- ASP.NET process identity
- Impersonation

Planning for ASP.NET Web Application Security: Authentication and Authorization

[Diagram: authentication / authorization request flow]

Planning for ASP.NET Web Application Security: Authentication and Authorization

- Identify resources exposed to the client
- Identify resources used by the application
- Choose an authorization strategy
  - Role-based
  - Resource-based

Planning for ASP.NET Web Application Security: Authentication and Authorization

- Choose identities used to access resources
  - ASP.NET process identity (default)
  - Custom identity
  - Original caller
  - Fixed identity
- Decide on identity flow
  - To the application
  - To the operating system

Planning for ASP.NET Web Application Security: Authentication and Authorization

Choosing an authentication approach: Internet scenarios

[Flowchart] Start: users don't have Windows accounts or certificates. Interactive Web app? Yes: use Passport or Forms authentication. No (Web service): use GXA WS-Security authentication.

Planning for ASP.NET Web Application Security: Authentication and Authorization

[Diagram: choosing an authentication approach (continued)]

Planning for ASP.NET Web Application Security: Secure Communication Strategies

- From client to Web server
- From Web server to database and application servers

Planning for ASP.NET Web Application Security: Threat Modeling

- An iterative process

Planning for ASP.NET Web Application Security: Specific Threats

- Common attacks against Web applications

Planning for ASP.NET Web Application Security: Specific Threats

- SQL injection attacks
  - Alters an existing query or creates a new query
  - Solution: use stored procedures with parameters
- Cross-site scripting
  - Malicious script sent to the application as input
  - Frequently part of cookie replay attacks
  - Solution: server-side input validation
  - Solution: encode all output that includes input
- Buffer overflows
  - Unmanaged code can allow arbitrary code execution
  - Solution: server-side input validation

Example: SQL injection

Vulnerable: the user-supplied value is concatenated into the query text, so it can change the query's structure.

    using System.Data;
    using System.Data.SqlClient;

    // suppliedUserName comes straight from the request
    SqlCommand cmd = new SqlCommand(
        "SELECT * FROM users WHERE username = '" +
        suppliedUserName + "';",
        conn);

Set: suppliedUserName = "' OR true '"

Parameterized stored procedure instead: the value is passed as typed data, never as query text.

    SqlCommand cmd = new SqlCommand("LookupUser", conn);
    cmd.CommandType = CommandType.StoredProcedure;
    // Typed, length-limited parameter for the stored procedure's @userName
    SqlParameter sqlParam = cmd.Parameters.Add("@userName",
        SqlDbType.VarChar, 255);
    sqlParam.Value = suppliedUserName;
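The two cross-site scripting countermeasures from the Specific Threats slide, server-side input validation and output encoding, as an added example that is not part of the original deck. It assumes System.Web (for HttpUtility) and a hypothetical greeting that echoes the supplied user name.

```csharp
// Added example (not from the slides): validate input on the server with a
// whitelist, then HTML-encode it on output. Assumes System.Web is referenced.
using System;
using System.Text.RegularExpressions;
using System.Web;

public class GreetingRenderer
{
    // Whitelist: letters, digits, dot, underscore and hyphen, 1-32 characters.
    // Markup characters such as "<", ">" and quotes never pass this check.
    static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9._-]{1,32}$", RegexOptions.Compiled);

    public static bool IsValidUserName(string value)
    {
        return value != null && UserNamePattern.IsMatch(value);
    }

    // Vulnerable form, kept for comparison: the raw value is written into the
    // HTML, so any markup it contains is parsed by the browser.
    public static string RenderUnsafe(string suppliedUserName)
    {
        return "<b>Welcome " + suppliedUserName + "</b>";
    }

    // Hardened form: reject anything outside the whitelist, and encode on
    // output anyway (defense in depth for fields that must accept free text).
    public static string RenderSafe(string suppliedUserName)
    {
        if (!IsValidUserName(suppliedUserName))
            throw new ArgumentException("Invalid user name", "suppliedUserName");
        return "<b>Welcome " + HttpUtility.HtmlEncode(suppliedUserName) + "</b>";
    }
}
```

HtmlEncode turns "<" into "&lt;" and "&" into "&amp;", so a value that slipped past validation is still rendered as text rather than interpreted as HTML.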

Agenda

- Planning for ASP.NET application security
- Configuring security
- Securing secrets
- Using the ASP.NET process identity
- Impersonation

Configuring Security: IIS to Secure Communication

Configuring Web Application Security: Configure IIS Settings

- Optionally install a Web server certificate for SSL
- Configure IIS authentication
- Optionally configure client certificate mapping
- Set NTFS permissions on files and folders

Configuring Web Application Security: ASP.NET Settings in Web.config

- Configure authentication mode

    <authentication mode="Windows|Passport|Forms|None" />

- Configure impersonation

    <identity impersonate="true" />

- Configure authorization (the users attribute is one comma-separated list; rules are evaluated top-down, so the allow must precede the deny)

    <authorization>
      <allow users="DomainName\Bob,DomainName\Mary" />
      <deny users="*" />
    </authorization>
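A Web.config fragment, added here and not taken from the deck, that combines the three elements above the way the deck recommends for an Internet application: Forms authentication, no impersonation, and role-based URL authorization. The "Admin" folder and the "Administrators" role are assumptions.

```xml
<!-- Added example (not from the slides). Assumes Forms authentication, a
     hypothetical "Admin" subfolder and a role named "Administrators" that
     the application attaches to the authenticated principal. -->
<configuration>
  <system.web>
    <!-- Forms authentication for an Internet application (no Windows accounts).
         protection="All" encrypts and signs the ticket; requireSSL keeps the
         cookie off clear-text connections. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All"
             timeout="30" requireSSL="true" />
    </authentication>

    <!-- No impersonation: requests run as the least-privileged ASP.NET process
         account and access is decided by URL authorization and role checks. -->
    <identity impersonate="false" />

    <!-- Deny anonymous users ("?") for the whole application. Authenticated
         users are allowed by the inherited machine-level <allow users="*" />. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Role-based URL authorization for the administration area only.
         Order matters: putting <deny users="*" /> first would lock everyone out. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```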

Agenda

- Planning for ASP.NET application security
- Configuring security
- Securing secrets
- ASP.NET process identity
- Impersonation

Storing Secrets: Secret Examples

- Database connection strings
- Credentials for SQL roles
- Fixed identities in Web.config
- Process identity in Machine.config
- Keys used to store data securely
- SQL Server session state
- Passwords used for forms authentication against a database

Storing Secrets: Storage Methods and Tips

- Install Web application directories on a separate logical volume from the OS
- Secret storage methods for ASP.NET apps
  - Data Protection API (DPAPI)
  - COM+ constructor strings
  - .NET cryptography classes
  - CAPICOM
  - Crypto API
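Protecting a connection string with the Data Protection API listed above, as an added example that is not from the deck. It assumes .NET 2.0 or later, where DPAPI is exposed as System.Security.Cryptography.ProtectedData (reference System.Security.dll); the connection string and entropy are constructed sample values.

```csharp
// Added example (not from the slides): DPAPI via ProtectedData (.NET 2.0+).
// Assumes System.Security.dll is referenced; the secret below is a constructed sample.
using System;
using System.Security.Cryptography;
using System.Text;

public static class SecretStore
{
    // Optional entropy ties the blob to this application in addition to the
    // machine key. It is not secret itself, but Unprotect must supply the same value.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("AspNetSecrets-v1");

    // LocalMachine scope: any process on this server (including the ASPNET
    // account) can decrypt, but a copied blob is useless on another machine.
    // Returns base64 so the protected form can be stored in Web.config.
    public static string Protect(string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        byte[] cipher = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
        Array.Clear(plain, 0, plain.Length);   // do not keep the plaintext around
        return Convert.ToBase64String(cipher);
    }

    public static string Unprotect(string base64)
    {
        byte[] cipher = Convert.FromBase64String(base64);
        byte[] plain = ProtectedData.Unprotect(cipher, Entropy, DataProtectionScope.LocalMachine);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    public static void Main()
    {
        // Constructed sample secret. In practice Protect runs once in an
        // administrative tool and only the protected form is written to disk.
        string connStr = "Server=dbserver;Database=Shop;User Id=shopapp;Password=example";
        string stored = Protect(connStr);
        Console.WriteLine("Stored form: " + stored);
        Console.WriteLine("Round-trip ok: " + (Unprotect(stored) == connStr));
    }
}
```

Because LocalMachine scope lets every local account decrypt, the NTFS permissions on the file holding the blob remain part of the protection, which is why the deck also lists file and folder ACLs.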

Agenda

- Planning for ASP.NET application security
- Configuring security
- Securing secrets
- ASP.NET process identity
- Impersonation

ASP.NET Process Identity: Guidelines

- Configured in the <processModel> element
- Always run ASP.NET as a least-privileged account
- Never run ASP.NET as SYSTEM
- Using the default ASPNET account to access remote resources
  - Create duplicate accounts on remote computers
  - Use a least-privileged domain account

Agenda

- Planning for ASP.NET application security
- Configuring security
- Securing secrets
- ASP.NET process identity
- Impersonation

Impersonation: Flowing Client Identity

- Inherent performance issues
- Consider instead:
  - URL or file authorization with role-based checks
  - Efficient management of gatekeepers and trust boundaries

Impersonation: Flowing Client Identity

- Four reasons to use impersonation
  - Audit at the OS level
  - Flow the original caller to access resources
  - Use a fixed identity
  - Preserve the default behavior of a ported classic ASP application
- For local resources
  - Create an ACE with read access for the user
  - Better to avoid impersonation and use URL or file authorization with role-based checks
- For remote resources
  - Must use Basic, Forms or Kerberos authentication
- Threading consideration
  - Child threads inherit the ASP.NET process account's security context
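A diagnostic page, added here and not part of the deck, that makes the threading consideration above visible: it reports the authenticated caller, the Windows token on the request thread, and the token a thread-pool worker runs under. It assumes a hypothetical WhoAmI.aspx code-behind and <identity impersonate="true" /> in Web.config.

```csharp
// Added example (not from the slides): shows which Windows identity each
// thread actually carries when ASP.NET impersonation is enabled.
// Assumes a hypothetical WhoAmI.aspx page and <identity impersonate="true" />.
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.UI;

public class WhoAmI : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // The principal ASP.NET authenticated (for example via IIS Windows auth).
        string caller = Context.User.Identity.Name;
        // The Windows token applied to this request thread: the caller when
        // impersonating, otherwise the ASP.NET process account.
        string requestThread = WindowsIdentity.GetCurrent().Name;

        // Hand work to a pool thread and capture its token. ASP.NET's
        // impersonation is not carried over, so this is the process account.
        string workerThread = null;
        using (ManualResetEvent done = new ManualResetEvent(false))
        {
            ThreadPool.QueueUserWorkItem(delegate
            {
                workerThread = WindowsIdentity.GetCurrent().Name;
                done.Set();
            });
            done.WaitOne();
        }

        Response.ContentType = "text/plain";
        Response.Write("Authenticated caller : " + caller + "\n");
        Response.Write("Request thread token : " + requestThread + "\n");
        Response.Write("Worker thread token  : " + workerThread + "\n");
        // Files or integrated-security SQL connections opened from the worker
        // thread are therefore authorized against the process account, not the caller.
    }
}
```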

Session Summary

- Planning for security is part of designing a Web application
- Threat modeling can help your team focus resources on security
- Creating a secure Web application is demanding; Microsoft and others provide resources to help you
- Wrong security is worse than no security!

For More Information…

- ASP.NET Web site: www.asp.net
- TechNet Security home page: www.microsoft.com/technet/security
- Microsoft Security and Privacy home page: www.microsoft.com/security/
- Improving Web Application Security: Threats and Countermeasures: msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp
- Building Secure ASP.NET Applications: msdn.microsoft.com/library/en-us/dnnetsec/html/secnetlpMSDN.asp