Jonas Thomsen, Ph.D. student
Computer Science, University of Aarhus
[email protected]

Best Practices and Techniques for Building Secure Microsoft® ASP.NET Applications
What We Will Cover
- Why Web application security?
- Planning for Web application security
- Authentication and authorization strategies
- Using the ASP.NET process identity
- Secure communication
- Securing secrets and state information
So Why This Presentation?
- Web application security is more important than ever
- Ensure that security is a consideration in application design
- Creating secure Web applications is a series of complex tasks
- Promote best techniques for security
- Let developers know about new resources available:
  msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp
Agenda
- Planning for ASP.NET application security
- Configuring security
- Securing secrets
- ASP.NET process identity
- Impersonation
Planning for ASP.NET Web Application Security: Authentication and Authorization
- Authentication / authorization request flow
Planning for ASP.NET Web Application Security: Authentication and Authorization
- Identify the resources exposed to the client
- Identify the resources used by the application
- Choose an authorization strategy
  - Role-based
  - Resource-based
Planning for ASP.NET Web Application Security: Authentication and Authorization
- Choose the identities used to access resources
  - ASP.NET process identity (default)
  - Custom identity
  - Original caller
  - Fixed identity
- Decide on identity flow
  - To the application
  - To the operating system
Planning for ASP.NET Web Application Security: Authentication and Authorization
- Choosing an authentication approach
- Internet scenarios (decision flow)
  - Start: users don't have Windows accounts or certificates
  - Interactive Web app?
    - Yes: use Passport or Forms authentication
    - No (Web service): use GXA WS-Security authentication

Planning for ASP.NET Web Application Security: Authentication and Authorization
- Choosing an authentication approach
Planning for ASP.NET Web Application Security: Secure Communication Strategies
- From client to Web server
- From Web server to database and application servers
Planning for ASP.NET Web Application Security: Threat Modeling
- An iterative process
Planning for ASP.NET Web Application Security: Specific Threats
- Common attacks against Web applications
Planning for ASP.NET Web Application Security: Specific Threats
- SQL injection attacks
  - Alters an existing query or creates a new query
  - Solution: use stored procedures with parameters
- Cross-site scripting
  - Malicious script sent to the application as input
  - Frequently part of cookie replay attacks
  - Solution: server-side input validation
  - Solution: encode all output that includes input
- Buffer overflows
  - Unmanaged code can allow arbitrary code execution
  - Solution: server-side input validation
Example: SQL injection

Vulnerable version: the user-supplied value is concatenated into the SQL text, so it can change the query.

    using System.Data;
    using System.Data.SqlClient;

    // conn is an open SqlConnection; suppliedUserName comes straight from the request.
    SqlCommand cmd = new SqlCommand(
        "SELECT * FROM users WHERE username = '" + suppliedUserName + "';",
        conn);

    // Set: suppliedUserName = "' OR true '"
    // The leading quote terminates the string literal and the remainder is parsed as SQL.

Fixed version: a stored procedure with a typed parameter; the value is passed as data and never parsed as SQL.

    SqlCommand cmd = new SqlCommand("LookupUser", conn);
    cmd.CommandType = CommandType.StoredProcedure;
    SqlParameter sqlParam = cmd.Parameters.Add("@userName", SqlDbType.VarChar, 255);
    sqlParam.Value = suppliedUserName;
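An added example, not from the slides, that applies the two cross-site scripting countermeasures listed on the threats slide (server-side whitelist validation of input, HTML encoding of any output that echoes it) in C#. The whitelist pattern and the sample inputs are constructed for this example; HttpUtility comes from System.Web.dll.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;   // HttpUtility (System.Web.dll)

// Added example: server-side input validation plus output encoding for a user name field.
public static class UserInputGuard
{
    // Constructed whitelist for this example: letters, digits, '.', '_', '-', 1 to 32 characters.
    // Anything outside the whitelist is rejected rather than "cleaned".
    private static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9._-]{1,32}$", RegexOptions.Compiled);

    // Validation happens on the server regardless of any client-side check,
    // because a request can be crafted that skips the browser entirely.
    public static bool IsValidUserName(string input)
    {
        return input != null && UserNamePattern.IsMatch(input);
    }

    // Encoding happens at the point of output: <, >, &, " (and ' on .NET 4+) become
    // entities, so the browser renders the value as text instead of markup.
    public static string RenderGreeting(string displayName)
    {
        return "<p>Welcome, " + HttpUtility.HtmlEncode(displayName) + "</p>";
    }

    public static void Main()
    {
        // Constructed sample inputs: one valid name, one containing markup, one containing SQL.
        string[] samples = { "mary.smith", "<b>Bob</b>", "x'; DROP TABLE users--" };
        foreach (string s in samples)
        {
            Console.WriteLine("{0,-24} valid={1,-5} rendered={2}",
                s, IsValidUserName(s), RenderGreeting(s));
        }
        // "<b>Bob</b>" is rejected by validation and, if ever echoed anyway,
        // renders as <p>Welcome, &lt;b&gt;Bob&lt;/b&gt;</p>.
    }
}
```

The two checks are complementary: validation narrows what reaches application logic and the database, encoding protects the response even for fields where a whitelist is impractical.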
Agenda
- Planning for ASP.NET application security
- Configuring security
- Securing secrets
- Using the ASP.NET process identity
- Impersonation
Configuring Web Application Security: Configure IIS Settings
- Optionally install a Web server certificate for SSL
- Configure IIS authentication
- Optionally configure client certificate mapping
- Set NTFS permissions on files and folders
Configuring Web Application Security: ASP.NET Settings in Web.config
- Configure authentication mode

    <authentication mode="Windows|Passport|Forms|None" />

- Configure impersonation

    <identity impersonate="true" />

- Configure authorization (the users attribute takes a single comma-separated list; rules are matched top to bottom, so the deny-all rule comes last)

    <authorization>
      <allow users="DomainName\Bob,DomainName\Mary" />
      <deny users="*" />
    </authorization>
Agenda
- Planning for ASP.NET application security
- Configuring security
- Securing secrets
- ASP.NET process identity
- Impersonation
Storing Secrets: Secret Examples
- Database connection strings
- Credentials for SQL roles
- Fixed identities in Web.config
- Process identity in Machine.config
- Keys used to store data securely
- SQL Server session state
- Passwords used for forms authentication against a database
Storing Secrets: Storage Methods and Tips
- Install Web application directories on a separate logical volume from the OS
- Secret storage methods for ASP.NET apps
  - Data Protection API (DPAPI)
  - COM+ constructor strings
  - .NET cryptography classes
  - CAPICOM
  - Crypto API
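An added example, not from the slides, of the DPAPI option above using the managed ProtectedData class (System.Security.dll, .NET 2.0 and later, Windows only) to protect a database connection string before it is written to a configuration file. The entropy value and the sample connection string are constructed for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: DPAPI round trip for a secret that must live in a config file.
public static class SecretStore
{
    // Optional entropy is mixed into the DPAPI key. Constructed value for this example;
    // in a deployment it is a second secret and must not sit in the same file as the ciphertext.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    // LocalMachine scope: any process on this host can decrypt, but the ciphertext is
    // useless on another machine. CurrentUser scope would bind it to the process account
    // instead, which requires that account's user profile to be loaded.
    public static string Protect(string secret)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(secret);
        byte[] ciphertext = ProtectedData.Protect(plaintext, Entropy, DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(ciphertext);
    }

    public static string Unprotect(string protectedBase64)
    {
        byte[] ciphertext = Convert.FromBase64String(protectedBase64);
        byte[] plaintext = ProtectedData.Unprotect(ciphertext, Entropy, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(plaintext);
    }

    public static void Main()
    {
        // Constructed sample connection string; the password is a placeholder.
        string connStr = "Server=db01;Database=Shop;User Id=shop_app;Password=PLACEHOLDER;";

        // This is the form that goes into Web.config or a separate secrets file.
        string stored = Protect(connStr);
        Console.WriteLine("Stored form: " + stored);

        // At startup the application reverses the operation in memory only.
        Console.WriteLine("Round trip ok: " + (Unprotect(stored) == connStr));
    }
}
```

Because the key is derived by the operating system, there is no application-held key to protect, which is the main advantage DPAPI has over the raw .NET cryptography classes for this use.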
Agenda
- Planning for ASP.NET application security
- Configuring security
- Securing secrets
- ASP.NET process identity
- Impersonation
ASP.NET Process Identity: Guidelines
- Configured in the <processModel> element
- Always run ASP.NET as a least-privileged account
- Never run ASP.NET as SYSTEM
- Using the default ASPNET account to access remote resources
  - Create duplicate accounts on the remote computers
  - Use a least-privileged domain account
Agenda
- Planning for ASP.NET application security
- Configuring security
- Securing secrets
- ASP.NET process identity
- Impersonation
Impersonation: Flowing Client Identity
- Inherent performance issues
- Consider instead:
  - URL or file authorization with role-based checks
  - Efficient management of gatekeepers and trust boundaries
Impersonation: Flowing Client Identity
- Four reasons to use impersonation
  - Audit at the OS level
  - Flow the original caller to access resources
  - Use a fixed identity
  - Keep the default behavior of a ported classic ASP application
- For local resources
  - Create an ACE with read access for the user
  - Better to avoid impersonation and use URL or file authorization with role-based checks
- For remote resources
  - Must use Basic, Forms or Kerberos authentication
- Threading consideration
  - Child threads inherit the ASP.NET process account's security context, not the impersonated caller's
Session Summary
- Planning for security is part of designing a Web application
- Threat modeling can help your team focus resources on security
- Creating a secure Web application is demanding; Microsoft and others provide resources to help you
- Wrong security is worse than no security!
For More Information…
- ASP.NET Web site: www.asp.net
- TechNet Security home page: www.microsoft.com/technet/security
- Microsoft Security and Privacy home page: www.microsoft.com/security/

For More Information…
- Improving Web Application Security: Threats and Countermeasures
  msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp
- Building Secure ASP.NET Applications
  msdn.microsoft.com/library/en-us/dnnetsec/html/secnetlpMSDN.asp