Building Secure ASP.NET Applications502 10. Verify that there is exactly one certificate with the fully qualified domain name that you specified in the previous procedure. You can double-click the certificate to view its details. 3. Install the Issuing CA’s Certificate on the Client After the certificate has been installed and the SQL Server service has been re- started, SQL Server can negotiate SSL with clients. Clients that use SSL to connect to SQL Server must: ● Have MDAC 2.6 or SQL Server 2000 connectivity libraries installed. ● Trust the issuer of the SQL Server’s certificate.  To install the certificate of the issuing CA on the client computer 1. Log on to the client computer as an administrator. 2. Start Internet Explorer and browse to Microsoft Certificate Services, for example: http://MyCA/certsrv 3. Click Retrieve the CA certificate or certificate revocation list, and then click Next. 4. Click Install this CA certification path, and then click Yes in response to the confirmation dialog to install the root certificate. 4. Force All Clients to Use SSL You can configure the server to force all clients to use SSL (as described in this procedure), or you can let clients choose whether or not to use SSL on a per- connection basis (as described in the next procedure). The advantages of configur- ing the server to force clients to use SSL are: ● All communications are guaranteed to be secure. ● Any unsecured connections are rejected. The disadvantages are: ● All clients must have MDAC 2.6 or SQL Server 2000 connectivity libraries installed; earlier or generic libraries will fail to connect. ● Connections that you do not need to secure suffer a slight performance overhead due to the added encryption. How To: Use SSL to Secure Communication with SQL Server 2000 503  To force all clients to use SSL 1. On the computer running SQL Server, click Server Network Utility in the Microsoft SQL Server program group. 2. Click to select Force protocol encryption. 3. Verify that TCP/IP and/or named pipes are enabled. SSL is not supported with other protocols. 4. Click OK to close the SQL Server Network Utility, and then click OK in response to the SQL Server Network Utility message box. 5. Restart the SQL Server service. All subsequent client connections will be required to use SSL, whether they specify secure connections or not. 5. Allow Clients to Determine Whether to Use SSL This procedure shows you how to configure SSL to allow clients to choose whether or not to use SSL. You can either configure the client libraries to enforce the use of SSL on all connections, or you can let individual applications choose on a per- connection basis. The advantages of configuring the client are: ● The overhead of SSL is incurred only for connections that truly require it. ● Clients that do not support SSL with SQL Server can still connect. If you adopt this approach, make sure that you are willing to allow unsecured connections.  To reconfigure the server 1. On the computer running SQL Server, run the Server Network Utility. 2. Clear the Force protocol encryption check box. 3. Restart the SQL Server service. 4. Return to the client computer.  To use SSL for all client connections With this approach, you configure the client libraries to use SSL for all connections. This means that SQL Servers that do not support encryption and SQL Servers earlier than SQL Server 2000 will not be accessible. 1. In the Microsoft SQL Server program group, click Client Network Utility. 2. Ensure that TCP/IP and/or named pipes are enabled. 3. Select Force protocol encryption. Building Secure ASP.NET Applications504  To allow applications to choose whether or not to use encryption With this approach applications use the connection string to determine whether or not to use encryption. This allows each application to only use encryption when it is needed. 1. If you are using the OLE-DB data provider to connect to SQL Server, set Use Encryption for Data to true as shown in the following sample OLE-DB connection string. "Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=Northwind;Data Source=sql01;Use Encryption for Data=True" 2. If you are using the SQL Server .NET data provider to connect to SQL Server, set Encrypt to true as shown in the following example. "Server=sql01;Integrated Security=SSPI;Persist Security Info=False;Database=Northwind;Encrypt=True" 6. Verify that Communication is Encrypted In this procedure you will use Network Monitor to verify that data sent between the application server and database server is encrypted. You will start by sending data in clear text form and then enable encryption first by configuring the server and then by configuring the client.  To verify that communication is encrypted 1. On the client computer, use Visual Studio.NET to create a new C# Console Application called SQLSecureClient. 2. Copy the following code to class1.cs replacing all of the existing code. Note: Replace server name in the connection string with the name of your database server. using System; using System.Data; using System.Data.SqlClient; namespace SQLSecureClient { class Class1 { [STAThread] static void Main(string[] args) { How To: Use SSL to Secure Communication with SQL Server 2000 505 // Replace the server name in the following connection string with the // name of your database server SqlConnection conn = new SqlConnection( "server='sql01';database=NorthWind;Integrated Security='SSPI'"); SqlCommand cmd = new SqlCommand("SELECT * FROM Products"); try { conn.Open(); cmd.Connection = conn; SqlDataReader reader = cmd.ExecuteReader(); while (reader.Read()) { Console.WriteLine("{0} {1}", reader.GetInt32(0).ToString(), reader.GetString(1) ); } reader.Close(); } catch( Exception ex) { } finally { conn.Close(); } } } } 3. On the Build menu, click Build Solution. 4. In order for Windows authentication to succeed between the two computers, you must duplicate the account that you are currently interactively logged on to the client computer with, on the database server computer. Ensure that the user name and password matches. An alternative is to use a domain account that is recognized by both computers. You must also use SQL Server Enterprise Manager to create a database logon for the newly created account and add a new database user for this logon to the Northwind database. 5. On the database server computer, use the SQL Server Network Utility to disable the use of encryption by ensuring that the Force protocol encryption option is not selected. 6. On the database server computer, click Network Monitor in the Administrative Tools program group. Building Secure ASP.NET Applications506 Note: A limited version of Network Monitor is available with Windows 2000 Server. A full version is available with Microsoft SMS. If you do not have Network Monitor installed, go to Add/Remove Programs in Control Panel, click Add/Remove Windows Components, select Management and Monitoring Tools from the Windows Components list, click Details and select Network Monitor Tools. Click OK, and then click Next, to install the limited version of Network Monitor. You may be prompted for a Windows 2000 Server CD. 7. On the Capture menu, click Filter to create a new filter configured to view TCP/IP network traffic sent between the database server and database server. 8. Click the Start Capture button. 9. Return to the client computer and run the test console application. A list of products from the Northwind database should be displayed in the console window. 10. Return to the database server and click the Stop and View Capture button within Network Monitor. 11. Double-click the first captured frame to view the captured data. 12. Scroll down through the captured frames. You should see the SELECT statement in clear text followed by the list of products retrieved from the database. 13. Now force the use of encryption for all connections by configuring the server with the SQL Server Network Utility: a. Use the SQL Server Network Utility to select Force protocol encryption. b. Stop and restart the SQL Server service. 14. Return to Network Monitor and click the Start Capture button. In the Save File dialog box, click No. 15. Return to the client computer and run the test console application once again. 16. Return to the database server computer and click Stop and View Capture within Network Monitor. 17. Confirm that the data is now unintelligible (because it is encrypted). 18. Reconfigure the server to no longer force encryption: a. Use the SQL Server Network Utility and clear the Force protocol encryption check box. b. Stop and restart the SQL Server service. 19. Start a new capture within Network Monitor and rerun the client application. Confirm that the data is once again in clear text. 20. Return to the client computer and select Client Network Utility from the Microsoft SQL Server program group. How To: Use SSL to Secure Communication with SQL Server 2000 507 21. Select Force protocol encryption, and then click OK to close the Client Network Utility. 22. Return to Network Monitor and click the Start Capture button. In the Save File dialog box, click No. 23. Return to the client computer and run the test console application once again. 24. Return to the database server computer and click Stop and View Capture within Network Monitor. 25. Confirm that the data is now unintelligible (because it is encrypted). 26. Note that, in all cases, SQL Server sends its server authentication certificate in the clear to the client at the beginning of the communication sequence. This is part of the SSL protocol. Note that this occurs even when neither the server nor the client requires encryption. Additional Resources For information about how to install Network Monitor in Windows 2000, go to the Microsoft Knowledge Base and search for the following articles: ● “HOW TO: Install Network Monitor in Windows 2000 (Q243270)” ● “HOW TO: Enable SSL Encryption for SQL Server 2000 with Certificate Server”(Q276553)” For more information about Network Monitor, see the “Network Manager” section of the Microsoft Platform SDK on MSDN (http://msdn.microsoft.com/library /default.asp?url=/library/en-us/netmon/netmon/network_monitor.asp). Base Configuration The following table illustrates the base software configuration used during the development and testing of the Building Secure ASP.NET Applications Guide. Base Configuration Notes Windows 2000 SP3 For more information, see the following Knowledge Base article: .NET Framework SP2 “INFO: Determining Whether Service Packs Are Installed on .NET Framework” (http://support.microsoft.com /default.aspx?scid=kb;en-us;Q318785) The .NET Framework Service Pack 2 can be downloaded from: http://msdn.microsoft.com/netframework/downloads/sp /default.asp ASP.NET Notes Running ASP.NET on In general, it’s not advisable to run your Web server on a domain a domain controller controller, because a compromise of the machine is a compromise of the domain. If you need to run ASP.NET on a domain controller, you need to give the ASP.NET process account appropriate privileges as outlined in the following Knowledge Base article: “BUG: ASP.NET Does Not Work with the Default ASPNET Account on a Domain Controller” (http://support.microsoft.com /default.aspx?scid=kb;en-us;q315158) ASP.NET Session State http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39298 Security Update MDAC Notes MDAC 2.6 is required Visual Studio .NET installs MDAC 2.7 by the .NET Framework SQL Server 2000 Notes SQL Server 2000 SP2 Configuration Stores and Tools The combined authentication, authorization, and secure communication services available to .NET Web applications are summarized in the following tables. The tables show the various security services available to each of the core .NET Web application technologies and for each one indicates where the related security configuration settings are maintained and what tools are available to edit the settings. Note: Settings within the Internet Information Services (IIS) metabase are configured using the IIS MMC snap-in, or programmatically via script. Settings maintained within machine.config or web.config can be edited with any text editor (such as Notepad) or XML editor (such as the Microsoft Visual Studio® .NET XML editor). Table 1: IIS security configuration Authentication Configuration Tools Anonymous IIS metabase IIS MMC snap-in Basic Digest Script Windows Integrated Client Certificates Makecert.exe can be used to create test certificates Authorization Configuration Tools NTFS permissions Windows (NTFS) file Windows Explorer (Windows ACLs) system Cacls.exe Security templates Secedit.exe IP and DNS restrictions IIS metabase Group Policy Secure Communication Configuration Tools SSL Windows (NTFS) file IIS MMC snap-in system Script IPSec Machine’s local policy Local Security Policy MMC (registry) or Microsoft snap-in Active Directory® directory Domain security Policy MMC service snap-in Ipsecpol.exe [...]... http://www.microsoft.com/seminar/ ASP.NET Hubs q q MSDN : ASP.NET Developer Center: http://msdn.microsoft.com/library /default.asp?url=/nhp/default.asp?contentid=28000440 Support: ASP.NET Support Center: http://support.microsoft.com /default.aspx?scid=fh;EN-US;aspnet 520 Building Secure ASP.NET Applications Roadmaps and Overviews q q q q INFO: ASP.NET Roadmap: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305140 INFO: ASP.NET. .. NET Web applications are processed The ASP.NET ISAPI Extension The ASP.NET ISAPI extension (aspnet_isapi.dll) runs in the IIS process address space (inetinfo.exe) and forwards requests for ASP.NET file types to the ASP.NET worker process through a named pipe Specific ASP.NET file types are mapped to the ASP.NET ISAPI extension by mappings defined within the IIS metabase Mappings for standard ASP.NET. .. Knowledge Base keywords: q kbAspNet – Returns ASP.NET articles q kbAspNet kbSecurity – Returns ASP.NET articles that discuss security issues q kbAspNet impersonation – Returns ASP.NET articles that discuss impersonation Note that impersonation is not a keyword; it is simply an additional search criterion, which helps to refine the search 518 Building Secure ASP.NET Applications Tips q q q q To access additional... Integration: How NET Enterprise Services Can Help You Build Distributed Applications: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnmag01/html /complus0 110. asp Understanding Enterprise Services (COM+) in NET: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndotnet/html /entserv.asp 522 Building Secure ASP.NET Applications How Tos q q Q305683 – BETA-HOWTO: Create a Simple... WindowsAuthentication Module HttpApplication FileAuthorization Module HTTP Handler (Request Endpoint) HTTP Modules HttpContext AppDomain (one per v-dir) aspnet_wp.exe Figure 2 ASP.NET pipeline processing 530 Building Secure ASP.NET Applications The ASP.NET pipeline model consists of an HttpApplication object, various HTTP module objects, and an HTTP handler object, together with their associated factory objects,...512 Building Secure ASP.NET Applications Table 1: IIS security configuration (continued) Additional Gatekeepers Configuration Tools IP address and domain name restrictions IIS metabase IIS MMC snap-in Script Table 2: ASP.NET security configuration Authentication Configuration Tools Windows Forms Passport None... IUSR_MACHINE) is created by IIS Requests for ASP.NET file types are handled by an ASP.NET ISAPI extension (aspnet_isapi.dll), which runs in the IIS (inetinfo.exe) process address space This uses a named pipe to communicate with the ASP.NET worker process as shown in Figure 1 IIS passes the Windows access token that represents the caller to the ASP.NET worker process The ASP.NET Windows authentication module... the ASP.NET File authorization module uses it to perform Windows access checks to ensure the caller is authorized to access the requested file HTTP Request IIS (inetinfo.exe) ASP.NET worker process (aspnet_wp.exe) Metabase Application Mapping aspnet_isapi.dll HTTP Request Named Pipe Application Domain Authenticated caller’s Windows access token Figure 1 IIS and ASP.NET communication 528 Building Secure. .. Machine.config or Web.config Notepad Visual Studio NET Any XML editor Custom Custom data store (for example SQL Server or Active Directory) Depends on custom store 514 Building Secure ASP.NET Applications Table 4: Web Services (Implemented using ASP.NET) security configuration (continued) Authorization Configuration Tools URL Authorization Web.config Notepad Visual Studio NET Any XML editor File Authorization... http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q306590 INFO: ASP.NET HTTP Modules and HTTP Handlers Overview: http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q307985 INFO: ASP.NET Configuration Overview: http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q307626 Knowledge Base The following keywords help retrieve ASP.NET articles: q Show ASP.NET articles: kbAspNet q Show ASP.NET articles related to security: . Base keywords: ● kbAspNet – Returns ASP. NET articles. ● kbAspNet kbSecurity – Returns ASP. NET articles that discuss security issues. ● kbAspNet impersonation – Returns ASP. NET articles that discuss. http://msdn.microsoft.com/library /default .asp? url=/nhp/default .asp? contentid=28000440 ● Support: ASP. NET Support Center: http://support.microsoft.com /default.aspx?scid=fh;EN-US;aspnet Building Secure ASP. NET Applications5 20 Roadmaps. keywords help retrieve ASP. NET articles: ● Show ASP. NET articles: kbAspNet ● Show ASP. NET articles related to security: kbAspNet kbSecurity Articles ● Managed Security Context in ASP. NET: http://msdn.microsoft.com/library /default .asp? url=/nhp/Default .asp? contentid=28000440 How