Security for microsoft visual basic NET (2003)


Document information

Security for Microsoft Visual Basic .NET
ISBN: 0735619190
by Ed Robinson and Michael James Bond
Microsoft Press © 2003 (396 pages)

With this text, readers master common security principles and techniques, such as how to do private key encryption, implement a login screen, configure Microsoft .NET policy tools, and perform a security audit. Companion Web Site.

Table of Contents

  • Security for Microsoft Visual Basic .NET
  • Introduction
  • Part I - Development Techniques
    • Chapter 1 - Encryption
    • Chapter 2 - Role-Based Authorization
    • Chapter 3 - Code-Access Security
    • Chapter 4 - ASP.NET Authentication
    • Chapter 5 - Securing Web Applications
  • Part II - Ensuring Hack-Resistant Code
    • Chapter 6 - Application Attacks and How to Avoid Them
    • Chapter 7 - Validating Input
    • Chapter 8 - Handling Exceptions
    • Chapter 9 - Testing for Attack-Resistant Code
  • Part III - Deployment and Configuration
    • Chapter 10 - Securing Your Application for Deployment
    • Chapter 11 - Locking Down Windows, Internet Information Services, and .NET
    • Chapter 12 - Securing Databases
  • Part IV - Enterprise-Level Security
    • Chapter 13 - Ten Steps to Designing a Secure Enterprise System
    • Chapter 14 - Threats—Analyze, Prevent, Detect, and Respond
    • Chapter 15 - Threat Analysis Exercise
    • Chapter 16 - Future Trends
  • Appendix A - Guide to the Code Samples
  • Appendix B - Contents of SecurityLibrary.vb
  • Index
  • List of Figures
  • List of Tables
  • List of Sidebars

Back Cover

Learn essential security techniques for designing, developing, and deploying applications for Microsoft Windows and the Web. Visual Basic .NET experts Ed Robinson and Michael Bond introduce critical security concepts using straightforward language and step-by-step examples. You get clear, end-to-end guidance—covering application design, coding techniques, testing methods, and deployment strategies, along with direction on how to help secure the operating system and related infrastructure and services.

Discover how to:

  • Use techniques that help secure your application architecture
  • Understand the most common vulnerabilities and how to write code to help prevent them
  • Implement authentication and authorization techniques in your applications
  • Write routines for encryption, input validation, and exception handling
  • Add Passport, Forms, and Windows authentication to Microsoft ASP.NET applications
  • Perform a security threat analysis and implement countermeasures
  • Think like a hacker—and help uncover security holes
  • Create a deployment package with security policy updates for your application
  • Implement security-enhancing features for the Windows operating system, Microsoft IIS, Microsoft SQL Server, and Microsoft Access databases

About the Authors

Ed Robinson, a lead program manager for Microsoft, helped drive the development of security features for Visual Basic .NET and other Microsoft products. He has 13 years' experience in the software industry and speaks at developer conferences worldwide.

Michael James Bond is a development lead on the Visual Basic .NET team. He has supported, developed, and helped secure many features of Visual Basic over the past 13 years. You can find Mike in the Visual Basic chat rooms on MSDN, the Microsoft Developer Network, as well as at industry events.

Ed and Mike are two of the coauthors of the award-winning Upgrading Microsoft Visual Basic 6.0 to Microsoft Visual Basic .NET (Microsoft Press).

Security for Microsoft Visual Basic .NET

PUBLISHED BY Microsoft Press, A Division of Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052-6399

Copyright © 2003 by Ed Robinson and Michael Bond. All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Cataloging-in-Publication Data
Robinson, Ed, 1967-
Security for Microsoft Visual Basic .NET / Ed Robinson, Michael James Bond.
p. cm.
Includes index.
ISBN 0-7356-1919-0
Computer security. Microsoft Visual Basic. Basic (Computer program language). Microsoft .NET. I. Bond, Michael, 1965- II. Title.
QA76.9.A25R635 2003
005.8 dc21 2003043634

Printed and bound in the United States of America. 1 2 3 4 5 6 7 8 9 QWE 8 7 6 5 4 3

Distributed in Canada by H.B. Fenn and Company Ltd. A CIP catalogue record for this book is available from the British Library.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to mspinput@microsoft.com.

Microsoft, Microsoft Press, the .NET logo, Visual Basic, Visual Studio, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Acquisitions Editor: Danielle Voeller Bird
Project Editor: Denise Bankaitis
Technical Editor: Christoph Wille
Body Part No. X09-39065

To my wife, Catherine, and to my mum, Dorothy. —E.S.R.

To my wife, Jane, for her love and support; to my daughters Sarah and Katie, for their encouragement; and to my daughter Jessica—may you be born happy and healthy this June. —M.J.B.

Introduction

This book is an introduction to security for Visual Basic programmers. You'll find it useful both as a prescriptive guide for writing secure applications and as a technical reference for how to actually implement security techniques in your own code. For example, in Chapter 1, "Encryption," we explain what encryption is and when to use the different types of encryption, and we provide examples that show you how to actually encrypt and decrypt information.

Although there is already a wealth of information available about security, very little has been written that targets the Visual Basic programmer. In writing this book, we set out to change this. We have followed three principles that make this book better for the Visual Basic programmer than any other publication you will find on security:

  • Make it simple. Many security publications are shrouded in hard-to-understand jargon and difficult-to-work-out acronyms, and they assume you already have a background in security. This book is different: we spell out every acronym, use easy-to-understand language, and explain in clear terms each security concept.
  • Clear guidance. Some security books explain security techniques without telling you where or where not to use them. This book is different: we offer clear guidance on how, when, and where you should use each security technique.
  • Complete assistance. Although this is an introductory-level book, it covers everything from coding techniques to designing a secure architecture to performing a security audit. Our intention was to provide an end-to-end introductory guide for producing secure applications.

How to Use This Book

The authors of this book, like you, are Visual Basic programmers. We use straight, no-nonsense talk, offer clear and simple solutions, and provide step-by-step examples—written entirely in Visual Basic, of course. To make it easier to find what you're looking for, this book is divided into four sections, each section dealing with a different aspect of security:

  • Section 1 jumps straight into programming techniques such as encryption, role-based security, code access security, Microsoft ASP.NET authentication, and securing Web applications.
  • Section 2 is about identifying threats to your Visual Basic .NET application and neutralizing them by safeguarding input, properly handling exceptions, and testing your application for security vulnerabilities.
  • Section 3 discusses how to lock down the environments that your application runs in or depends upon, such as the Microsoft Windows operating system, Internet Information Services, the .NET runtime, Microsoft SQL Server, and Microsoft Access databases. In addition, this section discusses how to lock down your application for deployment.
  • Section 4 focuses on architecture: how to design secure systems, perform a security audit of your application, come up with a contingency plan, and execute the contingency plan if an intruder does make his or her way past the security measures you have put into place.

Microsoft Visual Basic .NET is built on a number of technologies, including the .NET platform, Microsoft Visual Studio .NET, and of course the Microsoft Visual Basic .NET compiler. For the sake of simplicity and brevity, unless the distinction is important, we refer to all of these technologies collectively as Microsoft Visual Basic .NET. As a Microsoft Visual Basic .NET developer, you don't need to think about these composite technologies to get your job done.

List of Tables

Chapter 13: Ten Steps to Designing a Secure Enterprise System
  • Table 13-1: Commonly Used Ports
Chapter 14: Threats—Analyze, Prevent, Detect, and Respond
  • Table 14-1: STRIDE Threat Categories
  • Table 14-2: Example of Common Attacks and Techniques to Mitigate Them
Chapter 15: Threat Analysis Exercise
  • Table 15-1: Visual Basic .NET Keywords to Look For
  • Table 15-2: Priority Scheme
  • Table 15-3: Prioritize Threats for the Employee Management System
Appendix A: Guide to the Code Samples
  • Table A-1: List of Valid Usernames

List of Sidebars

Chapter 1: Encryption
  • How Does a Hash Digest Work?
  • Export Restrictions on Encryption
Chapter 2: Role-Based Authorization
  • The Identity and Principal Objects
  • Searching Active Directory
Chapter 3: Code-Access Security
  • OS Security Restrictions Preempt Everything
  • The Luring Attack
Chapter 4: ASP.NET Authentication
  • Anonymous Requests
Chapter 5: Securing Web Applications
  • Is It a Bug, or an Attack from a Criminal Mastermind?
  • Global XML Architecture
  • Windows Management Instrumentation
Chapter 6: Application Attacks and How to Avoid Them
  • Buffer Overrun
Chapter 7: Validating Input
  • Web-Based Input Attacks and SSL
Chapter 8: Handling Exceptions
  • Try…Catch or On Error GoTo
  • Viewing the Event Log Remotely
Chapter 10: Securing Your Application for Deployment
  • Delay Signing—Securing Your Build Process
Chapter 14: Threats—Analyze, Prevent, Detect, and Respond
  • STRIDE—Categorizing Threats

The system requirements for running the sample code files are the same as the requirements for Visual Basic .NET itself—ensure your computer has Visual Basic .NET 2002 or Visual Basic .NET 2003. Nothing extra is required.

Posted: 25/03/2019, 17:10

Contents

  • Table of Contents

  • BackCover

  • Security for Microsoft Visual Basic .NET

  • Introduction

    • How to Use the Code Samples

    • A Final Word

    • Corrections, Comments, and Help

    • Acknowledgments

  • Part I: Development Techniques

    • Chapter 1: Encryption

      • Practice Files

      • Hash Digests

      • Private Key Encryption

      • Public Key Encryption

      • Hiding Unnecessary Information

      • Encryption in the Real World

      • Summary

    • Chapter 2: Role-Based Authorization

      • Role-Based Authorization Exercise

      • Windows Integrated Security

      • ASP.NET Authentication and Authorization

      • Role-Based Authorization in the Real World

      • Summary

    • Chapter 3: Code-Access Security

      • How Actions Are Considered Safe or Unsafe
