Best Practices and Techniques for Building Secure Microsoft ASP.NET Applications ® Joe Stagner Developer Community Champion Microsoft Corporation JoeStag@Microsoft.com www.ManagedCode.com So Why This Presentation? Web application security is more important than ever Ensure that security is a consideration in application design Creating secure Web applications is a series of complex tasks Promote best techniques for security Let developers know about new resources available msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp What We Will Cover Why Web application security? Planning for Web application security Authentication and authorization strategies Using the ASP.NET process identity Secure communication Securing secrets and state information Session Prerequisites Familiarity with Microsoft® Windows® management tools Familiarity with IIS Management Console C# and ASP.NET coding experience Familiarity with Microsoft® Visual Studio® NET Basic understanding of Web application security issues Level 200 Demonstrations Configuring IIS for SSL Configuring ASP.NET Security Using forms authentication with Microsoft ® SQL Server™ Creating a GenericPrincipal object for roles-based authorization Before We Start ! SSL IS NOT WEB APPLICATION SECURITY Required Reading Secure Development Agenda Planning for ASP.NET application security Configuring security Programming security Securing secrets ASP.NET process identity Impersonation Accessing resources Securing state information Web farm considerations Securing all tiers Planning for ASP.NET Web Application Security Authentication and Authorization Authentication / authorization request flow Web Farm Considerations Security Implications Must use remote, OOP session state For DPAPI, consider user vs machine store For forms authentication, must be the same for each computer validationKey attribute decryptionKey attribute validation attribute should be SHA1 Agenda Planning for ASP.NET application security Configuring security Programming security Securing secrets Using the ASP.NET process identity Impersonation Accessing resources Securing state information Web farm considerations Securing all tiers Securing All Tiers From Code to Network Follow published guidelines to: Use CAS with ASP.NET Build secure pages and controls Build secure components Build secure Web services Build secure data access Secure the network Secure the Web server Secure the database server Secure the application server Read Improving Web Application Security: Threats and Countermeasures Building Secure ASP.NET Applications Session Summary Planning for security is part of designing a Web application Threat modeling can help your team focus resources on security Creating a secure Web application is demanding—Microsoft provides resources to help you For More Information… MSDN Web site ASP.NET Web site www.gotdotnet.com TechNet Security home page www.asp.net GotDotNet Web site msdn.microsoft.com www.microsoft.com/technet/security Microsoft Security and Privacy home page www.microsoft.com/security/ For More Information… NET Security home page Microsoft Training and Certification in Security www.microsoft.com/traincert/centers/security.asp Improving Web Application Security: Threats and Countermeasures msdn.microsoft.com/net/security msdn.microsoft.com/library/enus/dnnetsec/html/ThreatCounter.asp Building Secure ASP.NET Applications msdn.microsoft.com/library/enus/dnnetsec/html/secnetlpMSDN.asp MSDN Essential Resources for Developers Subscription Services Library, OS, Professional, Enterprise, Universal Delivered via CD-ROM, DVD, Web Online Information MSDN Online, MSDN Flash, How-to Resources, Download Center Training and Events MSDN Webcasts, MSDN Online Seminars, Tech·Ed, PDC, Developer Days Print Publications MSDN Magazine MSDN News Membership Programs MSDN User Groups How-to Resources Simple, Step-by-Step Procedures Embedded development How-to resources General How-to resources Integration How-to resources Microsoft® JScript® NET How-to resources Microsoft NET development How-to resources Office development resources Security How-to resources Microsoft® Visual Basic® NET How-to resources Microsoft® Visual C#® NET How-to resources Microsoft Visual Studio NET How-to resources Web development How-to resources (ASP, IIS, XML) Web services How-to resources Windows development How-to resources http://msdn.microsoft.com/howto MSDN Webcasts Interactive, Live Online Events Interactive, synchronous, live online events Discuss the hottest topics from Microsoft Open and free for the general public Take place every Tuesday http://www.microsoft.com/usa/webcasts MSDN Subscriptions The Way to Get Visual Studio NET Visual Studio NET MSDN Subscriptions MSDN Universal $2799 new $2299 renewal/upgrade Enterprise Developer • Enterprise lifecycle tools • Team development support • Windows Server 2003 and SQL Server™ MSDN Enterprise $2199 new $1599 renewal/upgrade Professional • Tools to build applications and XML Web services for Windows and the Web MSDN Professional $1199 new $899 renewal/upgrade NEW Enterprise Architect • Software and data modeling • Enterprise templates • Architectural guidance Where Can I Get MSDN? Visit MSDN Online at msdn.microsoft.com Register for the MSDN Flash e-mail newsletter at msdn.microsoft.com/flash Become an MSDN CD subscriber at msdn.microsoft.com/subscriptions MSDN online seminars msdn.microsoft.com/training/seminars Attend more MSDN events Microsoft Press ® Essential Resources for Developers Microsoft Visual Studio NET is here! This is your chance to start building the next big thing Develop your NET skills, increase your productivity with NET books from Microsoft Press www.microsoft.com/mspress Become a Microsoft Certified Solution Developer What is MCSD? How I attain MCSD certification? Premium certification for professionals who design and develop custom business solutions Certification requires passing four exams to prove competency with Microsoft solution architecture, desktop applications, distributed application development, and development tools Where I get more information? For more information about certification requirements, exams, and training options, visit www.microsoft.com/mcp Get this Presentation www.ManagedCode.com © 2003 Microsoft Corporation All rights reserved This presentation is for informational purposes only Microsoft makes no warranties, express or implied, in this summary Microsoft, MSDN, Visual Basic, Windows, Windows NT, JScript, Visual Studio, Visual C#, Active Directory, Win32, and Microsoft Press are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries The names of actual companies and products mentioned herein may be the trademarks of their respective owners ... with ASP.NET Build secure pages and controls Build secure components Build secure Web services Build secure data access Secure the network Secure the Web server Secure the database server Secure. .. or Forms Authentication Planning for ASP.NET Web Application Security Authentication and Authorization Choosing an authentication approach Planning for ASP.NET Web Application Security Secure. .. security? Planning for Web application security Authentication and authorization strategies Using the ASP.NET process identity Secure communication Securing secrets and state information Session