Contents
Forewords xliii
Foreword by Mark Curphey .....................................................................................xliii
Foreword by Joel Scambray .....................................................................................xlv
Foreword by Erik Olson .......................................................................................... xlvi
Introduction xlix
Why We Wrote This Guide .......................................................................................... xlix
What Is a Hack-Resilient Application? .............................................................................l
Scope of This Guide ..................................................................................................... li
Securing the Network, Host, and Application .............................................................. li
Technologies in Scope............................................................................................. lii
Who Should Read This Guide....................................................................................... lii
How to Use This Guide ............................................................................................... liii
Applying the Guidance to Your Role ......................................................................... liii
Applying the Guidance to Your Product Life Cycle ...................................................... liv
Microsoft Solutions Framework ................................................................................ lv
Organization of This Guide ........................................................................................... lv
Solutions at a Glance.............................................................................................. lv
Fast Track............................................................................................................... lv
Parts..................................................................................................................... lvi
Checklists .............................................................................................................lvii
“How To” Articles ..................................................................................................lviii
Approach Used in This Guide .....................................................................................lviii
Secure Your Network, Host, and Application ............................................................lviii
Focus on Threats ................................................................................................... lix
Follow a Principle-Based Approach............................................................................ lx
Positioning of This Guide ............................................................................................. lx
Volume I, Building Secure ASP.NET Applications ........................................................ lx
Volume II, Improving Web Application Security .......................................................... lxi
Feedback and Support ...............................................................................................lxii
Feedback on the Guide...........................................................................................lxii
Technical Support ..................................................................................................lxii
Community and Newsgroup Support ........................................................................lxii
The Team Who Brought You This Guide .......................................................................lxiii
Contributors and Reviewers ...................................................................................lxiii
Tell Us About Your Success........................................................................................ lxiv
Summary ................................................................................................................. lxiv
Solutions at a Glance lxv
Architecture and Design Solutions...............................................................................lxv
Development Solutions ............................................................................................. lxvi
Administration Solutions.............................................................................................lxx
Fast Track — How To Implement the Guidance lxxv
Goal and Scope ....................................................................................................... lxxv
The Holistic Approach...............................................................................................lxxvi
Securing Your Network.............................................................................................lxxvii
Securing Your Host..................................................................................................lxxvii
Securing Your Application ....................................................................................... lxxviii
Identify Threats........................................................................................................lxxix
Applying the Guidance to Your Product Life Cycle ........................................................lxxxi
Implementing the Guidance .....................................................................................lxxxii
Who Does What? ................................................................................................... lxxxiii
RACI Chart ........................................................................................................ lxxxiii
Summary .............................................................................................................. lxxxiv
Part I
Introduction to Threats and Countermeasures 1
Chapter 1
Web Application Security Fundamentals 3
We Are Secure — We Have a Firewall ............................................................................ 3
What Do We Mean By Security? ................................................................................... 4
The Foundations of Security..................................................................................... 4
Threats, Vulnerabilities, and Attacks Defined................................................................. 5
How Do You Build a Secure Web Application?................................................................ 5
Secure Your Network, Host, and Application .................................................................. 6
Securing Your Network................................................................................................. 7
Network Component Categories ............................................................................... 7
Securing Your Host...................................................................................................... 7
Host Configuration Categories.................................................................................. 8
Securing Your Application ............................................................................................ 9
Application Vulnerability Categories .......................................................................... 9
Security Principles..................................................................................................... 11
Summary ................................................................................................................. 12
Additional Resources ................................................................................................ 12
Chapter 2
Threats and Countermeasures 13
In This Chapter ......................................................................................................... 13
Overview .................................................................................................................. 13
How to Use This Chapter ........................................................................................... 14
Anatomy of an Attack ................................................................................................ 14
Survey and Assess ............................................................................................... 15
Exploit and Penetrate ............................................................................................ 15
Escalate Privileges................................................................................................ 15
Maintain Access ................................................................................................... 16
Deny Service ........................................................................................................ 16
Understanding Threat Categories ............................................................................... 16
STRIDE ................................................................................................................ 16
STRIDE Threats and Countermeasures ................................................................... 17
Network Threats and Countermeasures ...................................................................... 18
Information Gathering............................................................................................ 18
Sniffing ................................................................................................................ 19
Spoofing .............................................................................................................. 19
Session Hijacking ................................................................................................. 19
Denial of Service .................................................................................................. 20
Host Threats and Countermeasures ........................................................................... 20
Viruses, Trojan Horses, and Worms ........................................................................ 21
Footprinting .......................................................................................................... 21
Password Cracking................................................................................................ 22
Denial of Service .................................................................................................. 22
Arbitrary Code Execution........................................................................................ 23
Unauthorized Access............................................................................................. 23
Application Threats and Countermeasures .................................................................. 23
Input Validation......................................................................................................... 24
Buffer Overflows ................................................................................................... 25
Cross-Site Scripting............................................................................................... 26
SQL Injection ........................................................................................................ 27
Canonicalization ................................................................................................... 28
Authentication .......................................................................................................... 29
Network Eavesdropping ......................................................................................... 29
Brute Force Attacks............................................................................................... 30
Dictionary Attacks................................................................................................. 30
Cookie Replay Attacks........................................................................................... 31
Credential Theft .................................................................................................... 31
Authorization ............................................................................................................ 31
Elevation of Privilege ............................................................................................. 32
Disclosure of Confidential Data.............................................................................. 32
Data Tampering..................................................................................................... 32
Luring Attacks....................................................................................................... 33
Configuration Management........................................................................................ 33
Unauthorized Access to Administration Interfaces ................................................... 33
Unauthorized Access to Configuration Stores .......................................................... 34
Retrieval of Plaintext Configuration Secrets ............................................................. 34
Lack of Individual Accountability ............................................................................. 34
Over-privileged Application and Service Accounts..................................................... 34
Sensitive Data .......................................................................................................... 35
Access to Sensitive Data in Storage ....................................................................... 35
Network Eavesdropping ......................................................................................... 35
Data Tampering..................................................................................................... 35
Session Management ............................................................................................... 36
Session Hijacking ................................................................................................. 36
Session Replay ..................................................................................................... 36
Man in the Middle Attacks ..................................................................................... 37
Cryptography ............................................................................................................ 37
Poor Key Generation or Key Management................................................................ 38
Weak or Custom Encryption ................................................................................... 38
Checksum Spoofing .............................................................................................. 38
Parameter Manipulation ............................................................................................ 39
Query String Manipulation ..................................................................................... 39
Form Field Manipulation ........................................................................................ 40
Cookie Manipulation ............................................................................................. 40
HTTP Header Manipulation..................................................................................... 40
Exception Management ............................................................................................. 40
Attacker Reveals Implementation Details ................................................................ 41
Denial of Service .................................................................................................. 41
Auditing and Logging ................................................................................................. 41
User Denies Performing an Operation ..................................................................... 42
Attackers Exploit an Application Without Leaving a Trace .......................................... 42
Attackers Cover Their Tracks .................................................................................. 42
Summary ................................................................................................................. 42
Additional Resources ................................................................................................ 43
Chapter 3
Threat Modeling 45
In This Chapter ......................................................................................................... 45
Overview .................................................................................................................. 45
Before You Begin ...................................................................................................... 45
How to Use This Chapter ........................................................................................... 46
Threat Modeling Principles......................................................................................... 47
The Process ......................................................................................................... 47
The Output ........................................................................................................... 48
Step 1. Identify Assets .............................................................................................. 49
Step 2. Create an Architecture Overview..................................................................... 49
Identify What the Application Does ......................................................................... 50
Create an Architecture Diagram.............................................................................. 50
Identify the Technologies ....................................................................................... 51
Step 3. Decompose the Application............................................................................ 52
Identify Trust Boundaries ....................................................................................... 53
Identify Data Flow ................................................................................................. 53
Identify Entry Points .............................................................................................. 54
Identify Privileged Code ......................................................................................... 54
Document the Security Profile ................................................................................ 55
Step 4. Identify the Threats ....................................................................................... 56
Identify Network Threats........................................................................................ 57
Identify Host Threats ............................................................................................. 58
Identify Application Threats.................................................................................... 58
Using Attack Trees and Attack Patterns................................................................... 59
Step 5. Document the Threats ................................................................................... 62
Step 6. Rate the Threats ........................................................................................... 62
Risk = Probability * Damage Potential .................................................................... 63
High, Medium, and Low Ratings ............................................................................. 63
DREAD................................................................................................................. 63
What Comes After Threat Modeling?........................................................................... 65
Generating a Work Item Report .............................................................................. 66
Summary ................................................................................................................. 66
Additional Resources ................................................................................................ 66
Part II
Designing Secure Web Applications 67
Chapter 4
Design Guidelines for Secure Web Applications 69
In This Chapter ......................................................................................................... 69
Overview .................................................................................................................. 69
How to Use This Chapter ........................................................................................... 70
Architecture and Design Issues for Web Applications ................................................... 70
Deployment Considerations ....................................................................................... 72
Security Policies and Procedures............................................................................ 73
Network Infrastructure Components ....................................................................... 73
Deployment Topologies.......................................................................................... 73
Intranet, Extranet, and Internet............................................................................... 74
Input Validation......................................................................................................... 74
Assume All Input Is Malicious ................................................................................ 75
Centralize Your Approach ....................................................................................... 75
Do Not Rely on Client-Side Validation...................................................................... 76
Be Careful with Canonicalization Issues.................................................................. 76
Constrain, Reject, and Sanitize Your Input ............................................................... 77
In Practice ............................................................................................................ 79
Authentication .......................................................................................................... 80
Separate Public and Restricted Areas..................................................................... 81
Use Account Lockout Policies for End-User Accounts ............................................... 81
Support Password Expiration Periods...................................................................... 81
Be Able to Disable Accounts .................................................................................. 82
Do Not Store Passwords in User Stores.................................................................. 82
Require Strong Passwords..................................................................................... 82
Do Not Send Passwords Over the Wire in Plaintext .................................................. 82
Protect Authentication Cookies .............................................................................. 82
Authorization ............................................................................................................ 83
Use Multiple Gatekeepers ..................................................................................... 83
Restrict User Access to System Level Resources .................................................... 83
Consider Authorization Granularity .......................................................................... 83
Configuration Management........................................................................................ 86
Secure Your Administration Interfaces .................................................................... 86
Secure Your Configuration Stores ........................................................................... 86
Separate Administration Privileges ......................................................................... 87
Use Least Privileged Process and Service Accounts................................................. 87
Sensitive Data .......................................................................................................... 87
Secrets ................................................................................................................ 87
Sensitive Per User Data......................................................................................... 89
Session Management ............................................................................................... 90
Use SSL to Protect Session Authentication Cookies ................................................ 90
Encrypt the Contents of the Authentication Cookies................................................. 90
Limit Session Lifetime........................................................................................... 91
Protect Session State from Unauthorized Access .................................................... 91
Cryptography ............................................................................................................ 91
Do Not Develop Your Own Cryptography .................................................................. 92
Keep Unencrypted Data Close to the Algorithm ....................................................... 92
Use the Correct Algorithm and Correct Key Size....................................................... 92
Secure Your Encryption Keys.................................................................................. 92
Parameter Manipulation ............................................................................................ 93
Encrypt Sensitive Cookie State .............................................................................. 93
Make Sure that Users Do Not Bypass Your Checks.................................................. 93
Validate All Values Sent from the Client .................................................................. 94
Do Not Trust HTTP Header Information.................................................................... 94
Exception Management ............................................................................................. 94
Do Not Leak Information to the Client..................................................................... 94
Log Detailed Error Messages ................................................................................. 95
Catch Exceptions .................................................................................................. 95
Auditing and Logging ................................................................................................. 95
Audit and Log Access Across Application Tiers ........................................................ 95
Consider Identity Flow ........................................................................................... 96
Log Key Events ..................................................................................................... 96
Secure Log Files ................................................................................................... 96
Back Up and Analyze Log Files Regularly................................................................. 96
Design Guidelines Summary ...................................................................................... 97
Summary ................................................................................................................. 98
Additional Resources ................................................................................................ 98
Chapter 5
Architecture and Design Review for Security 99
In This Chapter ......................................................................................................... 99
Overview .................................................................................................................. 99
How to Use This Chapter ......................................................................................... 100
Architecture and Design Review Process................................................................... 100
Deployment and Infrastructure Considerations .......................................................... 101
Does the Network Provide Secure Communication? ............................................... 102
Does Your Deployment Topology Include an Internal Firewall? ................................. 102
Does Your Deployment Topology Include a Remote Application Server? ................... 102
What Restrictions Does Infrastructure Security Impose? ........................................ 103
Have You Considered Web Farm Issues?............................................................... 104
What Trust Levels Does the Target Environment Support? ...................................... 104
Input Validation....................................................................................................... 105
How Do You Validate Input? ................................................................................. 106
What Do You Do with the Input? ........................................................................... 107
Authentication ........................................................................................................ 107
Do You Separate Public and Restricted Access?.................................................... 108
Have You Identified Service Account Requirements? .............................................. 108
How Do You Authenticate the Caller?.................................................................... 109
How Do You Authenticate with the Database? ....................................................... 109
Do You Enforce Strong Account Management Practices? ........................................ 111
Authorization .......................................................................................................... 111
How Do You Authorize End Users?........................................................................ 112
How Do You Authorize the Application in the Database?......................................... 113
How Do You Restrict Access to System-Level Resources? ...................................... 113
Configuration Management...................................................................................... 114
Do You Support Remote Administration? .............................................................. 114
Do You Secure Configuration Stores? ................................................................... 115
Do You Separate Administrator Privileges?............................................................ 115
Sensitive Data ........................................................................................................ 115
Do You Store Secrets? ........................................................................................ 116
How Do You Store Sensitive Data? ....................................................................... 117
Do You Pass Sensitive Data Over the Network? ..................................................... 117
Do You Log Sensitive Data?................................................................................. 117
Session Management ............................................................................................. 117
How Are Session Identifiers Exchanged?............................................................... 118
Do You Restrict Session Lifetime?........................................................................ 118
How Is the Session State Store Secured?............................................................. 118
Cryptography .......................................................................................................... 119
Why Do You Use Particular Algorithms?................................................................. 119
How Do You Secure Encryption Keys?................................................................... 120
Parameter Manipulation .......................................................................................... 120
Do You Validate All Input Parameters? .................................................................. 121
Do You Pass Sensitive Data in Parameters?.......................................................... 121
Do You Use HTTP Header Data for Security? ......................................................... 121
Exception Management ........................................................................................... 122
Do You Use Structured Exception Handling?.......................................................... 122
Do You Reveal Too Much Information to the Client? ............................................... 122
Auditing and Logging ............................................................................................... 123
Have You Identified Key Activities to Audit? ........................................................... 123
Have You Considered How to Flow Original Caller Identity? ..................................... 124
Have You Considered Secure Log File Management Policies? ................................. 124
Summary ............................................................................................................... 124
Additional Resources .............................................................................................. 125
Part III
Building Secure Web Applications 127
Chapter 6
.NET Security Overview 129
In This Chapter ....................................................................................................... 129
Overview ................................................................................................................ 129
How to Use This Chapter ......................................................................................... 130
Managed Code Benefits .......................................................................................... 130
User vs. Code Security ............................................................................................ 131
Role-Based Security ............................................................................................ 131
Code Access Security.......................................................................................... 132
.NET Framework Role-Based Security........................................................................ 133
Principals and Identities ...................................................................................... 134
PrincipalPermission Objects................................................................................. 134
Role-Based Security Checks................................................................................. 137
URL Authorization ............................................................................................... 138
.NET Framework Security Namespaces ..................................................................... 139
System.Security.................................................................................................. 140
System.Web.Security........................................................................................... 141
System.Security.Cryptography .............................................................................. 141
System.Security.Principal..................................................................................... 141
System.Security.Policy ......................................................................................... 142
System.Security.Permissions ............................................................................... 142
Summary ............................................................................................................... 144
Additional Resources .............................................................................................. 144
Chapter 7
Building Secure Assemblies 145
In This Chapter ....................................................................................................... 145
Overview ................................................................................................................ 145
How to Use This Chapter ......................................................................................... 146
Threats and Countermeasures................................................................................. 146
Unauthorized Access or Privilege Elevation, or both................................................ 147
Code Injection .................................................................................................... 147
Information Disclosure ........................................................................................ 148
Tampering .......................................................................................................... 149
Privileged Code....................................................................................................... 149
Privileged Resources ........................................................................................... 150
Privileged Operations .......................................................................................... 150
Assembly Design Considerations ............................................................................. 150
Identify Privileged Code ....................................................................................... 150
Identify the Trust Level of Your Target Environment................................................. 151
Sandbox Highly Privileged Code............................................................................ 152
Design Your Public Interface................................................................................. 153
Class Design Considerations ................................................................................... 153
Restrict Class and Member Visibility..................................................................... 153
Seal Non-Base Classes ....................................................................................... 153
Restrict Which Users Can Call Your Code.............................................................. 154
Expose Fields Using Properties ............................................................................ 154
Strong Names ........................................................................................................ 155
Security Benefits of Strong Names....................................................................... 156
Using Strong Names ........................................................................................... 156
Delay Signing...................................................................................................... 157
ASP.NET and Strong Names................................................................................. 158
Authenticode vs. Strong Names ........................................................................... 159
Authorization .......................................................................................................... 160
Exception Management ........................................................................................... 161
Use Structured Exception Handling....................................................................... 161
Do Not Log Sensitive Data................................................................................... 162
Do Not Reveal Sensitive System or Application Information .................................... 162
Consider Exception Filter Issues .......................................................................... 162
Consider an Exception Management Framework .................................................... 163
File I/O .................................................................................................................. 164
Avoid Untrusted Input for File Names.................................................................... 164
Do Not Trust Environment Variables...................................................................... 164
Validate Input File Names .................................................................................... 164
Constrain File I/O Within Your Application’s Context............................................... 165
Event Log ............................................................................................................... 165
Registry ................................................................................................................. 166
HKEY_LOCAL_MACHINE....................................................................................... 166
HKEY_CURRENT_USER........................................................................................ 166
Reading from the Registry ................................................................................... 167
Data Access ........................................................................................................... 167
Unmanaged Code ................................................................................................... 168
Validate Input and Output String Parameters ......................................................... 168
Validate Array Bounds ......................................................................................... 169
Check File Path Lengths ...................................................................................... 169
Compile Unmanaged Code With the /GS Switch .................................................... 169
Inspect Unmanaged Code for Dangerous APIs....................................................... 169
Delegates............................................................................................................... 169
Do Not Accept Delegates from Untrusted Sources................................................. 169
Serialization ........................................................................................................... 170
Do Not Serialize Sensitive Data............................................................................ 170
Validate Serialized Data Streams ......................................................................... 170
Partial Trust Considerations ................................................................................. 171
Threading ............................................................................................................... 171
Do Not Cache the Results of Security Checks ....................................................... 171
Consider Impersonation Tokens ........................................................................... 172
Synchronize Static Class Constructors.................................................................. 172
Synchronize Dispose Methods ............................................................................. 172
Reflection............................................................................................................... 172
Obfuscation............................................................................................................ 173
Cryptography .......................................................................................................... 174
Use Platform-provided Cryptographic Services ....................................................... 174
Key Generation ................................................................................................... 174
Key Storage........................................................................................................ 176
Key Exchange ..................................................................................................... 178
Key Maintenance ................................................................................................ 178
Summary ............................................................................................................... 179
Additional Resources .............................................................................................. 179
Chapter 8
Code Access Security in Practice 181
In This Chapter ....................................................................................................... 181
Overview ................................................................................................................ 181
How to Use This Chapter ......................................................................................... 182
Code Access Security Explained............................................................................... 182
Code.................................................................................................................. 183
Evidence ............................................................................................................ 183
Permissions ....................................................................................................... 184
Assert, Deny, and PermitOnly Methods.................................................................. 185
Policy ................................................................................................................. 185
Code Groups ...................................................................................................... 186
Code Access Security Explained (continued)
How Does It Work?.............................................................................................. 186
How Is Policy Evaluated? ..................................................................................... 187
APTCA.................................................................................................................... 191
Avoid Using APTCA .............................................................................................. 191
Diagnosing APTCA Issues .................................................................................... 192
Privileged Code....................................................................................................... 193
Privileged Resources ........................................................................................... 193
Privileged Operations .......................................................................................... 194
Requesting Permissions .......................................................................................... 194
RequestMinimum................................................................................................ 195
RequestOptional ................................................................................................. 195
RequestRefused ................................................................................................. 195
Implications of Using RequestOptional or RequestRefuse ...................................... 196
Authorizing Code..................................................................................................... 196
Restrict Which Code Can Call Your Code ............................................................... 197
Restrict Inheritance............................................................................................. 198
Consider Protecting Cached Data ......................................................................... 199
Protect Custom Resources with Custom Permissions ............................................ 199
Link Demands ........................................................................................................ 199
Luring Attacks..................................................................................................... 200
Performance and Link Demands........................................................................... 201
Calling Methods with Link Demands ..................................................................... 201
Mixing Class and Method Level Link Demands ...................................................... 201
Interfaces and Link Demands .............................................................................. 202
Structures and Link Demands.............................................................................. 202
Virtual Methods and Link Demands...................................................................... 203
Assert and RevertAssert.......................................................................................... 203
Use the Demand / Assert Pattern ........................................................................ 204
Reduce the Assert Duration................................................................................. 204
Constraining Code................................................................................................... 204
Using Policy Permission Grants ............................................................................ 205
Using Stack Walk Modifiers ................................................................................. 205
File I/O .................................................................................................................. 205
Constraining File I/O within your Application’s Context ........................................... 205
Requesting FileIOPermission................................................................................ 207
Event Log ............................................................................................................... 207
Constraining Event Logging Code ......................................................................... 208
Requesting EventLogPermission........................................................................... 208
Registry ................................................................................................................. 208
Constraining Registry Access............................................................................... 209
Requesting RegistryPermission ............................................................................ 209
Data Access ........................................................................................................... 209
Directory Services................................................................................................... 210
Constraining Directory Service Access .................................................................. 210
Requesting DirectoryServicesPermission .............................................................. 211
Environment Variables ............................................................................................. 211
Constraining Environment Variable Access ............................................................ 211
Requesting EnvironmentPermission...................................................................... 211
Web Services ......................................................................................................... 212
Constraining Web Service Connections ................................................................. 212
Sockets and DNS.................................................................................................... 213
Constraining Socket Access................................................................................. 213
Requesting SocketPermission and DnsPermission................................................. 214
Unmanaged Code ................................................................................................... 214
Use Naming Conventions to Indicate Risk ............................................................. 214
Request the Unmanaged Code Permission............................................................ 215
Sandbox Unmanaged API Calls............................................................................. 215
Use SuppressUnmanagedCodeSecurity with Caution ............................................. 216
Delegates............................................................................................................... 217
Serialization ........................................................................................................... 218
Restricting Serialization ....................................................................................... 218
Summary ............................................................................................................... 219
Additional Resources .............................................................................................. 219
Chapter 9
Using Code Access Security with ASP.NET 221
In This Chapter ....................................................................................................... 221
Overview ................................................................................................................ 221
How to Use This Chapter ......................................................................................... 223
Resource Access .................................................................................................... 223
Full Trust and Partial Trust ....................................................................................... 224
Configuring Code Access Security in ASP.NET ........................................................... 225
Configuring Trust Levels....................................................................................... 225
Locking the Trust Level ........................................................................................ 226
ASP.NET Policy Files................................................................................................ 227
ASP.NET Policy ....................................................................................................... 227
Inside an ASP.NET Policy File ............................................................................... 228
Permission State and Unrestricted Permissions .................................................... 229
The ASP.NET Named Permission Set .................................................................... 229
Substitution Parameters...................................................................................... 230
Developing Partial Trust Web Applications ................................................................. 231
Why Partial Trust? ............................................................................................... 231
Problems You Might Encounter............................................................................. 231
Trust Levels ............................................................................................................ 232
Approaches for Partial Trust Web Applications ........................................................... 234
Customize Policy..................................................................................................... 235
Sandbox Privileged Code ......................................................................................... 236
A Sandboxing Pattern .......................................................................................... 236
Deciding Which Approach to Take ............................................................................. 238
Customizing Policy .............................................................................................. 238
Sandboxing ........................................................................................................ 238
Medium Trust ......................................................................................................... 239
Reduced Attack Surface ...................................................................................... 239
Application Isolation............................................................................................ 239
Medium Trust Restrictions ....................................................................................... 240
OLE DB .............................................................................................................. 240
Event Log ........................................................................................................... 244
Web Services ..................................................................................................... 248
Registry ............................................................................................................. 250
Summary ............................................................................................................... 252
Additional Resources .............................................................................................. 252
Chapter 10
Building Secure ASP.NET Pages and Controls 253
In This Chapter ....................................................................................................... 253
Overview ................................................................................................................ 253
How to Use This Chapter ......................................................................................... 254
Threats and Countermeasures................................................................................. 254
Code Injection .................................................................................................... 255
Session Hijacking ............................................................................................... 256
Identity Spoofing................................................................................................. 257
Parameter Manipulation ...................................................................................... 258
Network Eavesdropping ....................................................................................... 259
Information Disclosure ........................................................................................ 259
Design Considerations ............................................................................................ 260
Use Server-Side Input Validation .......................................................................... 260
Partition Your Web Site ........................................................................................ 261
Consider the Identity That Is Used for Resource Access......................................... 262
Protect Credentials and Authentication Tickets...................................................... 262
Fail Securely ....................................................................................................... 262
Consider Authorization Granularity ........................................................................ 263
Place Web Controls and User Controls in Separate Assemblies .............................. 263
Place Resource Access Code in a Separate Assembly ........................................... 263
Input Validation....................................................................................................... 263
Constrain, Then Sanitize...................................................................................... 264
Regular Expressions............................................................................................ 264
String Fields ....................................................................................................... 265
Date Fields......................................................................................................... 267
Numeric Fields.................................................................................................... 267
Sanitizing Input ................................................................................................... 269
Validating HTML Controls..................................................................................... 269
Validating Input Used for Data Access .................................................................. 270
Validating Input Used For File I/O ......................................................................... 270
Common Regular Expressions.............................................................................. 271
Cross-Site Scripting................................................................................................. 272
Validate Input ..................................................................................................... 273
Encode Output.................................................................................................... 273
Defense in Depth Countermeasures..................................................................... 274
Authentication ........................................................................................................ 277
Forms Authentication .......................................................................................... 277
Partition Your Web Site ........................................................................................ 278
Secure Restricted Pages with SSL........................................................................ 279
Use URL Authorization......................................................................................... 279
Secure the Authentication Cookie......................................................................... 280
Use Absolute URLs for Navigation ........................................................................ 282
Use Secure Credential Management..................................................................... 283
Authorization .......................................................................................................... 284
Use URL Authorization for Page and Directory Access Control................................. 284
Use File Authorization with Windows Authentication ............................................... 284
Use Principal Demands on Classes and Methods.................................................. 284
Use Explicit Role Checks for Fine-Grained Authorization ......................................... 285
Impersonation ........................................................................................................ 286
Using Programmatic Impersonation ...................................................................... 286
Sensitive Data ........................................................................................................ 288
Do not Pass Sensitive Data from Page to Page...................................................... 288
Avoid Plaintext Passwords in Configuration Files.................................................... 288
Use DPAPI to Avoid Key Management ................................................................... 288
Do Not Cache Sensitive Data............................................................................... 288
Session Management ............................................................................................. 289
Require Authentication for Sensitive Pages ........................................................... 289
Do Not Rely on Client-Side State Management Options .......................................... 289
Do Not Mix Session Tokens and Authentication Tokens .......................................... 290
Use SSL Effectively ............................................................................................. 290
Secure the Session Data..................................................................................... 290
Parameter Manipulation .......................................................................................... 291
Protect View State with MACs .............................................................................. 291
Use Page.ViewStateUserKey to Counter One-Click Attacks...................................... 292
Maintain Sensitive Data on the Server.................................................................. 292
Validate Input Parameters.................................................................................... 293
Exception Management ........................................................................................... 293
Return Generic Error Pages to the Client ............................................................... 293
Implement Page-Level or Application-Level Error Handlers....................................... 294
Auditing and Logging ............................................................................................... 295
EventLogPermission ............................................................................................ 296
Summary ............................................................................................................... 296
Additional Resources .............................................................................................. 297
Chapter 11
Building Secure Serviced Components 299
In This Chapter ....................................................................................................... 299
Overview ................................................................................................................ 299
How to Use This Chapter ......................................................................................... 300
Threats and Countermeasures................................................................................. 300
Network Eavesdropping ....................................................................................... 301
Unauthorized Access........................................................................................... 301
Unconstrained Delegation.................................................................................... 301
Disclosure of Configuration Data.......................................................................... 302
Repudiation........................................................................................................ 302
Design Considerations ............................................................................................ 302
Role-Based Authorization ..................................................................................... 302
Sensitive Data Protection .................................................................................... 302
Audit Requirements............................................................................................. 303
Application Activation Type................................................................................... 303
Transactions....................................................................................................... 303
Code Access Security.......................................................................................... 303
Authentication ........................................................................................................ 304
Use (At Least) Call Level Authentication................................................................ 304
Authorization .......................................................................................................... 304
Enable Role-Based Security ................................................................................. 304
Enable Component Level Access Checks .............................................................. 305
Enforce Component Level Access Checks ............................................................. 305
Configuration Management...................................................................................... 305
Use Least Privileged Run-As Accounts .................................................................. 306
Avoid Storing Secrets in Object Constructor Strings ............................................... 306
Avoid Unconstrained Delegation ........................................................................... 306
Sensitive Data ........................................................................................................ 307
Auditing and Logging ............................................................................................... 308
Audit User Transactions....................................................................................... 308
Building a Secure Serviced Component .................................................................... 309
Assembly Implementation.................................................................................... 310
Serviced Component Class Implementation .......................................................... 311
Code Access Security Considerations ....................................................................... 313
Deployment Considerations ..................................................................................... 314
Firewall Restrictions ............................................................................................ 314
Summary ............................................................................................................... 316
Additional Resources .............................................................................................. 317
Chapter 12
Building Secure Web Services 319
In This Chapter ....................................................................................................... 319
Overview ................................................................................................................ 319
How to Use This Chapter ......................................................................................... 320
Threats and Countermeasures................................................................................. 320
Unauthorized Access........................................................................................... 321
Parameter Manipulation ...................................................................................... 322
Network Eavesdropping ....................................................................................... 322
Disclosure of Configuration Data.......................................................................... 323
Message Replay ................................................................................................. 323
Design Considerations ............................................................................................ 325
Authentication Requirements ............................................................................... 325
Privacy and Integrity Requirements ....................................................................... 325
Resource Access Identities.................................................................................. 325
Code Access Security.......................................................................................... 326
Input Validation....................................................................................................... 326
Strongly Typed Parameters................................................................................... 326
Loosely Typed Parameters ................................................................................... 328
XML Data ........................................................................................................... 328
SQL Injection ...................................................................................................... 331
Cross-Site Scripting............................................................................................. 331
Authentication ........................................................................................................ 332
Platform Level Authentication............................................................................... 332
Message Level Authentication.............................................................................. 333
Application Level Authentication ........................................................................... 335
Authorization .......................................................................................................... 335
Web Service Endpoint Authorization...................................................................... 336
Web Method Authorization ................................................................................... 336
Programmatic Authorization ................................................................................. 336
Sensitive Data ........................................................................................................ 337
XML Encryption................................................................................................... 337
Encrypting Parts of a Message............................................................................. 338
Parameter Manipulation .......................................................................................... 339
Exception Management ........................................................................................... 339
Using SoapExceptions......................................................................................... 340
Application Level Error Handling in Global.asax...................................................... 341
Auditing and Logging ............................................................................................... 341
Proxy Considerations............................................................................................... 341
Code Access Security Considerations ....................................................................... 342
Deployment Considerations ..................................................................................... 343
Intranet Deployment............................................................................................ 343
Extranet Deployment ........................................................................................... 343
Internet Deployment............................................................................................ 344
Summary ............................................................................................................... 345
Additional Resources .............................................................................................. 345
Chapter 13
Building Secure Remoted Components 347
In This Chapter ....................................................................................................... 347
Overview ................................................................................................................ 347
How to Use This Chapter ......................................................................................... 348
Threats and Countermeasures................................................................................. 349
Unauthorized Access........................................................................................... 349
Network Eavesdropping ....................................................................................... 350
Parameter Manipulation ...................................................................................... 351
Serialization ....................................................................................................... 351
Design Considerations ............................................................................................ 352
Do Not Expose Remoted Objects to the Internet.................................................... 352
Use the HttpChannel to Take Advantage of ASP.NET Security ................................. 352
Use the TcpChannel Only in Trusted Server Scenarios............................................ 352
Input Validation....................................................................................................... 354
Serialization Attacks............................................................................................ 354
MarshalByRefObject Attacks ................................................................................ 354
Authentication ........................................................................................................ 355
ASP.NET Hosting................................................................................................. 355
Custom Process Hosting ..................................................................................... 358
Authorization .......................................................................................................... 359
Use IPSec for Machine Level Access Control ......................................................... 359
Enable File Authorization for User Access Control .................................................. 359
Authorize Users with Principal-Based Role Checks ................................................. 360
Consider Limiting Remote Access ........................................................................ 360
Sensitive Data ........................................................................................................ 361
Using IPSec........................................................................................................ 361
Using SSL .......................................................................................................... 361
Using a Custom Encryption Sink........................................................................... 361
Denial of Service .................................................................................................... 364
Exception Management ........................................................................................... 364
Using a Custom Channel Sink.............................................................................. 365
Auditing and Logging ............................................................................................... 365
Using a Custom Channel Sink.............................................................................. 365
Code Access Security (CAS) Considerations .............................................................. 365
Summary ............................................................................................................... 365
Additional Resources .............................................................................................. 366
Chapter 14
Building Secure Data Access 367
In this Chapter........................................................................................................ 367
Overview ................................................................................................................ 367
How to Use This Chapter ......................................................................................... 368
Threats and Countermeasures................................................................................. 368
SQL Injection ...................................................................................................... 369
Disclosure of Configuration Data.......................................................................... 370
Disclosure of Sensitive Application Data ............................................................... 370
Disclosure of Database Schema and Connection Details ....................................... 371
Unauthorized Access........................................................................................... 371
Network Eavesdropping ....................................................................................... 372
Design Considerations ............................................................................................ 372
Use Windows Authentication................................................................................ 373
Use Least Privileged Accounts ............................................................................. 373
Use Stored Procedures........................................................................................ 373
Protect Sensitive Data in Storage......................................................................... 374
Use Separate Data Access Assemblies ................................................................ 375
Input Validation....................................................................................................... 376
SQL Injection .......................................................................................................... 376
Preventing SQL Injection ...................................................................................... 376
Constrain Input ................................................................................................... 376
Use Type Safe SQL Parameters............................................................................ 377
Using Parameter Batching.................................................................................... 378
Using Filter Routines ........................................................................................... 378
Using LIKE Clauses............................................................................................. 378
Authentication ........................................................................................................ 379
Use Windows Authentication................................................................................ 379
Protect the Credentials for SQL Authentication ...................................................... 380
Connect Using a Least Privileged Account ............................................................. 380
Authorization .......................................................................................................... 380
Restrict Unauthorized Callers............................................................................... 382
Restrict Unauthorized Code ................................................................................. 383
Restrict the Application in the Database ............................................................... 383
Configuration Management...................................................................................... 384
Use Window Authentication.................................................................................. 384
Secure Your Connection Strings ........................................................................... 384
Secure UDL Files with Restricted ACLs ................................................................. 386
Sensitive Data ........................................................................................................ 386
Encrypt Sensitive Data if You Need to Store It ....................................................... 386
Secure Sensitive Data Over the Network............................................................... 387
Store Password Hashes with Salt......................................................................... 388
Exception Management ........................................................................................... 389
Trap and Log ADO.NET Exceptions ........................................................................ 389
Ensure Database Connections Are Closed ............................................................ 391
Use a Generic Error Page in Your ASP.NET Applications.......................................... 392
Building a Secure Data Access Component............................................................... 393
Code Access Security Considerations ....................................................................... 396
Deployment Considerations ..................................................................................... 397
Firewall Restrictions ............................................................................................ 397
Connection String Management ........................................................................... 398
Login Account Configuration................................................................................. 398
Logon Auditing.................................................................................................... 398
Data Privacy and Integrity on the Network ............................................................. 399
Summary ............................................................................................................... 399
Additional Resources .............................................................................................. 399
Part IV
Securing Your Network, Host, and Application 401
Chapter 15
Securing Your Network 403
In This Chapter ....................................................................................................... 403
Overview ................................................................................................................ 403
How to Use This Chapter ......................................................................................... 404
Threats and Countermeasures................................................................................. 405
Information Gathering.......................................................................................... 405
Sniffing .............................................................................................................. 406
Spoofing ............................................................................................................ 406
Session Hijacking ............................................................................................... 407
Denial of Service ................................................................................................ 407
Methodology........................................................................................................... 408
Router................................................................................................................ 408
Firewall .............................................................................................................. 409
Switch................................................................................................................ 409
Router Considerations............................................................................................. 409
Patches and Updates .......................................................................................... 409
Protocols............................................................................................................ 410
Administrative Access ......................................................................................... 412
Services............................................................................................................. 412
Auditing and Logging ........................................................................................... 413
Intrusion Detection ............................................................................................. 413
Firewall Considerations ........................................................................................... 413
Patches and Updates .......................................................................................... 413
Filters ................................................................................................................ 414
Logging and Auditing ........................................................................................... 415
Perimeter Networks............................................................................................. 415
Switch Considerations............................................................................................. 416
Patches and Updates .......................................................................................... 416
VLANs................................................................................................................ 417
Insecure Defaults................................................................................................ 417
Services............................................................................................................. 417
Encryption .......................................................................................................... 417
Additional Considerations ........................................................................................ 417
Snapshot of a Secure Network................................................................................. 418
Summary ............................................................................................................... 419
Additional Resources .............................................................................................. 420
Chapter 16
Securing Your Web Server 421
In This Chapter ....................................................................................................... 421
Overview ................................................................................................................ 421
How to Use This Chapter ......................................................................................... 422
Threats and Countermeasures................................................................................. 422
Profiling.............................................................................................................. 423
Denial of Service ................................................................................................ 424
Unauthorized Access........................................................................................... 424
Arbitrary Code Execution...................................................................................... 425
Elevation of Privileges ......................................................................................... 425
Viruses, Worms, and Trojan Horses ...................................................................... 426
Methodology for Securing Your Web Server ............................................................... 426
Configuration Categories ..................................................................................... 427
IIS and .NET Framework Installation Considerations................................................... 430
What Does IIS Install?......................................................................................... 430
What Does the .NET Framework Install?................................................................ 431
Installation Recommendations ................................................................................. 432
IIS Installation Recommendations ........................................................................ 432
.NET Framework Installation Recommendations..................................................... 432
Including Service Packs with a Base Installation.................................................... 433
Steps for Securing Your Web Server ......................................................................... 433
Step 1. Patches and Updates .................................................................................. 434
Detect and Install Patches and Updates ............................................................... 434
Update the .NET Framework................................................................................. 435
Step 2. IISLockdown ............................................................................................... 435
Install and Run IISLockdown ................................................................................ 435
Install and Configure URLScan ............................................................................. 437
Step 3. Services ..................................................................................................... 438
Disable Unnecessary Services ............................................................................. 439
Disable FTP, SMTP, and NNTP Unless You Require Them.......................................... 439
Disable the ASP.NET State Service Unless You Require It ...................................... 440
Step 4. Protocols .................................................................................................... 440
Disable or Secure WebDAV .................................................................................. 440
Harden the TCP/IP Stack..................................................................................... 440
Disable NetBIOS and SMB................................................................................... 441
Step 5. Accounts .................................................................................................... 442
Delete or Disable Unused Accounts...................................................................... 442
Disable the Guest Account .................................................................................. 443
Rename the Administrator Account....................................................................... 443
Disable the IUSR Account .................................................................................... 443
Create a Custom Anonymous Web Account ........................................................... 443
Enforce Strong Password Policies......................................................................... 444
Restrict Remote Logons ...................................................................................... 444
Disable Null Sessions (Anonymous Logons) .......................................................... 445
Step 6. Files and Directories.................................................................................... 446
Restrict the Everyone Group ................................................................................ 446
Restrict Access to the IIS Anonymous Account ...................................................... 446
Secure or Remove Tools, Utilities and SDKs.......................................................... 447
Remove Sample Files.......................................................................................... 447
Additional Considerations .................................................................................... 447
Step 7. Shares ....................................................................................................... 448
Remove Unnecessary Shares .............................................................................. 448
Restrict Access to Required Shares...................................................................... 448
Additional Considerations .................................................................................... 448
Step 8. Ports.......................................................................................................... 449
Restrict Internet-Facing Ports to TCP 80 and 443 .................................................. 449
Encrypt or Restrict Intranet Traffic ........................................................................ 449
Step 9. Registry...................................................................................................... 449
Restrict Remote Administration of the Registry...................................................... 450
Secure the SAM (Stand-alone Servers Only) .......................................................... 450
Step 10. Auditing and Logging ................................................................................. 451
Log All Failed Logon Attempts .............................................................................. 451
Log All Failed Actions Across the File System ........................................................ 451
Relocate and Secure the IIS Log Files .................................................................. 452
Archive Log Files for Offline Analysis..................................................................... 452
Audit Access to the Metabase.bin File .................................................................. 452
Additional Considerations .................................................................................... 453
Step 11. Sites and Virtual Directories ...................................................................... 453
Move Your Web site to a Non-System Volume........................................................ 453
Disable the Parent Paths Setting.......................................................................... 453
Remove Potentially Dangerous Virtual Directories.................................................. 454
Remove or Secure RDS ....................................................................................... 454
Set Web Permissions .......................................................................................... 455
Remove or Secure FrontPage Server Extensions .................................................... 456
Step 12. Script Mappings........................................................................................ 456
Map IIS File Extensions ....................................................................................... 457
Map .NET Framework File Extensions.................................................................... 458
Step 13. ISAPI Filters.............................................................................................. 459
Remove Unused ISAPI Filters ............................................................................... 459
Step 14. IIS Metabase ............................................................................................ 460
Restrict Access to the Metabase Using NTFS Permissions ..................................... 460
Restrict Banner Information Returned by IIS.......................................................... 460
Step 15. Server Certificates .................................................................................... 461
Step 16. Machine.Config ......................................................................................... 462
Map Protected Resources to HttpForbiddenHandler ............................................... 462
Verify That Tracing Is Disabled.............................................................................. 463
Verify That Debug Compiles Are Disabled.............................................................. 463
Verify That ASP.NET Errors Are Not Returned to Clients .......................................... 464
Verify Session State Settings ............................................................................... 464
Step 17. Code Access Security ................................................................................ 464
Remove All Permissions for the Local Intranet Zone............................................... 465
Remove All Permissions for the Internet Zone ....................................................... 465
Snapshot of a Secure Web Server ............................................................................ 466
Staying Secure........................................................................................................ 469
Audit Group Membership ..................................................................................... 469
Monitor Audit Logs .............................................................................................. 469
Stay Current With Service Packs and Patches........................................................ 470
Perform Security Assessments............................................................................. 470
Use Security Notification Services ........................................................................ 470
Remote Administration ............................................................................................ 471
Securing Terminal Services .................................................................................. 472
Simplifying and Automating Security ......................................................................... 473
Summary ............................................................................................................... 474
Additional Resources .............................................................................................. 474
Chapter 17
Securing Your Application Server 475
In This Chapter ....................................................................................................... 475
Overview ................................................................................................................ 475
How to Use This Chapter ......................................................................................... 476
Threats and Countermeasures................................................................................. 477
Network Eavesdropping ....................................................................................... 477
Unauthorized Access........................................................................................... 478
Viruses, Worms, and Trojan Horses ...................................................................... 479
Methodology........................................................................................................... 480
Communication Channel Considerations................................................................... 480
Enterprise Services............................................................................................. 480
.NET Remoting.................................................................................................... 481
Web Services ..................................................................................................... 481
SQL Server......................................................................................................... 481
Firewall Considerations ........................................................................................... 482
Enterprise Services............................................................................................. 482
.NET Remoting.................................................................................................... 484
Web Services ..................................................................................................... 485
SQL Server......................................................................................................... 485
.NET Remoting Security Considerations .................................................................... 486
Hosting in a Windows Service (TCP Channel)......................................................... 486
Hosting in IIS (HTTP Channel) .............................................................................. 486
Enterprise Services (COM+) Security Considerations ................................................. 487
Secure the Component Services Infrastructure...................................................... 487
Secure Enterprise Services Applications ............................................................... 493
Summary ............................................................................................................... 499
Additional Resources .............................................................................................. 499
Chapter 18
Securing Your Database Server 501
In This Chapter ....................................................................................................... 501
Overview ................................................................................................................ 501
How to Use This Chapter ......................................................................................... 502
Threats and Countermeasures................................................................................. 502
SQL Injection ...................................................................................................... 503
Network Eavesdropping ....................................................................................... 504
Unauthorized Server Access ................................................................................ 504
Password Cracking.............................................................................................. 505
Methodology for Securing Your Server....................................................................... 506
Configuration Categories ..................................................................................... 506
SQL Server Installation Considerations..................................................................... 509
What Does SQL Server Install? ............................................................................ 509
SQL Server Installation Recommendations................................................................ 509
Before Running SQL Server Setup ........................................................................ 510
Installing SQL Server........................................................................................... 510
Steps for Securing Your Database Server.................................................................. 511
Step 1. Patches and Updates .................................................................................. 511
Detect Missing Service Packs and Updates .......................................................... 511
Patching MSDE ................................................................................................... 512
Step 2. Services ..................................................................................................... 512
Disable Unused SQL Server Services ................................................................... 513
Disable the Microsoft DTC (if not required)............................................................ 513
Step 3. Protocols .................................................................................................... 513
Restrict SQL Server to TCP/IP.............................................................................. 514
Harden the TCP/IP Stack..................................................................................... 514
Additional Considerations .................................................................................... 514
Step 4. Accounts .................................................................................................... 515
Secure the SQL Server Service Account................................................................ 515
Delete or Disable Unused Accounts...................................................................... 516
Disable the Windows Guest Account..................................................................... 516
Rename the Administrator Account....................................................................... 516
Enforce Strong Password Policy............................................................................ 516
Restrict Remote Logons ...................................................................................... 517
Disable Null Sessions (Anonymous Logons) .......................................................... 517
Additional Considerations .................................................................................... 518
Step 5. Files and Directories.................................................................................... 519
Verify Permissions on SQL Server Install Directories .............................................. 519
Verify Everyone Group Does Not Have Permissions for SQL Server Files .................. 520
Secure Setup Log Files........................................................................................ 520
Secure or Remove Tools, Utilities, and SDKs ......................................................... 520
Additional Considerations .................................................................................... 520
Step 6. Shares ....................................................................................................... 521
Remove Unnecessary Shares .............................................................................. 521
Restrict Access to Required Shares...................................................................... 521
Additional Considerations .................................................................................... 521
Step 7. Ports.......................................................................................................... 522
Restrict Access to the SQL Server Port ................................................................. 522
Configure Named Instances to Listen on the Same Port......................................... 522
Configure the Firewall to Support DTC Traffic (if necessary) .................................... 523
Additional Considerations .................................................................................... 523
Step 8. Registry...................................................................................................... 523
Verify Permissions for the SQL Server Registry Keys .............................................. 524
Secure the SAM (Stand-alone Servers Only) .......................................................... 524
Step 9. Auditing and Logging ................................................................................... 525
Log All Failed Windows Logon Attempts ................................................................ 525
Log All Failed Actions Across the File System ........................................................ 525
Enable SQL Server Login Auditing......................................................................... 526
Additional Considerations .................................................................................... 526
Step 10. SQL Server Security................................................................................... 527
Set SQL Server Authentication to Windows Only .................................................... 527
Set SQL Server Audit Level to Failure or All ........................................................... 528
Run SQL Server Using a Least Privileged Account.................................................. 528
Step 11. SQL Server Logins, Users, and Roles.......................................................... 529
Use a Strong sa (System Administrator) Password................................................. 530
Remove the SQL Guest User Account ................................................................... 530
Remove the BUILTIN\Administrators Server Login.................................................. 530
Do Not Grant Permissions for the Public Role........................................................ 531
Additional Considerations .................................................................................... 531
Step 12. SQL Server Database Objects .................................................................... 532
Remove the Sample Databases ........................................................................... 532
Secure Stored Procedures ................................................................................... 532
Secure Extended Stored Procedures..................................................................... 532
Restrict cmdExec Access to the sysadmin Role ..................................................... 532
Snapshot of a Secure Database Server .................................................................... 533
Additional Considerations ........................................................................................ 536
Staying Secure........................................................................................................ 536
Perform Regular Backups .................................................................................... 537
Audit Group Membership ..................................................................................... 537
Monitor Audit Logs .............................................................................................. 537
Stay Current with Service Packs and Patches ........................................................ 537
Staying Secure (continued)
Perform Security Assessments............................................................................. 538
Use Security Notification Services ........................................................................ 538
Remote Administration ............................................................................................ 539
Securing Terminal Services .................................................................................. 539
Summary ............................................................................................................... 540
Additional Resources .............................................................................................. 541
Chapter 19
Securing Your ASP.NET Application and Web Services 543
In This Chapter ....................................................................................................... 543
Overview ................................................................................................................ 543
How to Use This Chapter ......................................................................................... 544
Methodology........................................................................................................... 544
What You Must Know .............................................................................................. 545
ASP.NET Process Model ...................................................................................... 545
ASP.NET Account ................................................................................................ 545
Aspnet_setreg.exe and Process, Session, and Identity........................................... 546
Impersonation is Not the Default.......................................................................... 546
HttpForbiddenHandler, Urlscan, and the 404.dll..................................................... 547
AppSettings........................................................................................................ 547
Machine.Config and Web.Config Explained ................................................................ 548
Hierarchical Policy Evaluation ............................................................................... 550
Machine.Config and Web.Config Guidelines............................................................... 553
ACLs and Permissions......................................................................................... 554
Trust Levels in ASP.NET........................................................................................... 555
Process Identity for ASP.NET.................................................................................... 556
Impersonation ........................................................................................................ 558
Authentication ........................................................................................................ 560
Forms Authentication Guidelines .......................................................................... 560
Authorization .......................................................................................................... 563
File Authorization ................................................................................................ 563
URL Authorization ............................................................................................... 564
Session State......................................................................................................... 565
Securing a SQL Server Session State Store .......................................................... 565
Securing the Out-of-Process State Service ............................................................ 568
View State.............................................................................................................. 569
Machine Key........................................................................................................... 570
Use Unique Encryption Keys with Multiple Applications .......................................... 570
Set validation=“SHA1” ........................................................................................ 570
Generate Keys Manually For Web Farms................................................................ 571
Debugging .............................................................................................................. 571
Tracing ................................................................................................................... 571
Exception Management ........................................................................................... 572
Remoting ............................................................................................................... 573
Web Services ......................................................................................................... 573
Disable Web Services if They Are Not Required ..................................................... 573
Disable Unused Protocols.................................................................................... 574
Disable the Automatic Generation of WSDL........................................................... 574
Forbidden Resources............................................................................................... 575
Map Protected Resources to HttpForbiddenHandler ............................................... 575
Bin Directory........................................................................................................... 576
Secure the Bin Directory...................................................................................... 576
Event Log ............................................................................................................... 576
File Access............................................................................................................. 577
ACLs and Permissions............................................................................................. 577
Registry ................................................................................................................. 579
Data Access ........................................................................................................... 579
Configuring Data Access for Your ASP.NET Application ........................................... 579
UNC Shares............................................................................................................ 581
Accessing Files on UNC Shares............................................................................ 581
Hosting Applications on UNC Shares .................................................................... 581
COM/DCOM Resources........................................................................................... 583
Denial of Service Considerations.............................................................................. 583
Web Farm Considerations ........................................................................................ 584
Session State..................................................................................................... 584
Encryption and Verification................................................................................... 584
DPAPI................................................................................................................. 584
Snapshot of a Secure ASP.NET Application ............................................................... 585
Summary ............................................................................................................... 588
Additional Resources .............................................................................................. 588
Chapter 20
Hosting Multiple Web Applications 589
In This Chapter ....................................................................................................... 589
Overview ................................................................................................................ 589
ASP.NET Architecture on Windows 2000................................................................... 591
ASP.NET Architecture on Windows Server 2003 ........................................................ 592
Configuring ACLs for Network Service ................................................................... 593
Isolating Applications by Identity .............................................................................. 594
Anonymous Account Impersonation ...................................................................... 595
Fixed Identity Impersonation ................................................................................ 597
Isolating Applications with Application Pools ............................................................. 599
Isolating Applications with Code Access Security ....................................................... 600
Forms Authentication Issues.................................................................................... 601
UNC Share Hosting ................................................................................................. 601
Summary ............................................................................................................... 602
Part V
Assessing Your Security 603
Chapter 21
Code Review 605
In This Chapter ....................................................................................................... 605
Overview ................................................................................................................ 605
FxCop .................................................................................................................... 606
Performing Text Searches ........................................................................................ 606
Search for Hard-Coded Strings ............................................................................. 606
ILDASM.............................................................................................................. 607
Cross-Site Scripting (XSS)........................................................................................ 608
Identify Code That Outputs Input .......................................................................... 609
Identify Potentially Dangerous HTML Tags and Attributes........................................ 610
Identify Code That Handles URLs ......................................................................... 611
Check That Output Is Encoded ............................................................................. 612
Check for Correct Character Encoding................................................................... 612
Check the validateRequest Attribute..................................................................... 612
Check the HttpOnly Cookie Option........................................................................ 613
Check the Security Attribute ................................................................... 613
Check the Use of the innerText and innerHTML Properties...................................... 613
More Information ................................................................................................ 613
SQL Injection .......................................................................................................... 614
Buffer Overflows ..................................................................................................... 615
Managed Code ....................................................................................................... 616
Is Your Class Design Secure? .............................................................................. 617
Do You Create Threads? ...................................................................................... 617
Do You Use Serialization?.................................................................................... 618
Do You Use Reflection? ....................................................................................... 619
Do You Handle Exceptions? ................................................................................. 619
Do You Use Cryptography?................................................................................... 620
Do You Store Secrets? ........................................................................................ 621
Do You Use Delegates? ....................................................................................... 622
Code Access Security.............................................................................................. 622
Do You Support Partial-Trust Callers? ................................................................... 622
Do You Restrict Access to Public Types and Members? .......................................... 623
Do You Use Declarative Security Attributes?.......................................................... 624
Do You Call Assert? ............................................................................................ 624
Do You Use Permission Demands When You Should? ............................................ 625
Do You Use Link Demands?................................................................................. 625
Do You Use Potentially Dangerous Permissions? ................................................... 627
Do You Compile With the /unsafe Option? ............................................................ 627
Unmanaged Code ................................................................................................... 628
ASP.NET Pages and Controls ................................................................................... 630
Do You Disable Detailed Error Messages? ............................................................ 630
Do You Disable Tracing? ...................................................................................... 630
Do You Validate Form Field Input? ........................................................................ 631
Are You Vulnerable to XSS Attacks?...................................................................... 632
Do You Validate Query String and Cookie Input? .................................................... 632
Do You Secure View State?.................................................................................. 633
Are Your Global.asax Event Handlers Secure? ....................................................... 633
Do You Provide Adequate Authorization? ............................................................... 634
Web Services ......................................................................................................... 634
Do You Expose Restricted Operations or Data? ..................................................... 635
How Do You Authorize Callers?............................................................................. 635
Do You Constrain Privileged Operations?............................................................... 635
Do You Use Custom Authentication?..................................................................... 635
Do You Validate All Input? .................................................................................... 635
Do You Validate SOAP Headers? .......................................................................... 635
Serviced Components ............................................................................................. 636
Do You Use Assembly Level Metadata? ................................................................ 636
Do You Prevent Anonymous Access? .................................................................... 636
Do You Use a Restricted Impersonation Level?...................................................... 636
Do You Use Role-Based Security?......................................................................... 637
Do You Use Object Constructor Strings? ............................................................... 638
Do You Audit in the Middle Tier ............................................................................ 638
Remoting ............................................................................................................... 638
Do You Pass Objects as Parameters? ................................................................... 639
Do You Use Custom Authentication and Principal Objects?..................................... 639
How Do You Configure Proxy Credentials? ............................................................. 639
Data Access Code................................................................................................... 640
Do You Prevent SQL Injection? ............................................................................. 640
Do You Use Windows Authentication?................................................................... 640
Do You Secure Database Connection Strings?....................................................... 640
How Do You Restrict Unauthorized Code? ............................................................. 641
How Do You Secure Sensitive Data in the Database? ............................................ 641
Do You Handle ADO .NET Exceptions? .................................................................. 641
Do You Close Database Connections? .................................................................. 642
Summary ............................................................................................................... 642
Additional Resource ................................................................................................ 642
Chapter 22
Deployment Review 643
In This Chapter ....................................................................................................... 643
Overview ................................................................................................................ 643
Web Server Configuration ........................................................................................ 644
Patches and Updates .......................................................................................... 645
Services............................................................................................................. 645
Protocols............................................................................................................ 646
Accounts............................................................................................................ 647
Files and Directories ........................................................................................... 648
Shares............................................................................................................... 649
Ports.................................................................................................................. 649
Registry ............................................................................................................. 651
Auditing and Logging ........................................................................................... 651
IIS Configuration ..................................................................................................... 652
IISLockdown ....................................................................................................... 652
URLScan ............................................................................................................ 652
Sites and Virtual Directories ................................................................................ 653
ISAPI Filters........................................................................................................ 655
IIS Metabase...................................................................................................... 656
Server Certificates .............................................................................................. 656
Machine.Config....................................................................................................... 657
Web Services ......................................................................................................... 663
Enterprise Services................................................................................................. 664
Accounts............................................................................................................ 665
Files and Directories ........................................................................................... 665
Authentication .................................................................................................... 666
Authorization ...................................................................................................... 667
Remote Serviced Components ............................................................................. 668
Remoting ............................................................................................................... 668
Port Considerations ............................................................................................ 668
Hosting in ASP.NET with the HttpChannel ............................................................. 669
Hosting in a Custom Process with the TcpChannel ................................................ 670
Database Server Configuration ................................................................................ 670
Patches and Updates .......................................................................................... 671
Services............................................................................................................. 671
Protocols............................................................................................................ 671
Accounts............................................................................................................ 672
Files and Directories ........................................................................................... 673
Shares............................................................................................................... 673
Ports.................................................................................................................. 674
Registry ............................................................................................................. 674
Auditing and Logging ........................................................................................... 675
SQL Server Security ............................................................................................ 675
SQL Server Logins, Users, and Roles.................................................................... 676
SQL Server Database Objects.............................................................................. 677
Network Configuration ............................................................................................. 677
Router................................................................................................................ 678
Firewall .............................................................................................................. 679
Switch................................................................................................................ 679
Summary ............................................................................................................... 680
Related Security Resources 681
Related Microsoft patterns & practices Guidance ...................................................... 681
Security-Related Web Sites ...................................................................................... 681
Microsoft Security-Related Web Sites ................................................................... 681
Third-Party, Security-Related Web Sites ................................................................. 682
Microsoft Security Services ..................................................................................... 682
Partners and Service Providers ................................................................................ 682
Communities and Newsgroups................................................................................. 683
Newsgroup Home Pages...................................................................................... 683
Patches and Updates .............................................................................................. 683
Service Packs..................................................................................................... 683
Alerts and Notification............................................................................................. 684
Microsoft Security Notification Services ................................................................ 684
Third Party Security Notification Services .............................................................. 684
Additional Resources .............................................................................................. 684
Checklists and Assessment Guidelines ................................................................ 684
Common Criteria................................................................................................. 685
Reference Hub.................................................................................................... 685
Security Knowledge in Practice............................................................................. 685
Vulnerabilities..................................................................................................... 685
World Wide Web Security FAQ............................................................................... 685
Index of Checklists 687
Overview ................................................................................................................ 687
Designing Checklist................................................................................................. 687
Building Checklists.................................................................................................. 687
Securing Checklists................................................................................................. 688
Assessing Checklist ................................................................................................ 688
Checklist:
Architecture and Design Review 689
How to Use This Checklist ....................................................................................... 689
Deployment and Infrastructure Considerations .......................................................... 689
Application Architecture and Design Considerations................................................... 690
Input Validation................................................................................................... 690
Authentication .................................................................................................... 690
Authorization ...................................................................................................... 691
Configuration Management.................................................................................. 692
Sensitive Data .................................................................................................... 692
Session Management ......................................................................................... 692
Cryptography ...................................................................................................... 693
Parameter Manipulation ...................................................................................... 693
Exception Management ....................................................................................... 693
Auditing and Logging ........................................................................................... 694
Checklist
Securing ASP.NET 695
How to Use This Checklist ....................................................................................... 695
Design Considerations ............................................................................................ 695
Application Categories Considerations...................................................................... 696
Input Validation................................................................................................... 696
Authentication .................................................................................................... 696
Authorization ...................................................................................................... 697
Configuration Management.................................................................................. 697
Sensitive Data .................................................................................................... 698
Session Management ......................................................................................... 698
Parameter Manipulation ...................................................................................... 698
Exception Management ....................................................................................... 699
Auditing and Logging ........................................................................................... 699
Configuration File Settings....................................................................................... 699
Web Farm Considerations .................................................................................... 702
Hosting Multiple Applications............................................................................... 703
ACLs and Permissions......................................................................................... 703
Application Bin Directory...................................................................................... 704
Checklist
Securing Web Services 705
How to Use This Checklist ....................................................................................... 705
Design Considerations ............................................................................................ 705
Development Considerations ................................................................................... 705
Input Validation................................................................................................... 705
Authentication .................................................................................................... 706
Authorization ...................................................................................................... 706
Sensitive Data .................................................................................................... 706
Parameter Manipulation ...................................................................................... 706
Exception Management ....................................................................................... 707
Auditing and Logging ........................................................................................... 707
Proxy Considerations........................................................................................... 707
Administration Considerations ................................................................................. 707
Checklist
Securing Enterprise Services 709
How to Use This Checklist ....................................................................................... 709
Developer Checks ................................................................................................... 709
Authentication .................................................................................................... 709
Authorization ...................................................................................................... 709
Configuration Management.................................................................................. 710
Sensitive Data .................................................................................................... 710
Auditing and Logging ........................................................................................... 710
Deployment Considerations ................................................................................. 710
Impersonation .................................................................................................... 711
Administrator Checklist ........................................................................................... 711
Checklist
Securing Remoting 713
How to Use This Checklist ....................................................................................... 713
Design Considerations ............................................................................................ 713
Input Validation....................................................................................................... 713
Authentication ........................................................................................................ 714
Authorization .......................................................................................................... 714
Configuration Management...................................................................................... 714
Sensitive Data ........................................................................................................ 715
Exception Management ........................................................................................... 715
Auditing and Logging ............................................................................................... 715
Checklist
Securing Data Access 717
How to Use This Checklist ....................................................................................... 717
SQL Injection Checks .............................................................................................. 717
Authentication ........................................................................................................ 717
Authorization .......................................................................................................... 718
Configuration Management...................................................................................... 718
Sensitive Data ........................................................................................................ 718
Exception Management ........................................................................................... 719
Deployment Considerations ..................................................................................... 719
Checklist
Securing Your Network 721
How to Use This Checklist ....................................................................................... 721
Router Considerations............................................................................................. 721
Firewall Considerations ........................................................................................... 722
Switch Considerations............................................................................................. 722
Checklist
Securing Your Web Server 723
How to Use This Checklist ....................................................................................... 723
Patches and Updates .......................................................................................... 723
IISLockdown ....................................................................................................... 723
Services............................................................................................................. 723
Protocols............................................................................................................ 724
Accounts............................................................................................................ 724
Files and Directories ........................................................................................... 725
Shares............................................................................................................... 725
Ports.................................................................................................................. 725
Registry ............................................................................................................. 725
Auditing and Logging ........................................................................................... 726
Sites and Virtual Directories ................................................................................ 726
Script Mappings.................................................................................................. 726
ISAPI Filters........................................................................................................ 727
IIS Metabase...................................................................................................... 727
Server Certificates .............................................................................................. 727
Machine.config ................................................................................................... 727
Code Access Security.......................................................................................... 727
Other Check Points ............................................................................................. 728
Dos and Don’ts....................................................................................................... 728
Checklist
Securing Your Database Server 729
How to Use This Checklist ....................................................................................... 729
Installation Considerations for Production Servers..................................................... 729
Patches and Updates .............................................................................................. 729
Services................................................................................................................. 730
Protocols................................................................................................................ 730
Accounts................................................................................................................ 730
Files and Directories ............................................................................................... 731
Shares................................................................................................................... 731
Ports...................................................................................................................... 731
Registry ................................................................................................................. 731
Auditing and Logging ............................................................................................... 732
SQL Server Security ................................................................................................ 732
SQL Server Logins, Users, and Roles........................................................................ 732
SQL Server Database Objects.................................................................................. 733
Additional Considerations ........................................................................................ 733
Staying Secure........................................................................................................ 733
Checklist
Security Review for Managed Code 735
How to Use This Checklist ....................................................................................... 735
General Code Review Guidelines .............................................................................. 735
Managed Code Review Guidelines ............................................................................ 735
Assembly-Level Checks ....................................................................................... 735
Class-Level Checks ............................................................................................. 736
Cryptography ...................................................................................................... 736
Secrets .............................................................................................................. 737
Exception Management ....................................................................................... 737
Delegates........................................................................................................... 737
Serialization ....................................................................................................... 737
Threading ........................................................................................................... 738
Reflection........................................................................................................... 738
Unmanaged Code Access .................................................................................... 738
Resource Access Considerations ............................................................................. 739
File I/O .............................................................................................................. 739
Event Log ........................................................................................................... 739
Registry ............................................................................................................. 739
Environment Variables ......................................................................................... 740
Code Access Security Considerations ....................................................................... 740
How To
Index 743
How To
Implement Patch Management 745
Applies To .............................................................................................................. 745
Summary ............................................................................................................... 745
What You Must Know .............................................................................................. 745
The Patch Management Process .......................................................................... 745
The Role of MBSA in Patch Management .............................................................. 746
Backups and Patch Management ......................................................................... 746
Before You Begin .................................................................................................... 747
Tools You Will Need............................................................................................. 747
Contents ................................................................................................................ 747
Detecting ............................................................................................................... 748
MBSA Output Explained....................................................................................... 749
Assessing .............................................................................................................. 751
Acquiring ................................................................................................................ 751
Testing ................................................................................................................... 752
Methods for Testing Security Patches ................................................................... 752
Confirming the Installation of a Patch ................................................................... 752
Uninstalling a Security Patch................................................................................ 752
Deploying ............................................................................................................... 753
Using Software Update Services (SUS) ................................................................. 753
Using Systems Management Server (SMS) ........................................................... 753
Maintaining ............................................................................................................ 753
Performing Security Assessments ........................................................................ 753
Using Security Notification Services ..................................................................... 754
Additional Considerations ........................................................................................ 754
Additional Resources .............................................................................................. 754
How To
Harden the TCP/IP Stack 755
Applies To .............................................................................................................. 755
Summary ............................................................................................................... 755
What You Must Know .............................................................................................. 755
Contents ................................................................................................................ 756
Protect Against SYN Attacks .................................................................................... 756
Enable SYN Attack Protection .............................................................................. 756
Set SYN Protection Thresholds ............................................................................ 757
Set Additional Protections.................................................................................... 757
Protect Against ICMP Attacks................................................................................... 759
Protect Against SNMP Attacks.................................................................................. 759
AFD.SYS Protections ............................................................................................... 760
Additional Protections ............................................................................................. 761
Protect Screened Network Details ........................................................................ 761
Avoid Accepting Fragmented Packets .................................................................... 761
Do Not Forward Packets Destined for Multiple Hosts.............................................. 762
Only Firewalls Forward Packets Between Networks................................................. 762
Mask Network Topology Details............................................................................ 762
Pitfalls ................................................................................................................... 763
Additional Resources .............................................................................................. 763
How To
Secure Your Developer Workstation 765
Applies To .............................................................................................................. 765
Summary ............................................................................................................... 765
Before You Begin .................................................................................................... 765
Steps to Secure Your Developer Workstation............................................................. 766
Run Using a Least-Privileged Account ....................................................................... 766
Running Privileged Commands ............................................................................. 767
More Information ................................................................................................ 768
Patch and Update ................................................................................................... 768
Using Windows Update........................................................................................ 768
Using MBSA ....................................................................................................... 768
Using Automatic Updates .................................................................................... 769
Secure IIS .............................................................................................................. 770
Install and Run IISLockdown ................................................................................ 770
Configure URLScan ............................................................................................. 771
Secure SQL Server and MSDE ................................................................................. 772
Apply Patches for Each Instance of SQL Server and MSDE ..................................... 773
Analyze SQL Server and MSDE Security Configuration............................................ 773
Evaluate Your Configuration Categories..................................................................... 774
Stay Secure............................................................................................................ 775
How To
Use IPSec for Filtering Ports and Authentication 777
Applies To .............................................................................................................. 777
Summary ............................................................................................................... 777
Contents ................................................................................................................ 777
What You Must Know .............................................................................................. 778
Identify Your Protocol and Port Requirements ........................................................ 778
IPSec Does Not Secure All Communication ........................................................... 778
Firewalls and IPSec ............................................................................................. 778
Filters, Filter Actions, and Rules ........................................................................... 778
Restricting Web Server Communication .................................................................... 779
Summary of What You Just Did ............................................................................ 782
Restricting Database Server Communication............................................................. 783
Restricting Server-to-Server Communication.............................................................. 784
Using IPSec Tools ................................................................................................... 785
Netdiag.exe........................................................................................................ 785
IPSecpol.exe....................................................................................................... 785
Additional Resources .............................................................................................. 786
How To
Use the Microsoft Baseline Security Analyzer 787
Applies To .............................................................................................................. 787
Summary ............................................................................................................... 787
Contents ................................................................................................................ 788
Before You Begin .................................................................................................... 788
What You Must Know .............................................................................................. 789
Scanning for Security Updates and Patches .............................................................. 789
Using the Graphical Interface............................................................................... 789
Using the Command Line (Mbsacli.exe) ................................................................ 790
Analyzing the Output ........................................................................................... 790
Scanning Multiple Systems for Updates and Patches................................................. 790
SQL Server and MSDE Specifics .............................................................................. 791
Scanning for Secure Configuration............................................................................ 791
Performing the Scan............................................................................................ 791
Analyzing the Scan.............................................................................................. 792
Correcting Issues Found ...................................................................................... 792
Additional Information ............................................................................................. 792
False Positives From Security Update Checks........................................................ 792
Requirements for Performing Remote Scans ......................................................... 792
Password Scans ................................................................................................. 793
Differences Between Mbsa.exe and Mbsacli.exe ................................................... 793
Additional Resources .............................................................................................. 793
How To
Use IISLockdown.exe 795
Applies To .............................................................................................................. 795
Summary ............................................................................................................... 795
What Does IISLockdown Do? ................................................................................... 795
Installing IISLockdown ............................................................................................. 796
Running IISLockdown .............................................................................................. 797
Log Files ................................................................................................................ 798
Undoing IISLockdown Changes................................................................................. 798
Unattended Execution ............................................................................................. 798
Pitfalls ................................................................................................................... 799
How To
Use URLScan 801
Applies To .............................................................................................................. 801
Summary ............................................................................................................... 801
Contents ................................................................................................................ 801
Installing URLScan .................................................................................................. 801
Log Files ................................................................................................................ 802
Removing URLScan ................................................................................................. 802
Configuring URLScan............................................................................................... 802
Throttling Request Sizes with URLScan..................................................................... 803
Debugging VS .NET with URLScan Installed............................................................... 803
Masking Content Headers (Banners) ........................................................................ 804
Pitfalls ................................................................................................................... 804
References............................................................................................................. 804
How To
Create a Custom Encryption Permission 805
Applies To .............................................................................................................. 805
Summary ............................................................................................................... 805
Before You Begin .................................................................................................... 805
Summary of Steps .................................................................................................. 806
Step 1. Create the EncryptionPermission Class..................................................... 807
Step 2. Create the EncryptionPermissionAttribute Class ........................................ 815
Step 3. Install the Permission Assembly in the GAC............................................... 817
Step 4. Update the DPAPI Managed Wrapper Code ................................................ 817
Step 5. Call DPAPI from a Medium Trust Web Application ....................................... 819
How To
Use Code Access Security Policy to Constrain an Assembly 823
Applies To .............................................................................................................. 823
Summary ............................................................................................................... 823
Before You Begin .................................................................................................... 824
Summary of Steps .................................................................................................. 825
Step 1. Create an Assembly That Performs File I/O ................................................... 825
Step 2. Create a Web Application ............................................................................. 827
Step 3. Test File I/O with No Code Access Security Constraints.................................. 827
Step 4. Configure Code Access Security Policy to Constrain File I/O ........................... 828
Step 5. Test File I/O With Code Access Security Constraints ...................................... 830
Additional Resources 833
Download
Another Web Programming Books
Another Computer Security Books
No comments:
Post a Comment