ASP.NET 2.0 Security Practices
From Guidance Share
- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley, Kishore Gopalan
What's New in 2.0
- Forms authentication and membership
- Role manager
- DPAPI managed wrapper
- Configuration file changes
- Configuration file encryption
- Health monitoring
- Code access security changes
- Machine key enhancements
- Impersonation token can be retained in new thread
Auditing and Logging
Authentication
- How to choose between Windows authentication and forms authentication
- How to use Windows authentication in ASP.NET
- How to use Kerberos authentication in ASP.NET
- How to use forms authentication in ASP.NET
- How to protect forms authentication
- How to use membership in ASP.NET 2.0
- How to use forms authentication with SQL Server
- How to use forms authentication with Active Directory
- How to use forms authentication with Active Directory in multiple domains
- How to enforce strong passwords using membership
- How to configure account lockout using membership
- How to enable password reset using ActiveDirectoryMembershipProvider
Authorization
- How to perform authorization in ASP.NET
- How to perform role-based authorization in code
- How to use role manager in ASP.NET
- How to use Windows groups for role authorization
- How to use Authorization Manager in ASP.NET
- How to cache roles in ASP.NET
- How to configure URL authorization in Web.config
- How to lock authorization settings
Code Access Security
- How to use code access security in ASP.NET
- How to use custom trust levels with code access security in ASP.NET
- How to run in Medium trust
Configuration
- How to encrypt sensitive data in Machine.config and Web.config
- How to choose between machine and user key storage
- How to use DPAPI with a user store to encrypt a connection string in Web.config
- How to use RSA with a user-level key container to encrypt a connection string in Web.config
- How to run an ASP.NET application with a particular identity
- How to create a service account for ASP.NET
- How to configure the machine key in Web farms
- How to lock configuration settings
Data Access
- How to protect database connection strings
- How to access a database from ASP.NET
- How to use Windows authentication to connect to SQL Server
- How to access SQL Server by using SQL authentication
- How to use the Network Service account to connect to SQL Server
- How to prevent SQL injection
Exception Management
- How to handle exceptions securely
- How to prevent detailed errors from returning to the client
- How to use structured exception handling
- How to create a global error handler for your application
- How to specify a default error page
Impersonation and Delegation
- How to choose between trusted subsystem and impersonation/delegation
- How to impersonate the original caller
- How to temporarily impersonate the original caller
- How to use protocol transition and constrained delegation in ASP.NET
- How to retain impersonation in the new thread
Input and Data Validation
- How to validate input in ASP.NET
- How to validate input in server controls
- How to validate input in HTML controls, QueryString, cookies, and HTTP headers
- How to prevent cross-site scripting
Secure Communication
- How to choose between IPSec and SSL
- How to secure communication between browser clients and Web server
- How to secure communication between servers