Best Practices and Techniques for Building Secure ASP.NET Applications
Patrick Hynds, CriticalSites
MSDN Regional Director for Boston, MCSD, MCSE+I, MCDBA, MCT, MCP + Site Builder
Experience / Background
• Services
  • Integration (Design, Best Practices)
  • Development (Ecommerce, Commercial)
  • Technology Consultant Coaching
• Notables
  • Built 1st Windows logo certified .Net app
  • Regularly present at:
    • TechEd US and TechEd Hong Kong
    • .Net User’s Groups worldwide (INETA Speaker)
    • and many other international events
  • Security Editor for .Net Developer’s Journal
Agenda
• Threat modeling
• Security Starting with IIS
• Beyond the Web Server
  • Authentication
  • Authorization
  • Configuration settings
  • Storing secrets
  • Data validation
Internal Threats
• Disgruntled employee
• Bad faith business partner
• Human engineering
• Virus proliferation
• Credential reuse outside your org
• Improper configuration of security settings
• At home backups
External Threats
• Random script kiddie
• Slighted prospect
• Unscrupulous competitor
• Zombie army enlistment
• Warez hijacking
• Determined, professional attack
• Being first to get hit by a new exploit
Anonymous Authentication
• Resource access as anonymous
  • IUSR_Machinename (e.g. IUSR_Typhon)
• Process identity:
  • LocalSystem, or
  • IWAM_Machinename (e.g. IWAM_Typhon)
• Anonymous user is completely configurable
Basic Authentication
• Process identity: IWAM or LocalSystem
• Resource access as authenticated user
• Pros
  • Least common denominator
  • All HTTP clients support basic auth
  • Supports one hop delegation
• Cons
  • Clear text password (Base64 encoded)
    • Over the wire
    • On the server
  • Needs to be protected via SSL
Digest Authentication
• Pros
  • No clear text password over the wire
  • Works through proxies
  • Password is not known to IIS
• Cons
  • Medium secure
  • Internet Explorer 5 and higher
  • No delegation
  • Requires Active Directory
  • Password in AD (reversible encryption)
Windows Integrated Authentication
• Security Support Provider Interface (SSPI)-based
• NTLM or Kerberos
• IIS asks the client what protocol it supports
• Protocol can be enforced
  • NTAuthenticationProviders
    • Negotiate
    • NTLM
    • Kerberos
NTLM Authentication
• Pros
  • Works out-of-the-box
  • Provides automatic logon / no logon dialog box
• Cons
  • Enterprise only – does not work through proxy servers (keep-alive connection required)
  • No delegation
  • Configured to be compatible with older clients
Kerberos Authentication
• Strong, scalable, fast, supports delegation
• Limited client support
  • Internet Explorer 5 and Windows 2000
• Issues
  • DC has to be client accessible
  • Service Principal Name
  • Domain Administrator needs to be involved
  • Delegation needs to be enabled
    • Unconstrained!
• Setup
  • Best description in “Designing Secure Web-Based Applications”
Client Certificate Authentication
• Pros
  • Very secure
  • Flexible
  • Integrity, confidentiality
• Cons
  • Higher management costs for PKI
  • Usability
  • Scalability and performance
Windows Authentication
• Can be used in combination with Basic, NTLM, Digest, Kerberos, and so forth
• User is authenticated by IIS
• Easiest of all
• Request flow
  • Client makes request
  • IIS authenticates request, forwards to ASP.NET
  • Impersonation turned on?
  • ASP.NET returns response to client
Forms Authentication
• Uses cookie to authenticate
• Enables SSL for logon page
• Often used for personalization
Forms Authentication Configuration
• Enable anonymous access in IIS
• Configure <authentication> section
  • Set mode to “Forms”
  • Add the <forms> section
• Configure <authorization> section
  • Deny access to anonymous user
• Create logon page
  • Validate the user
  • Provide authentication cookie
  • Redirect the user to the requested page
<forms> Section Attributes
• loginUrl: unauthenticated requests are redirected to this page
• name: name of the authentication cookie
• path: path of the authentication cookie
• protection: All | None | Encryption | Validation
• timeout: authentication cookie expiration (minutes)

  <authentication mode="Forms">
    <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" path="/" />
  </authentication>
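The configuration steps above, put together in one web.config. This is an added example, not a file from the deck: the <forms> element is the one on the slide, the <authorization> block is what "deny access to anonymous user" looks like in configuration, and the <location> for login.aspx is an assumption that keeps the logon page itself reachable before the user has a cookie.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Step: set mode to "Forms" and add the <forms> section (values from the slide) -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" path="/" />
    </authentication>

    <!-- Step: deny the anonymous user. "?" means anonymous, "*" means everyone.
         Rules are evaluated top down and the first match wins; machine.config ends
         with <allow users="*"/>, so authenticated users fall through to that. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Assumption for this example: the logon page stays open to anonymous users,
       otherwise the redirect from loginUrl would loop back to itself. -->
  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

IIS still needs anonymous access enabled on the virtual directory (the first step on the slide); ASP.NET, not IIS, decides who gets in once this file is in place.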
Demo: Forms Authentication
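The "create logon page" step (validate the user, provide the cookie, redirect) as a code-behind for the login.aspx named by loginUrl. This is an added example, not code from the deck or from the demo: the control names, the Login class and the constructed credential table are assumptions; a real application loads the stored hashes from its user store rather than building them in a constructor.

```vb
' Added example: code-behind for login.aspx. Control names (txtUser, txtPassword,
' btnLogin, lblError) are assumptions for this example.
Imports System
Imports System.Collections
Imports System.Text.RegularExpressions
Imports System.Web.Security
Imports System.Web.UI
Imports System.Web.UI.WebControls

Public Class Login
    Inherits Page

    Protected txtUser As TextBox
    Protected txtPassword As TextBox
    Protected lblError As Label
    Protected WithEvents btnLogin As Button

    ' Constructed credential store for the example only. The values are SHA1 hex digests in the
    ' format FormsAuthentication.HashPasswordForStoringInConfigFile produces; in production they
    ' come from the database, and the plaintext never appears in code.
    Private Shared ReadOnly Users As New Hashtable

    Shared Sub New()
        Users.Add("alice", FormsAuthentication.HashPasswordForStoringInConfigFile("correct horse", "SHA1"))
        Users.Add("bob", FormsAuthentication.HashPasswordForStoringInConfigFile("battery staple", "SHA1"))
    End Sub

    ' Validate the user: constrain the name first, then compare hash to hash.
    Private Function ValidateUser(ByVal userName As String, ByVal password As String) As Boolean
        If userName Is Nothing OrElse password Is Nothing Then Return False
        ' Only the shape a user name is allowed to have; anything else is rejected before lookup
        If Not Regex.IsMatch(userName, "^[A-Za-z0-9_.-]{1,32}$") Then Return False
        Dim stored As String = CType(Users(userName), String)
        If stored Is Nothing Then Return False
        Dim supplied As String = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1")
        Return String.Compare(stored, supplied, True) = 0
    End Function

    Private Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnLogin.Click
        If ValidateUser(txtUser.Text, txtPassword.Text) Then
            ' Provide the authentication cookie (non-persistent: False) and redirect the user to the
            ' page that sent them here (ReturnUrl), or to the application default page if none.
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, False)
        Else
            ' One generic message; do not reveal whether the name or the password was wrong.
            lblError.Text = "Login failed."
        End If
    End Sub
End Class
```

With protection="All" in the <forms> section the cookie that RedirectFromLoginPage issues is both encrypted and signed, so the client cannot read or alter the user name inside it; the SSL the earlier slide calls for is what stops the cookie being captured in transit.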
Authorization
• Process of determining whether a user is allowed to perform a requested action
• File-based authorization
  • Performed by FileAuthorizationModule
  • Performs checks against Windows ACLs
• Custom – handle AuthorizeRequest event
  • Application level (global.asax)
  • HTTP module (implement IHttpModule)
• URL-based authorization
  • Performed by UrlAuthorizationModule
Windows Users (Check Roles)

  ' Windows authentication: roles are the Windows groups the IIS-authenticated user belongs to
  If User.IsInRole("BUILTIN\Administrators") Then
      Response.Write("You are an Admin")
  ElseIf User.IsInRole("BUILTIN\Users") Then
      Response.Write("You are a User")
  Else
      Response.Write("Invalid user")
  End If
Non-Windows Users (Attach Roles)
• Handle AuthenticateRequest event
• Create GenericPrincipal
• Attach roles to Identity
• Assign new Principal to User

  ' global.asax; GenericPrincipal lives in System.Security.Principal, so the file needs
  ' <%@ Import Namespace="System.Security.Principal" %>
  Sub Application_AuthenticateRequest(s As Object, e As EventArgs)
      If Not (User Is Nothing) Then
          If User.Identity.AuthenticationType = "Forms" Then
              ' Demo: every Forms user gets the Admin role. A real application looks the
              ' user's roles up in its store here.
              Dim Roles() As String = {"Admin"}
              ' Replace the principal ASP.NET built from the cookie with one that carries roles
              User = New GenericPrincipal(User.Identity, Roles)
          End If
      End If
  End Sub
Non-Windows Users (Check Roles)

  ' Same IsInRole call as for Windows users; the role names are whatever was attached above
  If User.IsInRole("Admin") Then
      Response.Write("You are an Administrator")
  Else
      Response.Write("You do not have any role assigned")
  End If
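The same role check expressed as URL-based authorization, so that UrlAuthorizationModule (from the Authorization slide) enforces it for a whole directory instead of each page calling IsInRole. This is an added example, not from the deck; the admin directory path and the error page are assumptions. It works for both cases above: a Windows group name for Windows users, or the role attached in Application_AuthenticateRequest for Forms users.

```xml
<configuration>
  <!-- Assumed layout for this example: the admin pages live under /admin -->
  <location path="admin">
    <system.web>
      <authorization>
        <!-- Order matters: the first matching rule wins. Allow the role, then deny everyone
             else ("*") so the machine.config default of allow-all never applies here. -->
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

For Windows authentication the role string is the group name as IsInRole expects it (for example the BUILTIN\Administrators used on the slide), written as roles="BUILTIN\Administrators". Without the trailing deny the section would be open to any authenticated user, which is the mistake to check for when reviewing these files.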
Demo: Custom Authentication with Roles
Configuration Settings
• Review production configuration:
  • <customErrors> RemoteOnly or On
    • Make sure that verbose remote errors are not enabled
    • Do not reveal exception details in custom error pages
  • <compilation> disable debugging
• Review IIS scriptmaps
  • Only enable ones you need
  • Use IIS Lockdown (Windows 2000/IIS 5)
• Shared servers
  • Use configuration lockdown
    • <location allowOverride=“false”/>
  • Isolate by process (IIS 6) and/or with <trust> level
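The review items above as a locked-down configuration fragment for a shared server. This is an added example, not from the deck; the error page name and the choice of Medium trust are assumptions. Each comment names the weak value the setting replaces.

```xml
<configuration>
  <!-- Configuration lockdown: with allowOverride="false" a web.config in any application
       below this one cannot relax the settings inside the <location>. -->
  <location allowOverride="false">
    <system.web>
      <!-- RemoteOnly: detailed errors only for a browser on the server itself; remote
           clients get the generic page. mode="Off" sends stack traces, source lines and
           paths to every client. The error page must not echo exception details either. -->
      <customErrors mode="RemoteOnly" defaultRedirect="error.htm" />

      <!-- debug="true" compiles with symbols and ships extra detail in error output;
           production runs with debugging disabled. -->
      <compilation debug="false" />

      <!-- Trust level below Full limits what code in these applications can reach
           (file system, registry, network) if one of them is compromised. Medium is
           an assumption for this example; the right level depends on the applications. -->
      <trust level="Medium" />
    </system.web>
  </location>
</configuration>
```

This belongs in machine.config or the root web.config, above the applications it is meant to constrain; placing it inside one application only protects that application.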
Machine.Config
• Some settings vary by .Net Framework version
  • HTTPGet
  • HTTPPost
  • HTTPSoap

Demo: Machine.Config for Security
Accounts
• Administrator
• Deception planning against hackers
• Service Accounts
Storing Secrets
• Do avoid secrets when you can
  • Consider using integrated authentication
• Use layered protection when you need secrets
  • Access control settings
  • Data Protection API (DPAPI)
• Use aspnet_setreg for ASP.NET secrets
  • <processModel>, <identity>, <sessionState>
  • http://support.microsoft.com/default.aspx?scid=kb;EN-US;329290

Demo: Random Salt in the DB
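The "random salt in the DB" demo as working code: one secret the application cannot avoid is the user's password, and the least it should store is a per-user random salt plus a hash, never the password itself. This is an added example, not the deck's demo code; the class name, salt length and the SHA-256 choice are assumptions.

```vb
' Added example: storing a password as random salt + hash and verifying a login against it.
Imports System
Imports System.Security.Cryptography
Imports System.Text

Public Class SaltedPassword
    Private Const SaltBytes As Integer = 16

    ' Cryptographically random salt. System.Random is predictable and must not be used here.
    Public Shared Function NewSalt() As Byte()
        Dim salt(SaltBytes - 1) As Byte
        Dim rng As New RNGCryptoServiceProvider
        rng.GetBytes(salt)
        Return salt
    End Function

    ' SHA-256 over salt || UTF-8 password. Because every user has a different salt, two users
    ' with the same password get different hashes and a table precomputed for one is useless
    ' against the others.
    Public Shared Function Hash(ByVal password As String, ByVal salt As Byte()) As Byte()
        Dim pwd As Byte() = Encoding.UTF8.GetBytes(password)
        Dim input(salt.Length + pwd.Length - 1) As Byte
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length)
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length)
        Dim sha As New SHA256Managed
        Return sha.ComputeHash(input)
    End Function

    ' Called at registration: returns the two Base64 strings that go into the DB row.
    ' The plaintext password is not stored anywhere.
    Public Shared Sub Store(ByVal password As String, ByRef saltB64 As String, ByRef hashB64 As String)
        Dim salt As Byte() = NewSalt()
        saltB64 = Convert.ToBase64String(salt)
        hashB64 = Convert.ToBase64String(Hash(password, salt))
    End Sub

    ' Called at login: recompute with the stored salt and compare.
    Public Shared Function Verify(ByVal password As String, ByVal saltB64 As String, ByVal hashB64 As String) As Boolean
        Dim expected As Byte() = Convert.FromBase64String(hashB64)
        Dim actual As Byte() = Hash(password, Convert.FromBase64String(saltB64))
        If expected.Length <> actual.Length Then Return False
        ' Compare every byte without an early exit so timing does not reveal where they differ
        Dim diff As Integer = 0
        Dim i As Integer
        For i = 0 To expected.Length - 1
            diff = diff Or (expected(i) Xor actual(i))
        Next
        Return diff = 0
    End Function
End Class
```

Store once at registration and Verify on every login; the columns hold only the salt and the hash, so a copy of the table does not hand out passwords. A single SHA-256 round is what this era's framework offers out of the box; the same structure holds when a slower, iterated password hash is substituted for Hash.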
Data Validation
• Validate all input data
  • Use ASP.NET validation controls
  • Use regular expressions for other cases (e.g., web service parameters)
• Use parameterized stored procedures or queries for data access to prevent SQL Injection
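The two data validation points in code: a regular expression that constrains a web service parameter before it is used, and a parameterized query (and the stored-procedure form) in place of string concatenation. This is an added example, not from the deck; the Customers table, its columns, the usp_GetCustomerName procedure and the class name are assumptions.

```vb
' Added example: input validation plus parameterized data access. Table, column and
' procedure names are assumptions for this example.
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Text.RegularExpressions

Public Class CustomerLookup
    ' The only shape an account number may have: letters and digits, 1 to 20 of them.
    ' Anchored at both ends so nothing can be appended or prepended.
    Private Shared ReadOnly AccountPattern As New Regex("^[A-Za-z0-9]{1,20}$")

    Public Shared Function IsValidAccountNumber(ByVal accountNumber As String) As Boolean
        Return Not (accountNumber Is Nothing) AndAlso AccountPattern.IsMatch(accountNumber)
    End Function

    ' The pattern the slide warns against, shown only for contrast: the input is pasted into the
    ' SQL text, so a quote character in it ends the string literal and the remainder of the input
    ' is parsed as SQL. This function is never executed here.
    Public Shared Function ConcatenatedQueryText(ByVal accountNumber As String) As String
        Return "SELECT Name FROM Customers WHERE AccountNumber = '" & accountNumber & "'"
    End Function

    ' Parameterized query: the value is sent separately from the statement and is only ever
    ' treated as data, whatever characters it contains.
    Public Shared Function GetCustomerName(ByVal conn As SqlConnection, ByVal accountNumber As String) As String
        If Not IsValidAccountNumber(accountNumber) Then
            Throw New ArgumentException("Account number has an unexpected format.")
        End If
        Dim cmd As New SqlCommand("SELECT Name FROM Customers WHERE AccountNumber = @acct", conn)
        cmd.Parameters.Add("@acct", SqlDbType.VarChar, 20).Value = accountNumber
        Return CType(cmd.ExecuteScalar(), String)
    End Function

    ' Same lookup through a parameterized stored procedure, as the slide recommends.
    Public Shared Function GetCustomerNameViaProc(ByVal conn As SqlConnection, ByVal accountNumber As String) As String
        If Not IsValidAccountNumber(accountNumber) Then
            Throw New ArgumentException("Account number has an unexpected format.")
        End If
        Dim cmd As New SqlCommand("usp_GetCustomerName", conn)
        cmd.CommandType = CommandType.StoredProcedure
        cmd.Parameters.Add("@AccountNumber", SqlDbType.VarChar, 20).Value = accountNumber
        Return CType(cmd.ExecuteScalar(), String)
    End Function
End Class
```

The regular expression and the parameter are two separate layers: the parameter alone already stops the query text being altered, and the pattern check rejects input the application has no business sending to the database in the first place.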
The Future / Whidbey
• Indigo
• NGSCB (Next Generation Secure Computing Base)
• Dynamic compilation switch
• New Login controls
Summary
• Security is a war! Don’t fight fair.
• Defense in layers
• Not a part-time job or “nice to have” feature anymore
• Make security part of every aspect of your projects
  • Should be about 12% of effort per project
Resources
• How ASP.NET Security Works
  • An overview of ASP.NET security
  • http://msdn.microsoft.com/library/dotnet/cpguide/cpconhowaspnetsecurityworks.htm
• Key Concepts in Application Security
  • A basic review of the major components needed to secure applications
  • http://msdn.microsoft.com/library/dotnet/cpguide/cpconkeyconceptsinsecurity.htm