Deck from my Jan 2008 MSDN presentations - download presentations at http://www.msdnevents.com/resources/2008-winter-resources.aspx
MSDN Events – January 2008
Lynn Langit
SoCal MSDN dev evangelist
blogs.msdn.com/SoCalDevGal
blogs.msdn.com/geekSpeak
Today’s Topics
IIS 7.0 for developers
Security Sidebars – fixing common vulnerabilities
ASP.NET Membership Provider customization
Today’s Schedule – Irvine, CA (am)
12 pm to 1:45 pm – IIS 7.0
2:00 pm to 3:45 pm – Security Sidebars
4:00 pm to 5:00 pm – ASP.NET Membership Provider
Some Housekeeping…
Please set all cell phones to silent
Evaluations are important!!
9 = A
8 = B
7 = C
If < 7 please include comments
Resource DVD – our way of saying “Thanks!”
Giveaways!!
BUSINESS AND TECHNICAL EXECUTIVES: Events designed to show business and technical executives how to streamline operations and increase efficiency through technology
SMALL BUSINESS: Information for small business decision makers who want to improve productivity, efficiency, and security in their workplace
IT PROFESSIONALS: “How-To” sessions delivering highly technical content -- direct from a Microsoft technology specialist with real-world experience
IT DEVELOPERS: Sessions designed for developers to get the latest tools and tips, chat with fellow developers and learn how to create rich new applications
PARTNERS: Designed for technology providers who are seeking to enhance technical knowledge, to improve selling skills and to learn about various programs and offers for partners.
What’s on in West Region
SoCal code camp Fullerton – Jan 26/27
Sleepless SharePoint Dev Event SoCal – Jan 26/27
Office Dev Conf (San Jose) – Feb 11-13
Launch LA – Feb 27
BarCampLA – Mar 1-2
SharePoint Dev Conf (Redmond) – March 3-6
Mix08 (Las Vegas) – March 5-7
CodeTrip (SoCal) – March 26-31
HP Compaq dc7800 desktop PC with Intel® Core™2 Processor with vPro™ Technology
Special Offer:
HP Compaq dc7800 Smart Buy*: Price: $1,059.00, Save $340! www.hp.com/go/smartbuy
Intel® Core™2 Duo processor E6550 2.33 GHz, 4 MB L2 cache, 1333 MHz front side bus, Intel Q35 Express Chipset, 2 GB 667 MHz DDR2 SDRAM, 160 GB 7200 rpm SATA, 3 year warranty, P/N: RU026UT
*HP Smart Buys are the easiest way to get the most popular, expertly pre-configured, ready-to-ship business solutions at discounted prices.
Promotional Offer
Visit the New Horizons CLC/Microsoft Learning table today and ask for your 40% discount exam voucher.
Please visit us at: www.NewHorizons.com
or www.microsoft.com/learning
What’s new for developers in IIS7
What Will We cover?
The new processing pipeline in IIS7
Using technologies such as PHP with IIS7
Customizing IIS7 with managed code
Agenda
Introducing IIS7 Architecture
Securing IIS7
Extending IIS7
Architecture Overview
[Diagram 1, the classic pipeline: HTTP Request -> Authentication (Basic, NTLM, Anon) -> Determine Handler (CGI, Static File, ISAPI) -> Send Response, Compression, Log -> HTTP Response; ASP.NET runs separately inside aspnet_isapi.dll with its own Authentication (Windows, Forms) and Map Handler (ASPX, Trace, …) stages.]
[Diagram 2, the IIS7 integrated pipeline: HTTP Request -> Authentication (Windows, Basic, Anon, Forms) -> Authorization -> ResolveCache -> Map Handler -> Execute Handler (Static File, ISAPI, ASPX, Trace, …) -> UpdateCache -> Send Response, Compression, Log -> HTTP Response; managed and native modules share one set of stages.]
Windows Process Activation Service (WAS)
Independent from IIS
Application pools
Identity
Isolates corruption
Message based activation
HTTP requests
Non-HTTP requests
Hosting a WCF Service in WAS
Demo
Configuration Files
IIS/WAS global settings: applicationHost.config
Application specific settings: web.config
No metabase
Remote configuration
Configuring IIS
Demo
Agenda
Introducing IIS7 Architecture
Securing IIS7
Extending IIS7
Secure by Default
Less surface area
Request filtering
Handler permissions
Hardened listeners
Authentication Modules
Method | Security Level | How Passwords are Sent | Crosses Proxy Servers and Firewalls | Client Requirements
Anonymous authentication | None | N/A | Yes | Any browser
ASP.NET Impersonation | Medium | Obscured | Yes | .NET
Basic authentication | Low | Base64 encoded clear text | Yes | Most browsers
Digest authentication | Medium | Hashed | Yes | IE 5.0 or later
Forms authentication | None | Plain text | Yes |
Windows authentication | High | Hashed or Kerberos ticket | No, unless over VPN | IE 2.0 for NTLM/W2K and IE 5.0 for Kerberos
Certificate authentication | High | N/A | Yes, using a SSL connection | IE and Netscape
Basic and Forms authentication put the credential on the wire essentially as typed, so both are only acceptable over SSL; for Forms authentication also set requireSSL="true" on the <forms> element so the ticket cookie is never sent over plain HTTP.
Managing modules
Demo
Agenda
Introducing IIS7 Architecture
Securing IIS7
Extending IIS7
Type of Extensibility
Modules and Handlers
Extending configuration
Extending IIS Manager
Extending Diagnostics
Modules and Handlers
Modules: similar to ISAPI filters, broader scope
Handlers: similar to ISAPI extensions, narrower scope
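The module/handler split above is easiest to see in code. The following is an added example, not a demo from the deck: a managed IHttpModule for the integrated pipeline that hooks BeginRequest and EndRequest, rejects requests containing a raw or encoded null byte, and tags every response with a request id. The class name, header name, and the check itself are my choices for illustration; IIS7's own request filtering already covers cases like this, and the point is where a managed module sits relative to the handler.

```csharp
using System;
using System.Web;

// Added example (not from the deck): a managed module for the IIS7 integrated
// pipeline. Once registered under <system.webServer> it runs for every request,
// static files included, which an ISAPI filter could only do in native code.
public class RequestGuardModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;   // earliest stage, before authentication
        app.EndRequest += OnEndRequest;       // after the handler (or after CompleteRequest)
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        ctx.Items["RequestId"] = Guid.NewGuid().ToString("N");

        if (!IsPathAcceptable(ctx.Request.RawUrl))
        {
            ctx.Response.StatusCode = 400;
            ctx.Response.StatusDescription = "Bad Request";
            app.CompleteRequest();   // skip the remaining stages, including the handler
        }
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        object id = ctx.Items["RequestId"];
        if (id != null)
            ctx.Response.AppendHeader("X-Request-Id", id.ToString());   // assumed header name
    }

    // Pure function so the rule can be unit tested without a web server.
    public static bool IsPathAcceptable(string rawUrl)
    {
        if (string.IsNullOrEmpty(rawUrl)) return false;
        return rawUrl.IndexOf('\0') < 0
            && rawUrl.IndexOf("%00", StringComparison.OrdinalIgnoreCase) < 0;
    }

    public void Dispose() { }
}

/* Registration in the application's web.config for integrated mode. The type
   attribute as written assumes the class lives in App_Code; for a compiled
   assembly use "Namespace.RequestGuardModule, AssemblyName". Adding
   preCondition="managedHandler" would limit it to ASP.NET requests again.

<configuration>
  <system.webServer>
    <modules>
      <add name="RequestGuard" type="RequestGuardModule" />
    </modules>
  </system.webServer>
</configuration>
*/
```

A handler, by contrast, would implement IHttpHandler and be mapped to a path or extension under <system.webServer><handlers>; it produces the response for that one kind of request rather than observing all of them.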
Extending IIS with managed code
Demo
Session Summary
IIS7 has a granular design
IIS7 has an integrated pipeline for handling requests
IIS7 is easily extensible with managed code
Links on Lynn’s blog – http://blogs.msdn.com/SoCalDevGal
Web Security Sidebars
MSDN Events
What Will We cover?
Creating Secure Web Applications
Common Threats Faced
How Does It Work?
What are the risks?
Real World Examples
How do I protect my web site?
Agenda
Growing importance of security
5 Most Common Threats
Cross Site Scripting
SQL Injection
Integer Overflow
One-Click Attack / Cross Site Request Forgery
Insecure Direct Object Reference & Securing Sensitive Information
www.HelloSecureWorld.com
Security is an increasingly important factor for web applications.
People place an increasing dependence on technology
Potential threats also increasing
ASP.NET integrates a number of built-in defensive barriers which make it easier to create secure web sites.
How To Build Secure Web Apps
Web Security
Facets Of Web Security
5 Most Common Security Risks
Cross Site Scripting
What is Cross Site Scripting?
Allows hackers to run malicious script in a client’s Web browser
Any Web page that renders dynamic HTML based on content that users submit, without encoding it for the context it lands in, is vulnerable
Cross Site Scripting
Potential Risks
Hackers can embed <script>, <object>, <applet>, and <embed> tags
Hackers can steal Web session information, modify the user’s screen
Cross Site Scripting
How To Mitigate
Validate and constrain input
Properly encode output, using the encoder for the context it lands in (HTML body, attribute, JavaScript, URL)
Microsoft Anti-Cross Site Scripting Library
What about Server.HTMLEncode?
Encodes only a fixed list of characters (<, >, &, ") rather than everything outside a safe set, which is what the Anti-XSS library does
Less secure
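To make the "encode output for its context" point concrete, here is an added console example (not code from the deck or the Anti-XSS library) that renders one constructed hostile input into a page fragment three ways: concatenated, HTML-encoded for the body, and attribute-encoded for a quoted attribute. It uses HttpUtility from System.Web.dll, which works outside IIS; the Anti-XSS calls that would replace it are named in a comment.

```csharp
using System;
using System.Web;   // reference System.Web.dll; HttpUtility runs fine in a console app

// Added example (not from the deck). Same greeting, three renderings.
public static class XssDemo
{
    // Constructed attacker input: breaks out of a quoted attribute, then injects a script.
    public const string HostileName = "\"><script>alert(document.cookie)</script>";

    // Vulnerable: user input is concatenated straight into the markup.
    public static string RenderUnsafe(string name)
    {
        return "<p>Hello " + name + "</p>";
    }

    // Fixed for the HTML body context: <, >, &, " become entities, so the
    // browser shows the text instead of parsing a <script> element.
    public static string RenderEncoded(string name)
    {
        return "<p>Hello " + HttpUtility.HtmlEncode(name) + "</p>";
    }

    // Fixed for an attribute context. HtmlAttributeEncode escapes the quote
    // that would otherwise close the value attribute; a body-context encoder
    // happens to cover this too, but a URL or script context would not.
    public static string RenderEncodedAttribute(string name)
    {
        return "<input type=\"text\" name=\"who\" value=\""
             + HttpUtility.HtmlAttributeEncode(name) + "\" />";
    }

    // Simple post-condition: encoded output must not contain the injected tag.
    public static bool ContainsRawScriptTag(string html)
    {
        return html.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    public static void Main()
    {
        Console.WriteLine(RenderUnsafe(HostileName));            // executes in a browser
        Console.WriteLine(RenderEncoded(HostileName));           // &quot;&gt;&lt;script&gt;... as text
        Console.WriteLine(RenderEncodedAttribute(HostileName));  // stays inside value="..."
        Console.WriteLine(ContainsRawScriptTag(RenderUnsafe(HostileName)));   // True
        Console.WriteLine(ContainsRawScriptTag(RenderEncoded(HostileName)));  // False

        // With the Anti-XSS library the encoders become
        // Microsoft.Security.Application.AntiXss.HtmlEncode(name) and
        // AntiXss.HtmlAttributeEncode(name), which encode every character
        // outside a whitelist rather than the fixed set HttpUtility knows.
    }
}
```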
Cross Site Scripting
Real World Example
• Attackers redirected PayPal visitors to a page warning users their accounts had been compromised.
• Victims were then redirected to a phishing site and prompted to enter sensitive financial data.
Source: http://www.acunetix.com/news/paypal.htm
Demo
Cross Site Scripting
SQL Injection
What is SQL Injection?
Affects dynamic SQL queries which utilize user input as part of the query
Attacker submits data containing a command that SQL Server executes
Attack Vectors
Query strings
Forms
Web Services
SQL Injection
Potential Risks
Probe databases
Bypass authorization
Execute multiple SQL statements
Call built-in stored procedures (e.g. xp_cmdshell)
SQL Injection
How to Mitigate
Constrain and sanitize input data
Use type-safe SQL parameters
Restrict permissions for the account used to access the database
Do not disclose error information
Use LINQ to SQL to access and interact with data; it emits parameterized queries, but concatenating user input into a string passed to DataContext.ExecuteQuery reintroduces the problem
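The first two mitigations side by side, as an added example rather than the deck's demo code. It builds the same login query once by string concatenation and once with typed SqlParameters, using two constructed inputs: one that comments out the password check and one that chains an xp_cmdshell call. No command is executed and the connection is never opened, so it runs offline; the table and column names and the connection string are assumed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the deck). Schema (Users.UserName, Users.PasswordHash)
// and the connection string are assumptions for the demonstration.
public static class SqlInjectionDemo
{
    // Constructed attacker inputs.
    public const string HostileUser  = "admin'--";                       // bypass the password clause
    public const string HostileUser2 = "x'; EXEC xp_cmdshell 'dir'; --"; // append a second statement

    // Vulnerable: whatever the user typed becomes part of the SQL text.
    public static string BuildUnsafeQuery(string user, string passwordHash)
    {
        return "SELECT UserId FROM Users WHERE UserName = '" + user +
               "' AND PasswordHash = '" + passwordHash + "'";
    }

    // Fixed: the SQL text is a constant; values travel as typed parameters and
    // cannot change the statement's structure. Narrow types and sizes mean
    // oversized input is rejected by the client library before it is sent.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string user, string passwordHash)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT UserId FROM Users WHERE UserName = @user AND PasswordHash = @hash", conn);
        cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = user;
        cmd.Parameters.Add("@hash", SqlDbType.Char, 64).Value = passwordHash;
        return cmd;
    }

    public static void Main()
    {
        string hash = "0000"; // constructed placeholder for a password hash

        Console.WriteLine(BuildUnsafeQuery(HostileUser, hash));
        // SELECT UserId FROM Users WHERE UserName = 'admin'--' AND PasswordHash = '0000'
        // Everything after -- is a comment: the password check is gone.

        Console.WriteLine(BuildUnsafeQuery(HostileUser2, hash));
        // Two statements now. If the application's DB login is sysadmin, the
        // second one runs a shell command, which is why the account must be
        // restricted to the tables and procedures the application needs.

        using (SqlConnection conn = new SqlConnection("Server=.;Database=App;Integrated Security=true"))
        {
            SqlCommand cmd = BuildSafeCommand(conn, HostileUser2, hash);
            Console.WriteLine(cmd.CommandText);                 // constant text, unchanged
            Console.WriteLine(cmd.Parameters["@user"].Value);   // the hostile string is just a value
        }
    }
}
```

The same property holds for stored procedures called with CommandType.StoredProcedure and parameters; it does not hold for a stored procedure that builds dynamic SQL from its arguments with EXEC, which only moves the concatenation into the database.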
SQL Injection
Real World Example
• The official government website for the state of Rhode Island (www.ri.gov) was the victim of a SQL Injection attack in January 2006.
• Hackers allegedly stole credit card data from individuals who have done business online with state agencies.
• The hackers claimed to have stolen as many as 53,000 credit card numbers
Source: http://www.webappsec.org/projects/whid/list_id_2006-3.shtml
Demo
SQL Injection
Integer Overflow
What is Integer Overflow?
Occurs when a calculation causes an integer to exceed the max or min value allowed by its data type; in C# the result silently wraps around unless the code runs in a checked context
Integer Overflow
Potential Risks
Data corruption
Application crashes, instability
Execution of arbitrary code
Preventing Integer Overflow
How To Mitigate
Validate user input: check for min and max values
Use the correct data type
Execute your code in a checked context
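An added example (not from the deck) of the three mitigations in one routine: a buffer length computed from two user-controlled integers, written first as it is usually written, then inside a checked block, then behind explicit range validation. The limits and the hostile values are constructed for the demonstration.

```csharp
using System;

// Added example (not from the deck). MaxRecords/MaxRecordSize are assumed
// application limits; 65536 * 65536 is the constructed hostile input.
public static class IntegerOverflowDemo
{
    public const int MaxRecords = 10000;
    public const int MaxRecordSize = 4096;

    // Vulnerable: in the default unchecked context count * size wraps silently,
    // so a huge request yields a tiny (or negative) length and later writes
    // run past the buffer the caller thinks it allocated.
    public static int UnsafeBufferLength(int count, int size)
    {
        return count * size;
    }

    // Fixed 1: a checked block throws OverflowException instead of wrapping.
    // (Compiling with /checked+ makes this the default for the whole assembly.)
    public static int CheckedBufferLength(int count, int size)
    {
        checked
        {
            return count * size;
        }
    }

    // Fixed 2: validate against the application's own limits before doing any
    // arithmetic. The product is then bounded by MaxRecords * MaxRecordSize
    // and cannot overflow, and the caller gets a meaningful rejection.
    public static bool TryValidatedBufferLength(int count, int size, out int length)
    {
        length = 0;
        if (count <= 0 || count > MaxRecords) return false;
        if (size <= 0 || size > MaxRecordSize) return false;
        length = count * size;
        return true;
    }

    public static void Main()
    {
        int count = 65536, size = 65536;   // 2^16 * 2^16 = 2^32, one past int's range

        Console.WriteLine(UnsafeBufferLength(count, size));   // 0: wrapped to a zero-byte buffer

        try
        {
            Console.WriteLine(CheckedBufferLength(count, size));
        }
        catch (OverflowException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);
        }

        int len;
        Console.WriteLine(TryValidatedBufferLength(count, size, out len));          // False
        Console.WriteLine(TryValidatedBufferLength(100, 512, out len) + " " + len); // True 51200
    }
}
```

"Use the correct data type" is the remaining item: computing the product in a long would hold 2^32 here, but only postpones the wrap to larger inputs, so it belongs with validation rather than instead of it.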
Integer Overflow
Real World Example
Apple’s OS X operating system contained a vulnerability which could be exploited remotely by an attacker to compromise a user's system. The ffs_mountfs() method was vulnerable to an integer overflow which could potentially allow arbitrary code to be executed.
Source: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1238554,00.html
Demo
Integer Overflow
Cross Site Request Forgery
What is Cross Site Request Forgery?
Forces a logged-on victim’s browser to send a request to a vulnerable web application
Request is sent by the victim’s browser, carrying the victim’s cookies, not by the attacker
Can be difficult to detect
Also known as “One-Click” vulnerability
Cross Site Request Forgery
Potential Risks
Exposes victim’s private information to attacker
Attacker can alter data, make purchases, retrieve account info.
Victim is usually unaware any changes have taken place
Cross Site Request Forgery
How to Mitigate
Include a unique token which the server validates when a request is received
ASP.NET: ViewStateUserKey
Ties view state content to a specific user
Must use a unique value for each user
Recommended: ViewStateUserKey = Session.SessionID, set in Page_Init, before view state is loaded
Only protects postbacks on pages that keep view state (with the view state MAC enabled); state-changing GET requests still need their own token
Require user confirmation with a shared secret
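An added example (not from the deck) of a base page that applies the ViewStateUserKey recommendation and adds an explicit per-session token for the requests view state does not cover. The session key and hidden field names are my choices; pages derive from this class instead of System.Web.UI.Page.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Added example (not from the deck). Assumes session state is enabled and
// EnableViewStateMac is left at its default of true.
public class CsrfProtectedPage : Page
{
    private const string TokenSessionKey = "__CsrfToken";   // assumed name
    private const string TokenFieldName = "__csrf";         // assumed name

    protected override void OnInit(EventArgs e)
    {
        // Must happen before view state is loaded, i.e. OnInit/Page_Init.
        // A forged POST carries view state generated for the attacker's session,
        // so the MAC check fails and ASP.NET throws ViewStateException.
        // ASP.NET only keeps a SessionID stable once something is stored in
        // Session; the token stored below guarantees that.
        ViewStateUserKey = Session.SessionID;
        base.OnInit(e);
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // View state only covers postbacks on pages that keep view state. Every
        // state-changing POST must also present the session's token, which a
        // page on another origin cannot read.
        if (IsPostBack && !IsValidToken(Request.Form[TokenFieldName]))
        {
            Response.StatusCode = 403;
            Response.End();
        }

        // Emit the token as a hidden field inside the page's form.
        ClientScript.RegisterHiddenField(TokenFieldName, CurrentToken());
    }

    private string CurrentToken()
    {
        string token = Session[TokenSessionKey] as string;
        if (token == null)
        {
            byte[] bytes = new byte[32];
            new RNGCryptoServiceProvider().GetBytes(bytes);   // unpredictable, unlike a counter
            token = Convert.ToBase64String(bytes);
            Session[TokenSessionKey] = token;
        }
        return token;
    }

    private bool IsValidToken(string submitted)
    {
        string expected = Session[TokenSessionKey] as string;
        return expected != null && submitted != null && submitted == expected;
    }
}
```

Handlers that change state on GET (a "delete" link, an .ashx endpoint) get no protection from either mechanism; they should be switched to POST or made to check the same token from the query string.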
Cross Site Request Forgery
Real World Example
A security flaw at FTD.com made it possible to access customer data simply by copying a cookie from one computer to another.
In addition, sequential values were used as identifiers, making it easier to guess the numbers of other valid cookies.
Strictly this is a session-management weakness (guessable, replayable session cookies) rather than CSRF, but it illustrates the same property CSRF abuses: the server trusts whatever request arrives with a valid cookie.
Source: http://www.news.com/2100-1017-984585.html
Demo
Cross Site Request Forgery
Insecure Direct Object Reference
What is Insecure Direct Object Reference?
Occurs when a direct reference to a file, directory, database record, etc. is exposed to users
Typically exposed in the URL as a querystring or form parameter
Hacker can manipulate the reference to access other objects
Insecure Direct Object Reference
Potential Risks
• Attacker can access other files or resources on the server
• Web.Config – contains database connection and user account info
• SAM file – holds the user names and password hashes for every account on the local machine
• This data can be used to create additional attacks
Insecure Direct Object Reference
Steps To Mitigate
Avoid directly referencing objects wherever possible
Use an index to assign a unique id, then reference the id
If a direct reference must be used, check on every request that the current user is authorized for that specific object, not just for the page
Encrypt sensitive sections in web.config (with aspnet_regiis.exe or the SectionInformation.ProtectSection API)
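Both database-record mitigations as an added console example (not from the deck): an ownership check on the direct reference, and an indirect-reference map that hands the browser opaque per-session tokens instead of database keys. Users, documents and ids are constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example (not from the deck). Store, users and ids are constructed.
public class Document
{
    public int Id;
    public string OwnerUser;
    public string Title;
}

public static class IdorDemo
{
    private static readonly Dictionary<int, Document> Store = new Dictionary<int, Document>
    {
        { 1001, new Document { Id = 1001, OwnerUser = "alice", Title = "Alice's invoice" } },
        { 1002, new Document { Id = 1002, OwnerUser = "bob",   Title = "Bob's invoice" } },
    };

    // Vulnerable: ?docId=1002 returns Bob's document to anyone who is logged in.
    public static Document GetDocumentUnsafe(int docId)
    {
        Document d;
        return Store.TryGetValue(docId, out d) ? d : null;
    }

    // Fixed 1: keep the direct reference, check ownership on every access.
    // Return null for both "not found" and "not yours" so responses do not
    // reveal which ids exist.
    public static Document GetDocumentAuthorized(string currentUser, int docId)
    {
        Document d;
        if (!Store.TryGetValue(docId, out d)) return null;
        return string.Equals(d.OwnerUser, currentUser, StringComparison.Ordinal) ? d : null;
    }

    // Fixed 2: indirect references. One map per session; the browser only ever
    // sees random tokens, and a token minted for another session simply is
    // not present here. Tokens must be unpredictable, so use the crypto RNG.
    public class ReferenceMap
    {
        private readonly Dictionary<string, int> tokenToId = new Dictionary<string, int>();
        private readonly Dictionary<int, string> idToToken = new Dictionary<int, string>();
        private readonly RandomNumberGenerator rng = RandomNumberGenerator.Create();

        public string TokenFor(int realId)
        {
            string token;
            if (idToToken.TryGetValue(realId, out token)) return token;
            byte[] bytes = new byte[16];
            rng.GetBytes(bytes);
            token = BitConverter.ToString(bytes).Replace("-", "");
            idToToken[realId] = token;
            tokenToId[token] = realId;
            return token;
        }

        public bool TryResolve(string token, out int realId)
        {
            return tokenToId.TryGetValue(token ?? "", out realId);
        }
    }

    public static void Main()
    {
        Console.WriteLine(GetDocumentUnsafe(1002).Title);                 // Bob's invoice, to anyone
        Console.WriteLine(GetDocumentAuthorized("alice", 1002) == null);  // True: denied
        Console.WriteLine(GetDocumentAuthorized("alice", 1001).Title);    // Alice's invoice

        ReferenceMap map = new ReferenceMap();   // would live in alice's Session
        string token = map.TokenFor(1001);       // what alice's links carry instead of 1001
        int id;
        Console.WriteLine(map.TryResolve(token, out id) && id == 1001);   // True
        Console.WriteLine(map.TryResolve("1002", out id));                // False: raw ids are not tokens
    }
}
```

The indirect map removes the enumerable id from the URL, but the ownership check is still the control that matters: a token that resolves must still be checked against the current user if the map is ever shared more widely than one session.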
Insecure Direct Object Reference
Real World Example
Cahoot (www.cahoot.com), a UK based online bank, allowed customers to access other people's accounts simply by changing the username in the URL
The website was closed down for 10 hours to repair the vulnerability
Source: http://news.bbc.co.uk/2/hi/business/3984845.stm
Demo
Insecure Direct Object Reference
Session Summary
Validate Input / Encode Output (Anti-XSS library)
Parameterize SQL Queries
Least privilege Account
Execute in a checked context
ViewStateUserKey = Session.SessionID
Reference objects indirectly
Encrypt Web.Config
For More Information
Anti XSS Library
http://www.microsoft.com/downloads/details.aspx?familyid=9a2b9c92-7ad9-496c-9a89-af08de2e5982&displaylang=en
Built-in ASP.NET security features
http://msdn2.microsoft.com/en-us/library/ms972969.aspx
HelloSecureWorld.com
http://www.hellosecureworld.com
Extending ASP.NET Application Services
MSDN Events
Winter, 2007
What Will We cover?
ASP.NET Provider Model
Application Services
Rich Clients in .NET 3.5
Level 200
Helpful Experience
ASP.NET 2.0 Login Controls
Microsoft Ajax Library
Silverlight
Building a WinForms application
Agenda
Understanding ASP.NET providers and the Provider Model
Using Built-in Providers and Application Services
Using Application Services in .NET 3.5
The Provider Model
Provider Design Pattern
[Diagram: ProviderBase (methods and properties) <- MembershipProvider : ProviderBase (methods and properties) <- MySQLMembershipProvider : MembershipProvider (overridden methods and properties)]
Built-in Providers
Custom Providers
Working with Providers
Integration with ASP.NET 2.0 controls
Login Controls
Other Controls
Provider Configuration
ASP.NET Server Setup
ASP.NET Configuration Tool
Demo
Introducing Providers
Agenda
Understanding ASP.NET providers and the Provider Model
Using Built-in Providers and Application Services
Using Application Services in .NET 3.5
Application Service Flexibility
[Diagram: Application Services consumed by ASP.NET, Ajax, Silverlight and Web Services (SOAP) clients]
Application Services with Ajax
Ajax: ASP.NET 2.0 – 3.5
Silverlight 1.0
Web Services: Silverlight 2.0
Other SOAP Clients
Demo
Sharing Providers with Ajax and Silverlight
Agenda
Understanding ASP.NET providers and the Provider Model
Using Built-in Providers and Application Services
Using Application Services in .NET 3.5
Services in Visual Studio 2008
Application Services Integration
Services Page
New Libraries: System.Web.ClientServices
Offline Support: SQL/CE
Customized
Demo
Using Application Services from a Rich Client
Session Summary
Simplified storage solutions with the Provider Model
Using Application Services to increase productivity
Harness Application Services from different clients
http://www.msdnevents.com/resources
Thanks for attending!
Lynn Langit, MSDN Developer Evangelist – Southern California, http://blogs.msdn.com/SoCalDevGal