Jan 2008 Allup

MSDN Events – January 2008MSDN Events – January 2008

Lynn Langit Lynn Langit

SoCal MSDN dev evangelistSoCal MSDN dev evangelist

blogs.msdn.com/blogs.msdn.com/SoCalDevGalSoCalDevGal

blogs.msdn.com/geekSpeakblogs.msdn.com/geekSpeak

Today’s TopicsToday’s Topics

IIS 7.0 for developersIIS 7.0 for developers

Security Sidebars – fixing common Security Sidebars – fixing common vulnerabilitiesvulnerabilities

ASP.NET Membership Provider customizationASP.NET Membership Provider customization

Today’s Schedule – Irvine, CA (am)Today’s Schedule – Irvine, CA (am)

12 pm to 1:45 pm – IIS 7.012 pm to 1:45 pm – IIS 7.0

2:00 pm to 3:45 pm – Security Sidebars2:00 pm to 3:45 pm – Security Sidebars

4:00 pm to 5:00 pm – ASP.NET Membership 4:00 pm to 5:00 pm – ASP.NET Membership ProviderProvider

Some Housekeeping…Some Housekeeping…

Please set all cell phones to silentPlease set all cell phones to silent

Evaluations are important!!Evaluations are important!!9 = A9 = A

8 = B8 = B

7 = C7 = C

If < 7 please include commentsIf < 7 please include comments

Resource DVD – our way of saying Resource DVD – our way of saying “Thanks!”“Thanks!”

Giveaways!!Giveaways!!

BUSINESS AND TECHNICAL

EXECUTIVESSMALL BUSINESS IT PROFESSIONALS IT DEVELOPERS PARTNERS

Events Events designed to designed to show show business and business and technical technical executives executives how to how to streamline streamline operations operations and increase and increase efficiency efficiency through through technologytechnology

Information Information for small for small business business decision decision makers who makers who want to want to improve improve productivity, productivity, efficiency, efficiency, and security and security in their in their workplaceworkplace

““How-To” How-To” sessions sessions delivering delivering highly technical highly technical content -- direct content -- direct from a from a Microsoft Microsoft technology technology specialist with specialist with real-world real-world experienceexperience

Sessions Sessions designed for designed for developers to developers to get the latest get the latest tools and tools and tips, chat with tips, chat with fellow fellow developers developers and learn and learn how to create how to create rich new rich new applicationsapplications

Designed for Designed for technology technology providers who providers who are seeking to are seeking to enhance enhance technical technical knowledge, to knowledge, to improve selling improve selling skills and to skills and to learn about learn about various various programs and programs and offers for offers for partners.partners.

What’s on in West RegionWhat’s on in West Region

SoCal code camp Fullerton – Jan 26/27Sleepless SharePoint Dev Event SoCal – Jan 26/27Office Dev Conf (SanJose) – Feb 11-13Launch LA – Feb 27BarCampLA – Mar 1-2SharePoint Dev Conf (Redmond) – March 3-6Mix08 (Las Vegas) – March 5-7CodeTrip (SoCal) – March 26-31

HP Compaq dc7800 desktop PC HP Compaq dc7800 desktop PC with Intelwith Intel®® Core Core™™2 Processor with vPro2 Processor with vPro™™ Technology Technology

Special Offer:

HP Compaq dc7800 Smart Buy*:Price: $1,059.00 Save $340!www.hp.com/go/smartbuy

Intel® Core™2 Duo processor E6550 2.33 GHz 4 MB L2 cache 1333 MHz front side bus Intel Q35 Express Chipset2 GB 667 MHz DDR2 SDRAM160 GB 7200 rpm SATA3 year warrantyP/N: RU026UT

*HP Smart Buys are the easiest way to get the most popular, expertly pre-configured, ready-to-ship business solutions at discounted prices.

http://www.hp.com/go/smartbuy

PromotionPromotional Offeral Offer

Visit the New Horizons CLC/Microsoft Visit the New Horizons CLC/Microsoft Learning table today and ask for your Learning table today and ask for your

40% discount exam voucher. 40% discount exam voucher.

Please visit us at: Please visit us at: www.NewHorizons.com

or or www.microsoft.com/learning

http://www.newhorizons.com/

http://www.microsoft.com/learning

What’s new for developers in IIS7

What’s new for developers in IIS7

What Will We cover?What Will We cover?

The new processing pipeline in IIS7The new processing pipeline in IIS7

Using technologies such as PHP with IIS7Using technologies such as PHP with IIS7

Customizing IIS7 with managed codeCustomizing IIS7 with managed code

AgendaAgenda

Introducing IIS7 ArchitectureIntroducing IIS7 Architecture

Securing IIS7Securing IIS7

Extending IIS7Extending IIS7

Architecture OverviewArchitecture Overview

AuthenticationBasic NTLM Anon

CGI

Static File

ISAPI

Send Response

CompressionLog

HTTP Request

Determine Handler

aspnet_isapi.dll

Authentication

Windows

ASPX

Trace

…

Forms

Map Handler

HTTP Response

Basic

Anon

Static File

ISAPI

Send Response Compression

Log

HTTP Request

HTTP Response

Execute Handler

aspnet_isapi.dll

Authentication

Windows

ASPX

Trace

…

Forms

Map Handler

Authorization

ResolveCache

UpdateCache

Authentication

Windows Activation ServiceWindows Activation Service

Independent from IISIndependent from IIS

Application poolsApplication poolsIdentityIdentity

Isolates corruptionIsolates corruption

Message based activationMessage based activationHTTP requestsHTTP requests

Non-HTTP requestsNon-HTTP requests

Hosting a WCF Hosting a WCF Service in WASService in WAS

DemoDemo

Configuration FilesConfiguration Files

IIS/WAS global settingsIIS/WAS global settingsapplicationHost.configapplicationHost.config

Application specific settingsApplication specific settingsweb.configweb.config

No metabaseNo metabase

Remote configurationRemote configuration

Configuring IISConfiguring IIS

DemoDemo

AgendaAgenda




Secure by DefaultSecure by Default

Less surface areaLess surface area

Request filteringRequest filtering

Handler permissionsHandler permissions

Hardened listenersHardened listeners

Authentication ModulesAuthentication Modules

Method Security Level

How Passwords are Sent

Crosses Proxy Servers and Firewalls

Client Requirements

Anonymous authentication

None N/A Yes Any Browser

ASP.NET Impersonation

Medium Obscured Yes .NET

Basic authentication

Low Base64 encoded clear text

Yes Most Browsers

Digest authentication

Medium Hashed Yes IE 5.0 or later

FORMS authentication

None Plain text Yes

Windows authentication

High Hashed or Kerberos ticket

No, unless over VPN

IE 2.0 for NTLM/ W2K and IE 5.0 for Kerberos

Certificate authentication

High N/A Yes, using a SSL connection

IE and Netscape

Managing modulesManaging modules

DemoDemo

AgendaAgenda




Type of ExtensibilityType of Extensibility

Modules and HandlersModules and Handlers

Extending configurationExtending configuration

Extending IIS ManagerExtending IIS Manager

Extending DiagnosticsExtending Diagnostics

Modules and HandlersModules and Handlers

ModulesModules Similar to ISAPI filtersSimilar to ISAPI filters Broader scopeBroader scope

HandlersHandlersSimilar to ISAPI extensionSimilar to ISAPI extension

Narrower scopeNarrower scope

Extending IISExtending IISwith managed codewith managed code

DemoDemo

Session SummarySession Summary

IIS7 has a granular designIIS7 has a granular design

IIS7 has an integrated pipeline IIS7 has an integrated pipeline for handling requestsfor handling requests

IIS7 is easily extensible with IIS7 is easily extensible with managed codemanaged code

Links on Lynn’s blog – Links on Lynn’s blog – http://blogs.msdn.com/SoCalDehttp://blogs.msdn.com/SoCalDevGalvGal

Web Security SidebarsWeb Security Sidebars

MSDN EventsMSDN Events


Creating Secure Web ApplicationsCreating Secure Web Applications

Common Threats FacedCommon Threats FacedHow Does It Work?How Does It Work?

What are the risks?What are the risks?

Real World ExamplesReal World Examples

How do I protect my web site?How do I protect my web site?

AgendaAgenda

Growing importance of securityGrowing importance of security

5 Most Common Threats 5 Most Common Threats

Cross Site ScriptingCross Site Scripting

SQL InjectionSQL Injection

Integer OverflowInteger Overflow

One-Click Attack / Cross Site Request One-Click Attack / Cross Site Request ForgeryForgery

Insecure Direct Object Reference & Insecure Direct Object Reference & Securing Sensitive InformationSecuring Sensitive Information

www.HelloSecureWorld.comwww.HelloSecureWorld.com

Security is an increasingly important factor Security is an increasingly important factor for web applications.for web applications.

People place an increasing dependence People place an increasing dependence on technologyon technology

Potential threats also increasing Potential threats also increasing

ASP.NET integrates a number of built-in ASP.NET integrates a number of built-in defensive barriers which make it easier to defensive barriers which make it easier to create secure web sites.create secure web sites.

How To Build Secure Web AppsHow To Build Secure Web Apps

Web Security Web Security

Facets Of Web SecurityFacets Of Web Security

5 Most Common Security Risks5 Most Common Security Risks


What is it Cross Site Scripting?What is it Cross Site Scripting?

Allows hackers to run malicious script in Allows hackers to run malicious script in a client’s Web browsera client’s Web browser

Any Web page that renders dynamic Any Web page that renders dynamic HTML based on content that users submit HTML based on content that users submit is vulnerableis vulnerable


Potential RisksPotential Risks

Hackers can embed <script>, <object>, Hackers can embed <script>, <object>, <applet>, and <embed> tags<applet>, and <embed> tags

Hackers can steal Web session Hackers can steal Web session information, modify the user’s screeninformation, modify the user’s screen


How To MitigateHow To Mitigate

Validate and constrain inputValidate and constrain input

Properly encode outputProperly encode output

Microsoft Anti-Cross Site Scripting LibraryMicrosoft Anti-Cross Site Scripting Library

What about Server.HTMLEncode?What about Server.HTMLEncode?

Uses blacklist for exclusionUses blacklist for exclusion

Less secureLess secure


Real World ExampleReal World Example• Attackers redirected PayPal visitors to a Attackers redirected PayPal visitors to a

page warning users their accounts had page warning users their accounts had been compromised. been compromised.

• Victims were then redirected to a phishing Victims were then redirected to a phishing site and prompted to enter sensitive site and prompted to enter sensitive financial data.financial data.

Source: http://www.acunetix.com/news/paypal.htmSource: http://www.acunetix.com/news/paypal.htm

DemoDemo



What SQL Injection?What SQL Injection?

Affects dynamic SQL queries which utilize Affects dynamic SQL queries which utilize user input as part of the queryuser input as part of the query

Attacker submits data containing a Attacker submits data containing a command that SQL server executescommand that SQL server executes

Attack VectorsAttack Vectors

Query stringsQuery strings

FormsForms

Web ServicesWeb Services



Probe databasesProbe databases

Bypass authorizationBypass authorization

Execute multiple SQL statementsExecute multiple SQL statements

Call built-in stored procedures (e.g. Call built-in stored procedures (e.g. xp_cmdshell)xp_cmdshell)


How to MitigateHow to Mitigate

Constrain and sanitize input data. Constrain and sanitize input data.

Use type-safe SQL parametersUse type-safe SQL parameters

Restrict permissions for account used to Restrict permissions for account used to access databaseaccess database

Do not disclose error informationDo not disclose error information

Use LINQ to SQL to access and interact Use LINQ to SQL to access and interact with datawith data


Real World ExampleReal World Example• The official government website for the The official government website for the

state of Rhode Island (www.ri.gov) was the state of Rhode Island (www.ri.gov) was the victim of a SQL Injection attack in January victim of a SQL Injection attack in January of last year.of last year.

• Hackers allegedly stole credit card data Hackers allegedly stole credit card data from individuals who have done business from individuals who have done business online with state agencies.online with state agencies.

• The hackers claimed to have stolen as The hackers claimed to have stolen as many as 53,000 credit card numbersmany as 53,000 credit card numbers

Source: http://www.webappsec.org/projects/whid/list_id_2006-3.shtmlSource: http://www.webappsec.org/projects/whid/list_id_2006-3.shtml

DemoDemo



What is Integer Overflow?What is Integer Overflow?

Occurs when an calculation causes an integer Occurs when an calculation causes an integer to exceed the max or min value allowed by its to exceed the max or min value allowed by its data typedata type



Data corruptionData corruption

Application crashes, instabilityApplication crashes, instability

Execution of arbitrary codeExecution of arbitrary code

Preventing Integer OverflowPreventing Integer Overflow

How To MitigateHow To Mitigate

Validate user inputValidate user inputCheck for min and max valuesCheck for min and max values

Use the correct data typeUse the correct data type

Execute your code in a checked context Execute your code in a checked context


Real World ExampleReal World Example

Apple’s OS X operating Apple’s OS X operating system contained a system contained a vulnerability which could be exploited vulnerability which could be exploited remotely by an attacker to compromise a remotely by an attacker to compromise a user's system. user's system. The ffs_mountfs() method was vulnerable The ffs_mountfs() method was vulnerable to an integer overflow which could to an integer overflow which could potentially allow abritrary code to be potentially allow abritrary code to be executed.executed.

Source: Source: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1238554,00.hhttp://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1238554,00.htmltml

DemoDemo


Cross Site Request ForgeryCross Site Request Forgery

What is Cross Site Request Forgery?What is Cross Site Request Forgery?

Forces a logged-on victim’s browser to Forces a logged-on victim’s browser to send a request to a vulnerable web send a request to a vulnerable web applicationapplication

Request is sent by the victim, not the Request is sent by the victim, not the attackerattacker

Can be difficult to detectCan be difficult to detect

Also known as “One-Click” vulnerabilityAlso known as “One-Click” vulnerability



Exposes victims private information to Exposes victims private information to attackerattacker

Attacker can alter data, make purchases, Attacker can alter data, make purchases, retrieve account info.retrieve account info.

Victim is usually unaware any changes Victim is usually unaware any changes have taken placehave taken place


How to MitigateHow to Mitigate

Include unique token which the server Include unique token which the server validates when a request is receivedvalidates when a request is received

ASP.NET: ViewStateUserKeyASP.NET: ViewStateUserKey

Ties view state content to a specific Ties view state content to a specific useruser

Must use unique value for each userMust use unique value for each user

Recommended: Recommended: ViewStateUserKey = Session.ID ViewStateUserKey = Session.ID

Require user confirmation with a shared Require user confirmation with a shared secretsecret



A security flaw at FTD.com made it A security flaw at FTD.com made it possible to access customer data simply by possible to access customer data simply by copying a cookie from one computer to copying a cookie from one computer to another.another.In addition, sequential values were used as In addition, sequential values were used as identifiers, making it easier to guess the identifiers, making it easier to guess the numbers of other valid cookies.numbers of other valid cookies.

Source: http://www.news.com/2100-1017-984585.htmlSource: http://www.news.com/2100-1017-984585.html

DemoDemo


InsecureInsecure Direct Object Reference Direct Object Reference

What is Insecure Direct Object What is Insecure Direct Object Reference?Reference?

Occurs when a direct reference to a file, Occurs when a direct reference to a file, directory, database record, etc. is exposed directory, database record, etc. is exposed to usersto users

Typically exposed in the URL as a Typically exposed in the URL as a querystring or form parameterquerystring or form parameter

Hacker can manipulate reference to access Hacker can manipulate reference to access other objectsother objects

Insecure Direct Object ReferenceInsecure Direct Object Reference

Potential RisksPotential Risks• Attacker can access other files or resources Attacker can access other files or resources

on the serveron the server• Web.Config Web.Config – contains database – contains database

connection and user account infoconnection and user account info• SAM file SAM file – Holds the user names and – Holds the user names and

password hashes for every account on password hashes for every account on the local machinethe local machine

• This data can be used to create This data can be used to create additional attacksadditional attacks

InsecureInsecure Direct Object Reference Direct Object Reference

Steps To MitigateSteps To Mitigate

Avoid directly referencing objects wherever Avoid directly referencing objects wherever possiblepossible

Use an index to assign a unique id, then Use an index to assign a unique id, then reference the idreference the id

If a direct reference must be used employ If a direct reference must be used employ methods to ensure only authorized objects methods to ensure only authorized objects are shown are shown

Encrypt sensitive sections in web.configEncrypt sensitive sections in web.config

Insecure Direct Object Reference Insecure Direct Object Reference


Cahoot (www.cahoot.com) a UK based Cahoot (www.cahoot.com) a UK based online bank, allowed online bank, allowed allowed customers to allowed customers to access other people's account simply by access other people's account simply by changing the username in the URLchanging the username in the URL

The website was closed down for 10 hours The website was closed down for 10 hours to repair the vulnerabilityto repair the vulnerability

Source: http://news.bbc.co.uk/2/hi/business/3984845.stmSource: http://news.bbc.co.uk/2/hi/business/3984845.stm

DemoDemo

Insecure Direct Object ReferenceInsecure Direct Object Reference


Validate Input / Encode Output (Anti-XSS Validate Input / Encode Output (Anti-XSS library)library)

Parameterize SQL QueriesParameterize SQL Queries

Least privilege AccountLeast privilege Account

Execute in a checked contextExecute in a checked context

ViewStateUserKey = Session.IDViewStateUserKey = Session.ID

Reference objects IndirectlyReference objects Indirectly

Encrypt Web.ConfigEncrypt Web.Config

For More InformationFor More Information

Anti XSS LibraryAnti XSS Library

http://www.microsoft.com/downloads/http://www.microsoft.com/downloads/details.aspx?familyid=9a2b9c92-7ad9-496c-details.aspx?familyid=9a2b9c92-7ad9-496c-9a89-af08de2e5982&displaylang=en9a89-af08de2e5982&displaylang=en

Built-in ASP.NET security featuresBuilt-in ASP.NET security features

http://msdn2.microsoft.com/en-us/library/http://msdn2.microsoft.com/en-us/library/ms972969.aspxms972969.aspx

HelloSecureWorld.comHelloSecureWorld.com

http://www.hellosecureworld.comhttp://www.hellosecureworld.com

Extending ASP.NET Application ServicesExtending ASP.NET Application ServicesMSDN EventsMSDN EventsWinter, 2007Winter, 2007


ASP.NET Provider ModelASP.NET Provider Model

Application ServicesApplication Services

Rich Clients in .NET 3.5Rich Clients in .NET 3.5

Level 200

Helpful ExperienceHelpful Experience

ASP.NET 2.0 Login ControlsASP.NET 2.0 Login Controls

Microsoft Ajax LibraryMicrosoft Ajax Library

SilverlightSilverlight

Building a WinForms applicationBuilding a WinForms application

AgendaAgenda

Understanding ASP.NET providers and the Understanding ASP.NET providers and the Provider ModelProvider Model

Using Built-in Providers and Application Using Built-in Providers and Application ServicesServices

Using Application Services in .NET 3.5Using Application Services in .NET 3.5

The Provider ModelThe Provider Model

Provider Design PatternProvider Design PatternMembershipProvider:ProviderBase MySQLMembershipProvider:MembershipProvider

Methods and Properties Overridden Methods and Properties

Methods and Properties

ProviderBase

Built-in ProvidersBuilt-in Providers

Custom ProvidersCustom Providers

Working with ProvidersWorking with Providers

Integration with ASP.NET 2.0 controlsIntegration with ASP.NET 2.0 controlsLogin ControlsLogin Controls

Other ControlsOther Controls

Provider ConfigurationProvider ConfigurationASP.NET Server Setup ASP.NET Server Setup

ASP.NET Configuration ToolASP.NET Configuration Tool

DemoDemo

Introducing ProvidersIntroducing Providers

AgendaAgenda




Application Service FlexibilityApplication Service Flexibility

ASP.NET Silverlight

Web Services

SOAP

Clients

Application Services

Ajax

Application Services with AjaxApplication Services with Ajax

AjaxAjaxASP.NET 2.0 – 3.5ASP.NET 2.0 – 3.5

Silverlight 1.0Silverlight 1.0

Web ServicesWeb ServicesSilverlight 2.0Silverlight 2.0

Other SOAP ClientsOther SOAP Clients

DemoDemo

Sharing Providers with Ajax and Sharing Providers with Ajax and SilverlightSilverlight

AgendaAgenda




Services in Visual Studio 2008Services in Visual Studio 2008

Application Services IntegrationApplication Services Integration

Services PageServices Page

New LibrariesNew LibrariesSystem.Web.ClientServicesSystem.Web.ClientServices

Offline SupportOffline SupportSQL/CESQL/CE

CustomizedCustomized

DemoDemo

Using Application Services from Using Application Services from a Rich Clienta Rich Client


Simplified storage solutions with the Simplified storage solutions with the Provider ModelProvider Model

Using Application Services to increase Using Application Services to increase productivityproductivity

Harness Application Services from Harness Application Services from different clientsdifferent clients

http://www.msdnevents.com/resourceshttp://www.msdnevents.com/resources

Thanks for attending!

Lynn Langit MSDN Developer Evangelist – Southern Californiahttp://blogs.msdn.com/SoCalDevGal

Economy & Finance

Jan 2008 Allup