Copyright © 2006-2008. Iron Speed Inc. All rights reserved
Securing your .NET Applications
Visit us: www.ironspeed.com
Download the Free Edition: www.ironspeed.com/download
Securing your .NET Applications
- Concentric Rings of Security
- Firewall Security
- Medium Trust vs. High Trust
- IIS Security
- Authentication
- Authorization
- SSL Encryption
- Database Security
- SQL Injection Attacks
- Secure Communications (URL Encryption)
- Multiple Applications for Internal vs. External Users
- Best Practices
Concentric Rings of Security
- No system should rely on a single level of security
- Secure web applications through concentric rings of security
Concentric Rings of Security
Security should include:
- Physical (e.g., data center)
- Network (e.g., firewall, VPN)
- Operating System (e.g., accounts, trust levels)
- Web Server (e.g., IIS virtual directory)
- Web Application (e.g., authentication, authorization)
- Database (e.g., user accounts)
- Data (e.g., encrypt sensitive data)
- Best Practices (e.g., SQL injection, URL encryption)
You know what to do
Network Security Level
- Use a VPN to secure internal systems
- Use separate machines for the web server and the database server
Operating System Level
- Use the .NET trust level to limit what the application can do on the operating system
.NET Trust Levels
- Full: anything the account running the application can do
- High: full trust minus calls to unmanaged code (Win32 APIs and COM interop)
- Medium: no OLE DB/ODBC database access (SQL Server via SqlClient is still permitted), file I/O limited to the application's own directory, no registry, reflection or event log access
- Low: cannot call a database, the network, etc.; read-only access to the application directory
- Minimal: only trivial processing allowed (execute permission only)
Set in the machine-level web.config file (the trust element); a host can lock it there with allowOverride="false" so individual applications cannot raise their own trust level
Iron Speed Recommends
- High trust for internal applications
- Modified Medium trust for external applications, adding permissions for:
  - OLE DB
  - Reflection
  - Registry
  - File I/O
  - Event logs (if not hosted)
Web Server Level
Every .NET application runs under specific user credentials:
- Anonymous
- Impersonation (pass-through)
Web Server – Anonymous
- Anonymous security = the IIS virtual directory is configured to run under a specific user account
- Typical for public web applications
- Internal web applications can use it when combined with Active Directory authentication in the application
Web Server – Impersonation
- IIS is configured to pass the user's Windows credentials through to the application
- Reliable only with Microsoft Internet Explorer: IE passes the Windows domain and user name to the application; other browsers do not pass credentials (at least not by default)
- Fraught with problems:
  - Double hop is not allowed: the impersonated token cannot be forwarded from the web server to a second server (Kerberos delegation is the exception and needs extra setup), so a database on a different server cannot use Windows authentication
  - Other browsers do not pass credentials
- Suited for internal applications; does not work for external applications
- Alternative approach: use Anonymous + Active Directory
Iron Speed Recommends
- Configure IIS to use Anonymous access
- Use the IIS_machinename account: a system account with limited capabilities
Web Application – Authentication
- Configure most web pages to require authentication
- Some web pages may be publicly accessible
- Multiple choices available:
  - Active Directory
  - Windows Authentication
  - Database
  - SharePoint
- Each choice is secure when configured correctly; choose by where your users and their accounts live, not by strength
Iron Speed Recommends
- Use Active Directory if all users are internal
- Use Database authentication for external or extranet applications
Web Application – Authorization
- Use role-based security to authorize parts of the application
- Enforce at page level or control level; disabling a button is not sufficient
  - E.g., do not just disable the Edit button: also secure the Edit page, since its URL can be requested directly
- Use roles in query WHERE clauses so users only see the rows they are entitled to
Iron Speed Recommends
- Use any of the role-based security providers
- Most customers find they need application-level control of roles, so use Database Roles regardless of which authentication is used
Database Security
- Limit the application's database account to query execution (SELECT/INSERT/UPDATE/DELETE, or EXECUTE on stored procedures)
- Do not grant the "dbcreator" server role, or the db_owner / db_ddladmin database roles, so the account cannot DROP or ALTER objects
- Use database-specific accounts (instead of Windows authentication)
Iron Speed Recommends
- SQL Server: use SQL Server authentication
- Use a separate database server
Best Practices – SQL Injection Attacks
Text boxes in your application can be used to inject malicious SQL code when their value is concatenated into the query:

    "SELECT * FROM Customers WHERE Name = '" + SearchTextbox.Text + "'"

If the user enters:

    a'; DELETE FROM Customers WHERE '1' = '1

the database receives two statements:

    SELECT * FROM Customers WHERE Name = 'a'; DELETE FROM Customers WHERE '1' = '1'

and will delete all customers.
Best Practices – SQL Injection Attacks
- Never trust user input
- Never use dynamic SQL
- Never connect to a database using an admin account
- Encrypt sensitive data in the database
- Use custom error messages (do not show raw database errors to the user)
Iron Speed Recommends
- All user input is quoted (escaped) so it cannot break out of the string literal; passing values as query parameters gives the same guarantee without hand-written escaping
- End users should not be allowed to create dynamic SQL
- Use a limited account for connecting to the database
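The attack above and the parameterized alternative, run against an in-memory SQLite table. This is an added example and not code from the deck or from Iron Speed Designer; the Customers rows are constructed, and SQLite stands in for SQL Server (executescript() mimics a batch-executing driver, since execute() refuses a second statement). It also shows the ' OR '1'='1 variant, which works even when the driver only accepts one statement.

```python
import sqlite3

# Constructed sample table; not data from the original deck.
SEED = [("alice",), ("bob",), ("carol",)]
PAYLOAD = "a'; DELETE FROM Customers WHERE '1' = '1"   # the deck's input
BYPASS = "' OR '1'='1"                                   # classic single-statement bypass


def fresh_db():
    """In-memory SQLite standing in for the application's SQL Server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (Name TEXT)")
    conn.executemany("INSERT INTO Customers (Name) VALUES (?)", SEED)
    conn.commit()
    return conn


def count_customers(conn):
    return conn.execute("SELECT COUNT(*) FROM Customers").fetchone()[0]


def search_vulnerable_batch(conn, search_text):
    """The deck's pattern: the text box value is concatenated into the SQL.
    executescript() runs every statement in the string, like a SQL Server
    batch, so the attacker's appended DELETE executes too."""
    sql = "SELECT * FROM Customers WHERE Name = '" + search_text + "'"
    conn.executescript(sql)
    return sql


def search_vulnerable_single(conn, search_text):
    """Even a driver that refuses multiple statements is exploitable:
    a quote plus OR '1'='1 rewrites the WHERE clause to match every row."""
    sql = "SELECT Name FROM Customers WHERE Name = '" + search_text + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def search_safe(conn, search_text):
    """Parameterized query: the value travels separately from the SQL text,
    so quotes and semicolons in it are plain data, never syntax."""
    rows = conn.execute(
        "SELECT Name FROM Customers WHERE Name = ?", (search_text,)
    ).fetchall()
    return [row[0] for row in rows]


def demo():
    """Returns (rows left after the batch attack, rows the bypass returns,
    rows the safe query returns for the bypass, rows left after the safe query)."""
    v = fresh_db()
    search_vulnerable_batch(v, PAYLOAD)
    left_after_attack = count_customers(v)                       # 0: DELETE ran

    bypass_rows = search_vulnerable_single(fresh_db(), BYPASS)   # every name

    s = fresh_db()
    safe_rows = search_safe(s, BYPASS)                           # [] : no such name
    left_after_safe = count_customers(s)                         # 3 : table intact
    return left_after_attack, bypass_rows, safe_rows, left_after_safe


if __name__ == "__main__":
    print(demo())
```

Escaping quotes by hand (the deck's "quoted") closes the same hole only if every code path does it for every data type; parameters make the separation of code and data the driver's job rather than the developer's.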
Best Practices – Cross-Site Scripting Attacks
- Cross-site scripting uses JavaScript, HTML, VBScript or other code
- Injected through regular data entry fields
- Execution happens when the data is displayed, if it was not validated and quoted (HTML-encoded) when saved or when rendered
Iron Speed Recommends
- Do not allow users to input HTML or JavaScript
- Use the rich-text editor sparingly
- Validate rich-text input
- Set HTMLEncodeValue = True
- Validate using cross-site validators
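What those recommendations do at the code level, as an added example (not code from the deck or from Iron Speed Designer, and Python rather than the ASP.NET markup the product emits). The stored value is a constructed attacker input; render_cell's html_encode flag plays the role of HTMLEncodeValue, and the two validators are a plain-text check and a denylist-style rich-text check, both assumptions for illustration.

```python
import html
import re

# Any tag-like markup: rejected outright for ordinary text fields.
TAG_RE = re.compile(r"<[^>]*>")
# Script vectors a "cross-site validator" should refuse in rich-text fields.
# This is a denylist for illustration; a production sanitizer should instead
# allowlist the few tags and attributes the editor is permitted to produce.
SCRIPT_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Constructed attacker input, as if typed into a customer-name field.
STORED_NAME = "<script>alert(document.cookie)</script>"


def validate_plain_text(value):
    """Fields that are not rich text: refuse anything that looks like markup."""
    return TAG_RE.search(value) is None


def validate_rich_text(value):
    """Rich-text fields: allow simple formatting, refuse script vectors."""
    return SCRIPT_RE.search(value) is None


def render_cell(value, html_encode=True):
    """Render a stored value into a table cell on output. html_encode=True
    plays the role of the deck's HTMLEncodeValue = True: the browser shows
    the characters instead of interpreting them."""
    if html_encode:
        value = html.escape(value, quote=True)
    return "<td>" + value + "</td>"


def render_attr(value):
    """Attribute context: quotes must be encoded too, or the attacker can
    close the attribute and add an event handler."""
    return '<input value="' + html.escape(value, quote=True) + '">'


if __name__ == "__main__":
    print(render_cell(STORED_NAME, html_encode=False))   # script would run in the browser
    print(render_cell(STORED_NAME))                       # shown as harmless text
```

Validation on input and encoding on output are both needed: validation keeps obvious payloads out of the database, while output encoding protects against data that arrived through another path (an import, a stored procedure, a second application writing to the same table).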
Best Practices – Secure Communications
- Browser-to-server communications can be easily eavesdropped
- Use SSL (today, TLS) to prevent eavesdropping
- Purchase an SSL certificate from a trusted certificate authority
- Set up IIS and the virtual directory to always redirect to the SSL site
Best Practices – Secure Communications
- URL parameters may also expose data (and invite tampering, e.g. changing a record ID in the address bar)
- Use URL encryption, or pass data through POST or the Session
- Encrypt URL parameters using a key based on the session ID
- Prevents reverse-engineering because each parameter value is encrypted with a session-based key; pair the encryption with an integrity check (a MAC) so an altered value is rejected rather than decrypted to garbage
Iron Speed Recommends
- Use SSL (HTTPS) for all secure sites
- Use URL encryption for all secure sites
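A session-keyed URL parameter scheme of the kind the two preceding slides describe, as an added example that is not Iron Speed Designer's own URL encryption and makes no claim about how that feature is built. It derives a per-session key from a server secret and the session ID, encrypts the value, and appends a MAC so a forged or altered token is rejected. Because the Python standard library has no AES, the cipher is HMAC-SHA256 used as a pseudorandom function in counter mode (a stand-in for AES-CTR); in .NET you would use the AES classes in System.Security.Cryptography with the same encrypt-then-MAC layout. MASTER_KEY is a placeholder for a secret loaded from protected configuration.

```python
import base64
import hashlib
import hmac
import os

# Assumption: a server-side secret loaded from protected configuration,
# never from source control. Placeholder value for this example only.
MASTER_KEY = b"replace-with-a-random-secret-from-config"
NONCE_LEN, TAG_LEN = 12, 16


def session_key(session_id):
    """Per-session key derived from the server secret and the session id,
    so a token captured from one session is useless in another."""
    return hmac.new(MASTER_KEY, session_id.encode("utf-8"), hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 as a PRF in counter mode (stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect_param(value, session_id):
    """Encrypt-then-MAC a parameter value; returns a URL-safe token."""
    key = session_key(session_id)
    nonce = os.urandom(NONCE_LEN)                  # fresh per token
    data = value.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(nonce + ct + tag).decode("ascii").rstrip("=")


def unprotect_param(token, session_id):
    """Returns the original value, or None if the token was forged, altered,
    or issued to a different session."""
    key = session_key(session_id)
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):    # verify before decrypting
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return pt.decode("utf-8", errors="replace")


def tamper(token):
    """Simulates an attacker flipping one bit of the ciphertext in the URL."""
    raw = bytearray(base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)))
    raw[NONCE_LEN] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode("ascii").rstrip("=")


if __name__ == "__main__":
    token = protect_param("CustomerId=42", "sess-A")
    print(token, unprotect_param(token, "sess-A"), unprotect_param(token, "sess-B"))
```

The random nonce makes the same value produce a different token each time, so a user cannot compare two links to learn that they point at the same record; the MAC is what stops them from editing the record ID, which encryption alone does not prevent.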
Best Practices – Multiple Applications
- Develop separate internal and external applications
- Helps secure internal applications through VPN, Active Directory, etc.
- External applications can be secured using database users and/or database role-based security
Iron Speed Recommends
- Separate applications for internal and external use
Data Level
Encrypt all sensitive data:
- Passwords
- Social Security numbers
- Credit card numbers
- Birth dates
- Confidential numbers such as salary
Iron Speed Recommends
- One-way hashing (often called one-way encryption) for password-type fields
  - Hash with a per-user salt and save the hash
  - Verify by hashing the supplied password and comparing with the stored hash, never by decrypting
- Two-way encryption / decryption for other data the application must read back
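The one-way scheme for password fields, as an added example (not code from the deck or from Iron Speed Designer): a salted, iterated PBKDF2-HMAC-SHA256 hash stored alongside its parameters, and verification by re-hashing with a constant-time comparison. There is deliberately no decrypt function. ITERATIONS and the storage format are assumptions for illustration; tune the work factor to your hardware.

```python
import base64
import hashlib
import hmac
import os

# Work factor; assumption, tune so one hash costs roughly 100 ms on your server.
ITERATIONS = 200_000
ALGO = "pbkdf2_sha256"


def hash_password(password, iterations=ITERATIONS):
    """One-way: salted PBKDF2-HMAC-SHA256. Store the returned string as-is."""
    salt = os.urandom(16)                       # per-user random salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password, stored):
    """Compare by re-hashing the candidate; nothing is ever decrypted."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # constant-time comparison: do not leak which byte differed
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when a stored hash uses an older format or a lower work factor
    than current policy, so it can be upgraded at the next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("wrong", record))
```

The salt is what makes two users with the same password store different hashes and defeats precomputed tables; the iteration count is what keeps offline guessing slow after a database leak. Plain SHA-1 or MD5 of the password, common in applications of this era, offers neither.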
Security Audits
- Maintain a security checklist
- Regularly audit each ring of security
- All system changes must be followed by a security audit
- Regularly check system and event logs
Security is not a one-time issue; it is an ongoing endeavor
Re-validate upon each application modification/deployment
Iron Speed Designer
Iron Speed Designer Supports Authentication
- Windows Authentication
- Database (user table)
- Active Directory
- Microsoft SharePoint
Iron Speed Designer Supports Authorization
- Database (roles)
- Active Directory groups
- Microsoft Authorization Manager (AzMan)
- Microsoft SharePoint groups
Iron Speed Designer Supports SQL Injection Attack Prevention
- All user input goes through multiple validations and is quoted
- No dynamic SQL allowed from the end user
Iron Speed Designer Supports Cross-Site Scripting Attack Prevention
- Prevents HTML / JavaScript execution by encoding output
- HTMLEncodeValue = True by default
Iron Speed Designer Supports URL Encryption
- Turn on in Application Generation Options
Iron Speed Designer Supports Session Timeouts
- Logs the user out after a configured period of inactivity
Iron Speed Designer Supports Web Server and Database Security
- Use SSL security
- Configure IIS virtual directory settings to use a specific account
- Configure database accounts
Iron Speed Designer Supports
- Major security challenges out of the box
- Best practices out of the box
- Other security challenges through simple configuration based on system needs
Why use Iron Speed Designer?
- Speed application development
- Cut software development costs
- Reduce testing time
- Simplify maintenance
- Built-in security
Application generation = acceleration
Questions?
Course Materials
Download from http://cdn.ironspeed.com/videos/RaziMohiuddin/V71.Security.zip