ASP. NET 2.0 Security FAQs

ArticleDirectory

• ASP. NET 2.0 Security FAQ s

I am sorry to see some of my colleagues struggling to solve some basic problems (such as how to set the aspnetdb database and how to set the membership password specifications. We probably have some rejection of English. Many questions can be easily answered on the weblog of msdn (English) or talents (Scott Guthrie, Fredrik normé N, etc.

MS Security wiki on channel9 also has ASP. NET 2.0 Security faq s, common ASP. NET 2.0 problems can be found (Security here is very broad, not just the general security issues ). I have translated the existing FAQ directory and put it here. Prepare to translate some of them one after another (long and difficult ). If you are interested in joining us, please leave a message. I will add your link and your name. Of course, you can add your own feelings and experiences to the translation. You are also welcome to point out what is wrong with my translation.

Add the title before the article you have translated[ASP. NET 2.0 Security FAQs], I will link your article to you after seeing it. Thank you.

ASP. NET 2.0 Security FAQ s

Welcome to the ASP. NET 2.0 Security FAQ page. This page provides an index to common questions and answers. The questions act as another index into the security guidance.

Authentication permission Verification

2. What's new in ASP. NET 2.0 in terms of authentication?
   New Features of ASP. NET 2.0 permission Verification
4. How do I decide my authentication strategy in ASP. NET?
   How to select an authentication policy in ASP. NET?
6. How do I use forms authentication with SQL Server database?
   How to Use Form Verification Based on the SQL Server database?
8. How do I use forms authentication with active directory?
   How to Use Form Verification Based on the Active Directory?
10. How do I enable Forms authentication to work with multiple Active Directory domains?
    How can I make Form Verification valid in Multiple Active Directory domains?
12. How do I protect Forms authentication?
    How to Protect form verification?
14. How do I enforce strong passwords using membership feature in ASP. NET 2.0
    In membership, how does one forcibly use a secure password?Chinese
16. How do I protect passwords in user store?
    How do I protect passwords in storage media?
18. What are the issues with forms authentication in Web farm scenario?
    Use Form authentication in the website Group
20. How do I implement Single Sign on using Forms authentication?
    How to implement one-time login in Form Verification?
22. How do I use my Custom User/identity store with forms authentication?
    How do I customize the storage medium for user authentication information in Form Verification?
24. How do I configure account lockout using membership feature in ASP. NET 2.0?
    How can I use the account in membership to lock it?
26. When and how do I use Windows Authentication in ASP. NET 2.0?
    How to use Windows verification?
28. When and how do I use Kerberos Authentication in ASP. NET 2.0?
    How to use Kerberos authentication?

Authorization authorization

2. What's new in ASP. NET 2.0 in terms of authorization?
   What are the new authorization features in ASP. NET 2.0?
4. What is the difference between URL Authorization, file authorization and Role authorization ??
   What are the differences between URL Authorization, file authorization, and Role authorization?
6. How do I use URL Authorization in ASP. NET 2.0?
   How to Use URL-based authorization?
8. How do I use file authorization in ASP. NET 2.0?
   How to use file-based authorization?
10. How do I use Role authorization in ASP. NET 2.0?
    How to Use Role-based authorization?
12. How is the authorizationstoreroleprovider different from authorization manager APIs?
    Difference between authorizationstoreroleprovider and authorization manager APIs
14. How do I use Windows groups for role authorization in ASP. NET 2.0?
    How to use Windows User Group as role?
16. How do I use my custom role store for roles authorization?
    How to use custom role storage media?
18. How do I cache roles in ASP. NET 2.0?
    How to cache role?
20. How do I protect authorization cookie when using role caching in ASP. NET 2.0?
    How can I protect the authorization information in the cookie when using the role cache?
22. How do I lock authorization settings?
    How to lock the authorization settings?
24. How do I use rolemanager in my application?
    How to Use rolemanager?

Auditing and logging auditing and logging

1. What's new in ASP. NET 2.0 in terms of auditing and logging?
   In ASP. NET 2.0, is the review and new log features?
2. How do I use the health monitoring feature in ASP. NET 2.0?
   How to use health monitoring?
3. What all security events do health monitoring feature logs by default?
   Health Monitoring will log all security events by default?
4. How do I instrument my application for security?
   ImproveProgramSecurity measures
5. When writing to a new event source from my ASP. NET application running under the network service security context, I get registry permission exception. Why is this and how do I correct this
   In the network service security environment, how does one solve the Registry authorization exception when a new log source is written?
6. How do I protect audit and log files?
   How do I protect audit files and log files?

Code access security Code Access Security

1. What's new in ASP. NET 2.0 in terms of code access security?
   New Features of code access security in ASP. NET 2.0
2. How do I use code access security with ASP. NET?
   How to Use Cas?
3. How do I create a custom trust level for ASP. NET?
   How to create a custom security level?
4. What are the permissions at the various trust levels?
   What are the differences between licenses at different trust levels?
5. How do I write partial trust applications?
   How to Write a trusted program?
6. When shocould I put assemblies in GAC, what are security implications?
   When do I need to put assembly into the global assembly cache? What kind of security problems will there be?

Impersonation/delegation simulation and Delegation

2. When do I use impersonation in ASP. NET 2.0?
   When to use impersonation in ASP. NET )?
4. How do I impersonate the original caller?
   How to simulate original visitors?
6. How do I temporarily impersonate the original caller?
   How to simulate the original visitor temporarily?
8. How do I impersonate a specific (fixed) identity?
   How does one imitate a special authentication score?
10. When should I use programmatic impersonation?
    When do I need programmable simulation?
12. How do I use programmatic impersonation?
    How to Use programmable simulation?
14. What is Protocol Transition and when do I care?
    When Will protocol Transtion be used?
16. What is constrained delegation?
    What is constrained delegation?
18. How can I retain impersonation in the new thread created from ASP. NET application?
    How to keep impersonation in the new thread?
20. How do I flow the original user identity to different layers?
    How do I transmit original user identities between different layers?
22. Can impersonation be used with forms authentication?
    Can impersionation be used with form verification?
24. What are the requirements for using Kerberos Delegation?
    Conditions for using Kerberos Delegation

Configuration

1. What does a secure web. config look like?
   How is the Secure Web. config file?
2. How do I encrypt sensitive data in machine. config or web. config file?
   How to encrypt sensitive data in machine. config and web. config?
3. How do I run an ASP. NET application with a special identity?
   How can I use a separate instance to allow ASP. NET programs?
4. How do I create a service account for running my ASP. NET applications?
   On the server, how does one configure the account for running ASP. NET programs?
5. Do I need to create a unique user account for each application pool?
   Do I need to configure an independent account for each application pool (IIS?
6. How do I lock configuration settings?
   How to lock the configuration file?

Exception Handling

1. How do I handle exceptions securely?
   How to safely handle exceptions?
2. How do I prevent detailed errors from returning to the client?
   How to Prevent Abnormal information from being sent to the client?
3. How do I use structured exception handling?
   How to use the structure to handle exceptions (try/catch/finnally )?
4. How do I setup a global exception handler for my application?
   How to set global Exception Handling
5. How do I enable my ASP. NET application to write to new event source?
   How to Write event logs of ASP. NET programs to Custom Event sources?

Data Access

1. How do I protect the database connection strings in Web. config file?
   How to protect the database connection string in the web. config file?
2. How do I use Windows authentication for connecting to SQL Server?
   In Windows, how does one connect to SQL server?
3. How do I use SQL authentication for connecting to SQL Server?
   How can I use an SQL account to connect to SQL server?
4. When using Windows authentication, how can I give the default ASP. NET Worker Process Access to a remote database server?
   When can I use Windows to connect to SQL Server? How can I connect to a remote database?

Input/Data Validation

1. What are the types of input I need to validate in my ASP. NET application?
   What types of inputs need to be verified?
2. How do I validate input in server-side controls?
   How do I verify the data input through the server control?
3. How do I validate input in HTML controls, querystring, cookies, and HTTP headers?
   How do I verify data input through HTML controls, querystirng, cookies, and HTTP headers?
4. What is SQL injection and how do I protect my application from SQL injection attacks?
   What is SQL injection and how to prevent SQL injection attacks?
5. What is cross-site scripting and how do I protect my ASP. NET application from it?
   What is kaug script and how to prevent kaug script attacks?

Sensitive data

1. How do I protect my web application's viewstate?
   How do I protect my viewstate?
2. What care shoshould I take when securing viewstate in a web farm scenario?
   How to Protect viewstate in the site group environment?
3. How do I protect sensitive data in the database?
   How to protect sensitive data in the database?
4. How do I protect sensitive data in configuration files?
   How to protect sensitive data in the configuration file?
5. How do I protect sensitive data in memory?
   How to protect sensitive data in the memory?
6. How do I protect passwords?
   How to protect the password?
7. How do I secure session state information?
   How to Protect session data?

Strong name and signature of strong naming and signing

1. How do I strong-name an ASP. NET application assembly?
   How to name an ASP. NET assembly?
2. How do I delay sign an ASP. NET application assembly?
   How to delay signing an ASP. NET assembly?
3. When should I use. pfx files?
   When do I need to use the. pfx file?
4. When should I pre-compile my ASP. NET application?
   When do I need to pre-compile my ASP. NET program?
5. How do I pre-compile my ASP. NET application?
   How do I pre-compile my ASP. NET program?
6. How do I strong name an ASP. NET application?
   How to name an ASP. NET program?
7. How do I sign. Net assemblies with Authenticode signature?
   How can I add a signature to assembliy?

Obfuscation

1. How shoshould I prevent someone from disconfiguring code?
   How can I prevent the Il code from being decompiled?

Others others

1. How do I set up a SQL Server or SQL express database for membership, profiles and role management?
   How can I set up an SQL Server or SQL express database and try to support membership, profiles, and role?Chinese