Security cannot be bolted onto an existing application or introduced late in the development cycle. Security is inherently tied to the application's functionality and should be planned as one of its earliest features, at the very start of the design stage.
The most secure web application is the one that actually withstands attacks, not the one that was merely designed to. Security is a complex problem, and its solutions vary from application to application; it is usually achieved through a successful combination of application-level and system-level measures.
ASP.NET provides a built-in infrastructure to protect web pages from unauthorized access at the application level. Application-level security is only part of the problem, though; the server itself must also be protected from attack.
(1) Sources of security threats
Cross-site scripting (XSS): untrusted user input is echoed back into the page.
Denial of service (DoS): the system is flooded with requests until it is overloaded.
Eavesdropping: using a packet sniffer.
Hidden field tampering.
One-click attack.
Session hijacking.
SQL injection.
Sensitive data should not be sent over the wire and must be stored securely on the server.
Measures:
Coding practices: data validation, type and buffer-length checks, and anti-tampering measures.
Data access: use roles and stored procedures.
Effective storage and management: do not send critical data to the client, use hash codes to detect tampering, authenticate users and protect their identities, and enforce strict password policies.
Only developers, architects, and administrators working together can build a secure system.
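To make three of the measures above concrete (output encoding against XSS, parameterized data access against SQL injection, and a keyed hash to detect hidden-field tampering), here is an added C# example. It is not code from the original post; the table name, column names and the server key are placeholders, and the `Demo` method shows a tampered hidden field being rejected.

```csharp
// Added example, not from the original post. Assumes a .NET Framework 4.x
// project referencing System.Data; the table and key below are placeholders.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;
using System.Security.Cryptography;
using System.Text;

public static class WebHardening
{
    // XSS: untrusted input is HTML-encoded before it is written into the page,
    // so "<script>" arrives in the browser as text, not markup.
    public static string RenderUserInput(string untrusted)
    {
        return WebUtility.HtmlEncode(untrusted ?? string.Empty);
    }

    // SQL injection: the user-supplied value travels as a typed parameter and is
    // never concatenated into the SQL text. dbo.Users is a placeholder table.
    public static SqlCommand BuildUserLookup(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand(
            "SELECT UserId, DisplayName FROM dbo.Users WHERE UserName = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 256).Value = userName;
        return cmd;
    }

    // Hidden-field tampering: the page emits "value|HMAC"; on postback the server
    // recomputes the HMAC with a key that never leaves the server.
    public static string Protect(string value, byte[] serverKey)
    {
        using (var hmac = new HMACSHA256(serverKey))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(value));
            return value + "|" + Convert.ToBase64String(mac);
        }
    }

    public static bool TryUnprotect(string field, byte[] serverKey, out string value)
    {
        value = null;
        if (field == null) return false;
        int sep = field.LastIndexOf('|');
        if (sep < 0) return false;

        string candidate = field.Substring(0, sep);
        byte[] presented;
        try { presented = Convert.FromBase64String(field.Substring(sep + 1)); }
        catch (FormatException) { return false; }

        using (var hmac = new HMACSHA256(serverKey))
        {
            byte[] expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(candidate));
            if (!FixedTimeEquals(expected, presented)) return false;
        }
        value = candidate;
        return true;
    }

    // Compare the whole MAC regardless of where the first mismatch is, so the
    // comparison time does not leak how many leading bytes were correct.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Returns true when the untampered field verifies and the tampered one does not.
    public static bool Demo()
    {
        byte[] key = Encoding.UTF8.GetBytes("placeholder-server-key-change-me");
        string field = Protect("price=19.99", key);
        string mac = field.Substring(field.LastIndexOf('|'));
        string tampered = "price=0.01" + mac;   // client changed the value, kept the MAC

        string ok, bad;
        return TryUnprotect(field, key, out ok) && ok == "price=19.99"
            && !TryUnprotect(tampered, key, out bad);
    }
}
```

In a real page the key would come from protected configuration or the machine key rather than a literal, and the same pattern (value plus keyed hash, verified on postback) is what ASP.NET's view-state MAC applies to the whole view state.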
(2) The ASP.NET security context
From the application's perspective, security is mostly a matter of authenticating users and authorizing their actions on system resources. The ASP.NET security context consists of several levels:
1. IIS level
2. ASP.NET worker process level: determines the identity of the thread that serves the request inside the ASP.NET worker process.
3. ASP.NET pipeline
When an ASP.NET request arrives at the web server, IIS picks it up and assigns it to a pooled thread. IIS itself runs under the SYSTEM account, the most powerful account in Microsoft Windows. From that point on, the three levels of security are applied.
(1) IIS thread security context
An impersonated identity is set up based on the current IIS authentication mode: Basic authentication, Digest authentication, Integrated Windows authentication, or anonymous authentication.
Anonymous: the user is IUSR_xxx, where xxx is the machine name.
Basic authentication is an HTTP standard that almost every browser supports. It is recommended only over a secure HTTPS channel.
Digest authentication hashes the user's credentials before they are sent. It is an HTTP 1.1 feature, and not all browsers support it. On Windows Server 2003 it no longer requires passwords to be stored on the server with reversible encryption.
Basic and Digest authentication both work well through firewalls and proxy servers.
Integrated Windows authentication establishes a session between the browser and the web server. It cannot be used through a firewall.
Certificate-based authentication.
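The impersonation step described above is configured on the ASP.NET side in web.config. The fragment below is an added example, not from the original post; it assumes IIS has been set to Integrated Windows authentication with anonymous access disabled, and shows the settings that make the request thread run as the IIS-authenticated user rather than as the worker-process account.

```xml
<!-- Added example (not from the original post). Assumes IIS is configured for
     Integrated Windows authentication with anonymous access turned off. -->
<configuration>
  <system.web>
    <!-- ASP.NET trusts the identity that IIS already authenticated. -->
    <authentication mode="Windows" />
    <!-- The thread serving the request impersonates that IIS identity instead of
         running under the ASP.NET worker-process account. -->
    <identity impersonate="true" />
    <authorization>
      <!-- Rules are evaluated in order: "?" is the anonymous user, so denying it
           first forces IIS to authenticate before any page is served. -->
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
```

With `impersonate="true"` every resource the page touches (files, SQL Server via integrated security) is checked against the caller's Windows account, which is what ties the IIS-level and worker-process-level contexts together; without it the thread keeps the worker-process identity and only the ASP.NET pipeline sees the authenticated user.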