Document directory
- Transport Security
- Message Security
- Mixed Mode
- Selecting the Security Mode
- Choosing the Client Credentials
- The XMLHttpRequest Object
- The Ajax Same Origin Policy
- The Microsoft ASP.NET Ajax Framework
- Using ASP.NET Trust Levels
- IIS Role Services
- Creating and Configuring Application Pools
- Configuring Trust Levels in IIS
- Filtering Double-Encoded Requests
- Filtering Requests with Non-ASCII Characters
- Filtering Requests Based on File Extension
- Filtering Requests Based on Request Size
- Filtering Requests Based on HTTP Verbs
- Filtering Requests Based on Request Sequences
- Filtering Requests Based on a Request Header
- Status Codes Returned to Denied Requests
- Requesting an SSL Certificate
- Configuring a Site to Use HTTPS
- Setting up a Test Certification Authority
- Creating a "Claims-Aware" web site
- Accepting information cards
- Working with a claims identity
- Protecting yourself against XSS
- Protecting an MVC Application against CSRF
- Securing model binding
- Providing validation for and error messages from your model
Part III: Advanced ASP.NET Scenarios

Chapter 11: Sharing Data with Windows Communication Foundation
- Creating and Consuming WCF Services
- Security and Privacy with WCF
- Transport Security
- Message Security
- Mixed Mode
- Selecting the Security Mode
- Choosing the Client Credentials
- Adding Security to an Internet Service
- Signing Messages with WCF
- Logging and Auditing in WCF
- Validating Parameters Using Inspectors
- Using Message Inspectors
- Throwing Errors in WCF
- A Checklist for Securing WCF
- Never expose services over protocols you are not using. Once you have migrated your services to a secure protocol, remove the insecure protocols so that they can no longer be used.
- Choose an appropriate binding for interoperability and security. Not all clients may understand the WS-* protocols. You can apply security to the BasicHttpProtocol if interoperability is a concern, but the WS-* protocols offer more flexibility.
- Choose a suitable authentication mechanism for your protocol. The credential type used will depend on your setup. Intranets, for example, may use Windows authentication to authenticate to the service automatically, but this is not suitable for Internet-facing services, which should use a username and password.
- Apply authorization to your service contract using PrincipalPermission.
- Utilize message inspectors if needed. Message inspectors allow you to examine a message before it reaches your service implementation, allowing for custom rules and filtering on any message property.
- Throw custom SOAP faults from your service, not .NET exceptions. Never set IncludeExceptionDetailInFaults to true.
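The last three checklist items together, as an added example (not code from the book): a hypothetical order service whose operation is gated with a PrincipalPermission demand, keeps IncludeExceptionDetailInFaults off, and reports errors through a typed FaultContract instead of leaking .NET exceptions. The role name, contract and fault type are assumptions; the role check relies on the host's PrincipalPermissionMode populating Thread.CurrentPrincipal.

```csharp
using System;
using System.Runtime.Serialization;
using System.Security.Permissions;
using System.ServiceModel;

// Hypothetical fault contract: the only error detail that crosses the wire.
[DataContract]
public class OrderFault
{
    [DataMember] public string Code { get; set; }
    [DataMember] public string Message { get; set; }
}

[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    [FaultContract(typeof(OrderFault))]
    decimal GetOrderTotal(int orderId);
}

// Explicitly false (also the default): unhandled exceptions become a generic
// fault with no stack trace or exception message for the caller to read.
[ServiceBehavior(IncludeExceptionDetailInFaults = false)]
public class OrderService : IOrderService
{
    // Authorization on the contract implementation: only members of the
    // (assumed) "OrderReaders" role may invoke this operation.
    [PrincipalPermission(SecurityAction.Demand, Role = "OrderReaders")]
    public decimal GetOrderTotal(int orderId)
    {
        try
        {
            return LookupTotal(orderId);
        }
        catch (ArgumentOutOfRangeException)
        {
            // Translate the internal exception into a typed SOAP fault that
            // carries a fixed, safe message rather than the exception text.
            throw new FaultException<OrderFault>(
                new OrderFault { Code = "NotFound", Message = "Unknown order." },
                new FaultReason("The requested order does not exist."));
        }
    }

    // Stand-in for data access; constructed sample value.
    private static decimal LookupTotal(int orderId)
    {
        if (orderId <= 0) throw new ArgumentOutOfRangeException("orderId");
        return 42.00m;
    }
}
```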
Chapter 12: Securing Rich Internet Applications
- RIA Architecture
- Security in Ajax Applications
- The XMLHttpRequest Object
- The Ajax Same Origin Policy
- The Microsoft ASP.NET Ajax Framework
- Examining the ScriptManager
- Security Considerations with UpdatePanel and ScriptManager
- Security in Silverlight Applications
- Understanding the CoreCLR Security Model
- Using the HTML Bridge
- Accessing
- Using ASP.NET Authentication and Authorization in Ajax and Silverlight
- A Checklist for Securing Ajax and Silverlight
- Both Ajax and Silverlight are constrained by cross-domain policies. Ajax can only communicate with services and resources on the same domain. Silverlight can access external resources if the external Web site allows it.
- The Ajax UpdatePanel could be considered more secure than ScriptManager. UpdatePanel hides the implementation, reduces the attack surface, and is easier to implement than ScriptManager services, making it a more secure option. However, ScriptManager services are more scalable.
- The Silverlight security model has restrictions. The Silverlight security model restricts the classes you can inherit from, as well as the methods you can implement or override.
- Silverlight isolated storage is discoverable by users. Do not use isolated storage to save sensitive information.
- All Silverlight cryptography functions need initial values. You cannot store keys, hashes, or initialization vectors (IVs) securely on the local machine. Use a Web service in conjunction with the ASP.NET membership functions to store cryptographic keys on your server.
Chapter 13: Understanding Code Access Security
- Understanding Code Access Security
- Using ASP.NET Trust Levels
- Demanding Minimum CAS Permissions
- Asking and Checking for CAS Permissions
- Testing Your Application Under a New Trust Level
- Using the Global Assembly Cache to Run Code Under Full Trust
- .NET 4 Changes for Trust and ASP.NET
- A Checklist for Code Not Under Full Trust

- Always wrap code that requires CAS permissions with a demand. You should specify minimum permissions for your code, and either fail gracefully or disable functionality if the demand fails.
- Place code that always requires Full Trust in a separate assembly stored in the GAC. GAC assemblies will always run as Full Trust.
- Remember to opt in to allow partially trusted callers. The .NET Framework will stop code hosted in partial trust environments from calling GAC assemblies unless you opt in and mark your assembly with the AllowPartiallyTrustedCallers attribute.
- Remember to use Demand/Assert in APTC assemblies. This checks that the calling assemblies are allowed to perform the function. If you want to override this, then remember that anyone can call a GAC assembly unless you add a StrongNameIdentityPermission.
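The first and last checklist items in code, as an added example rather than the book's own: a hypothetical GAC-installed, APTCA-marked assembly with one method that demands the minimum FileIOPermission and fails gracefully, and one that validates its input and then asserts the broad permission it holds so a partial-trust caller can read a single approved file. The directory path and method names are assumptions.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Opt in: without this attribute, code running under a partial trust level
// (e.g. ASP.NET Medium trust) cannot call into this GAC assembly at all.
[assembly: AllowPartiallyTrustedCallers]

public static class TrustedFileGateway
{
    // Hypothetical fixed directory this Full Trust assembly is willing to expose.
    private const string AllowedDir = @"C:\inetpub\approved-templates\";

    // Demand the minimum permission up front and fail gracefully: the caller
    // gets 'false' and can disable the feature instead of crashing the app.
    public static bool TryReadSettings(string fullPath, out string contents)
    {
        contents = null;
        try
        {
            new FileIOPermission(FileIOPermissionAccess.Read, fullPath).Demand();
        }
        catch (SecurityException)
        {
            return false;   // current trust level does not grant read access
        }
        contents = File.ReadAllText(fullPath);
        return true;
    }

    // Assert pattern: the stack walk would fail on the partial-trust caller, so
    // this assembly validates the request itself, then asserts only the narrow
    // permission it needs and reverts the assert as soon as the read is done.
    public static string ReadTemplate(string fileName)
    {
        // Never let the caller choose the path; only a bare name inside AllowedDir.
        if (fileName != Path.GetFileName(fileName))
            throw new ArgumentException("Path separators are not allowed.", "fileName");
        string fullPath = Path.Combine(AllowedDir, fileName);

        var io = new FileIOPermission(FileIOPermissionAccess.Read, fullPath);
        io.Assert();
        try { return File.ReadAllText(fullPath); }
        finally { CodeAccessPermission.RevertAssert(); }
    }
}
```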
Chapter 14: Securing Internet Information Server (IIS)
- Installing and Configuring IIS7
- IIS Role Services
- Removing Global Features for an Individual Web Site
- Creating and Configuring Application Pools

To configure the account an application pool runs under, you must first create the Windows user account and add it to the IIS_IUSRS group (or the IIS_WPG group for IIS6/Windows 2003). This group grants the permissions a Windows account needs to be used as an application pool identity.
- Configuring Trust Levels in IIS
- Locking Trust Levels
- Creating Custom Trust Levels
- Filtering Requests
- Filtering Double-Encoded Requests
- Filtering Requests with Non-ASCII Characters
- Filtering Requests Based on File Extension
- Filtering Requests Based on Request Size
- Filtering Requests Based on HTTP Verbs
- Filtering Requests Based on Request Sequences
- Filtering Requests Based on a Request Header
- Status Codes Returned to Denied Requests
- Using Log Parser to Mine IIS Log Files

Log Parser: http://www.iis.net/downloads/default.aspx?Tabid=34&g=6&I=1287

- Using Certificates
- Requesting an SSL Certificate
- Configuring a Site to Use HTTPS
- Setting up a Test Certification Authority
- A Checklist for Securing Internet Information Server (IIS)
- Configure application pool identities. Configuring a separate application pool identity for each site will isolate multiple Web sites on the same machine. Setting a specific application pool identity will (if the identity has the appropriate permissions) allow you to access networked resources.
- Configure appropriate trust levels for ASP.NET applications. Limiting what your application can do is best practice, because your applications will run under the least privilege possible. If the standard trust levels do not meet your needs, then customize and create your own.
- Configure logging in IIS. Log files can provide a valuable source of information when trying to track down potential attacks, or to evaluate successful ones.
- Filter requests with IIS. Using IIS's request filtering will stop potentially dangerous requests from reaching your application, and provides another layer of defense.
- Use the Windows Certificate Authority to generate test certificates for HTTPS sites and Web services. Using a test CA provides support for certificate validation and revocation, allowing you to develop your code without lowering the security level of certificate-handling code. This, in turn, removes the risk of insecure test code making it into a production environment.
Chapter 15: Third-Party Authentication
- A Brief History of Federated Identity
- Using the Windows Identity Foundation to Accept SAML and Information Cards
- Creating a "Claims-Aware" Web Site
- Accepting Information Cards
- Working with a Claims Identity
- Using OpenID with Your Web Site
- Using Windows Live ID with Your Web Site
- A Strategy for Integrating Third-Party Authentication with Forms Authentication

Chapter 16: Secure Development with the ASP.NET MVC Framework
- MVC Input and Output
- Protecting Yourself Against XSS
- Protecting an MVC Application Against CSRF
- Securing Model Binding
- Providing Validation for and Error Messages from Your Model
- Authentication and Authorization with ASP.NET MVC
- Authorizing Actions and Controllers
- Protecting Public Controller Methods
- Discovering the Current User
- Customizing Authorization with an Authorization Filter
- Error Handling with ASP.NET MVC
- A Checklist for Secure Development with the ASP.NET MVC Framework
- Always encode your output when adding it to your View. Encoding your output will protect you against XSS attacks.
- Protect your POST actions with an anti-forgery token. An anti-forgery token will protect you from CSRF, but remember that it is a two-step process: add the token to the form and apply the [ValidateAntiForgeryToken] attribute to your action.
- Secure your model binding. Whitelist the properties that may be bound to avoid malicious updates through the submission of extra input fields.
- Perform authorization on actions in your Controller, not based upon URLs. Authorization rules based on URLs may not work because you can create multiple routes to a Controller.
- Use filters to provide common exception handling and custom authorization logic. Placing common code like this in a filter allows it to be reused across multiple Controllers and actions.
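The MVC checklist applied to one hypothetical controller, as an added example and not code from the book: the POST action carries [ValidateAntiForgeryToken] (the matching Razor form renders the token with @Html.AntiForgeryToken()), model binding is whitelisted with [Bind(Include=...)] so an extra IsAdmin field in the request is ignored, authorization sits on the controller rather than on a URL, and validation messages come from the model's annotations. The model, controller and property names are assumptions.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Hypothetical view model; validation attributes drive ModelState and the
// error messages shown by the view's validation helpers.
public class ProfileEditModel
{
    [Required, StringLength(50)]
    public string DisplayName { get; set; }

    [Required, StringLength(254)]
    public string Email { get; set; }

    public bool IsAdmin { get; set; }   // must never be settable from a POST
}

[Authorize]      // authorization on the controller/actions, not on a URL pattern
[HandleError]    // common exception handling supplied by a filter
public class ProfileController : Controller
{
    // The Edit view places @Html.AntiForgeryToken() inside its <form>:
    // step one of the two-step CSRF defence.
    [HttpGet]
    public ActionResult Edit()
    {
        // Constructed sample data; User.Identity.Name identifies the current user.
        var model = new ProfileEditModel { DisplayName = User.Identity.Name, Email = "" };
        return View(model);
    }

    // Step two: the POST action validates the token. The Bind whitelist means a
    // request that also carries IsAdmin=true has that field silently dropped.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit([Bind(Include = "DisplayName,Email")] ProfileEditModel model)
    {
        if (!ModelState.IsValid)
            return View(model);          // view shows the annotation-driven messages

        // Persisting the change is out of scope; the view renders DisplayName
        // through Razor's encoding helpers, which handles the XSS item.
        TempData["Message"] = "Profile updated.";
        return RedirectToAction("Edit");
    }
}
```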