Build and configure a safer website

Source: Internet
Author: User

Best Practices for Windows 2000 Advanced Server, Internet Information Services 5.0, SQL Server 2000, and the .NET Framework

Authors: Timothy Bollefer, Girish Chander, Jesper Johansson, Mike Kass, Erik Olson (Microsoft Corp.)

Scott Stanfield, James Walters (Vertigo Software Inc.)

Abstract: A Web site that Microsoft engineers built on the Microsoft .NET Framework, Microsoft Windows 2000 Advanced Server, Internet Information Services 5.0, and Microsoft SQL Server 2000 withstood more than 82,500 attacks in the eWeek OpenHack 4 competition and won. This article describes how that solution was built and configured, and presents the best practices that software developers and system administrators can apply to secure their own solutions. (This article contains links to English-language sites.)

Contents
* Introduction
* Web Applications
* Internet Information Services (IIS) 5.0
* Windows 2000 Advanced Server Operating System
* IP Security (IPSec) Policies
* Remote management and monitoring
* SQL Server 2000
* Passwords
* Summary

Introduction
eWeek Labs held its fourth annual OpenHack online security competition in October 2002. This annual competition (this was Microsoft's third time taking part) aims to test enterprise security by exposing a system to a real, hostile Web environment. eWeek provided a sample Web application to both Microsoft and Oracle and required each party to re-implement it using its own technologies. eWeek then invited computer users from across the United States to try to compromise the security of the resulting sites, with cash prizes for successful attacks. Qualifying attacks included cross-site scripting, disclosure of dynamic Web page source code, Web page defacement, sending malicious SQL commands to the database, and theft of credit card data from the database.

Microsoft built its application on the Microsoft .NET Framework, an integral Windows component that supports building and running next-generation applications and XML Web services. The application is hosted on Microsoft Internet Information Services (IIS) 5.0 and uses Microsoft SQL Server 2000 as its database. All servers run the Microsoft Windows 2000 Advanced Server operating system. (It is worth noting that if Microsoft Windows Server 2003, with IIS 6.0, had been released at the time of the competition, that version of the operating system would have been used. With Windows Server 2003, the steps used in the competition to "lock down" the operating system and Web server can be skipped.)

The competition results can be found at http://www.eweek.com/category2/1396060043100.asp. In short, Microsoft's solution withstood more than 82,500 attacks, and Microsoft won the OpenHack 4 competition, just as it did in the first and second OpenHack competitions. This article walks through the technologies used in the competition to show how the solution was built and configured, and briefly explains how developers and system administrators who want to secure their own solutions can apply these best practices.

Web Application

The application simulates the eWeek eXcellence Awards Web site, on which users register their products or services as entries for the awards. A user can set up an account, enter products or services for consideration, submit a credit card number to pay the entry fee, and obtain information about the awards. Microsoft built its solution on the .NET Framework, an integral Windows component for building and running applications and XML Web services. Most of the development centered on ASP.NET, ADO.NET, and the cryptography class library, which were used respectively to build the Web-based application, to access and work with data, and to encrypt, decrypt, and ensure the integrity of data.

Forms Authentication
The Microsoft ASP.NET classes provide several options for authenticating users (that is, confirming the identity of a given user from credentials such as a user name and password). These options include integrated Windows authentication, basic authentication, digest authentication, Microsoft .NET Passport, and client certificates. As required by eWeek, the OpenHack solution uses forms-based (custom) authentication.

When a user logs on through forms authentication, the system creates an encrypted cookie that tracks the user throughout the site. (Technically, a cookie is a plain-text string generated by the Web site that is placed in the user's Web browser's memory and used to identify the user as they browse the site.)

If a user requests a secured page without logging on, the system redirects the user to the logon page. All of this is configured using only the application's XML-based Web.config file. This file is generated automatically by Microsoft Visual Studio .NET (the integrated development environment for building applications on the .NET Framework) and stores the configuration of an ASP.NET Web application.

In the Web.config file in the application's root folder, the following lines are added under <system.web> to request forms-based authentication and to specify the location of the logon page.

<authentication mode="Forms">
    <forms loginUrl="Login.aspx" name="OPSAMPLEAPP" />
</authentication>

This top-level configuration file applies to every page of the application. A second Web.config file is then placed in a subdirectory; it applies only to the few selected pages in that subdirectory and prevents unauthenticated (that is, anonymous) users from accessing them. This second Web.config file inherits the authentication settings of the top-level one.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>

        <authorization>
            <deny users="?" />
        </authorization>

    </system.web>
</configuration>

With these two Web.config files in place, unauthenticated users can access only the home page and a few other pages, while authenticated users can also access the pages on the site that require a user to be logged on.

The logon page contains fields in which users enter their user name and password, which are returned to the Web server over Secure Sockets Layer (SSL) so that no one can steal the credentials as they cross the network. When a user creates a new account, the Web application encrypts the new password with the Triple DES algorithm (for details, see the Storing Confidential Information section) and stores it in the database together with the user name. From then on, the Web application encrypts the password entered on the logon page with Triple DES and compares the result with the encrypted password stored in the database. If the two match, the Web application uses the System.Web.Security.FormsAuthentication class in the ASP.NET library to generate an encrypted cookie containing the user name. This cookie is returned to the user and stored in the user's browser until the timeout period expires, and every subsequent request sent to the Web site carries it. All requests that carry the cookie are transmitted over SSL to prevent "replay" attacks (in which an attacker steals the cookie from the network and then uses it to impersonate the user). We strongly recommend using SSL whenever sensitive information, or credentials that can be used to access sensitive information, is sent over a public network.
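The logon flow described above, as an added example in C# that is not the paper's own code. It assumes the Triple DES key and IV are supplied by the caller from wherever the site keeps its secrets, that the stored ciphertext has already been fetched for the user, and that the logon page is served over SSL; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;

// Hypothetical helper used by Login.aspx; not from the OpenHack solution.
public class LoginHelper
{
    // Encrypts a password the way the paper describes: Triple DES with a
    // fixed key and IV, so the same password always yields the same
    // ciphertext and the stored value can be compared directly.
    public static string EncryptPassword(string password, byte[] key, byte[] iv)
    {
        using (TripleDES tdes = TripleDES.Create())
        {
            tdes.Key = key;   // 24-byte key, kept outside the code (assumption)
            tdes.IV = iv;     // 8-byte IV, kept outside the code (assumption)
            ICryptoTransform encryptor = tdes.CreateEncryptor();
            byte[] plain = Encoding.UTF8.GetBytes(password);
            byte[] cipher = encryptor.TransformFinalBlock(plain, 0, plain.Length);
            return Convert.ToBase64String(cipher);
        }
    }

    // Compares two Base64 strings without stopping at the first mismatch,
    // so the comparison time does not reveal how many characters matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Encrypts the submitted password, compares it with the ciphertext that
    // came back from the database, and on a match has ASP.NET issue the
    // encrypted forms-authentication cookie and redirect to the page the
    // user originally requested. 'false' asks for a non-persistent cookie.
    public static bool TryLogin(string userName, string password,
                                string storedCipher, byte[] key, byte[] iv)
    {
        string attempt = EncryptPassword(password, key, iv);
        if (!FixedTimeEquals(attempt, storedCipher)) return false;
        FormsAuthentication.RedirectFromLoginPage(userName, false);
        return true;
    }
}
```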

Input Validation
OpenHack implements several levels and types of input validation in the application to ensure that no input (that is, user-supplied data) can alter how the application operates. Validating input is a key security best practice that helps prevent buffer overflows, cross-site scripting attacks, and other attempts to execute malicious code in the application's context. Providing multiple layers of protection, as is done here, is another important security best practice known as "defense in depth". It is important to plan for the worst and assume that one or more layers of the solution may be compromised.

The first line of defense is the validation controls provided by ASP.NET (in particular the RegularExpressionValidator and RequiredFieldValidator classes), which ensure that all required input is supplied and that the data is valid. Only the characters needed for the user's operation are allowed, so the range of characters is restricted. For example, some fields accept only "[. 0-9a-zA-Z_]*", that is, spaces, single quotes, commas, periods, letters, and digits. Other characters, which could be used to send malicious scripts to the site, are rejected.

In addition to text boxes, the application also accepts some input through the "query string", the part of a dynamic URL that carries the parameters used to generate the page. The System.Text.RegularExpressions.Regex class is used to validate that data against a regular expression, as shown below:

using System.Text.RegularExpressions;

// Anchored pattern: the whole value must consist of one or more digits.
Regex isNumber = new Regex("^[0-9]+$");
if (isNumber.IsMatch(inputData)) {
    // use it
} else {
    // discard it
}

A regular expression is a set of characters and syntax elements used to match a text pattern. In the OpenHack application, regular expressions ensure that query string content is well-formed and not malicious.

All data access in the application goes through parameterized stored procedures, written in T-SQL and run inside the database as defined there. Limiting interaction with the database to stored procedures is generally a best practice. Without stored procedures, the Web application must build SQL queries dynamically, and if the Web tier is compromised an attacker can insert malicious commands into those queries to retrieve, modify, or delete data in the database. With stored procedures, the interaction between the Web application and the database is restricted to a small number of strictly typed parameters passed to the procedures. Every time the developer calls a stored procedure through the .NET Framework, the parameters sent to it are checked to ensure they are of the types the stored procedure accepts (such as integers and 8-character strings). This is a further layer of protection behind the Web tier's input validation: it ensures that all input is correctly formed and cannot by itself be turned into an executable SQL statement.
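The two layers just described, regex validation of a query-string value followed by a typed call to a stored procedure, as an added C# example that is not the paper's code. The stored procedure name GetEntry, its parameter @EntryId, and the query-string parameter name are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Hypothetical data-access helper; not from the OpenHack solution.
public class EntryData
{
    // Compiled once and anchored, so the entire value must be digits.
    private static readonly Regex IsNumber = new Regex("^[0-9]+$");

    // Web-tier validation of a query-string value such as ?entryId=42.
    // Returns -1 when the value is missing, non-numeric, or too long to be
    // a safe int; the caller should treat -1 as "discard the request".
    public static int ParseEntryId(string raw)
    {
        if (raw == null || raw.Length > 9 || !IsNumber.IsMatch(raw)) return -1;
        return int.Parse(raw);
    }

    // Database-tier layer: the value is bound to a SqlDbType.Int parameter
    // of a stored procedure, so it never becomes part of SQL text and could
    // not change the statement even if validation above were bypassed.
    public static DataTable GetEntry(string connectionString, int entryId)
    {
        if (entryId < 0) throw new ArgumentOutOfRangeException("entryId");
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("GetEntry", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@EntryId", SqlDbType.Int).Value = entryId;
            DataTable table = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(table);   // opens and closes the connection
            }
            return table;
        }
    }
}
```

Typical use from a page: `int id = EntryData.ParseEntryId(Request.QueryString["entryId"]);` and, only if `id` is not -1, `EntryData.GetEntry(connString, id)`.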

All data is HTML-encoded before it is returned to the user. This requires only the HtmlEncode method of the System.Web.HttpServerUtility class, as shown below.

someLabel.Text = Server.HtmlEncode(username);

HTML encoding helps prevent cross-site scripting attacks. If the database were compromised, an attacker could insert a script into a record, which is then returned to the user and
