ASP. NET Server custom control security guidelines

Custom Controls of ASP. NET servers are a way to extend the functions of ASP. NET Web server controls. Some IDES (such as Microsoft Visual Studio 2005) simplify the use and development of custom controls. However, no matter which IDE you use, you must pay attention to ASP.. NET Server custom controls. The following lists the common security standards of ASP. NET Server custom controls, which are applicable to almost all ides.

User-Defined controls for ASP. NET servers

You can use ASP. for example, you can directly store the source code file in the App_Code folder of a Web application, and use the control from the global assembly cache, you can also use the Community components installed by an automatic installation program, such as Visual Studio content installer. In all circumstances, preventive measures should be taken to prevent malicious code imports or code that has an unexpected but negative impact on the IDE and the server hosting components.

The following provides some custom control security guidelines for ASP. NET servers. This list may not be comprehensive enough, but you can proceed with the investigation:

◆ Do not use unfamiliar code or code that does not understand its security risks. For community components, we recommend that you read the available issuer information and determine whether the component is signed. For more information, see How to: Package Community Components to Use the Visual Studio Content Installer and How to: Package Community Components to Use Visual Studio Content Installer. Content from dedecms

◆ Do not only consider the runtime security of custom controls on ASP. NET servers, but also the security during design.

◆ If possible, use the custom control in the strong name program and select a trusted publisher. For more information, see How to: determine the fully qualified name of the Assembly.

◆ Use a minimum privileged account to run ASP. NET Web applications that include imported controls. For more information about running ASP. NET processes with the lowest privilege, see configure ASP. NET process identifiers. In an IDE such as Visual Studio 2005 or quick release of Visual Web Developer, unless you need to execute management tasks, do not run applications as administrators as normal users. For more information, see User Rights and Visual Studio and User permissions and Visual Studio.

◆ View the operating system security and Windows Access Control List (ACL) on the ASP. NET Server that carries the custom control of the ASP. NET Server ). For example, make sure that you run ASP with only the minimum permissions required to run the application. to minimize the impact of security vulnerabilities caused by custom server controls on other hosted applications. For more information, see configure ASP. NET Process Identity. In addition, view the permissions of custom server controls and ensure that they comply with the file and folder permissions. The ASP. NET Web application identity must have this permission to work properly.

◆ Use code access security to restrict resources that can be accessed by Web applications (with custom server controls) and privileged operations that can be performed.

◆ Use the. NET Framework Configuration tool (Mscorcfg. msc) to manage and configure the assembly in the Global Assembly Cache and adjust the code access security policy. Because Mscorcfg. msc is used to help senior administrators perform tasks related to application configuration, work with your system administrator to determine whether the tool meets your needs.

Guidelines for developers of custom controls for ASP. NET servers

As a developer of ASP. NET Server custom controls, you should follow the common best practices for security in ASP. NET application pages and controls and. NET Framework. In many cases, users of custom server controls may not understand the details or security risks of All implementations. However, you should plan this by following the established security conventions and clearly specifying all permissions required for the component to work normally. You can.. NET Website Security ,. NET Framework developer guide, basic security concepts, and security topics in Patterns and Practices Web site.. NET Server custom control security issues and solutions are investigated.

After the custom Web server control is designed and implemented, you must determine how to provide the component to the user. There are two common methods to provide: provided as an assembly or as a Community component. If a component is provided as an assembly, you must sign the Assembly (also known as a strong name signature ). The signature provides a unique identifier for the Assembly. Other software can use this identifier to identify the Assembly and explicitly reference the assembly. At the same time, this method provides other benefits, which are described in detail in assembly programming.

If a component is provided as a Community component with an automatic installation process, you should sign the component in encrypted mode. A signature can be used to create a unique digital signature for a specific party to verify whether the data is sent from a specific party. One way to create a Community component for Visual Studio 2005 is to use the Visual Studio content installer and create a. vsi file that can be signed. For more information, see How to: Package Community Components to Use the Visual Studio Content Installer and How to: Package Community Components to Use Visual Studio Content Installer. dedecms.com

The following provides some ASP. NET Server custom control security rules that should be taken into account when developing custom server control components. This list may not be comprehensive enough, but you can proceed with the investigation:

◆ Provides instructions on how to use the custom controls on the ASP. NET Server, as well as the required resources and permissions for normal operation of these controls.

Digitally sign a component. If you package a custom control as an assembly, use a strong name to sign the assembly. For more information, see create and use an assembly with a strong name. If you use an automatic Installer (for example, Visual Studio content installer), you still need to sign the component. For more information, see How to: Package Community Components to Use the Visual Studio Content Installer and How to: Package Community Components to install programs using Visual Studio Content.

◆ Follow the best practices for exception management in the code.

◆ If you want the page developer. add custom controls of the. NET Server to the toolbox of the visualization designer, drag them to the design surface, and access their properties and events in the property browser, in addition to runtime security, you must also consider design-time security. For more information, see ensure the security of custom control designer components.

◆ Understand the highest threats to Web application pages and controls, including code injection, information leakage, session hijacking, identity spoofing, parameter operations, and network listening. Therefore, Threat modeling and analysis of components should be completed before deployment.

1. How to restore a form with a custom control of ASP. NET Server
2. ASP. NET Server Control usage and setting skills
3. Analysis on the lifecycle of ASP. NET Server controls
4. ASP. NET Server-side control CheckBoxList
5. Optimal Selection of ASP. NET Server controls