Building a secure system is a very large project: it covers network security, operating system security, and application (program) security. This article describes how to build a secure web application system from the application side, using .NET technology.
1. Security-related services
To build a web application system, clients, IIS and a database are always involved. The following figure shows how they relate. [Figure: clients, IIS and database; the image itself is not available]
For example, in IIS we can use anonymous access or one of the other authentication methods, set IP address and domain name restrictions, or install a server certificate so that client and server communicate over SSL. The latest version of IIS (IIS 7) brings significant security improvements over earlier versions; for details on IIS 7 security, refer to Microsoft's IIS 7 documentation.
2. IIS settings
How should IIS be configured to make it as secure as possible?
1. Patch IIS. Microsoft regularly releases security updates; apply them to your system promptly.
2. Change the location where VS 2005 stores the web project. When a web project is created, VS 2005 creates the project directory under C:\Inetpub\wwwroot by default. Move the site's content to a directory on another (non-system) disk: this keeps web content separate from the operating system files and makes it harder for an intruder who reaches the file system to guess where the site lives.
3. If anonymous access is used, grant the anonymous user account as few system permissions as possible.
4. If necessary, set IP address restrictions for the site.
5. Disable directory browsing, so that a request for a directory that has no default document does not return a listing of its files to a malicious user.
[Site]-> [properties]-> [main directory]-> [directory browsing]
6. Disable parent paths, so that Server.MapPath and include directives cannot use ".." to reach directories above the site root. (This setting governs classic ASP; ASP.NET's Server.MapPath already refuses paths that climb above the application root.)
[Site]-> [properties]-> [main directory]-> [application configuration]-> [enable parent path]
7. Delete IIS virtual directories that the application does not need.
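The dialog paths above are for the IIS 6 manager. On IIS 7 the same three settings (items 4, 5 and 6) live in configuration sections that can be written from code. The following is an added example, not code from the original article, using the Microsoft.Web.Administration assembly that ships with IIS 7. It assumes a site named "Default Web Site", that the IP and Domain Restrictions feature and the ASP feature are installed, that the ipSecurity section has been unlocked at server level (appcmd unlock config -section:system.webServer/security/ipSecurity), and that the program runs as an administrator; the 10.0.0.0/24 subnet is a made-up value.

```csharp
// Added example: apply IIS hardening items 4-6 on IIS 7+ via Microsoft.Web.Administration.
// Assumptions (not from the article): site "Default Web Site", IP restrictions and ASP
// features installed, ipSecurity section unlocked, running elevated.
using System;
using Microsoft.Web.Administration;

class HardenSite
{
    static void Main()
    {
        const string siteName = "Default Web Site"; // assumption: change to your site

        using (ServerManager serverManager = new ServerManager())
        {
            // Site-level web.config of the named site.
            Configuration config = serverManager.GetWebConfiguration(siteName);

            // Item 5: no directory listings for directories without a default document.
            ConfigurationSection directoryBrowse = config.GetSection("system.webServer/directoryBrowse");
            directoryBrowse["enabled"] = false;

            // Item 6: classic ASP may not use ".." above the site root. Requires the ASP
            // feature; if ASP is not installed this section is absent and GetSection throws.
            ConfigurationSection asp = config.GetSection("system.webServer/asp");
            asp["enableParentPaths"] = false;

            // Item 4: IP allow-list. allowUnlisted=false denies every address not listed.
            ConfigurationSection ipSecurity = config.GetSection("system.webServer/security/ipSecurity");
            ipSecurity["allowUnlisted"] = false;
            ConfigurationElementCollection rules = ipSecurity.GetCollection();
            ConfigurationElement allowLan = rules.CreateElement("add");
            allowLan["ipAddress"] = "10.0.0.0";       // assumption: an internal subnet
            allowLan["subnetMask"] = "255.255.255.0";
            allowLan["allowed"] = true;
            rules.Add(allowLan);

            // Nothing is written until CommitChanges.
            serverManager.CommitChanges();
        }

        Console.WriteLine("Directory browsing off, parent paths off, IP allow-list applied to " + siteName);
    }
}
```

After running it, inspect the site's web.config: it should contain <directoryBrowse enabled="false" />, <asp enableParentPaths="false" /> and an <ipSecurity allowUnlisted="false"> element with the single allow rule. Test the allow-list from an address outside the subnet before relying on it, because with allowUnlisted="false" a mistake in the rule locks everyone out.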
3. Web application settings
1. Set the server authentication method
ASP.NET provides three authentication modes: Windows authentication, Forms authentication, and .NET Passport authentication (the fourth value of the authentication mode setting, None, switches ASP.NET authentication off entirely). The MSDN article at http://msdn2.microsoft.com/en-us/library/aa302388.aspx gives a detailed introduction to all three.
2. Encrypt the database connection string
Many developers write the database connection string straight into Web.config under the <connectionStrings> node, like this: <add name="sqlconnstring" connectionString="Data Source=...;User ID=...;Password=...;Initial Catalog=..." providerName="System.Data.SqlClient" />. In fact this is very insecure. If an attacker gets hold of Web.config (ASP.NET refuses to serve .config files directly, but they leak through source-disclosure bugs, backup copies and source control), the database server address, user name and password are visible at a glance, which is like handing the attacker the key to the door. There are two better, encryption-based methods:
Method 1:
Two MSDN articles describe how to encrypt the section with DPAPI and with RSA respectively:
Encrypt configuration sections in ASP.NET 2.0 using DPAPI: http://msdn2.microsoft.com/en-us/library/ms998280.aspx
Encrypt configuration sections in ASP.NET 2.0 using RSA: http://msdn2.microsoft.com/en-us/library/ms998283.aspx
Method 2:
Create a key in the Windows registry, store the encrypted sqlconnstring value under it, and set the key's ACL so that only the account the application runs as can read it. This is also a fairly safe method, although unlike Method 1 it requires your own code to read and decrypt the value, since .NET does not read connection strings from the registry on its own.
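Method 1 needs no changes to the code that consumes the connection string, which is why it is the better default. The following is an added example, not code from the original article or the MSDN articles, showing the protected-configuration API behind them: it encrypts the <connectionStrings> section of Web.config in place and reads the value back. It assumes an ASP.NET 2.0 or later application whose Web.config contains a connection string named "sqlconnstring", and that the encryption routine is invoked once from a context with write access to Web.config (a deployment step or a one-off administrative page).

```csharp
// Added example: protect the <connectionStrings> section of Web.config with the DPAPI
// provider and read it back. Assumptions (not from the article): ASP.NET 2.0+, a
// connection string named "sqlconnstring", write access to Web.config when protecting.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConnectionStringProtector
{
    // DPAPI (machine-scoped) provider; use "RsaProtectedConfigurationProvider" instead
    // when the same Web.config must be readable on several servers (web farm).
    const string ProviderName = "DataProtectionConfigurationProvider";

    // Encrypts the connectionStrings section in place. Returns false if it was already
    // protected, so the routine can be run repeatedly without harm.
    public static bool ProtectConnectionStrings(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(ProviderName);
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // The consuming code is unchanged: the configuration system decrypts the section
    // transparently, so nothing in the application needs to know it is encrypted.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new ConfigurationErrorsException("Missing connection string: " + name);
        return settings.ConnectionString;
    }

    // Example invocation from inside the application ("~" is the application root).
    public static void ProtectCurrentApplication()
    {
        bool changed = ProtectConnectionStrings("~");
        Console.WriteLine(changed ? "connectionStrings encrypted" : "already encrypted");
        Console.WriteLine("still readable: " + (GetConnectionString("sqlconnstring").Length > 0));
    }
}
```

The same operation is available from the command line as aspnet_regiis -pe "connectionStrings" -app "/YourApp" -prov "DataProtectionConfigurationProvider" (the application path is yours to fill in; without -prov the tool uses the RSA provider). Two caveats: the DPAPI provider protects against Web.config being copied off the machine, but any code running on that machine can still decrypt it, so file and process permissions still matter; and the encrypted section is tied to that machine, which is the reason the RSA provider with an exported key container is the choice for web farms.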
3. Prevent cross-site scripting attacks
What is a cross-site attack? Cross-site scripting (XSS) is the injection of malicious script into the system's pages, so that the script runs in the browsers of other users of the site.
For example, a page normally requested as view.aspx?stuname=Sam is instead requested as view.aspx?stuname=<script>alert('you are attacked!')</script>.
If the page echoes stuname unchanged, the script runs: this is a typical cross-site scripting attack.
Preventive measures include:
1. Restrict the format, type, length and character set of the input.
If you use ASP.NET Web controls, you can use the server-side validation controls that ASP.NET provides (and check Page.IsValid before using the input, since the validators only set a flag). If you use HTML server controls, validate on the server with System.Text.RegularExpressions.Regex.
Note: do not rely only on client-side JavaScript validation. A client script is trivially bypassed by disabling scripting in the browser or by sending the request directly with any HTTP tool. Treat client-side JavaScript purely as a way to improve the user experience; every check must also run on the server.
2. Encode the output. Pass any input that will be echoed back through HttpUtility.HtmlEncode, so that the browser renders it as text rather than interpreting it as markup.
3. Filter out or reject HTML tags that can be used to embed malicious code, for example <iframe>, <script>, <frameset>, <embed>, <object> and <style>. Such a blacklist is never complete, so it supplements output encoding rather than replacing it.
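The following is an added example, not code from the original article, putting measures 1 and 2 side by side with the vulnerable rendering of the view.aspx?stuname=... page from the text. It assumes the page's output is built as an HTML string (for instance assigned to a Literal control) and that a student name is 1 to 50 letters, spaces, hyphens or apostrophes; that rule is an assumed business rule, not something the article states.

```csharp
// Added example: vulnerable vs. hardened rendering of view.aspx?stuname=...
// Assumptions (not from the article): output is an HTML string; a valid student
// name is 1-50 letters, spaces, hyphens or apostrophes.
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class StudentView
{
    // Measure 1: whitelist of what a name may look like (format, length, characters).
    static readonly Regex NameRule = new Regex(@"^[\p{L} '\-]{1,50}$", RegexOptions.Compiled);

    // Vulnerable: the query-string value becomes markup, so
    // stuname=<script>alert('you are attacked!')</script> runs in every viewer's browser.
    public static string RenderVulnerable(string stuName)
    {
        return "<p>Student: " + stuName + "</p>";
    }

    // Hardened: reject input that does not match the expected shape (measure 1) and
    // encode whatever is echoed so the browser shows it as text (measure 2).
    public static string RenderSafe(string stuName)
    {
        if (stuName == null || !NameRule.IsMatch(stuName))
            throw new ArgumentException("Invalid student name");

        // "<script>" becomes "&lt;script&gt;" and is displayed, not executed.
        return "<p>Student: " + HttpUtility.HtmlEncode(stuName) + "</p>";
    }

    // Encoding is context specific. A value placed in a URL needs UrlEncode, a value
    // placed in an attribute needs HtmlAttributeEncode, and attributes must be
    // double-quoted: in .NET 2.0 neither encoder escapes the single quote.
    public static string RenderLink(string stuName)
    {
        if (stuName == null || !NameRule.IsMatch(stuName))
            throw new ArgumentException("Invalid student name");

        return "<a href=\"view.aspx?stuname=" + HttpUtility.UrlEncode(stuName) + "\""
             + " title=\"" + HttpUtility.HtmlAttributeEncode(stuName) + "\">"
             + HttpUtility.HtmlEncode(stuName) + "</a>";
    }

    // Demonstration with the payload from the text.
    public static void Demo()
    {
        const string payload = "<script>alert('you are attacked!')</script>";
        Console.WriteLine(RenderVulnerable(payload));           // script tag survives
        try { RenderSafe(payload); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
        Console.WriteLine(RenderSafe("O'Brien"));               // <p>Student: O'Brien</p>
        Console.WriteLine(RenderLink("Sam Smith"));             // href uses Sam+Smith
    }
}
```

Note that ASP.NET 1.1 and later enable request validation by default (ValidateRequest="true"), which rejects the obvious <script> payload before the page runs; it is a safety net, not a substitute for the validation and encoding above, and it is often switched off for pages that legitimately accept markup.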
4. Prevent SQL injection attacks
What is an SQL injection attack? Using the rules of SQL syntax, an attacker constructs input that turns the application's query into a malicious statement and thereby intrudes into the database.
For example, if the user enters a'; drop database ***
the original query select * from user where username = 'A' is turned into select * from user where username = 'a'; drop database ***. The consequences of such an attack are very serious: this one statement is enough to delete your whole database!
Preventive measures include:
1. Restrict the format, type, length and character set of the input.
2. Use parameterized SQL statements or parameterized stored procedures. The value bound to a parameter is never parsed as SQL code; it is handled purely as data. (A stored procedure that builds dynamic SQL by concatenating its parameters into an EXEC string is just as injectable as the original query.)
3. Restrict the database account's permissions and adhere to the principle of least privilege.
4. If necessary, do not grant the account the program uses any direct permission on the tables. Instead create stored procedures, grant the account EXECUTE permission on those procedures only, and perform all inserts, queries, updates and deletes through them.
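The following is an added example, not code from the original article, showing measures 2 and 4 in ADO.NET: the injectable query from the text next to its parameterized form, and the same lookup through a parameterized stored procedure. The table Students (with a Username column of at most 50 characters) and the procedure dbo.GetStudentByUsername with a single @username parameter are invented for this example; the connection string is whatever the application reads from its protected configuration.

```csharp
// Added example: injectable query vs. parameterized query and parameterized stored
// procedure. Assumptions (not from the article): table Students(Username nvarchar(50), ...)
// and procedure dbo.GetStudentByUsername(@username nvarchar(50)).
using System;
using System.Data;
using System.Data.SqlClient;

public static class StudentRepository
{
    const int MaxUsernameLength = 50;

    // Measure 1: length and null check before the value goes anywhere near SQL.
    static void RequireValidUsername(string username)
    {
        if (string.IsNullOrEmpty(username) || username.Length > MaxUsernameLength)
            throw new ArgumentException("Invalid username");
    }

    // Injectable: the input is spliced into the SQL text, so
    // a'; drop database *** -- closes the literal and appends a second statement.
    public static string BuildVulnerableSql(string username)
    {
        return "select * from Students where Username = '" + username + "'";
    }

    // Measure 2: @username travels as a typed value and is never parsed as SQL,
    // so the same input simply matches no row.
    public static DataTable FindByUsername(string connectionString, string username)
    {
        RequireValidUsername(username);
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("select * from Students where Username = @username", conn))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, MaxUsernameLength).Value = username;
            DataTable table = new DataTable();
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
                table.Load(reader);
            return table;
        }
    }

    // Measure 4: the application login holds EXECUTE on this procedure only and no
    // permission on Students itself. The procedure body must use a parameterized
    // statement (or sp_executesql with parameters), never EXEC('...' + @username).
    public static DataTable FindByUsernameViaProc(string connectionString, string username)
    {
        RequireValidUsername(username);
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.GetStudentByUsername", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, MaxUsernameLength).Value = username;
            DataTable table = new DataTable();
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
                table.Load(reader);
            return table;
        }
    }

    // Shows what the attacker's input does to the string-built query.
    public static void Demo()
    {
        Console.WriteLine(BuildVulnerableSql("a'; drop database *** --"));
        // select * from Students where Username = 'a'; drop database *** --'
    }
}
```

Because the parameter is declared with an explicit size, validate the length yourself as above: an over-long string handed to a sized input parameter is truncated rather than rejected. Also note that even the parameterized version is executed with whatever rights the connection's login has, which is why measure 3 (least privilege) matters regardless of how the query is built.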
4. Database Security Settings
Database security is a deep and complex subject; many companies have a dedicated database administrator responsible for it. At a minimum, consider the following items.
1. Install database patches in a timely manner.
2. Grant each account as few permissions as possible.
3. Set a complex password for the sa account: it must contain digits, letters, and non-alphanumeric characters such as ! # %, and be at least 8 characters long. Better still, never connect as sa from the application, and disable the sa login where possible.
4. Disable services that the database server does not need, such as Terminal Services, where they are not required.
How to build a secure .NET web application is a deep and extensive topic. Naturally, different circumstances impose different levels of security requirements, and each developer should start from reality and build a security system that meets actual needs. The above are some of the experiences I have accumulated in practice, written up for your reference; you are welcome to discuss them.
If you are interested, more in-depth content can be found at http://msdn2.microsoft.com/en-us/library/aa302415.aspx.