Table of contents
- ASP.NET 2.0 Security FAQs
It is a bit of a shame to see so many people in the community struggling with basic questions (for example, how to set up the ASPNETDB database, or how to configure the Membership password rules). Most of us are probably a little reluctant to read English material, yet answers to many of these questions are easy to find on MSDN (in English) or on the weblogs of experts such as Scott Guthrie and Fredrik Normén.
The MS Security Wiki on Channel9 even has a dedicated ASP.NET 2.0 Security FAQs page, where common ASP.NET 2.0 questions can be looked up ("security" there is used broadly, not only in the usual sense). I have translated the table of contents of the current FAQ and posted it here, and I plan to translate some of the entries (the longer, harder ones) one by one. If you would like to join in, please leave me a comment and I will add your link and your name here. In your translation you are of course welcome to add your own thoughts and experience. Corrections to anything inappropriate in my translation are also welcome.
Please prefix the title of the article you translate with [ASP.NET 2.0 Security FAQs]; once I see it I will link it here. Thank you.
ASP.NET 2.0 Security FAQs
Welcome to the ASP.NET 2.0 Security FAQ page. This page provides an index to common questions and answers. The questions act as another index into the security guidance.
Authentication
- What's new in ASP.NET 2.0 in terms of Authentication?
- How do I decide my Authentication strategy in ASP.NET?
- How do I use Forms Authentication with a SQL Server database?
- How do I use Forms Authentication with Active Directory?
- How do I enable Forms Authentication to work with multiple Active Directory domains?
- How do I protect Forms Authentication?
- How do I enforce strong passwords using the membership feature in ASP.NET 2.0? (Chinese translation available)
- How do I protect passwords in the user store?
- What are the issues with Forms Authentication in a web farm scenario?
- How do I implement single sign-on using forms authentication?
- How do I use my custom user / identity store with forms authentication?
- How do I configure account lockout using the membership feature in ASP.NET 2.0?
- When and how do I use Windows authentication in ASP.NET 2.0?
- When and how do I use Kerberos authentication in ASP.NET 2.0?
Authorization
- What's new in ASP.NET 2.0 in terms of Authorization?
- What is the difference between URL authorization, File authorization and Role authorization?
- How do I use URL Authorization in ASP.NET 2.0?
- How do I use File Authorization in ASP.NET 2.0?
- How do I use Role Authorization in ASP.NET 2.0?
- How is the AuthorizationStoreRoleProvider different from the Authorization Manager APIs?
- How do I use Windows groups for role authorization in ASP.NET 2.0?
- How do I use my custom role store for role authorization?
- How do I cache roles in ASP.NET 2.0?
- How do I protect the authorization cookie when using role caching in ASP.NET 2.0?
- How do I lock authorization settings?
- How do I use RoleManager in my application?
Auditing and Logging
- What's new in ASP.NET 2.0 in terms of Auditing and Logging?
- How do I use the health monitoring feature in ASP.NET 2.0?
- Which security events does the health monitoring feature log by default?
- How do I instrument my application for security?
- When writing to a new event source from my ASP.NET application running under the Network Service security context, I get a registry permission exception. Why is this and how do I correct it?
- How do I protect audit and log files?
Code Access Security
- What's new in ASP.NET 2.0 in terms of Code Access Security?
- How do I use code access security with ASP.NET?
- How do I create a custom trust level for ASP.NET?
- What are the permissions at the various trust levels?
- How do I write partial trust applications?
- When should I put assemblies in the GAC, and what are the security implications?
Impersonation / Delegation
- When do I use impersonation in ASP.NET 2.0?
- How do I impersonate the original caller?
- How do I temporarily impersonate the original caller?
- How do I impersonate a specific (fixed) identity?
- When should I use programmatic impersonation?
- How do I use programmatic impersonation?
- What is protocol transition and when do I care?
- What is constrained delegation?
- How can I retain impersonation in a new thread created from an ASP.NET application?
- How do I flow the original user identity to different layers?
- Can impersonation be used with Forms authentication?
- What are the requirements for using Kerberos delegation?
Configuration
- What does a secure web.config look like?
- How do I encrypt sensitive data in the machine.config or web.config file?
- How do I run an ASP.NET application with a particular identity?
- How do I create a service account for running my ASP.NET applications?
- Do I need to create a unique user account for each application pool?
- How do I lock configuration settings?
Exception Handling
- How do I handle exceptions securely?
- How do I prevent detailed errors from being returned to the client?
- How do I use structured exception handling (try/catch/finally)?
- How do I set up a global exception handler for my application?
- How do I enable my ASP.NET application to write to a new event source?
Data Access
- How do I protect the database connection strings in the web.config file?
- How do I use Windows authentication for connecting to SQL Server?
- How do I use SQL authentication for connecting to SQL Server?
- When using Windows authentication, how can I give the default ASP.NET worker process access to a remote database server?
Input / Data Validation
- What are the types of input I need to validate in my ASP.NET application?
- How do I validate input in server-side controls?
- How do I validate input in HTML controls, the QueryString, cookies, and HTTP headers?
- What is SQL injection and how do I protect my application from SQL injection attacks?
- What is cross-site scripting and how do I protect my ASP.NET application from it?
Sensitive Data
- How do I protect my web application's ViewState?
- What care should I take when securing ViewState in a web farm scenario?
- How do I protect sensitive data in the database?
- How do I protect sensitive data in configuration files?
- How do I protect sensitive data in memory?
- How do I protect passwords?
- How do I secure session state information?
Strong Naming and Signing
- How do I strong-name an ASP.NET application assembly?
- How do I delay-sign an ASP.NET application assembly?
- When should I use .pfx files?
- When should I pre-compile my ASP.NET application?
- How do I pre-compile my ASP.NET application?
- How do I strong-name an ASP.NET application?
- How do I sign .NET assemblies with an Authenticode signature?
Obfuscation
- How should I prevent someone from disassembling my code?
Others
- How do I set up a SQL Server or SQL Express database for Membership, Profiles and Role Management? (Chinese translation available)