Securing Your .NET Application

Securing your .NET Applications Visit us: www.ironspeed.com Download the Free Edition: www.ironspeed.com/download

Securing your .NET Applications Concentric Rings of Security Firewall Security Medium Trust vs. High Trust IIS Security Authentication Authorization SSL Encryption Database Security SQL Injection Attacks Secure Communications (URL Encryption) Multiple Applications for Internal vs. External Users Best Practices

Concentric Rings of Security No system should rely on a single-level of Security Secure Web Applications through Concentric Rings of Security

Concentric Rings of Security Security should include: Physical (e.g., data center) Network (e.g., Firewall, VPN) Operating System (e.g., Accounts, Trust Levels) Web Server (e.g., IIS Virtual Directory) Web Application (e.g., Authentication, Authorization) Database (e.g., User Accounts) Data (e.g., encrypt sensitive data) Best Practices (e.g., SQL Injection, URL Encryption) You know what to do

Network Security Level Use VPN to secure Internal Systems Use separate machines for Web Server and Database Server

Operating System Level Use .NET Trust Level to secure Operating System access

.NET Trust Levels Full: Anything that the account running it can do. High: ‘Full trust’ minus calls to unmanaged code (Win32 APIs and COM interop). Medium: No DB, File I/O, Registry, Reflection or Event logs. Low: Cannot make calls to a database, network, etc. Minimal: Only trivial processing allowed Modified in the machine-level web.config file

Iron Speed Recommends High Trust for Internal Applications Modified Medium Trust for External Applications Allow Ole DB Reflection Registry File I/O Event Logs (if not hosted)

Web Server Level Every .NET Application runs under specific user credentials Anonymous Impersonation (pass-through)

Web Server – Anonymous Anonymous Security = IIS Virtual Directory configured to run under specific user account Typical for public web applications Internal web applications can use if combined with Active Directory

Web Server – Impersonation IIS Configured to pass-through user credentials Only works with Microsoft Internet Explorer IE passes Windows domain and user to application Fraught with problems Double-hop not allowed by Microsoft Database on different server cannot use Windows Authentication Other browsers do not pass credentials Suited for Internal Applications Does not work for External Applications Alternative Approach: Use Anonymous + Active Directory

Iron Speed Recommends IIS Configured to use Anonymous Access Use IIS_machinename account System account with limited capabilities

Web Application – Authentication Configure most web pages to require Authentication Some web pages may be publicly accessible Multiple choices available Active Directory Windows Authentication Database SharePoint All choices are equally secure

Iron Speed Recommends Use Active Directory if all users internal Use Database if external or extranet application

Web Application – Authorization Use Role-Based Security to Authorize parts of application Use Page-level or Control-level Not sufficient to disable button E.g., do not just disable Edit button – also secure Edit page Use Roles in Query WHERE clauses

Iron Speed Recommends Use any of the role-based security protocols Most customers find they need Application-level control of roles – so use Database Roles – regardless of which Authentication used

Database Security Limit Database Account to query execution Exclude “dbcreator” access to prevent DROP or ALTER Use Database Specific Accounts (instead of Windows Authentication)

Iron Speed Recommends SQL Server: Use SQL Server Authentication Use Separate Database Server

Best Practices – SQL Injection Attacks Text boxes in your application can be used to inject malicious SQL code SELECT * FROM Customers WHERE Name = ‘ + SearchTextbox.Text + ’ If user enters: a’; DELETE FROM Customers WHERE ‘1’ = ‘1 Will delete all customers

Best Practices – SQL Injection Attacks Never trust user input Never use dynamic SQL Never connect to a database using Admin account Encrypt sensitive data in database Use custom error messages

Iron Speed Recommends All user input is quoted End-user should not be allowed to create dynamic SQL Use limited account for connecting to the database

Best Practices – Cross-Site Scripting Attacks Cross-Site Scripting uses JavaScript, HTML, VBScript or other code Inject using regular data entry fields Execution happens when data is displayed if data is not validated and quoted when saved

Iron Speed Recommends Do not allow user to input HTML or JavaScript Use Rich-Text Editor sparingly Validate Rich-Text input Set HTMLEncodeValue = TRUE Validate using Cross-Site Validators

Best Practices – Secure Communications Browser to Server communications can be easily eavesdropped Use SSL (Secure Sockets Layer) to prevent eavesdropping Purchase SSL Certificate from trusted authority Setup IIS and Virtual Directory to always redirect to SSL site

Best Practices – Secure Communications URL Parameters may also expose data Use URL Encryption or pass data through POST or using Session Encrypt URL Parameters using key based on Session Id Prevents reverse-engineering because each parameter value is encrypted using session based key

Iron Speed Recommends Use SSL (HTTPS) for all secure sites Use URL Encryption for all secure sites

Best Practices – Multiple Applications Develop separate Internal and External Applications Helps secure Internal applications through VPN, Active Directory, etc. External Applications can be secured using Database Users and/or Database Role-Based

Iron Speed Recommends Separate Applications for Internal and External Use

Data Level Encrypt all sensitive data Passwords Social Security Numbers Credit Card Numbers Birth Dates Confidential Numbers like Salary

Iron Speed Recommends One-way encryption for password type fields Encrypt and save Compare with encrypted data rather than decrypting Two-way encryption / decryption for other data

Security Audits Maintain security checklist Regularly audit each ring of security All system changes must be followed by security audits Regularly check System and Event logs Security is not a one-time issue, it is an ongoing endeavor Re-validate upon each application modification/deployment

Iron Speed Designer Supports Authentication Windows Authentication Database (User table) Active Directory Microsoft SharePoint

Iron Speed Designer Supports Authorization Database (Roles) Active Directory Groups Microsoft Authorization Manager (AzMan) Microsoft SharePoint Groups

Iron Speed Designer Supports SQL Injection Attack Prevention All user input goes through multiple validations and is quoted No dynamic SQL allowed from end user

Iron Speed Designer Supports Cross-Site Scripting Attack Prevention Prevent HTML / JavaScript execution by encoding HTMLEncodeValue = True by default

Iron Speed Designer Supports URL Encryption Turn on in Application Generation Options

Iron Speed Designer Supports Session Timeouts Logout after certain time

Iron Speed Designer Supports Web Server and Database Security Use SSL Security Configure IIS Virtual Directory Settings using specific account Configure Database Accounts

Iron Speed Designer Supports Major Security challenges out-of-the-box Best Practices out-of-the-box Other Security challenges through simple configuration based on system needs

Why use Iron Speed Designer? Speed application development Cut software development costs Reduce testing time Simplify maintenance Built-in Security Application generation = acceleration

Course Materials Download from http://cdn.ironspeed.com/videos/RaziMohiuddin/V71.Security.zip

Securing Your .NET Application

More Related Content

What's hot (19)

Viewers also liked (13)

Similar to Securing Your .NET Application (20)

More from Iron Speed (12)

Recently uploaded (20)

Securing Your .NET Application

Editor's Notes