Securing Your .NET Application

Page 1: Securing Your .NET Application

Copyright © 2006-2008. Iron Speed Inc. All rights reserved

Securing your .NET Applications

Visit us: www.ironspeed.com Download the Free Edition: www.ironspeed.com/download

Page 2: Securing Your .NET Application

Securing your .NET Applications

- Concentric Rings of Security
- Firewall Security
- Medium Trust vs. High Trust
- IIS Security
- Authentication
- Authorization
- SSL Encryption
- Database Security
- SQL Injection Attacks
- Secure Communications (URL Encryption)
- Multiple Applications for Internal vs. External Users
- Best Practices

Page 3: Securing Your .NET Application

Concentric Rings of Security

- No system should rely on a single level of security
- Secure web applications through concentric rings of security

Page 4: Securing Your .NET Application

Concentric Rings of Security

Security should include:

- Physical (e.g., data center)
- Network (e.g., Firewall, VPN)
- Operating System (e.g., Accounts, Trust Levels)
- Web Server (e.g., IIS Virtual Directory)
- Web Application (e.g., Authentication, Authorization)
- Database (e.g., User Accounts)
- Data (e.g., encrypt sensitive data)
- Best Practices (e.g., SQL Injection, URL Encryption)

You know what to do

Page 5: Securing Your .NET Application

Network Security Level

- Use VPN to secure internal systems
- Use separate machines for the Web Server and the Database Server

Page 6: Securing Your .NET Application

Operating System Level

- Use the .NET Trust Level to secure Operating System access

Page 7: Securing Your .NET Application

.NET Trust Levels

- Full: Anything that the account running it can do.
- High: ‘Full trust’ minus calls to unmanaged code (Win32 APIs and COM interop).
- Medium: No DB, File I/O, Registry, Reflection or Event logs.
- Low: Cannot make calls to a database, network, etc.
- Minimal: Only trivial processing allowed

Modified in the machine-level web.config file

Page 8: Securing Your .NET Application

Iron Speed Recommends

- High Trust for Internal Applications
- Modified Medium Trust for External Applications
  - Allow OLE DB, Reflection, Registry, File I/O, Event Logs (if not hosted)
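The two slides above describe where the trust level lives and what a "modified medium trust" is. The fragment below is an added example (not from the deck and not Iron Speed Designer output) of how that is expressed in the machine-level web.config (the root web.config under the framework's CONFIG directory). The level name "ModifiedMedium" and the policy file name are assumptions; the policy file would be a copy of web_mediumtrust.config with the OLE DB, Reflection, Registry, File I/O and Event Log permissions added.

```xml
<!-- Added example: machine-level (root) web.config. The custom level and its
     policy file name are assumed; the standard levels are listed for context. -->
<configuration>
  <system.web>
    <securityPolicy>
      <trustLevel name="Full"    policyFile="internal" />
      <trustLevel name="High"    policyFile="web_hightrust.config" />
      <trustLevel name="Medium"  policyFile="web_mediumtrust.config" />
      <trustLevel name="Low"     policyFile="web_lowtrust.config" />
      <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
      <!-- Copy of web_mediumtrust.config with the extra permissions the slide lists -->
      <trustLevel name="ModifiedMedium" policyFile="web_mediumtrust_modified.config" />
    </securityPolicy>
  </system.web>

  <!-- allowOverride="false" means an application's own web.config cannot raise
       its trust back to High or Full; the operating-system ring stays in force. -->
  <location allowOverride="false">
    <system.web>
      <trust level="ModifiedMedium" originUrl="" />
    </system.web>
  </location>
</configuration>
```

For internal applications on the same server, the `<trust>` element inside the locked `<location>` would read `level="High"` instead; the point of the lock is that the decision is made once, by the machine administrator, not per application.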

Page 9: Securing Your .NET Application

Web Server Level

- Every .NET Application runs under specific user credentials
  - Anonymous
  - Impersonation (pass-through)

Page 10: Securing Your .NET Application

Web Server – Anonymous

- Anonymous Security = IIS Virtual Directory configured to run under a specific user account
- Typical for public web applications
- Internal web applications can use it if combined with Active Directory

Page 11: Securing Your .NET Application

Web Server – Impersonation

- IIS configured to pass through user credentials
- Only works with Microsoft Internet Explorer
- IE passes the Windows domain and user to the application
- Fraught with problems
  - Double-hop not allowed by Microsoft: a database on a different server cannot use Windows Authentication
  - Other browsers do not pass credentials
- Suited for Internal Applications
- Does not work for External Applications
- Alternative approach: use Anonymous + Active Directory

Page 12: Securing Your .NET Application

Iron Speed Recommends

- IIS configured to use Anonymous Access
- Use the IIS_machinename account
  - System account with limited capabilities

Page 13: Securing Your .NET Application

Web Application – Authentication

- Configure most web pages to require authentication
- Some web pages may be publicly accessible
- Multiple choices available
  - Active Directory
  - Windows Authentication
  - Database
  - SharePoint
- All choices are equally secure

Page 14: Securing Your .NET Application

Iron Speed Recommends

- Use Active Directory if all users are internal
- Use Database if it is an external or extranet application

Page 15: Securing Your .NET Application

Web Application – Authorization

- Use Role-Based Security to authorize parts of the application
- Use page-level or control-level authorization
- Not sufficient to disable a button
  - E.g., do not just disable the Edit button – also secure the Edit page
- Use Roles in query WHERE clauses
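The slide's two rules (secure the page, not just the button; put the role into the WHERE clause) in ASP.NET Web Forms code. This is an added example, not code from the deck or from Iron Speed Designer; the role names "CustomerEditor" and "Manager", the Customers table and its OwnerUserName column are assumptions.

```csharp
// Added example, not from the deck: a page-level role check and a role-aware
// WHERE clause. Role names, the Customers table and its columns are assumed.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

public partial class EditCustomer : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Hiding or disabling the Edit button on the list page is not enough:
        // anyone who knows the URL can request this page directly, so the page
        // itself decides who may load it.
        if (!User.Identity.IsAuthenticated)
        {
            Response.Redirect("~/Login.aspx?ReturnUrl=" +
                              HttpUtility.UrlEncode(Request.RawUrl), true);
            return;
        }
        if (!User.IsInRole("CustomerEditor"))
        {
            // 403 rather than a silent redirect: the user is known, just not allowed.
            throw new HttpException(403, "Forbidden");
        }
    }
}

public static class CustomerQueries
{
    // The role is applied inside the query, so the data layer enforces the rule
    // even if a page forgets to. Every value, including the role flag, is a
    // parameter; nothing from the request is concatenated into the SQL text.
    // Managers see every row; everyone else sees only the rows they own.
    public static SqlCommand VisibleCustomers(SqlConnection conn, string userName,
                                              bool isManager, string nameFilter)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText =
            "SELECT CustomerId, Name, Region " +
            "FROM Customers " +
            "WHERE Name LIKE @Name " +
            "  AND (@IsManager = 1 OR OwnerUserName = @User)";
        // Note: '%' and '_' typed by the user still act as LIKE wildcards; that is
        // a search-behaviour question, not an injection, because the text never
        // becomes part of the statement.
        cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = nameFilter + "%";
        cmd.Parameters.Add("@IsManager", SqlDbType.Bit).Value = isManager;
        cmd.Parameters.Add("@User", SqlDbType.NVarChar, 100).Value = userName;
        return cmd;
    }
}
```

A caller computes the flag from the same principal the page checked (`User.IsInRole("Manager")`) and passes `User.Identity.Name` as the user name, so the query cannot be steered by anything in the request. The same page-level rule can also be declared in web.config with a `<location path="EditCustomer.aspx">` block containing `<authorization><allow roles="CustomerEditor"/><deny users="*"/></authorization>`; the code check above is the control-level complement to that.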

Page 16: Securing Your .NET Application

Iron Speed Recommends

- Use any of the role-based security protocols
- Most customers find they need application-level control of roles – so use Database Roles – regardless of which authentication is used

Page 17: Securing Your .NET Application

Database Security

- Limit the database account to query execution
- Exclude “dbcreator” access to prevent DROP or ALTER
- Use database-specific accounts (instead of Windows Authentication)

Page 18: Securing Your .NET Application

Iron Speed Recommends

- SQL Server: Use SQL Server Authentication
- Use a separate Database Server

Page 19: Securing Your .NET Application

Best Practices – SQL Injection Attacks

- Text boxes in your application can be used to inject malicious SQL code

  SELECT *
  FROM Customers
  WHERE Name = ' + SearchTextbox.Text + '

- If the user enters: a'; DELETE FROM Customers WHERE '1' = '1
- Will delete all customers

Page 20: Securing Your .NET Application

Best Practices – SQL Injection Attacks

- Never trust user input
- Never use dynamic SQL
- Never connect to a database using an Admin account
- Encrypt sensitive data in the database
- Use custom error messages

Page 21: Securing Your .NET Application

Iron Speed Recommends

- All user input is quoted
- End users should not be allowed to create dynamic SQL
- Use a limited account for connecting to the database
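The three SQL injection slides above show the concatenated query, the input that turns it into a DELETE, and the rules (never dynamic SQL, limited account). The code below is an added example, not from the deck or Iron Speed Designer: it reproduces the slide's vulnerable pattern as a string builder next to the parameterised SqlCommand that replaces it, plus an input-shape check as a second line of defence. The Customers table follows the slide; the connection string and the sales_app login are placeholders.

```csharp
// Added example, not from the deck: the concatenated query from the slide beside
// its parameterised form. Connection string and login name are placeholders.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class CustomerSearch
{
    // VULNERABLE: reproduces the slide's pattern. The search text becomes part of
    // the SQL text itself, so a quote closes the literal and a semicolon starts a
    // second statement that the database executes as well.
    public static string BuildUnsafeQuery(string searchText)
    {
        return "SELECT * FROM Customers WHERE Name = '" + searchText + "'";
    }

    // SAFE: the value is sent as a typed parameter alongside the fixed SQL text.
    // SQL Server never parses the value as SQL, so quotes and semicolons inside it
    // are just characters compared against the Name column.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string searchText)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandType = CommandType.Text;
        cmd.CommandText = "SELECT CustomerId, Name FROM Customers WHERE Name = @Name";
        cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = searchText;
        return cmd;
    }

    // Secondary check on the input side: a length cap and a character whitelist.
    // Apostrophes are allowed because real names contain them (O'Brien); it is the
    // parameter, not this regex, that keeps them harmless.
    private static readonly Regex NameShape =
        new Regex(@"^[\p{L}\p{M} .'\-]{1,100}$", RegexOptions.Compiled);

    public static bool LooksLikeName(string searchText)
    {
        return searchText != null && NameShape.IsMatch(searchText);
    }

    public static void Main()
    {
        // The slide's input: a'; DELETE FROM Customers WHERE '1' = '1
        string hostile = "a'; DELETE FROM Customers WHERE '1' = '1";

        // Two statements in one string; the second one would delete every row.
        Console.WriteLine(BuildUnsafeQuery(hostile));
        // The whitelist rejects it (';' and '=' are not name characters).
        Console.WriteLine(LooksLikeName(hostile));

        // Connect as a limited, application-specific SQL login, never an admin
        // account, so that even a mistake elsewhere cannot DROP or ALTER anything.
        const string connectionString =
            "Server=DBSERVER;Database=Sales;User Id=sales_app;Password=<placeholder>;";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = BuildSafeCommand(conn, hostile))
        {
            // conn.Open(); cmd.ExecuteReader() would simply return no rows: the
            // whole hostile string is compared against Name as data.
        }
    }
}
```

The whitelist is deliberately the second check, not the first: a rule like "strip quotes" fails on legitimate data and on encodings the rule did not anticipate, whereas the parameter works for every input because the value never reaches the SQL parser.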

Page 22: Securing Your .NET Application

Best Practices – Cross-Site Scripting Attacks

- Cross-Site Scripting uses JavaScript, HTML, VBScript or other code
- Injected using regular data entry fields
- Execution happens when the data is displayed, if the data was not validated and quoted when saved

Page 23: Securing Your .NET Application

Iron Speed Recommends

- Do not allow users to input HTML or JavaScript
- Use a Rich-Text Editor sparingly
- Validate Rich-Text input
- Set HTMLEncodeValue = TRUE
- Validate using Cross-Site Validators
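The two slides above say that stored data must be encoded when displayed and validated when saved. The following is an added example (not from the deck, and not Iron Speed Designer's HTMLEncodeValue implementation) showing both halves in plain ASP.NET: HttpUtility encoding at the point of display and a tag-opener check on input for plain-text fields. The control and field names are assumptions; the `<script>` string is a constructed test input.

```csharp
// Added example, not from the deck: encode stored data when it is rendered and
// reject markup on the way in for fields that should never carry it.
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI.WebControls;

public static class SafeDisplay
{
    // Output side: whatever was saved is rendered as text. HtmlEncode turns
    // < > & " into entities, so a stored <script> tag is displayed, not executed.
    public static string EncodeForHtml(string stored)
    {
        return HttpUtility.HtmlEncode(stored ?? string.Empty);
    }

    // Attribute context (title="...", value="..."): quotes must be encoded too,
    // otherwise the value can close the attribute and start a new one.
    public static string EncodeForAttribute(string stored)
    {
        return HttpUtility.HtmlAttributeEncode(stored ?? string.Empty);
    }

    // Input side: plain-text fields (name, phone, city) never legitimately contain
    // a tag opener, so reject before saving instead of trying to "clean" it.
    private static readonly Regex TagOpener =
        new Regex(@"<\s*/?\s*[a-zA-Z!?]", RegexOptions.Compiled);

    public static bool ContainsMarkup(string input)
    {
        return input != null && TagOpener.IsMatch(input);
    }

    // Label.Text and Literal.Text are written to the page verbatim by Web Forms,
    // so the encoding has to happen here, at the point of display.
    public static void Bind(Label nameLabel, Literal bioLiteral, string name, string bio)
    {
        nameLabel.Text = EncodeForHtml(name);
        bioLiteral.Mode = LiteralMode.Encode;   // Literal can encode for us (.NET 2.0+)
        bioLiteral.Text = bio ?? string.Empty;
    }

    public static void Main()
    {
        string hostile = "<script>alert('xss')</script>";   // constructed test input
        Console.WriteLine(EncodeForHtml(hostile));            // entities: shown as text by the browser
        Console.WriteLine(ContainsMarkup(hostile));           // rejected on input
        Console.WriteLine(ContainsMarkup("5 < 6 and 7 > 3")); // allowed: '<' not followed by a tag name
    }
}
```

Encoding on output is the rule that always applies; the input check only makes sense for fields that have no business containing markup. For a rich-text field the slide's advice (validate the rich-text input, use the editor sparingly) is the right frame, because a simple tag-opener check would reject every legitimate entry.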

Page 24: Securing Your .NET Application

Best Practices – Secure Communications

- Browser-to-server communications can be easily eavesdropped
- Use SSL (Secure Sockets Layer) to prevent eavesdropping
- Purchase an SSL Certificate from a trusted authority
- Set up IIS and the Virtual Directory to always redirect to the SSL site
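The last bullet is usually done in IIS ("Require secure channel" on the virtual directory). As an added example, not from the deck or Iron Speed Designer, the handler below does the same redirect inside the application, which is useful where the IIS setting cannot be relied on. It assumes the default SSL port 443 and that the handler lives in Global.asax.cs.

```csharp
// Added example, not from the deck: an application-level fallback for "always
// redirect to the SSL site", placed in Global.asax.cs.
using System;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;

        // Already on SSL, or a developer hitting localhost: nothing to do.
        if (request.IsSecureConnection || request.IsLocal)
        {
            return;
        }

        // Rebuild the same URL with the https scheme and the default SSL port,
        // keeping path and query so deep links still work.
        UriBuilder secure = new UriBuilder(request.Url);
        secure.Scheme = Uri.UriSchemeHttps;
        secure.Port = 443;

        // 301 so browsers and proxies remember the secure address. A POST body is
        // lost on redirect, which is why forms should be served from https in the
        // first place rather than relying on this handler.
        Context.Response.StatusCode = 301;
        Context.Response.AddHeader("Location", secure.Uri.AbsoluteUri);
        Context.Response.End();
    }
}
```

The redirect protects the page content, not the cookies: the forms-authentication and session cookies are still sent over plain HTTP on the very first request unless web.config also sets `<forms requireSSL="true" />` and `<httpCookies requireSSL="true" httpOnlyCookies="true" />`, so those two settings belong with the redirect.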

Page 25: Securing Your .NET Application

Best Practices – Secure Communications

- URL parameters may also expose data
- Use URL Encryption, or pass data through POST or using Session
- Encrypt URL parameters using a key based on the Session Id
- Prevents reverse-engineering because each parameter value is encrypted using a session-based key
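An added example of session-keyed URL parameter encryption, not from the deck and not Iron Speed Designer's URL Encryption feature. One design choice differs from the slide's wording: rather than deriving the key from the session Id (which the browser also holds in its cookie), the key is a random value stored in Session state, so only the server ever knows it. An HMAC is added so that a token that was edited, or was issued to a different session, is rejected before anything is decrypted. The session slot name is an assumption; Aes.Create() needs .NET 3.5 or later.

```csharp
// Added example, not from the deck: URL parameter encryption with a per-session
// random key held in Session state plus an HMAC for tamper detection.
// Usage on the sending page:
//     string link = "CustomerDetail.aspx?id=" + UrlCrypto.Protect(Session, id.ToString());
// and on the receiving page:
//     string id = UrlCrypto.Unprotect(Session, Request.QueryString["id"]);  // null = reject
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.SessionState;

public static class UrlCrypto
{
    private const string KeySlot = "__UrlParamKey";   // assumed session slot name
    private const int IvBytes = 16, MacBytes = 32;

    // One random 256-bit key per session, created on first use.
    private static byte[] SessionKey(HttpSessionState session)
    {
        byte[] key = session[KeySlot] as byte[];
        if (key == null)
        {
            key = new byte[32];
            new RNGCryptoServiceProvider().GetBytes(key);
            session[KeySlot] = key;
        }
        return key;
    }

    // token = UrlTokenEncode( IV || AES-CBC(value) || HMAC-SHA256(IV || ciphertext) )
    public static string Protect(HttpSessionState session, string value)
    {
        byte[] key = SessionKey(session);
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV();                       // fresh IV per value
            byte[] plain = Encoding.UTF8.GetBytes(value ?? string.Empty);
            byte[] cipher;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
            byte[] body = Concat(aes.IV, cipher);
            byte[] mac;
            using (HMACSHA256 hmac = new HMACSHA256(key))
                mac = hmac.ComputeHash(body);
            return HttpServerUtility.UrlTokenEncode(Concat(body, mac));   // URL-safe base64
        }
    }

    // Returns null for anything that is not a valid token for this session.
    public static string Unprotect(HttpSessionState session, string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        byte[] raw;
        try { raw = HttpServerUtility.UrlTokenDecode(token); }
        catch (FormatException) { return null; }
        if (raw == null || raw.Length < IvBytes + 16 + MacBytes) return null;

        byte[] key = SessionKey(session);
        int bodyLen = raw.Length - MacBytes;
        byte[] body = Slice(raw, 0, bodyLen);
        byte[] expected;
        using (HMACSHA256 hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(body);
        // Check the MAC first: a wrong session key or an edited token stops here.
        if (!FixedTimeEquals(Slice(raw, bodyLen, MacBytes), expected)) return null;

        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.IV = Slice(body, 0, IvBytes);
            try
            {
                using (ICryptoTransform dec = aes.CreateDecryptor())
                    return Encoding.UTF8.GetString(
                        dec.TransformFinalBlock(body, IvBytes, bodyLen - IvBytes));
            }
            catch (CryptographicException) { return null; }
        }
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    private static byte[] Slice(byte[] src, int offset, int count)
    {
        byte[] r = new byte[count];
        Buffer.BlockCopy(src, offset, r, 0, count);
        return r;
    }

    // Compare every byte so timing does not reveal where the first difference is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because the key lives only in the session, a link copied from one user's browser is meaningless in another session, which is the slide's "prevents reverse-engineering" property. The receiving page must still apply the authorization check from the earlier slide: encryption hides and protects the parameter, it does not decide who is allowed to see the record.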

Page 26: Securing Your .NET Application

Iron Speed Recommends

- Use SSL (HTTPS) for all secure sites
- Use URL Encryption for all secure sites

Page 27: Securing Your .NET Application

Best Practices – Multiple Applications

- Develop separate Internal and External Applications
  - Helps secure Internal applications through VPN, Active Directory, etc.
  - External Applications can be secured using Database Users and/or Database Role-Based Security

Page 28: Securing Your .NET Application

Iron Speed Recommends

- Separate Applications for Internal and External Use

Page 29: Securing Your .NET Application

Data Level

- Encrypt all sensitive data
  - Passwords
  - Social Security Numbers
  - Credit Card Numbers
  - Birth Dates
  - Confidential numbers like Salary

Page 30: Securing Your .NET Application

Iron Speed Recommends

- One-way encryption for password-type fields
  - Encrypt and save
  - Compare with the encrypted data rather than decrypting
- Two-way encryption / decryption for other data

Page 31: Securing Your .NET Application

Security Audits

- Maintain a security checklist
- Regularly audit each ring of security
- All system changes must be followed by security audits
- Regularly check System and Event logs

Security is not a one-time issue, it is an ongoing endeavor

Re-validate upon each application modification/deployment

Page 32: Securing Your .NET Application

Iron Speed Designer

Page 33: Securing Your .NET Application

Iron Speed Designer Supports Authentication

- Windows Authentication
- Database (User table)
- Active Directory
- Microsoft SharePoint

Page 34: Securing Your .NET Application

Iron Speed Designer Supports Authorization

- Database (Roles)
- Active Directory Groups
- Microsoft Authorization Manager (AzMan)
- Microsoft SharePoint Groups

Page 35: Securing Your .NET Application

Iron Speed Designer Supports SQL Injection Attack Prevention

- All user input goes through multiple validations and is quoted
- No dynamic SQL allowed from the end user

Page 36: Securing Your .NET Application

Iron Speed Designer Supports Cross-Site Scripting Attack Prevention

- Prevents HTML / JavaScript execution by encoding
- HTMLEncodeValue = True by default

Page 37: Securing Your .NET Application

Iron Speed Designer Supports URL Encryption

- Turn on in Application Generation Options

Page 38: Securing Your .NET Application

Iron Speed Designer Supports Session Timeouts

- Logout after a certain time

Page 39: Securing Your .NET Application

Iron Speed Designer Supports Web Server and Database Security

- Use SSL Security
- Configure IIS Virtual Directory settings using a specific account
- Configure Database Accounts

Page 40: Securing Your .NET Application

Iron Speed Designer Supports

- Major security challenges out-of-the-box
- Best practices out-of-the-box
- Other security challenges through simple configuration based on system needs

Page 41: Securing Your .NET Application

Why use Iron Speed Designer?

- Speed application development
- Cut software development costs
- Reduce testing time
- Simplify maintenance
- Built-in Security

Application generation = acceleration

Page 42: Securing Your .NET Application

Questions?

Page 43: Securing Your .NET Application

Course Materials

Download from http://cdn.ironspeed.com/videos/RaziMohiuddin/V71.Security.zip