Securing Your ASP.NET Application Presented by: Rob Bagby Developer Evangelist Microsoft rob.bagby@...


  • Securing Your ASP.NET Application
    Presented by: Rob Bagby, Developer Evangelist, Microsoft
    rob.bagby@microsoft.com (email)
    http://www.robbagby.com (blog)

  • Session Agenda
    Security Overview / Basics
    ASP.NET Security Architecture
    Authentication
    Authorization
    Input Validation
    Database
    Sensitive Data

  • Security Overview - Defense-In-Depth
    Defense-in-depth security: the concept that many layers of security are better than one layer.

  • Threat Modeling
    A structured approach to:
    Evaluate security threats
    Identify countermeasures

    Process:
    1. Identify Assets
    2. Create an Architectural Overview
    3. Decompose the Application
    4. Identify the Threats
    5. Document the Threats
    6. Rate the Threats

    DREAD helps rate risk:
    Damage potential
    Reproducibility
    Exploitability
    Affected users
    Discoverability

    More information in MSDN Patterns and Practices:
    http://msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp

  • ASP.NET Architecture - Overview

  • ASP.NET Architecture - Gatekeepers
    Gatekeepers: the authorization points within an ASP.NET application. They are provided by IIS and by ASP.NET.
    IIS:
    Permits requests from users that it can authenticate (with anonymous access turned off)
    Uses NTFS permissions to perform access control

  • ASP.NET Architecture - Gatekeepers
    ASP.NET has 2 gatekeepers:
    UrlAuthorizationModule
      Configure the authorization elements in Web.config to control access
      Based on IPrincipal (stored in HttpContext.User)
    FileAuthorizationModule
      For file types mapped to the ASP.NET ISAPI extension
      Access checks are done using the authenticated user's token
      (could be the anonymous account)

  • ASP.NET Architecture - Gatekeepers

  • ASP.NET Architecture - Principal Permission Demands
    Declarative:
      [PrincipalPermission(SecurityAction.Demand, Role = @"DomainName\WindowsGroup")]
    Imperative:
      PrincipalPermission permCheck = new PrincipalPermission(null, @"DomainName\WindowsGroup");
      permCheck.Demand();

  • Authentication
    The process by which a user is uniquely identified, given his/her credentials.

    Authentication options:
    Windows w/ impersonation
    Windows w/o impersonation
    Forms
    Passport

  • Authentication - Windows (Overview)
    Operating system authenticates the user
    Requires a valid Windows account
    Transparent access to resources
    WindowsIdentity:
      WindowsIdentity widentity = WindowsIdentity.GetCurrent();
      IIdentity iidentity = WindowsIdentity.GetCurrent();

  • Authentication - Windows Configuration (w/ Impersonation)
    Advantages:
    ACLs for resources accessed by your app
    Flow the caller's identity to the middle tier
    Disadvantages:
    Reduced scalability (per-user identities defeat database connection pooling)
    Requires a Windows account for each user
    Increased administration

  • Authentication - Windows Configuration (w/o Impersonation)
    (or no identity element)
    Advantages:
    ACLs for client-requested resources
    URL authorization
    Disadvantages:
    Requires a Windows account for each user
    Increased administration

  • Authentication - Forms Configuration
    Advantages:
    No Windows accounts required
    Firewall friendly
    Disadvantages:
    You have to implement / write it yourself

  • Authentication - Passport Configuration
    Advantages:
    Single sign-on
    Disadvantages:
    Non-trivial to implement

  • Authorization
    The process by which the system validates that the authenticated user has access to resources or has privileges to perform certain operations.

    Options depend upon the authentication type:
    Windows w/ impersonation
    Windows w/o impersonation
    Forms
    Passport

  • Authorization - Windows Behaviors (w/ Impersonation)
    ACLs:
    Client-requested resources: original caller's token
    Resources accessed by the application: original caller's token
    URL authorization: original caller's group or user

  • Authorization - Windows Behaviors (w/o Impersonation)
    ACLs:
    Client-requested resources: original caller's token
    Resources accessed by the application: ASP.NET process identity
    URL authorization: original caller's group or user

  • Authorization - Forms Behaviors
    ACLs:
    Client-requested resources: ACLs must allow read access to the anonymous Internet user account
    File authorization not available
    Resources accessed by the application: ASP.NET process identity
    URL authorization: determined by a custom data store. SQL example:
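    The "you have to implement / write it" part of Forms authentication, and the custom role store that URL authorization then relies on, look like this in practice. The code below is an added example, not from the deck or from Rob Bagby. It assumes classic ASP.NET on the .NET Framework, a Web.config with authentication mode set to Forms and anonymous users denied, and that Login.aspx has already validated the credentials against the application's own user table (the roles passed to IssueTicket are whatever that lookup returned; the names are constructed).

```csharp
// Added example (not from the original deck): Forms authentication with roles carried in the
// ticket, rebuilt into a GenericPrincipal on every request so that User.IsInRole,
// PrincipalPermission demands and <allow roles="..."> in Web.config all see the same roles.
// Assumes .NET Framework, <authentication mode="Forms"> and <deny users="?"/> in Web.config.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class LoginHelper
{
    // Login.aspx code-behind calls this after validating the credentials against the
    // application's own user store (the part the slide says you have to write yourself).
    public static void IssueTicket(HttpResponse response, string userName, string[] roles)
    {
        // Roles travel in the ticket's UserData, so each request can rebuild the principal
        // without another database round trip.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(20),         // short absolute lifetime
            false,                               // not persistent across browser sessions
            string.Join(",", roles),
            FormsAuthentication.FormsCookiePath);

        // Encrypt() both encrypts and signs the ticket using the machineKey settings,
        // so a client cannot edit the role list.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.HttpOnly = true;                  // keep the ticket away from script
        cookie.Secure = FormsAuthentication.RequireSSL;
        response.Cookies.Add(cookie);
    }
}

// Global.asax code-behind. FormsAuthenticationModule has already validated the cookie and
// set a FormsIdentity by the time this runs; UrlAuthorizationModule runs afterwards.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            return;                              // anonymous request: URL authorization decides
        }

        FormsIdentity identity = ctx.User.Identity as FormsIdentity;
        if (identity == null)
        {
            return;                              // not a Forms ticket (should not happen here)
        }

        // Rebuild the principal with the roles from the (already verified) ticket.
        string[] roles = identity.Ticket.UserData.Split(
            new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        ctx.User = new GenericPrincipal(identity, roles);
    }
}
```

    Because the roles are inside the encrypted, signed ticket, a stale role assignment survives until the ticket expires; the short lifetime above is the trade-off against re-querying the store on every request.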

  • Authorization cont. (Role-Based)
    .NET role-based options:
    Declarative demands with PrincipalPermissionAttribute (1 role):
      [PrincipalPermissionAttribute(SecurityAction.Demand, Role = "MyRole")]
    Imperative demands using the PrincipalPermission object (multiple):
      public void MyMethod()
      {
          PrincipalPermission perm = new PrincipalPermission(null, "MyRole");
          perm.Demand();
      }
    Role checks with IsInRole (multiple):
      principal.IsInRole("MyRole");
    Custom authentication role checks:
      string[] roles = new string[] { "MyRole", "MyRole1" };
      IPrincipal principal = new GenericPrincipal(identity, roles);
      principal.IsInRole("MyRole");

  • Authorization cont. (Guidelines)
    Defense-in-depth approach
    Granular roles
    Declarative demands, where possible
    Use IsInRole if you need to check membership in more than one role
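    The three role-check styles from the previous two slides (declarative demand, imperative demand, IsInRole), run side by side so the difference in behaviour is visible. This is an added example, not code from the deck; it sets Thread.CurrentPrincipal by hand so it runs as a console program on the .NET Framework (PrincipalPermission.Demand is not supported on .NET Core / .NET 5+), whereas in ASP.NET the runtime sets the principal from HttpContext.User. The role names and user names are constructed.

```csharp
// Added example (not from the original deck). Assumes .NET Framework; role and user
// names are constructed for the example.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public class PayrollService
{
    // Declarative: the runtime checks Thread.CurrentPrincipal before the body runs.
    // Best when the required role is fixed at design time (the slide's "where possible").
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public void ApproveBonus()
    {
        Console.WriteLine("bonus approved");
    }

    // Imperative: the role name can depend on runtime data, such as the branch requested.
    public void ViewLedger(string branch)
    {
        PrincipalPermission perm = new PrincipalPermission(null, branch + "-Clerk");
        perm.Demand();                           // SecurityException if the caller is not a member
        Console.WriteLine("ledger for " + branch);
    }

    // IsInRole: no exception, so it fits "any of several roles" checks and UI decisions.
    public bool CanExport()
    {
        IPrincipal user = Thread.CurrentPrincipal;
        return user.IsInRole("Manager") || user.IsInRole("Auditor");
    }
}

public class Program
{
    // Runs an action as the given user and reports a denied demand instead of crashing.
    static void RunAs(string name, string[] roles, Action action)
    {
        IPrincipal saved = Thread.CurrentPrincipal;
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(name), roles);
        try
        {
            action();
        }
        catch (SecurityException)
        {
            Console.WriteLine(name + ": access denied");
        }
        finally
        {
            Thread.CurrentPrincipal = saved;    // never leave an elevated principal behind
        }
    }

    public static void Main()
    {
        PayrollService svc = new PayrollService();
        string[] managerRoles = { "Manager", "NYC-Clerk" };
        string[] clerkRoles = { "NYC-Clerk" };

        RunAs("alice", managerRoles, () => svc.ApproveBonus());   // Manager: demand passes
        RunAs("bob", clerkRoles, () => svc.ApproveBonus());       // no Manager role: denied
        RunAs("bob", clerkRoles, () => svc.ViewLedger("NYC"));    // NYC-Clerk: demand passes
        RunAs("bob", clerkRoles, () => svc.ViewLedger("LA"));     // no LA-Clerk role: denied
        RunAs("bob", clerkRoles, () => Console.WriteLine("can export: " + svc.CanExport()));
    }
}
```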

  • ASP.NET Forms Authentication (demo)

  • Input Validation
    Assume all input is malicious
    Centralize your approach
    Do not rely on client-side validation
    Be careful with canonicalization issues
    Constrain, reject, and sanitize your input
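    A centralized validator that applies the slide's order (constrain, then reject, then sanitize) and a canonicalization check for a path-like parameter, as an added example that is not from the deck. It assumes the .NET Framework with System.Web referenced; the allowed root folder, the field pattern and the sample inputs are all constructed.

```csharp
// Added example (not from the original deck). Assumes .NET Framework / System.Web;
// the root folder, allow-list pattern and sample inputs are constructed.
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

public static class InputValidator
{
    // Constrain: an allow-list of characters with an explicit length bound.
    private static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9_.-]{1,32}$", RegexOptions.Compiled);

    // Reject: anything outside the allow-list never reaches the rest of the application.
    public static bool TryGetUserName(string raw, out string userName)
    {
        userName = null;
        if (raw == null) return false;
        string trimmed = raw.Trim();
        if (!UserNamePattern.IsMatch(trimmed)) return false;
        userName = trimmed;
        return true;
    }

    // Sanitize (for output): HTML-encode whatever is echoed back to the page, so a value
    // that failed validation can still be shown in an error message safely.
    public static string ForHtml(string value)
    {
        return HttpUtility.HtmlEncode(value ?? string.Empty);
    }

    // Canonicalization: decide on the resolved path, not on the raw string. A request such as
    // "..\web.config" looks harmless as text but leaves the root once it is resolved.
    public static bool TryResolveUnderRoot(string root, string requested, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrEmpty(requested) || requested.IndexOf('\0') >= 0) return false;

        string canonicalRoot = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar)
                               + Path.DirectorySeparatorChar;
        string candidate;
        try
        {
            // Path.Combine returns the second argument unchanged if it is rooted, so the
            // StartsWith check below is what actually enforces the boundary.
            candidate = Path.GetFullPath(Path.Combine(canonicalRoot, requested));
        }
        catch (ArgumentException) { return false; }        // invalid path characters
        catch (NotSupportedException) { return false; }    // e.g. a stray drive specifier

        if (!candidate.StartsWith(canonicalRoot, StringComparison.OrdinalIgnoreCase)) return false;
        fullPath = candidate;
        return true;
    }
}

public class Program
{
    public static void Main()
    {
        string[] names = { "rob.bagby", "rob<script>", new string('a', 40) };
        foreach (string n in names)
        {
            string clean;
            bool ok = InputValidator.TryGetUserName(n, out clean);
            Console.WriteLine(ok ? "accepted: " + clean : "rejected: " + InputValidator.ForHtml(n));
        }

        string root = @"C:\inetpub\wwwroot\downloads";   // constructed
        string[] files = { "report.pdf", @"..\web.config", "sub/../../notes.txt" };
        foreach (string f in files)
        {
            string full;
            bool ok = InputValidator.TryResolveUnderRoot(root, f, out full);
            Console.WriteLine((ok ? "serve: " : "refuse: ") + f);
        }
    }
}
```

    Keeping the regular expression and the root-folder check in one class is what "centralize your approach" buys you: every page calls the same code, and a later tightening of the pattern is a one-line change.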

  • Database
    Use stored procedures
    Grant access only to stored procedures
    Parameterize queries when stored procedures are not possible
    Use a least-privileged account approach
    Protect connection strings as secrets
    Hash passwords
    Encrypt sensitive data
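    The same lookup written three ways, so the difference between a concatenated query, a parameterized query and a stored procedure call is visible in the code. This is an added example, not from the deck; it assumes the .NET Framework with System.Data.SqlClient, a constructed table dbo.Users(UserName, DisplayName), a constructed procedure dbo.GetUserByName(@UserName), and that the connection string is supplied by the caller from a protected configuration source.

```csharp
// Added example (not from the original deck). Table, procedure and column names are constructed.
using System;
using System.Data;
using System.Data.SqlClient;

public class UserRepository
{
    private readonly string _connectionString;

    public UserRepository(string connectionString)
    {
        // Treated as a secret: read from protected configuration, never a literal in code.
        _connectionString = connectionString;
    }

    // VULNERABLE, kept only to show the pattern to avoid: the input becomes part of the SQL
    // text, so a value containing a quote character changes the meaning of the statement.
    public string GetDisplayName_Concatenated(string userName)
    {
        string sql = "SELECT DisplayName FROM dbo.Users WHERE UserName = '" + userName + "'";
        using (SqlConnection conn = new SqlConnection(_connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // Parameterized: the value is sent as typed, length-bounded data and is never parsed as SQL.
    public string GetDisplayName_Parameterized(string userName)
    {
        const string sql = "SELECT DisplayName FROM dbo.Users WHERE UserName = @UserName";
        using (SqlConnection conn = new SqlConnection(_connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 32).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // Stored procedure: same parameter handling, and the application login only needs
    // EXECUTE on the procedure (GRANT EXECUTE ON dbo.GetUserByName TO <app role>) rather
    // than SELECT on the table, which is the least-privilege point from the slide.
    public string GetDisplayName_StoredProcedure(string userName)
    {
        using (SqlConnection conn = new SqlConnection(_connectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.GetUserByName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 32).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

    The parameter's declared type and length (NVarChar, 32) also act as a server-side constraint on the input, which is a second layer on top of the validation done in the web tier.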

  • Sensitive Data
    Hashing: practically impossible to reverse
    Encryption: can only decrypt with the encryption key
    DPAPI: Data Protection API
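    The three tools from the slide applied to the two kinds of data from the Database slide: a salted hash for passwords (never needs reversing), symmetric encryption for data that must be read back, and DPAPI to protect the encryption key on the server. This is an added example, not the deck's demo; it assumes the .NET Framework with System.Security.dll referenced for ProtectedData, and the password and secret values are constructed samples.

```csharp
// Added example (not from the original deck). Assumes .NET Framework; sample values constructed.
using System;
using System.Security.Cryptography;
using System.Text;

public static class SensitiveData
{
    // Hashing: salted PBKDF2 via Rfc2898DeriveBytes. Store salt + hash; verify by re-deriving.
    public static byte[] HashPassword(string password, byte[] salt, int iterations)
    {
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, iterations))
        {
            return kdf.GetBytes(32);
        }
    }

    public static bool VerifyPassword(string password, byte[] salt, int iterations, byte[] expected)
    {
        byte[] actual = HashPassword(password, salt, iterations);
        // Constant-time comparison: do not stop at the first differing byte.
        int diff = actual.Length ^ expected.Length;
        for (int i = 0; i < actual.Length && i < expected.Length; i++) diff |= actual[i] ^ expected[i];
        return diff == 0;
    }

    // Encryption: AES-CBC with a fresh random IV prepended to the ciphertext. Reversible by
    // design, which is why the key is now the secret that needs protecting. For data an
    // attacker could tamper with, add an HMAC over IV + ciphertext as well.
    public static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV();
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
                byte[] output = new byte[aes.IV.Length + cipher.Length];
                Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);
                Buffer.BlockCopy(cipher, 0, output, aes.IV.Length, cipher.Length);
                return output;
            }
        }
    }

    public static byte[] Decrypt(byte[] key, byte[] ivAndCipher)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(ivAndCipher, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                return dec.TransformFinalBlock(ivAndCipher, iv.Length, ivAndCipher.Length - iv.Length);
            }
        }
    }

    // DPAPI: Windows protects the blob with a key derived from machine (or user) credentials,
    // so the application never has to store its own master key in the clear.
    public static byte[] ProtectKey(byte[] key)
    {
        return ProtectedData.Protect(key, null, DataProtectionScope.LocalMachine);
    }

    public static byte[] UnprotectKey(byte[] blob)
    {
        return ProtectedData.Unprotect(blob, null, DataProtectionScope.LocalMachine);
    }
}

public class Program
{
    public static void Main()
    {
        RandomNumberGenerator rng = RandomNumberGenerator.Create();

        byte[] salt = new byte[16];
        rng.GetBytes(salt);
        byte[] stored = SensitiveData.HashPassword("sample-password", salt, 10000);   // constructed
        Console.WriteLine("verify good: " + SensitiveData.VerifyPassword("sample-password", salt, 10000, stored));
        Console.WriteLine("verify bad:  " + SensitiveData.VerifyPassword("other", salt, 10000, stored));

        byte[] key = new byte[32];
        rng.GetBytes(key);
        byte[] blob = SensitiveData.Encrypt(key, Encoding.UTF8.GetBytes("sample secret"));  // constructed
        Console.WriteLine("round trip:  " + Encoding.UTF8.GetString(SensitiveData.Decrypt(key, blob)));

        byte[] protectedKey = SensitiveData.ProtectKey(key);   // this blob is what gets stored
        byte[] recovered = SensitiveData.UnprotectKey(protectedKey);
        Console.WriteLine("key matches: " + SensitiveData.VerifyPassword("", recovered, 1, SensitiveData.HashPassword("", key, 1)));
    }
}
```

    With DataProtectionScope.LocalMachine any process on that server can unprotect the blob, so NTFS permissions on the file holding it still matter; DataProtectionScope.CurrentUser ties it to the ASP.NET process account instead, at the cost of a loaded user profile.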

  • Sensitive Data Cont.

  • Sensitive Data Cont.

  • Sensitive Data Cont.

  • Sensitive Data (demo)

  • Wrap-up & Questions
    Rob Bagby, Developer Evangelist, Microsoft
    rob.bagby@microsoft.com (email)
    http://www.robbagby.com (blog)