Securing Your ASP.NET Application

Presented by: Rob Bagby, Developer Evangelist, Microsoft
[email protected] (email)
http://www.robbagby.com (blog)

Transcript of "Securing Your ASP.NET Application" (slide deck)

Session Agenda

Security Overview / Basics
ASP.NET Security Architecture
Authentication
Authorization
Input Validation
Database
Sensitive Data

Security Overview

Defense-In-Depth Security – The concept that many layers of security are better than one layer.

Threat Modeling

Structured approach to:
  Evaluate security threats
  Identify countermeasures

DREAD helps rate risk:
  Damage potential
  Reproducibility
  Exploitability
  Affected users
  Discoverability

More information in MSDN Patterns and Practices: http://msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp

Threat Modeling Process

1. Identify Assets

2. Create an Architectural Overview

3. Decompose the Application

4. Identify the Threats

5. Document the Threats

6. Rate the Threats


ASP.NET Architecture - Overview

Gatekeepers – The authorization points within an ASP.NET application that are provided by:
  IIS
  ASP.NET

ASP.NET Architecture - Gatekeepers

IIS
  Permits requests from users that it can authenticate (with anonymous access turned off)
  Uses NTFS permissions to perform access control

ASP.NET – has 2 gatekeepers
  UrlAuthorizationModule
    Configure <authorization> elements in Web.config to control access
    Based on IPrincipal (stored in HttpContext.User)
  FileAuthorizationModule
    For file types mapped to the ASP.NET ISAPI extension
    Access checks done using the authenticated user's token
    Could be the anonymous account

ASP.NET Architecture (Principal Permission Demands)

Declarative
  [PrincipalPermission(SecurityAction.Demand, Role=@"DomainName\WindowsGroup")]

Imperative
  PrincipalPermission permCheck = new PrincipalPermission(null, @"DomainName\WindowsGroup");
  permCheck.Demand();


Authentication

The process by which a user is uniquely identified, given his/her credentials.

Authentication Options
  Windows w/ impersonation
  Windows w/o impersonation
  Forms
  Passport

Authentication - Windows (Overview)

Operating system authenticates user
Requires valid Windows account
Transparent access to resources

  WindowsIdentity widentity = WindowsIdentity.GetCurrent();
  IIdentity iidentity = WindowsIdentity.GetCurrent();

Authentication - Windows (w/ Impersonation)

Configuration
  <authentication mode="Windows" />
  <identity impersonate="true" />

Advantages
  ACLs for resources accessed by your app
  Flow caller's identity to middle tier

Disadvantages
  Reduced scalability – database connection pooling
  Requires Windows account for each user
  Increased administration

Authentication - Windows (w/o Impersonation)

Configuration
  <authentication mode="Windows" />
  <identity impersonate="false" /> (or no identity element)

Advantages
  ACLs for client requested resources
  URL Authorization
    <authorization>
      <deny users="DomainName\UserName" />
      <allow roles="DomainName\WindowsGroupName" />
    </authorization>

Disadvantages
  Requires Windows account for each user
  Increased administration

Authentication - Forms

Configuration
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" name="AuthCookie" timeout="60" path="/" />
  </authentication>

Advantages
  No Windows accounts required
  Firewall friendly

Disadvantages
  You have to implement / write it yourself

Authentication - Passport

Configuration
  <authentication mode="Passport" />

Advantages
  Single sign-on

Disadvantages
  Non-trivial to implement


Authorization

The process by which the system validates that the authenticated user has access to resources or has privileges to perform certain operations.

Options depend upon authentication type
  Windows w/ impersonation
  Windows w/o impersonation
  Forms
  Passport

Authorization - Windows (w/ Impersonation)

Behaviors
  ACLs
    Client requested resources: original caller's token
    Resources accessed by application: original caller's token
  URL Authorization: original caller's group or user
    <authorization>
      <deny users="DomainName\UserName" />
      <allow roles="DomainName\WindowsGroupName" />
    </authorization>

Authorization - Windows (w/o Impersonation)

Behaviors
  ACLs
    Client requested resources: original caller's token
    Resources accessed by application: ASP.NET process identity
  URL Authorization: original caller's group or user
    <authorization>
      <deny users="DomainName\UserName" />
      <allow roles="DomainName\WindowsGroupName" />
    </authorization>

Authorization - Forms

Behaviors
  ACLs
    Client requested resources: ACLs must allow read access to the anonymous Internet user account
    File Authorization not available
    Resources accessed by application: ASP.NET process identity
  URL Authorization: determined by a custom data store (e.g. SQL). Example:
    <authorization>
      <deny users="?" />
      <allow roles="RoleName, RoleName1" />
    </authorization>
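The Forms authentication slide and the role-based <allow roles="..."/> rule above depend on the application putting roles into the forms ticket and rebuilding the principal on every request; this added example (not the deck's code) shows that wiring. UserStore.ValidateCredentials, UserStore.GetRoles and the UserName/Password text boxes are hypothetical names standing in for your own user store and login page.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// login.aspx code-behind: validate against your own store, then issue a ticket whose
// UserData carries the roles, so roles never come from anything the client can edit.
public partial class Login : System.Web.UI.Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text;
        if (!UserStore.ValidateCredentials(user, Password.Text))   // hypothetical helper
            return;   // show one generic failure message; do not say which part was wrong

        string roles = string.Join(",", UserStore.GetRoles(user));   // hypothetical helper
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, user, DateTime.Now, DateTime.Now.AddMinutes(60), false, roles);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                      // ticket not readable by script
        cookie.Secure = Request.IsSecureConnection;  // only sent over HTTPS when the site uses it
        Response.Cookies.Add(cookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(user, false));
    }
}

// Global.asax code-behind: rebuild HttpContext.User on every request so that the
// <allow roles="..."/> rule in Web.config and IsInRole see the roles from the ticket.
// Web.config rules are evaluated top-down; put <deny users="*"/> after the allow line
// if only those roles should get in, otherwise any authenticated user is admitted.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
            return;   // anonymous request; the <deny users="?"/> rule handles it

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }   // tampered or unreadable ticket: stay anonymous
        if (ticket == null || ticket.Expired)
            return;

        string[] roles = ticket.UserData.Split(',');
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```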

Authorization cont. (Role-Based)

.NET Role-Based Options

Declarative demands with PrincipalPermissionAttribute (1 role)
  [PrincipalPermissionAttribute(SecurityAction.Demand, Role="MyRole")]

Imperative demands using PrincipalPermission object (multiple)
  public void MyMethod()
  {
      PrincipalPermission perm = new PrincipalPermission(null, "MyRole");
      perm.Demand();
  }

Role checks with IsInRole (multiple)
  principal.IsInRole("MyRole");

Custom authentication role checks
  string[] roles = new string[] { "MyRole", "MyRole1" };
  IPrincipal principal = new GenericPrincipal(identity, roles);
  principal.IsInRole("MyRole");
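The declarative and imperative demands from the Principal Permission Demands slide and the IsInRole check above, run as an added console example (not the deck's code) against a constructed GenericPrincipal so the pass/fail behaviour is visible outside ASP.NET; the "Manager" and "Auditor" roles and the user "alice" are made up.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class RoleDemo
{
    // Declarative: the runtime demands the role before the method body runs.
    // (The attribute form needs .NET Framework; the imperative form below also runs on .NET Core.)
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public static string ApproveOrder()
    {
        return "approved";
    }

    // Imperative: Demand() throws SecurityException if the current principal lacks the role.
    public static string CancelOrder()
    {
        PrincipalPermission perm = new PrincipalPermission(null, "Manager");
        perm.Demand();
        return "cancelled";
    }

    // IsInRole: the right tool when membership in any one of several roles is enough.
    public static bool CanViewReports(IPrincipal p)
    {
        return p.IsInRole("Manager") || p.IsInRole("Auditor");
    }

    static void Main()
    {
        // Constructed principal. In ASP.NET this is HttpContext.User, which the runtime also
        // places on Thread.CurrentPrincipal; that is where PrincipalPermission looks.
        GenericIdentity identity = new GenericIdentity("alice");
        Thread.CurrentPrincipal = new GenericPrincipal(identity, new string[] { "Auditor" });

        Console.WriteLine("Can view reports: " + CanViewReports(Thread.CurrentPrincipal)); // True
        try
        {
            CancelOrder();   // alice is an Auditor, not a Manager
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Denied: " + ex.Message);
        }
    }
}
```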

Authorization cont. (Guidelines)

Defense-In-Depth Approach
Granular Roles
Declarative Demands, Where Possible
Use IsInRole If You Need to Check > 1 Role Membership

ASP.NET Forms Authentication (demo)


Input Validation

Assume all input is malicious
Centralize your approach
Do not rely on client-side validation
Be careful with canonicalization issues
Constrain, reject, and sanitize your input
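One way to centralize the constrain/reject guidance above and handle the canonicalization point, as an added example that is not from the deck; the user-name pattern, the download folder and the sample inputs are assumed values.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

// One validator class the whole application calls, so every entry point applies the same rules.
static class InputValidator
{
    // Constrain: anchored whitelist (letters, digits, . _ -), 3 to 32 characters.
    // Anything else is rejected outright rather than "cleaned up".
    static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9._-]{3,32}$", RegexOptions.Compiled);

    public static bool IsValidUserName(string value)
    {
        return value != null && UserNamePattern.IsMatch(value);
    }

    // Canonicalization: decide on the resolved path, not on the string the client sent.
    // ASP.NET has already URL-decoded the request value, so encoded ".." variants arrive
    // as ".." and are caught when the canonical path leaves the base directory.
    public static bool TryResolveDownload(string baseDir, string requested, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrEmpty(requested) ||
            requested.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            return false;   // separators and control characters are not valid in a file name

        string root = Path.GetFullPath(baseDir).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(root, requested));
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return false;   // resolved outside the download folder

        fullPath = candidate;
        return true;
    }

    static void Main()
    {
        string path;
        Console.WriteLine(IsValidUserName("rob.bagby"));                                   // True
        Console.WriteLine(IsValidUserName("rob bagby!"));                                  // False
        Console.WriteLine(TryResolveDownload(@"C:\site\downloads", "report.pdf", out path)); // True
        Console.WriteLine(TryResolveDownload(@"C:\site\downloads", "..", out path));         // False
    }
}
```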


Database

Use Stored Procedures
  Grant Access Only To Stored Procedures
  Parameterize Queries, When SPs Not Possible
Use Least-Privileged Account Approach
Protect Connection Strings As Secrets
Hash Passwords
Encrypt Sensitive Data
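The stored-procedure and parameterization rules above side by side with the pattern they replace, as an added example (not the deck's code); the Orders table, the dbo.GetOrdersByCustomer procedure and the column names are made up.

```csharp
using System.Data;
using System.Data.SqlClient;

// The SqlConnection is assumed to be opened from a connection string kept in protected
// configuration (e.g. an encrypted <connectionStrings> section), never a literal in code.
static class OrderData
{
    // The form the deck warns against: user input spliced into the SQL text, so the
    // value is parsed as part of the statement instead of being treated as data.
    public static SqlCommand VulnerableLookup(SqlConnection cn, string customerId)
    {
        return new SqlCommand(
            "SELECT OrderId, OrderDate, Total FROM dbo.Orders WHERE CustomerId = '" + customerId + "'", cn);
    }

    // Preferred: a stored procedure. The application's least-privileged login is granted
    // EXECUTE on this procedure only (GRANT EXECUTE ON dbo.GetOrdersByCustomer TO WebAppRole),
    // not SELECT on the underlying table.
    public static SqlCommand LookupViaProcedure(SqlConnection cn, string customerId)
    {
        SqlCommand cmd = new SqlCommand("dbo.GetOrdersByCustomer", cn);
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.Add("@CustomerId", SqlDbType.NVarChar, 20).Value = customerId;
        return cmd;
    }

    // When a procedure is not possible: parameterized text. The value travels as a typed
    // parameter, so quotes or comment sequences inside customerId cannot change the statement.
    public static SqlCommand LookupParameterized(SqlConnection cn, string customerId)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT OrderId, OrderDate, Total FROM dbo.Orders WHERE CustomerId = @CustomerId", cn);
        cmd.Parameters.Add("@CustomerId", SqlDbType.NVarChar, 20).Value = customerId;
        return cmd;
    }
}
```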


Sensitive Data

Hashing – Practically impossible to reverse
Encryption – Can only decrypt with the encryption key
DPAPI – Data Protection API

Sensitive Data Cont.

I want to… / Recommendation / Advantages / Limitations

Store a user password securely
  Recommendation: Salt + SHA1 (one-way hash). Prepend a random salt to the password before hashing to defend against off-line dictionary attacks.
  Advantages: No keys to manage.
  Limitations: Identical input yields identical hash values. Must store a salt to ensure unique cipher text for identical values.

Protect local user data
  Recommendation: DPAPI (encryption using keys derived from user credentials).
  Advantages: DPAPI manages keys on behalf of the application.
  Limitations: Data can't be decrypted by other users, or on other machines.

Encrypt data that will need to be decrypted later
  Recommendation: Symmetric encryption algorithms (e.g. Rijndael).
  Advantages: Flexible: data can be decrypted by other apps / machines that have the key.
  Limitations: Application must manage keys and transmit them securely.

Wrap-up & Questions …

Rob Bagby, Developer Evangelist
[email protected] (email)
http://www.robbagby.com (blog)