asp net security

Securing Your ASP.NET ApplicationPresented by:Rob BagbyDeveloper [email protected] (email)http://www.robbagby.com (blog)

Session AgendaSecurity Overview / BasicsASP.NET Security ArchitectureAuthenticationAuthorizationInput ValidationDatabaseSensitive Data

Security OverviewDefense-In-Depth Security The concept that many layers of security is better than one layer.

Threat ModelingStructured approach to:Evaluate security threatsIdentify countermeasures DREAD helps rate riskDamage potentialReproducibilityExploitabilityAffected usersDiscoverability More information in MSDN Patterns and Practiceshttp://msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp

1. Identify Assets2. Create an Architectural Overview3. Decompose the Application4. Identify the Threats5. Document the Threats6. Rate the Threats

ASP.NET Architecture - Overview

ASP.NET Architecture - GatekeepersGatekeepers The authorization points within an ASP.NET application that are provided by:IISASP.NETIISPermits requests from users that it can authenticate (with anonymous turned off)Uses NTFS permissions to perform access control

ASP.NET Architecture - GatekeepersASP.NET has 2 gatekeepersUrlAuthorizationModuleConfigure elements in Web.Config to configure accessBased on IPrincipal (stored in HttpContext.User)FileAuthorizationModuleFor file types mapped to the ASP.NET ISAPI ext.Access checks done using the authenticated users tokenCould be the anonymous account

ASP.NET Architecture - Gatekeepers

ASP.NET Architecture Declarative[PrincipalPermission(SecurityAction.Demand, Role=@"DomainName\WindowsGroup)] ImperativePrincipalPermission permCheck = new PrincipalPermission( null, @"DomainName\ WindowsGroup"); permCheck.Demand(); (Principal Permission Demands)

AuthenticationThe process by which a user is uniquely identified, given his/her credentials.

Authentication OptionsWindows w/ impersonationWindows w/o impersonationFormsPassport

Authentication - WindowsOperating system authenticates userRequires valid windows accountTransparent access to resourcesWindowsIdentityWindowsIdentity widentity = WindowsIdentity.GetCurrent();IIdentity iidentity = WindowsIdentity.GetCurrent();(Overview)

Authentication - WindowsConfiguration

AdvantagesACLs for Resources accessed by your app.Flow callers identity to middle tierDisadvantagesReduced scalability database poolingRequires windows account for each userIncreased administration(w/ Impersonation)

Authentication - WindowsConfiguration

(or no identity ele.)AdvantagesACLs for Client Requested ResourcesURL Authorization

DisadvantagesRequires windows account for each userIncreased administration(w/o Impersonation)

Authentication - FormsConfiguration

AdvantagesNo Windows accounts requiredFirewall friendlyDisadvantagesYou have to implement / write

Authentication - PassportConfiguration

AdvantagesSingle sign-onDisadvantagesNon-trivial to implement

AuthorizationThe Process By which The System Validates That The Authenticated User Has Access To Resources Or Has Privileges To Perform Certain Operations.

Options Depend upon Authentication typeWindows w/ impersonationWindows w/o impersonationFormsPassport

Authorization - WindowsBehaviorsACLsClient Requested Resources: Original Callers tokenResources Accessed by Application: Original Callers tokenURL Authorization: Original Callers Group or User

(w/ Impersonation)

Authorization - WindowsBehaviorsACLsClient Requested Resources: Original Callers tokenResources Accessed by Application: ASP.NET process identityURL Authorization: Original Callers Group or User

(w/o Impersonation)

Authorization - FormsBehaviorsACLsClient Requested Resources: ACLs must allow read access to anonymous Internet user accountFile Authorization not availableResources Accessed by Application: ASP.NET process identityURL Authorization: Determined by custom data store. Sql example:

Authorization cont..NET Role-Based OptionsDeclarative Demands With PrincipalPermissionAttribute (1 Role)[PrincipalPermissionAttribute(SecurityAction.Demand, Role=MyRole)]Imperative Demands Using PrincipalPermission Object (Multiple)public void MyMethod { PrincipalPermission perm = New PrincipalPermission(null, MyRole); perm.Demand(); }Role Checks With IsInRole (Multiple)Principal.IsInRole(MyRole);Custom Authentication Role Checksstring[] roles = new string[] {MyRole, MyRole1};IPrincipal principal = new GenericPrincipal(identity, roles);principal.IsInRole(MyRole);(Role-Based)

Authorization cont.Defense-In-Depth ApproachGranular RolesDeclarative Demands, Where PossibleUse IsInRole If You Need to Check > 1 Role Membership(Guidelines)

ASP.NET Forms Authenticationdemo

Input ValidationAssume all input is maliciousCentralize your approachDo not rely on client-side validationBe careful with canonicalization issuesConstrain, reject, and sanitize your input

DatabaseUse Stored ProceduresGrant Access Only To Stored ProceduresParameterize Queries, When SPs Not PossibleUse Least-Privileged Account ApproachProtect Connection Strings As SecretsHash PasswordsEncrypt Sensitive Data

Sensitive DataHashing Practically Impossible To ReverseEncryption Can Only Decrypt With Encryption KeyDPAPI Data Protection API

Sensitive Data Cont.

Sensitive Datademo

Wrap-up & Questions Rob BagbyDeveloper [email protected] (email)http://www.robbagby.com (blog)

asp net security

Documents