Building Secure ASP.NET Applications - People Search Directory

More documents

Recommendations

Info

188 Building Secure ASP.NET Applications SQL session state can be configured either in Machine.config or Web.config. The default setting in machine.config is shown below. By default, the SQL script InstallSqlState.sql, which is used for building the database used for SQL session state is installed at the following location: C:\WINNT\Microsoft.NET\Framework\v1.0.3705 When you use SQL session state there are two problems to consider. ● You must secure the database connection string. ● You must secure the session state as it crosses the network. Securing the Database Connection String If you use SQL authentication to connect to the server, the user ID and password information is stored in plain text in web.config as shown below. By default the HttpForbiddenHandler protects configuration files from being downloaded. However, any user who has direct access to the folders where the configuration files are stored can still see the user name and password. A better practice is to use Windows authentication to SQL Server. To use Windows authentication, you can use the ASP.NET process identity (typically ASPNET) 1. Create a duplicate account (with the same name and password) on the database server. 2. Create a SQL login for the account. 3. Create a database user in the ASPState database and map the SQL login to the new user. The ASPState database is created by the InstallSQLState.sql script.
Chapter 8: ASP.NET Security 189 5. Create a user defined database role and add the database user to the role. 6. Configure permissions in the database for the database role. You can then change the connection string to use a trusted connection, as shown below: sqlConnectionString="server=127.0.0.1; database=StateDatabase; Integrated Security=SSPI;" Securing Session State Across the Network You may need to protect the session state as it crosses the network to the SQL Server database. This depends on how secure the network hosting the Web server and data servers is. If the database is physically secured in a trusted environment, you may be able to do without this extra security measure. You can use IPSec to protect all IP traffic between the Web servers and SQL Server, or alternatively, you can use SSL to secure the link to SQL Server. With this approach, you have the option of encrypting just the connection used for the session state, and not all traffic that passes between the computers. More Information ● For more information about how to set up SQL Session State, see article Q317604, “HOW TO: Configure SQL Server to Store ASP.NET Session State,” in the Microsoft Knowledge Base. ● For more information about using SSL to SQL Server, see “How To: Use SSL to Secure Communication with SQL Server 2000” in the Reference section of this guide. ● For more information about using IPSec, see “How To: Use IPSec to Provide Secure Communication Between Two Servers” in the Reference section of this guide. Web Farm Considerations In a Web farm scenario, there is no guarantee that successive requests from the same client are serviced by the same Web server. This has implications for state management and for any encryption that relies on attributes maintained by the element in Machine.config.
Page 1 and 2:
Building Secure ASP.NET Application
Page 3 and 4:
Contents About This Book Summary .
Page 5 and 6:
Contents v Role-Based Authorization
Page 7 and 8:
Contents vii Chapter 7 Internet Sec
Page 9 and 10:
Contents ix Configuring Security .
Page 11 and 12:
Contents xi Accessing System Resour
Page 13 and 14:
Contents xiii Troubleshooting Tools
Page 15 and 16:
Contents xv How To: Create a DPAPI
Page 17 and 18:
Contents xvii 6. Export the Client
Page 19 and 20:
Contents xix Reference Hub 517 Sear
Page 21 and 22:
About This Book Summary This guide
Page 23 and 24:
About This Book xxiii Who Should Re
Page 25:
About This Book xxv ● ● ● Spe
Page 28 and 29:
xxviii Building Secure ASP.NET Appl
Page 30 and 31:
xxx Building Secure ASP.NET Applica
Page 32 and 33:
xxxii Building Secure ASP.NET Appli
Page 34 and 35:
xxxiv Building Secure ASP.NET Appli
Page 36 and 37:
xxxvi Building Secure ASP.NET Appli
Page 38 and 39:
xxxviiiBuilding Secure ASP.NET Appl
Page 40 and 41:
xl Building Secure ASP.NET Applicat
Page 42 and 43:
2 Building Secure ASP.NET Applicati
Page 44 and 45:
Page 46 and 47:
Page 49 and 50:
2 Security Model for ASP.NET Applic
Page 51 and 52:
Chapter 2: Security Model for ASP.N
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67:
Page 70 and 71:
30 Building Secure ASP.NET Applicat
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Page 114 and 115:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138 and 139:
Page 140 and 141:
100 Building Secure ASP.NET Applica
Page 143 and 144:
6 Extranet Security Extranet applic
Page 145 and 146:
Chapter 6: Extranet Security 105 Se
Page 147 and 148:
Chapter 6: Extranet Security 107
Page 149 and 150:
Chapter 6: Extranet Security 109 Co
Page 151 and 152:
Chapter 6: Extranet Security 111 Re
Page 153 and 154:
Chapter 6: Extranet Security 113 Th
Page 155 and 156:
Chapter 6: Extranet Security 115 Co
Page 157:
Chapter 6: Extranet Security 117 Pi
Page 160 and 161:
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179: 138 Building Secure ASP.NET Applica
Page 235 and 236: 9 Enterprise Services Security Trad
Page 237 and 238: Chapter 9: Enterprise Services Secu
Page 267 and 268: 10 Web Services Security This chapt
Page 269 and 270: Chapter 10: Web Services Security 2
Page 279 and 280:
Chapter 10: Web Services Security 2
Page 281 and 282:
Page 283 and 284:
Page 285 and 286:
Page 287 and 288:
Page 289 and 290:
Page 291 and 292:
Page 293 and 294:
Page 295 and 296:
Page 297 and 298:
Page 299:
Page 302 and 303:
Page 304 and 305:
Page 306 and 307:
Page 308 and 309:
Page 310 and 311:
Page 312 and 313:
Page 314 and 315:
Page 316 and 317:
Page 318 and 319:
Page 320 and 321:
Page 322 and 323:
Page 324 and 325:
Page 326 and 327:
Page 328 and 329:
Page 330 and 331:
Page 333 and 334:
12 Data Access Security When you bu
Page 335 and 336:
Chapter 12: Data Access Security 29
Page 337 and 338:
Page 339 and 340:
Page 341 and 342:
Page 343 and 344:
Page 345 and 346:
Page 347 and 348:
Page 349 and 350:
Page 351 and 352:
Page 353 and 354:
Page 355 and 356:
Page 357 and 358:
Page 359 and 360:
Page 361 and 362:
Page 363 and 364:
Page 365 and 366:
Page 367 and 368:
Page 369 and 370:
Page 371 and 372:
13 Troubleshooting Security Issues
Page 373 and 374:
Chapter 13: Troubleshooting Securit
Page 375 and 376:
Page 377 and 378:
Page 379 and 380:
Page 381 and 382:
Page 383 and 384:
Page 385 and 386:
Page 387 and 388:
Page 389 and 390:
How To: Index ASP.NET Building Secu
Page 391 and 392:
How To: Create a Custom Account to
Page 393 and 394:
Page 395 and 396:
Page 397 and 398:
How To: Use Forms Authentication wi
Page 399 and 400:
Page 401 and 402:
Page 403 and 404:
Page 405 and 406:
Page 407 and 408:
Page 409 and 410:
Page 411 and 412:
Page 413 and 414:
Page 415 and 416:
Page 417 and 418:
How To: Create GenericPrincipal Obj
Page 419 and 420:
Page 421 and 422:
Page 423 and 424:
Page 425 and 426:
How To: Implement Kerberos Delegati
Page 427:
How To: Implement Kerberos Delegati
Page 430 and 431:
Page 432 and 433:
Page 434 and 435:
Page 436 and 437:
Page 438 and 439:
Page 440 and 441:
Page 442 and 443:
Page 444 and 445:
Page 446 and 447:
Page 449 and 450:
How To: Use DPAPI (Machine Store) f
Page 451 and 452:
Page 453 and 454:
Page 455 and 456:
How To: Use DPAPI (User Store) from
Page 457 and 458:
Page 459 and 460:
Page 461 and 462:
Page 463 and 464:
Page 465 and 466:
Page 467 and 468:
Page 469 and 470:
How To: Create an Encryption Librar
Page 471 and 472:
Page 473 and 474:
Page 475 and 476:
Page 477 and 478:
Page 479 and 480:
How To: Store an Encrypted Connecti
Page 481 and 482:
Page 483 and 484:
Page 485 and 486:
How To: Use Role-based Security wit
Page 487 and 488:
Page 489 and 490:
Page 491:
Page 494 and 495:
Page 496 and 497:
Page 498 and 499:
Page 500 and 501:
Page 502 and 503:
Page 504 and 505:
Page 506 and 507:
Page 508 and 509:
Page 510 and 511:
Page 512 and 513:
Page 514 and 515:
Page 516 and 517:
Page 518 and 519:
Page 520 and 521:
Page 522 and 523:
Page 525 and 526:
How To: Set Up Client Certificates
Page 527 and 528:
How To: Set Up Client Certificates
Page 529 and 530:
How To: Use IPSec to Provide Secure
Page 531 and 532:
Page 533 and 534:
Page 535 and 536:
Page 537 and 538:
Page 539 and 540:
How To: Use SSL to Secure Communica
Page 541 and 542:
Page 543 and 544:
Page 545 and 546:
Page 547:
Page 551 and 552:
Configuration Stores and Tools The
Page 553 and 554:
Configuration Stores and Tools 513
Page 555 and 556:
Configuration Stores and Tools 515
Page 557 and 558:
Reference Hub This section provides
Page 559 and 560:
Reference Hub 519 Key Notes ● ●
Page 561 and 562:
Reference Hub 521 ● ● HOW TO: A
Page 563 and 564:
Reference Hub 523 How Tos ● ● R
Page 565:
Reference Hub 525 ● ● Best Prac
Page 568 and 569:
Page 570 and 571:
Page 572 and 573:
Page 574 and 575:
Page 577 and 578:
ASP.NET Identity Matrix Principal o
Page 579:
ASP.NET Identity Matrix 539 Table 3
Page 582 and 583:
Page 584 and 585:
Page 586 and 587:
Page 589:
.NET Web Application Security The t
Page 592 and 593:
Page 594 and 595:
Page 596 and 597:
Page 598 and 599:
Page 600 and 601:
Page 602 and 603:
Page 604 and 605:
Page 606 and 607:
show all

Building Secure ASP.NET Applications - People Search Directory

Create successful ePaper yourself

Delete template?

Save as template?