TRANSCRIPT
Weaving Security in .NET Applications (.NET 2.0)
Sagar Joshi, Senior Security Consultant | ACE Team, Microsoft Information Security, [email protected]
Agenda
Authentication
Authorization
Sensitive data protection
Input validation
Cryptography
Auditing and logging
SDL-IT
[Diagram: SDL-IT security activities laid over the SDLC phases]
SDLC phase           SDL-IT activity
Envision             Application Entry / Risk Assessment
Design               Threat Model / Design Review
Develop / Purchase   Security Review
Test / Release       Security Deployment Review
Sustainment          Security Deployment Review
Other labels on the diagram: Creation, Assimilation, Sign-off
Iterative process: Define, Model, Measure, Validate, Optimize
Holistic approach to security
Methods of Authentication
Basic
Digest
Integrated (Kerberos v5, NTLM)
ASP.NET Forms Authentication
Digital signatures and digital certificates
Smart cards
Biometrics
Authentication Techniques
Windows authentication
Forms authentication
Authentication: MembershipProvider
Provides consistent, simple APIs for user storage and management, and makes Forms Authentication easy to implement.
Built-in providers: ActiveDirectoryMembershipProvider, SqlMembershipProvider
aspnet_regsql -S (local) -E -A m
-S specifies the server, which is (local) in this example. -E uses Windows authentication to connect to SQL Server. -A m adds only the membership feature; for simple authentication against a SQL Server user store, only the membership feature is required.
DEMO: Authentication with the membership provider, and discovering the client identity
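The demo itself is not on the page. The following is an added example (not the presenter's code) of what the membership-provider login and the identity discovery look like in C#. It assumes a hypothetical Login.aspx with TextBox controls named UserName and Password and a Literal named Message, web.config set to <authentication mode="Forms"> with a membership provider such as SqlMembershipProvider pointed at the store created by aspnet_regsql -A m, and .NET Framework (System.Web).

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for a hypothetical Login.aspx (example, not from the deck).
// Control fields are declared here so the snippet is complete; in a web site
// project the generated designer code supplies them.
public partial class Login : Page
{
    protected TextBox UserName, Password;
    protected Literal Message;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text;

        // The provider applies the configured password format (hashed + salted),
        // the lockout policy and the approved/locked-out flags. Never reimplement this.
        if (!Membership.ValidateUser(user, Password.Text))
        {
            // One generic message: do not reveal which half of the credential was wrong.
            Message.Text = "Invalid user name or password.";
            return;
        }

        // Issue the encrypted, MAC-protected forms ticket as a cookie.
        // createPersistentCookie = false: the ticket dies with the browser session.
        FormsAuthentication.SetAuthCookie(user, false);

        // Only follow ReturnUrl when it is a path on this site; an absolute or
        // protocol-relative URL here is an open-redirect attempt.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (string.IsNullOrEmpty(returnUrl) || !returnUrl.StartsWith("/")
            || returnUrl.StartsWith("//") || returnUrl.StartsWith("/\\"))
        {
            returnUrl = FormsAuthentication.DefaultUrl;
        }
        Response.Redirect(returnUrl);
    }
}

// Discovering the client identity on a later request, once the ticket is presented.
public static class ClientIdentity
{
    public static string Describe(HttpContext context)
    {
        IIdentity caller = context.User.Identity;   // set by FormsAuthenticationModule
        string who = caller.IsAuthenticated ? caller.Name : "(anonymous)";

        // WindowsIdentity.GetCurrent() is whoever the worker process (or an
        // impersonated token) runs as, which is NOT the web client under Forms auth.
        string processAccount = WindowsIdentity.GetCurrent().Name;

        return string.Format("caller={0}; authType={1}; process={2}",
                             who, caller.AuthenticationType, processAccount);
    }
}
```

The point of ClientIdentity.Describe is the distinction the demo title refers to: HttpContext.User is the authenticated web client, while WindowsIdentity.GetCurrent() is the account the request is executing as (the application pool identity unless impersonation is on). Authorization decisions must be made against the former.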
Authorization
What is authorization? Deciding what an already authenticated identity is allowed to do.
URL authorization: selectively deny or allow access to specific files or folders (the <authorization> section in web.config, evaluated by UrlAuthorizationModule).
File authorization: applies to file types handled by ASP.NET such as .aspx or .asmx; the NTFS ACL of the requested file is checked against the caller's Windows token, so it only works with Windows authentication.
Role-based authorization (RBAC)
Role Manager: simple APIs for role authorization and role management.
Built-in role providers: WindowsTokenRoleProvider, AuthorizationStoreRoleProvider (AzMan), SqlRoleProvider
Imperative authorization
Example of an Imperative check
if (Thread.CurrentPrincipal.IsInRole("Administrators"))
{
    // Authorized
}
// With a WindowsPrincipal, qualify the group (e.g. @"BUILTIN\Administrators") or use
// IsInRole(WindowsBuiltInRole.Administrator) to avoid name-lookup ambiguity.
Imperative authorization
Example of an Imperative check using the ASP.NET role provider:
if (Roles.IsUserInRole("accounting"))
{
    // Authorized
}
Declarative authorization
PrincipalPermission example:
[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
public double Add(double a, double b)
{
    return a + b;
}
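The two styles above behave differently on failure: a declarative demand throws SecurityException before the method body runs, an imperative check lets the code decide. The following added example (not from the deck) runs both against a GenericPrincipal so it works as a plain console program on .NET Framework, where PrincipalPermissionAttribute is supported; the user names, role names and Calculator class are made up for the illustration. Inside ASP.NET the same checks read the principal that Role Manager attaches to the request.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example: imperative vs declarative role checks on .NET Framework.
class Calculator
{
    // Declarative: the runtime demands the role before the method body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public double Add(double a, double b) { return a + b; }

    // Imperative: same policy, but the code chooses what happens on failure.
    public double Subtract(double a, double b)
    {
        if (!Thread.CurrentPrincipal.IsInRole("Accounting"))
            throw new UnauthorizedAccessException("Accounting role required.");
        return a - b;
    }
}

static class Program
{
    static void RunAs(string user, string[] roles)
    {
        // Thread.CurrentPrincipal is what both PrincipalPermission and IsInRole consult.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user), roles);
        Calculator calc = new Calculator();

        try { Console.WriteLine("{0}: Add = {1}", user, calc.Add(2, 3)); }
        catch (SecurityException) { Console.WriteLine("{0}: Add denied (declarative)", user); }

        try { Console.WriteLine("{0}: Subtract = {1}", user, calc.Subtract(5, 2)); }
        catch (UnauthorizedAccessException) { Console.WriteLine("{0}: Subtract denied (imperative)", user); }
    }

    static void Main()
    {
        RunAs("alice", new string[] { "Administrators" });  // Add allowed, Subtract denied
        RunAs("bob", new string[] { "Accounting" });        // Add denied, Subtract allowed
        RunAs("eve", new string[0]);                        // both denied
    }
}
```

Declarative demands are easy to audit (the policy sits on the method) but hard to unit-test and easy to forget on an overload; imperative checks can branch, log the denial and return a friendly error. Both complement, rather than replace, URL authorization in web.config (for example <deny users="?"/> on a folder), which is evaluated before any page code runs.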
How to encrypt the Web.config
Use aspnet_regiis -pe with a protected configuration provider; the encrypted section is decrypted transparently when the application reads it.
RsaProtectedConfigurationProvider: use this when the same encrypted configuration file must be deployed on multiple servers in a web farm. Encrypt on one server, export the RSA key container (aspnet_regiis -px ... -pri), import it on the other servers (-pi) and grant the worker-process identity read access to it (-pa).
DataProtectionConfigurationProvider: uses DPAPI with a machine-specific key, so a file encrypted on one server cannot be decrypted on another; suitable for single-server deployments only.
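The same protection can be applied from code, which is useful in an installer or deployment script. The following is an added example (not from the deck) of the programmatic equivalent of aspnet_regiis -pe for an app.config; for a web application open the file with WebConfigurationManager.OpenWebConfiguration("/MyApp") instead, the rest is identical. The connection-string names are whatever the config file contains; the key-container name in the comments is the framework default.

```csharp
using System;
using System.Configuration;

// Added example: encrypt the connectionStrings section in place and read it back.
static class ConfigProtector
{
    // RSA: key container can be exported/imported, so a web farm shares one key.
    // DPAPI ("DataProtectionConfigurationProvider"): machine-bound, single server only.
    const string Provider = "RsaProtectedConfigurationProvider";

    static void Main()
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section != null && !section.SectionInformation.IsProtected
            && !section.ElementInformation.IsLocked)
        {
            section.SectionInformation.ProtectSection(Provider);
            section.SectionInformation.ForceSave = true;   // write even though no value changed
            config.Save(ConfigurationSaveMode.Full);
            Console.WriteLine("connectionStrings section encrypted with " + Provider);
        }

        // Decryption is transparent: the API still hands the application plaintext,
        // so nothing in the data-access code has to change.
        ConnectionStringSettingsCollection css = config.ConnectionStrings.ConnectionStrings;
        foreach (ConnectionStringSettings cs in css)
            Console.WriteLine("{0} -> {1}", cs.Name, cs.ConnectionString);

        // Web farm: export the key once, import it on every other node, then grant the
        // worker-process account (NETWORK SERVICE or the application pool identity)
        // read access. Commands for reference:
        //   aspnet_regiis -px "NetFrameworkConfigurationKey" keys.xml -pri
        //   aspnet_regiis -pi "NetFrameworkConfigurationKey" keys.xml
        //   aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
    }
}
```

Two caveats: the plaintext is still visible to anyone who can run code as the worker-process identity, since that account must be able to decrypt; and keys.xml produced by -px contains the private key, so delete it from every server after import.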
Input Validation
Protection against common attacks (injection, cross-site scripting, canonicalization)
Whitelist vs blacklist: accept only what is known to be good; blacklists are bypassed by encodings and variants the list never anticipated
Client side vs server side: client-side checks are a usability aid only and must be repeated on the server
Regex validator controls: RegularExpressionValidator, and always check Page.IsValid before using the input
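An added example (not from the deck) of the whitelist-versus-blacklist point as server-side C#, with constructed inputs. It also shows a .NET-specific detail that a RegularExpressionValidator hides from you but hand-written Regex code does not: '$' matches before a trailing newline, so a whitelist must be anchored with \A and \z to cover the whole string.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example: whitelist vs blacklist, and whole-string anchoring in .NET regexes.
static class InputValidation
{
    // Blacklist: recognise "known bad". Bypassed by encoding, case tricks and payloads
    // that simply do not contain the banned token.
    static readonly Regex Blacklist = new Regex("<script", RegexOptions.IgnoreCase);
    public static bool PassesBlacklist(string s) { return s != null && !Blacklist.IsMatch(s); }

    // Whitelist: describe exactly what a user name may be. \A and \z pin the pattern to
    // the whole string; with ^...$ alone, '$' in .NET also matches before a final "\n".
    static readonly Regex UserName = new Regex(@"\A[A-Za-z0-9_]{3,20}\z");
    static readonly Regex UserNameLoose = new Regex(@"^[A-Za-z0-9_]{3,20}$");
    public static bool IsValidUserName(string s) { return s != null && UserName.IsMatch(s); }
    public static bool IsValidUserNameLoose(string s) { return s != null && UserNameLoose.IsMatch(s); }

    static void Main()
    {
        string[] samples = {                     // constructed test inputs
            "alice_01",                          // legitimate
            "<img src=x onerror=alert(1)>",      // XSS with no "<script" token at all
            "%3Cscript%3Ealert(1)%3C/script%3E", // URL-encoded; decoded later by another layer
            "alice\n"                            // trailing newline from a sloppy client
        };
        Console.WriteLine("{0,-38}{1,-11}{2,-11}{3}", "input", "blacklist", "whitelist", "^..$ only");
        foreach (string s in samples)
            Console.WriteLine("{0,-38}{1,-11}{2,-11}{3}", s.Replace("\n", "\\n"),
                PassesBlacklist(s), IsValidUserName(s), IsValidUserNameLoose(s));
        // The blacklist passes both attack strings; the whitelist rejects them;
        // only the \A..\z form also rejects "alice\n".
    }
}
```

RegularExpressionValidator applies its pattern to the whole value on the server, but only if the page actually consults Page.IsValid; the client-side JavaScript half of the control is trivially skipped by posting the form directly, which is the "client side vs server side" point above.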
Cryptographic Algorithms
Symmetric algorithms: use the same key for encryption and decryption; computationally cheaper; used to exchange or store information in secret.
Asymmetric algorithms: use separate keys for encryption and decryption; computationally more expensive; normally used to negotiate or transport a symmetric key.
Both require only one key to be kept secret: the shared key, or the private half of the key pair.
Hashing algorithms: one-way, fixed-length digests with no key (use an HMAC when a keyed integrity check is needed).
.NET supported cryptographic algorithms
Symmetric: AES, DES (deprecated), 3DES, RC2 (deprecated), RijndaelManaged
Asymmetric: DSACryptoServiceProvider, RSACryptoServiceProvider, ECDiffieHellmanCng, ECDsaCng
.NET supported hash algorithms
MD5 (128-bit hash value): collisions discovered, do not use for anything security-relevant
SHA1 (160-bit hash value): has been compromised, avoid for new designs
SHA256 (256-bit hash value)
SHA384 (384-bit hash value)
SHA512 (512-bit hash value)
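The slides describe the standard division of labour: the asymmetric algorithm only transports a fresh symmetric key, the symmetric cipher does the bulk encryption, and a SHA-2 family function provides integrity. The following added example (not from the deck) implements that pattern with the .NET 2.0-era classes listed above: RSACryptoServiceProvider with OAEP wraps a random AES and HMAC key, RijndaelManaged (AES with its default 128-bit block) encrypts under a fresh IV, and HMACSHA256 authenticates the result encrypt-then-MAC style. The message layout and the sample plaintext are the example's own choices.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: hybrid RSA + AES-CBC + HMAC-SHA256.
// Blob layout: [2-byte wrapped length][RSA-OAEP(aesKey||macKey)][16-byte IV][ciphertext][32-byte tag]
static class HybridCrypto
{
    const int KeyBytes = 32, TagBytes = 32, IvBytes = 16;

    public static byte[] Seal(byte[] plaintext, RSACryptoServiceProvider recipientPublic)
    {
        byte[] keys = new byte[2 * KeyBytes];                      // fresh per message
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider()) rng.GetBytes(keys);
        byte[] wrapped = recipientPublic.Encrypt(keys, true);      // true = OAEP, never PKCS#1 v1.5

        byte[] iv, ct;
        using (RijndaelManaged aes = new RijndaelManaged())        // 128-bit block = AES, CBC, PKCS7
        {
            aes.Key = Slice(keys, 0, KeyBytes);
            aes.GenerateIV();                                      // never reuse an IV under one key
            iv = aes.IV;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
        byte[] header = new byte[] { (byte)(wrapped.Length >> 8), (byte)wrapped.Length };
        byte[] body = Concat(header, wrapped, iv, ct);
        using (HMACSHA256 mac = new HMACSHA256(Slice(keys, KeyBytes, KeyBytes)))
            return Concat(body, mac.ComputeHash(body));            // MAC covers everything sent
    }

    public static byte[] Open(byte[] blob, RSACryptoServiceProvider recipientPrivate)
    {
        int wrappedLen = (blob[0] << 8) | blob[1];
        byte[] keys = recipientPrivate.Decrypt(Slice(blob, 2, wrappedLen), true);
        int bodyLen = blob.Length - TagBytes;
        using (HMACSHA256 mac = new HMACSHA256(Slice(keys, KeyBytes, KeyBytes)))
        {
            byte[] expected = mac.ComputeHash(blob, 0, bodyLen);
            if (!FixedTimeEquals(expected, Slice(blob, bodyLen, TagBytes)))
                throw new CryptographicException("MAC check failed; ciphertext was modified.");
        }
        using (RijndaelManaged aes = new RijndaelManaged())
        {
            aes.Key = Slice(keys, 0, KeyBytes);
            aes.IV = Slice(blob, 2 + wrappedLen, IvBytes);
            int ctStart = 2 + wrappedLen + IvBytes;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, ctStart, bodyLen - ctStart);
        }
    }

    // Compare tags without an early exit, so timing does not leak how many bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    static byte[] Slice(byte[] src, int offset, int count)
    {
        byte[] r = new byte[count]; Buffer.BlockCopy(src, offset, r, 0, count); return r;
    }
    static byte[] Concat(params byte[][] parts)
    {
        int total = 0; foreach (byte[] p in parts) total += p.Length;
        byte[] r = new byte[total]; int pos = 0;
        foreach (byte[] p in parts) { Buffer.BlockCopy(p, 0, r, pos, p.Length); pos += p.Length; }
        return r;
    }

    static void Main()
    {
        // The recipient generates the key pair once; only the private half must stay secret.
        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(2048))
        {
            byte[] blob = Seal(Encoding.UTF8.GetBytes("account=4711;amount=250"), rsa);
            Console.WriteLine(Encoding.UTF8.GetString(Open(blob, rsa)));   // round trip
            blob[blob.Length - TagBytes - 1] ^= 1;                          // flip one ciphertext bit
            try { Open(blob, rsa); }
            catch (CryptographicException e) { Console.WriteLine(e.Message); }
        }
    }
}
```

Verifying the HMAC before touching the ciphertext is what stops padding-oracle style attacks on CBC; decrypting first and checking afterwards would leak whether the padding was valid. On .NET 3.5 and later the same code works with Aes.Create() in place of RijndaelManaged, and RSA's 2048-bit default here is deliberate, since RSACryptoServiceProvider still creates 1024-bit keys when no size is given.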
Auditing & Logging Threats
Failure to spot the signs of intrusion
Inability to prove a user's actions
Difficulties in problem diagnosis
Logging
Keep a log trail of authentication attempts, both successful and failed
Keep a log trail of all accesses to assets; log as close to the asset as possible (for example, from the SQL Server stored procedure that touches the data)
Sometimes a log trail is the only mitigation
What you log
Don't write sensitive information (such as passwords) in logs
Identify the who, what, where and when: identity, action, component/service/object/method, timestamp
Enterprise Library Logging Application Block
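An added example (not from the deck, and not Enterprise Library code) of an audit record that carries the who, what, where and when from the slide, refuses to write password-like fields, and strips line breaks so an attacker-controlled value cannot forge extra log lines. The TraceSource name "Security.Audit", the field names and the sample events are constructed for the illustration; the ConsoleTraceListener stands in for whatever file, Event Log or Enterprise Library listener is configured in production.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Text;

// Added example: who/what/where/when audit records with redaction and anti-forging.
static class AuditLog
{
    static readonly TraceSource Source = new TraceSource("Security.Audit", SourceLevels.All);
    // Field names whose values are never written, whatever the caller passes.
    static readonly string[] SensitiveKeys = { "password", "pwd", "secret", "token", "cardnumber" };

    public static string Format(string identity, string action, string component,
                                bool success, IDictionary<string, string> details)
    {
        StringBuilder sb = new StringBuilder();
        sb.Append("when=").Append(DateTime.UtcNow.ToString("o"));      // timestamp, UTC
        sb.Append(" who=").Append(Clean(identity));                     // identity
        sb.Append(" what=").Append(Clean(action));                      // action
        sb.Append(" where=").Append(Clean(component));                  // component/method
        sb.Append(" outcome=").Append(success ? "success" : "failure");
        if (details != null)
            foreach (KeyValuePair<string, string> kv in details)
                sb.Append(' ').Append(Clean(kv.Key)).Append('=')
                  .Append(IsSensitive(kv.Key) ? "[redacted]" : Clean(kv.Value));
        return sb.ToString();
    }

    public static void Write(string identity, string action, string component,
                             bool success, IDictionary<string, string> details)
    {
        // Failed attempts are the interesting ones for intrusion spotting, so they get a higher level.
        TraceEventType level = success ? TraceEventType.Information : TraceEventType.Warning;
        Source.TraceEvent(level, 0, Format(identity, action, component, success, details));
        Source.Flush();
    }

    static bool IsSensitive(string key)
    {
        string k = key.ToLowerInvariant();
        foreach (string s in SensitiveKeys) if (k.Contains(s)) return true;
        return false;
    }

    // Remove CR/LF (log forging) and quote values with spaces so one record stays one line.
    static string Clean(string value)
    {
        if (value == null) return "";
        string v = value.Replace("\r", "").Replace("\n", "\\n");
        return v.IndexOf(' ') >= 0 ? "\"" + v.Replace("\"", "\\\"") + "\"" : v;
    }

    static void Main()
    {
        Source.Listeners.Add(new ConsoleTraceListener());
        Dictionary<string, string> d = new Dictionary<string, string>();
        d["password"] = "hunter2";                 // must never reach the log
        d["client"] = "203.0.113.7";               // constructed sample address
        Write("alice", "login", "Login.aspx/LoginButton_Click", false, d);   // failed attempt
        Write("alice", "login", "Login.aspx/LoginButton_Click", true, d);    // then success
        // A user name crafted to inject a fake "admin logged in" record ends up quoted on one line.
        Write("alice\r\nwhen=1999 who=admin what=login outcome=success", "view",
              "dbo.usp_GetSalary", true, null);
    }
}
```

Logging both the failure and the success for the same identity is what makes brute-force and credential-stuffing patterns visible afterwards; logging only failures loses the "and then it worked" signal.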
Feedback / QnA
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.