RE: Securing ASP.NET for Hosting

From: David Sommers (dsommers@dialogmedical.com)
Date: 10/29/02


Date: Tue, 29 Oct 2002 10:31:26 -0500
From: "David Sommers" <dsommers@dialogmedical.com>
To: "Henry Sieff" <hsieff@orthodon.com>, "Tyler Davis" <tdavis@sonicdev.com>, <focus-ms@securityfocus.com>

Building Secure ASP.NET Applications:
Authentication, Authorization, and Secure Communication

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp

This white paper (608 printed pages) is listed under the .NET
Security/Technical Articles section which also contains several other
interesting and useful documents.

Including:
> Secure Coding Guidelines for the .NET Framework
> Security in .NET: Enforce Code Access Rights with the Common Language Runtime
> The Security Infrastructure of the CLR Provides Evidence, Policy, Permissions, and Enforcement Services
> Code Access Security and Distribution Features in .NET Enhance Client-Side Apps
> .NET Framework Enterprise Security Policy Administration and Deployment

- David Sommers.

-----Original Message-----
From: Henry Sieff [mailto:hsieff@orthodon.com]
Sent: Friday, October 25, 2002 7:39 PM
To: 'Tyler Davis'; focus-ms@securityfocus.com
Subject: RE: Securing ASP.NET for Hosting

No, sadly. Part of the problem is that the technology isn't mature yet,
the other part is that .net really puts the burden for security on the
application design.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp
discusses authentication in a .net environment.

http://www.dotnetjunkies.com/tutorials.aspx?tutorialid=396 gives a nice
overview of how IIS, Windows, and .NET work together. One of the
articles he references is
http://msdn.microsoft.com/msdnmag/issues/02/04/ASPSec/default.aspx,
which is also not bad.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconsecuringyourapplication.asp

When this topic came up earlier, somebody mentioned this article:
http://tiberi.us/view_article.aspx?article_id=27, not bad.

But none of them speak exactly to what you're asking, which is what
every admin who needs to support .net is going to be asking, which is
"Exactly what do I do to make sure the server itself is as secure as
possible?"

Again, the two factors previously mentioned are responsible: once you've
done the locking down of IIS, you need to move onto setting security on
the Web services themselves, things like code access (remember, the
whole idea behind .net is to expose executable code to the world via
http: WHOOOOOO-HOOOOOOOO). Also, authentication to specific apps. And
unlike the best practices for securing IIS, all of the BP's stuff I've
read is really geared towards developers or focuses on securing access
to the components.

At this point, we are not using ASP.NET for remotely accessible
applications. We definitely will, but not until me and the developers at
my Co. can figure out what we need to do.

Anyways, sorry for the ramble; this issue has come up here before, and I
watched hoping for someone to come up with a white paper. Then I did
some searching; I found no comprehensive guide, but a lot of good
resources. At this point, you, me, and everyone else tasked with
deploying .net based apps will have to formulate our own best practices
based on careful study of the basic info out there.

Henry
> -----Original Message-----
> From: Tyler Davis [mailto:tdavis@sonicdev.com]
> Sent: Friday, October 25, 2002 1:58 AM
> To: focus-ms@securityfocus.com
> Subject: Securing ASP.NET for Hosting
>
>
> Anyone got a link to any sites or whitepapers with info on securing
> asp.net in a hosting environment? I've already got win2k and iis5
> locked down, just need some info on asp.net
>
> Thanks,
> Tyler
>


