1.Topics‎ > ‎Dot.Net‎ > ‎C.ASP.NET‎ > ‎A.ASP.Net (Web Forms)‎ > ‎

E.Security Architecture

  1. Authentication 
    1. Anonymous : Use only when there is not secure content on website such as public facing internet sites.
    2. Windows:Must use if you have windows AD infrastructure 
    3. Forms: If do not have windows AD infrastructure or need to use SSO
    4. Federated , SSO and Enterprise SSO
    5. ASP.Net Authentication Providers
      1. Forms Authentication Provider
      2. Windows Authentication Provider
  2. Authorization
    1. URL Authorization : Support user level , role based and verb based authorization.
    2. ACL Based Authorization : Uses file system based ACLs 
    3. ASP.NET Impersonation : Can be used to propagate credentials of requesting user.
    4. Sitemap Trimming : Prevent unauthorized use to see your site pages.
  3. Cookie Security 
    1. Replay Attack 
    2. Cookie tempering attack 
    3. HTTP Only Cookie  
  4. View State Security 
    1. MAC Protection 
    2. View State Encryption 
    3. Control State Encryption
    4. Per-user View State Encoding
  5. Web Config Encryption
  6. Worker Process Identity
  7. Common ASP.Net Security Attacks
    1. SQL & Script Injection : 
      1. This is most common exploit is asp.net security vulnerability. 
      2. Most common preventive measures are 
        1. Request Validation that can be done even at per control level
        2. Output encoding
        3. Attribute encoding 
        4. CSS encoding
        5. JavaScript Encode
    2. Phishing Attack 
    3. DOS Attack by posting large form data 
    4. Request Validation 
    5. Cross Site Scripting 
    6. Cross-site request forgery (CSRF) Attack: Letest version of ASP.Net project by default support CSRF protection 
  8. Security Best Practices 
    1. Do not trust any user input always validate user input and encode any text before being displayed on the page.
    2. WindowsTokenRoleProvider : If we are using windows authentication then we should try to use built in configuration (web.config) based authorization instead of explicitly using WindowsTokenRoleProvider Class
    3. Mark your Cookie  HTTP Only : Always Mark your cookie HTTP only so that it can be accessed via HTTP only not by some script.
    4. Always turn off tracing in production environment.
    5. Always turn on custom error in production environment 
    6. The <deployment retail=”true”/> Switch in Maching.config
    7.  Always use ASP.Net Request Validation 
    8. Keep Max Request Limit reasonable to Prevent DOS attack
    9. Prefer turning off UseUnsafeHeaderParsing that prevent script injection attack
    10. Prefer Setting the SlidingExpiration property to false that can improve the security of an application by limiting the time for which an authentication cookie is valid, based on the configured timeout value.
    11. Do not prefer Cookie less authentication (i.e. url based auth code) it can lead to replay attack.
    12. Protect your Cookie by turning protection mode =Encryption and Validation.
    13. If required Explicitly use attribute encoding because not all the properties in ASP.Net controls are encoded 
    14. Use Anti-Cross Site Scripting Library
    15. Prefer using X- Frame Option (XFO) set to SAMEORIGIN this prevent click jacking
    16. Prefer using Trusted Connection (Windows Authentication) in place of User Name/Pw in connection strings 
    17. Always verify Securing Elmah logging libs in ASP.NET website failing to this can expose several sensitive information
    18. Do not ever set EnableViewStateMac to false, because it may break application in future as MS is planning to deprecate it.
  9. Related Tools 
    1. http://nwebsec.codeplex.com/  a tool that helps securing your asp.net website by manipulating various security options. 
    2. https://asafaweb.com  a site that dynamically test your websites form most common type of security venerability 
  10. Further Discussion
    1. How authorization differs in IIS6 VS IIS7
    2. URL authorization do not work for static content by default  
    3. How to use role based security with forms authentication 
    4. How can we explicitly configure membership providers 
    5. How can we explicitly configure Role providers 
    6. Where we defined to secure the cookie (Role Manager)
    7. DPAPI VS RSA