Security is an important aspect of internet applications, and these whitepapers discuss how to design and implement secure ASP.NET applications.
Instrument ASP.NET 2.0 Applications for Security
This How To shows you how to use custom health monitoring events to instrument your ASP.NET application to track security-related
events and operations. ASP.NET version 2.0 provides health monitoring that includes instrumentation for many standard
...
Perform a Security Deployment Review for ASP.NET 2.0
This How To shows you how to perform a security deployment review for an ASP.NET 2.0 application to identify potential
security vulnerabilities introduced by inappropriate configuration settings. The majority of the review process involves
making...
Use ADAM for Roles in ASP.NET 2.0
This How To shows you how you can develop an ASP.NET Web site that uses Active Directory Application Mode (ADAM) to store
ASP.NET roles. It shows you how to configure ADAM and the Authorization Manager (AzMan) policy store, how to create
new roles and...
Use Authorization Manager (AzMan) with ASP.NET 2.0
This How To shows you how to use the Authorization Manager (AzMan) in conjunction with the ASP.NET role manager API to
manage roles, check user role membership, and authorize roles to perform specific operations against an AzMan policy store.
The How To...
Use Membership in ASP.NET 2.0
This How To shows how to use the membership feature in ASP.NET version 2.0 applications. It shows you how to
use two different membership providers: the ActiveDirectoryMembershipProvider and the SqlMembershipProvider.
The membership feature...
Use Role Manager in ASP.NET 2.0
This How To shows you how to use the ASP.NET 2.0 role manager. The role manager eases the task of managing
roles and performing role-based authorization in your application. The How To also shows how to configure the various role
providers for use with your...
Use Windows Authentication in ASP.NET 2.0
This How To shows you how to configure and use Windows authentication in an ASP.NET Web application. Windows authentication
is the preferred approach whenever users are a part of your Windows domain. This approach enables you to use an existing
identity store...
Perform a Security Code Review for Managed Code (Baseline Activity)
This How To shows you how to perform security code reviews. This module presents the steps involved in the activity, and techniques
for analyzing your results. Use this How To with “Security Question List: Managed Code (.NET Framework 2.0)”
...
Implement Kerberos Delegation for Windows 2000
Kerberos delegation allows you to flow an authenticated identity across multiple physical tiers of an application
to support downstream authentication and authorization. This How To shows you the configuration steps required to
make this work.
Use Impersonation and Delegation in ASP.NET 2.0
This How To shows you how and when you should use impersonation in ASP.NET 2.0 applications. By default,
impersonation is turned off, and you can access resources by using the ASP.NET Web application’s process identity.
However, you can use...
Create a Threat Model for a Web Application at Design Time
This How To describes an approach for creating a threat model for a Web application. The threat modeling
activity helps you to model your security design so that you can expose potential security design flaws and
vulnerabilities before you invest...
User Input Data Validation
Request Validation - Preventing Script Attacks
This paper describes the request validation feature of ASP.NET where, by default, the application is prevented from
processing unencoded HTML content submitted to the server. This request validation feature can be disabled when the application
has been...
Prevent Cross-Site Scripting in ASP.NET
This How To shows how you can help protect your ASP.NET applications from cross-site scripting attacks by using proper input
validation techniques and by encoding the output. It also describes a number of other protection mechanisms that you can
use in...
Protect From SQL Injection in ASP.NET
This How To shows a number of ways to help protect your ASP.NET application from SQL injection attacks. SQL injection
can occur when an application uses input to construct dynamic SQL statements or when it uses stored procedures to connect
to the...
Use Regular Expressions to Constrain Input in ASP.NET
This How To shows how you can use regular expressions within ASP.NET applications to constrain untrusted input.
Regular expressions are a good way to validate text fields such as names, addresses, phone numbers, and other user
information. You can use...
Code Access Security
Use Code Access Security in ASP.NET 2.0
This How To shows you how to select an appropriate trust level for your application, and where necessary, how to create
a custom ASP.NET code access security policy file to define a custom trust level. You can use different code access
security trust...
Create a Custom Encryption Permission
This How To describes how to create a custom code access security permission to control programmatic access to unmanaged encryption
functionality that Win32® Data Protection API (DPAPI) provides. Use this custom permission with the managed DPAPI wrapper
...
Use Code Access Security Policy to Constrain an Assembly
An administrator can configure code access security policy to constrain the operations of .NET Framework code (assemblies).
In this How To, you configure code access security policy to constrain the ability of an assembly to perform file I/O and
restrict...
Communications Security
Set Up SSL on a Web Server
A Web server must be configured for SSL in order to support https connections from client applications. This How To shows you
how to configure SSL on a Web Server.
Set Up Client Certificates
IIS supports client certificate authentication. This How To shows you how to configure a Web application to require client
certificates. It also shows you how to install a certificate on a client computer and use it when calling the Web application.
Use IPSec for Filtering Ports and Authentication
Internet Protocol security (IPSec) is a protocol, not a service, that provides encryption, integrity, and authentication
services for IP-based network traffic. Because IPSec provides server-to-server protection, you can use IPSec to counter
internal threats...
Use IPSec to Provide Secure Communication Between Two Servers
IPSec is a technology provided by Windows 2000 that allows you to create encrypted channels between two servers. IPSec can be
used to filter IP traffic and to authenticate servers. This How To shows you how to configure IPSec to provide a secure (encrypted)
...
Use SSL to Secure Communication with SQL Server
It is often vital for applications to be able to secure the data passed to and from a SQL Server database server. With SQL Server,
you can use SSL to create an encrypted channel. This How To shows you how to install a certificate on the database server,
...
Call a Web Service Using Client Certificates from ASP.NET 1.1
This How To describes how you can pass a client certificate to a Web service for authentication from an ASP.NET Web application
or from a Windows Forms application. You can install the client certificate in either the local machine store or the user store.
If...
Call a Web Service Using SSL from ASP.NET 1.1
Secure Sockets Layer (SSL) encryption can be used to guarantee the integrity and confidentiality of the messages passed to
and from a Web service.
This How To shows you how to use SSL with Web services.
Cryptography
Create a DPAPI Library in .NET 1.1
This How To shows you how to create a managed class library that exposes DPAPI functionality to applications that want to
encrypt data, for example, database connection strings and account credentials.
Create an Encryption Library in .NET 1.1
This How To shows you how to create a managed class library to provide encryption functionality for applications.
It allows an application to choose the encryption algorithm. Supported algorithms include DES, Triple DES, RC2,
and Rijndael.
Store an Encrypted Connection String in the Registry in ASP.NET 1.1
Applications may choose to store encrypted data such as connection strings and account credentials in the Windows registry.
This How To shows you how to store and retrieve encrypted strings in the registry.
Use DPAPI (Machine Store) from ASP.NET 1.1
This How To shows you how to use DPAPI from an ASP.NET Web application or Web service to encrypt sensitive data.
Use DPAPI (User Store) from ASP.NET 1.1 with Enterprise Services
This How To shows you how to use DPAPI from an ASP.NET Web application or service to encrypt sensitive data.
This How To uses DPAPI with the user store, which requires the use of an out-of-process Enterprise Services component.