INFO: Building Secure ASP.NET Web Applications Guide (330246)
The information in this article applies to:

  • Microsoft ASP.NET (included with the .NET Framework) 1.0

This article was previously published under Q330246

SUMMARY

As part of the Microsoft commitment to trustworthy computing, the Microsoft patterns & practices group has created a guide that describes how to implement fundamental security principles across ASP.NET, Microsoft ADO.NET, Microsoft Enterprise Services, .NET Remoting, and XML Web services in the context of intranet, extranet, and Internet applications. The architecture and design guide focuses on:
  • Authentication - How to identify users of your application
  • Authorization - How to provide access control to the users of your application
  • Secure communication - How to make sure that messages remain private and are not changed by unauthorized parties
This guide is designed to help developers build secure functionality from the ground up. The guide has been divided into four primary sections:
  • Security Models
  • Application Scenarios
  • Securing the Tiers and Technologies
  • References
The References section contains tips, how-to articles, and tools to help diagnose security-related issues. Step-by-step descriptions of how to perform common tasks are also featured in the guide.

The guide contains more than 600 pages of task-based, modular content about authentication, authorization, and secure communication across ASP.NET, Enterprise Services, Web services, .NET Remoting, and data access in the context of intranet, extranet, and Internet applications. Topics addressed include:
  • Architecture of each .NET technology covered
  • Designing authentication and authorization
  • Building secure extranet business to business scenarios
  • When and how to flow user identities across application tiers
  • Securing data connection strings
  • Accessing network resources from ASP.NET
  • Secure data access
  • Using Secure Sockets Layer (SSL) from Web Services
  • Calling Enterprise Services from ASP.NET
  • Roles (Microsoft SQL Server, Enterprise Services, and .NET)
  • PrincipalPermission checks
  • Configurable security vs. programmatic security
  • Forms authentication against SQL Server and Active Directory
The following is an index of the step-by-step procedures in the guide:

ASP.NET
  • How To: Create a Custom Account to Run ASP.NET
  • How To: Use Forms Authentication with Active Directory
  • How To: Use Forms Authentication with SQL Server 2000
  • How To: Use Forms Authentication with GenericPrincipal Objects
Authentication and Authorization
  • How To: Implement Kerberos Delegation in Windows 2000
  • How To: Implement IPrincipal
Cryptography
  • How To: Create a DPAPI Library
  • How To: Use DPAPI (Machine Store) from ASP.NET
  • How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
  • How To: Create an Encryption Library
  • How To: Store Encrypted Connection Strings in the Registry
Web Services, Remoting, And Enterprise Services Security
  • How To: Use Role-based Security with Enterprise Services
Web Services Security
  • How To: Call a Web Service Using Client Certificates
  • How To: Call a Web Service Using SSL
Remoting Security
  • How To: Host a Remote Object in a Windows Service
Secure Communication
  • How To: Set Up SSL on a Web Server
  • How To: Set Up Client Certificates
  • How To: Use IPSec to Secure Communication between Two Servers
  • How To: Use SSL to Secure Communication with SQL Server 2000
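The topics "Forms authentication against SQL Server and the Active Directory", "PrincipalPermission checks", and "Configurable security vs. programmatic security" above, together with the How To on using Forms Authentication with GenericPrincipal objects, all revolve around one pattern: put the user's roles into the encrypted forms-authentication ticket at logon, rebuild a GenericPrincipal from that ticket on every request, and then authorize either declaratively (web.config, PrincipalPermission attributes) or in code. The following is an added example written for this article, not code taken from the guide; it assumes .NET Framework 1.0 APIs, a pipe-delimited role list in the ticket's UserData field, and the role names "Manager" and "Employee", all of which are illustrative choices:

```csharp
// Added example (not from the guide): role-carrying forms-authentication ticket,
// GenericPrincipal reconstruction, and configurable vs. programmatic authorization.
// Assumptions: ASP.NET 1.0 APIs; roles stored pipe-delimited in ticket.UserData;
// role names "Manager"/"Employee" are made up for illustration.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

public class SecureFormsAuth
{
    // Login page: call this only after the credentials were verified against the
    // role store (SQL Server or Active Directory). The caller supplies the roles.
    public static void IssueTicket(HttpResponse response, string userName, string[] roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,                   // issue time
            DateTime.Now.AddMinutes(30),    // expiration (absolute)
            false,                          // not persistent
            String.Join("|", roles));       // UserData, e.g. "Manager|Employee"

        // Encrypt() encrypts and MACs the ticket with the <machineKey> settings,
        // so the client cannot change the user name or the role list.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.Secure = true;   // only send over SSL (assumes the site uses SSL)
        response.Cookies.Add(cookie);
    }

    // Global.asax Application_AuthenticateRequest: turn the ticket back into a principal.
    public static void AuthenticateRequest(HttpContext context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;        // anonymous request

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return;                        // tampered or foreign cookie: stay anonymous
        }
        if (ticket == null || ticket.Expired) return;

        string[] roles = ticket.UserData.Split('|');
        GenericPrincipal principal = new GenericPrincipal(new FormsIdentity(ticket), roles);

        // Set both: HttpContext.User drives the <authorization> element and User.IsInRole;
        // Thread.CurrentPrincipal is what PrincipalPermission demands inspect.
        context.User = principal;
        Thread.CurrentPrincipal = principal;
    }

    // Configurable security: the same roles gate whole URLs from web.config, no code needed.
    //   <location path="Payroll">
    //     <system.web>
    //       <authorization>
    //         <allow roles="Manager" />
    //         <deny users="*" />
    //       </authorization>
    //     </system.web>
    //   </location>

    // Programmatic security, declarative form: the runtime demands the role before
    // the method body runs and throws SecurityException otherwise.
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public static string ApproveExpenseReport(int reportId)
    {
        return "Report " + reportId + " approved by " + Thread.CurrentPrincipal.Identity.Name;
    }

    // Programmatic security, imperative form: demand in code and decide what to do
    // on failure (here, report it) instead of letting the exception propagate.
    public static bool CanViewPayroll()
    {
        try
        {
            new PrincipalPermission(null, "Manager").Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }
}
```

Two points worth checking in a real deployment: the role list is only trustworthy because the ticket is protected by the <machineKey> material, so that key must be identical across a Web farm and must not be left at a guessable value; and the declarative attribute depends on Thread.CurrentPrincipal, so AuthenticateRequest must set it in addition to HttpContext.User, otherwise the demand fails for every caller.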
For more information about this guide, visit the following Microsoft Web site:

Building Secure ASP.NET Applications
http://go.microsoft.com/fwlink/?LinkId=10616

Modification Type: Minor
Last Reviewed: 7/8/2005
Keywords:kbPAG kbHOWTOmaster kbinfo kbSecurity KB330246 kbAudDeveloper