Sagar Joshi Senior Security Consultant | ACE Team, Microsoft Information Security...


Weaving Security into .NET 2.0 Applications

Sagar Joshi
Senior Security Consultant | ACE Team, Microsoft Information Security
Sagar.joshi@microsoft.com

Agenda

Authentication
Authorization
Sensitive data protection
Input validation
Cryptography
Auditing and logging

SDL-IT

(Diagram: the SDL-IT security activities laid over the SDLC phases.)

SDLC phases: Envision, Design, Develop / Purchase, Test, Release / Sustainment

SDL-IT activities: Application Entry / Risk Assessment, Threat Model / Design Review, Security Review, Security Deployment Review, Creation / Assimilation / Signoff

Iterative process: Define, Model, Measure, Validate, Optimize

Holistic approach to security


Methods of Authentication

Basic
Digest
Integrated (Kerberos v5, NTLM)
ASP.NET Forms Authentication
Digital signatures and digital certificates
Smart cards
Biometrics

Authentication Techniques

Windows authentication
Forms authentication

Authentication: MembershipProvider

Provides consistent and simple APIs for user storage and management, and makes Forms Authentication easy to implement.

Built-in providers: ActiveDirectoryMembershipProvider, SqlMembershipProvider

aspnet_regsql -S (local) -E -A m

-S specifies the server, which is (local) in this example. -E specifies that Windows authentication is used to connect to SQL Server. -A m specifies that only the membership feature is added. For simple authentication against a SQL Server user store, only the membership feature is required.

Authentication with the Membership Provider, and discovering the client identity

DEMO
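What the demo slide covers, as an added example that is not from the deck: a Forms Authentication login handler on top of the membership provider, and a helper that reads the client identity on later requests. It assumes Web.config has authentication mode="Forms" and a SqlMembershipProvider pointing at a store created with the aspnet_regsql command above; the control and class names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for a login page (hypothetical names). Assumes <authentication mode="Forms"> and a
// SqlMembershipProvider are configured in Web.config.
public partial class LoginPage : Page
{
    protected TextBox UserName, Password;
    protected Label Message;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // The provider salts and hashes the submitted password and compares it inside the store;
        // it also counts failures and locks the account after maxInvalidPasswordAttempts.
        if (Membership.ValidateUser(UserName.Text, Password.Text))
        {
            // Issue the forms ticket cookie; false = session cookie rather than a persistent one.
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
        }
        else
        {
            // One message for unknown user, wrong password and locked-out account alike,
            // so the response does not reveal which of them applied.
            Message.Text = "Login failed.";
        }
    }
}

// Discovering the client identity: ASP.NET turns the forms ticket into HttpContext.User before
// the page's own code runs, so the principal is already populated here.
public static class ClientIdentity
{
    public static string Describe(HttpContext ctx)
    {
        if (ctx == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return "anonymous";
        string name = ctx.User.Identity.Name;
        MembershipUser mu = Membership.GetUser(name);   // null if the ticket names a user no longer in the store
        return string.Format("{0} via {1}{2}", name,
            ctx.User.Identity.AuthenticationType,       // "Forms" for a forms ticket
            mu != null && mu.IsLockedOut ? " (locked out)" : "");
    }
}
```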


Authorization

What is authorization?

URL Authorization: selectively deny or allow access to specific files or folders

File Authorization: applies to file types such as .aspx or .asmx; the access check is made for the user based on the Windows token

Role based authorization

RBAC

Role manager: simple APIs for role authorization and role management
Providers: WindowsTokenRoleProvider, AuthorizationStoreRoleProvider (AzMan), SqlRoleProvider

SQL Role Provider

DEMO

URL Authorization

DEMO

Imperative authorization

Example of an imperative check (requires using System.Threading):

    if (Thread.CurrentPrincipal.IsInRole("Administrators"))
    {
        // Authorized
    }

Imperative authorization

Example of an imperative check using the ASP.NET role provider (requires using System.Web.Security):

    if (Roles.IsUserInRole(@"accounting"))
    {
        // Authorized
    }

Declarative authorization

PrincipalPermission example (requires using System.Security.Permissions). The demand runs before the method body and throws a SecurityException if the current principal is not in the role:

    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public double Add(double a, double b)
    {
        return a + b;
    }


How to encrypt the Web.config

Use aspnet_regiis with the RsaProtectedConfigurationProvider.

If you want to deploy the same encrypted configuration file on multiple servers in a Web farm, you should use the RsaProtectedConfigurationProvider. This provider makes it easy to encrypt the data on one server computer and then export the RSA private key needed to decrypt the data.

Alternative provider: DataProtectionConfigurationProvider

Encrypting sections of configuration file

DEMO
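The same operation done in code, as an added example that is not part of the deck: protecting a section of Web.config with either provider, and reading it back unchanged. It assumes the site is registered in IIS under the virtual path passed in and that the calling account can write Web.config and open the RSA key container.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Equivalent of "aspnet_regiis -pe <section> -app <path> -prov <provider>" in code.
public static class ConfigProtector
{
    // Provider names registered in the .NET 2.0 machine.config:
    public const string Rsa   = "RsaProtectedConfigurationProvider";    // key container can be exported to other farm members
    public const string Dpapi = "DataProtectionConfigurationProvider";  // machine-bound DPAPI key: fine for a single server

    public static bool Protect(string virtualPath, string sectionName, string provider)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null) throw new ArgumentException("no such section: " + sectionName);
        if (section.SectionInformation.IsProtected) return false;   // already encrypted, nothing to do
        section.SectionInformation.ProtectSection(provider);
        section.SectionInformation.ForceSave = true;                  // write even if the section looks unchanged
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    public static bool Unprotect(string virtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected) return false;
        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Application code is unchanged: the configuration system decrypts on read, so the connection
    // string comes back in clear regardless of which provider protected the section.
    public static string ReadConnectionString(string name)
    {
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[name];
        return cs == null ? null : cs.ConnectionString;
    }
}
```

For a farm, protect with Rsa on one server, export the container with aspnet_regiis -px "NetFrameworkConfigurationKey" keys.xml -pri, import it on the others with aspnet_regiis -pi, and grant the application pool identity access with aspnet_regiis -pa; the Dpapi provider cannot be moved this way.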


Input Validation

Protection against common attacks
Whitelist vs. blacklist
Client side vs. server side
Regex validator controls

Demo of Input validations using RegEx

DEMO
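Server-side whitelist validation with regular expressions, as an added example that is not from the deck (the demo itself is not on the page). It puts a whitelist rule beside a blacklist rule and shows two .NET-specific regex details that matter for validation; all inputs are constructed.

```csharp
using System;
using System.Text.RegularExpressions;

// Whitelist rules: describe exactly what is acceptable and anchor both ends. Two .NET details:
// \z rather than $, because $ also matches just before a trailing newline ("alice\n" would pass a
// $-anchored rule), and [0-9] rather than \d, because \d matches every Unicode decimal digit.
public static class InputRules
{
    static readonly Regex UserName = new Regex(@"^[A-Za-z0-9_]{3,16}\z");
    static readonly Regex UsZip    = new Regex(@"^[0-9]{5}(-[0-9]{4})?\z");
    static readonly Regex Amount   = new Regex(@"^[0-9]{1,7}(\.[0-9]{2})?\z");

    public static bool IsValidUserName(string s) { return s != null && UserName.IsMatch(s); }
    public static bool IsValidUsZip(string s)    { return s != null && UsZip.IsMatch(s); }
    public static bool IsValidAmount(string s)   { return s != null && Amount.IsMatch(s); }

    // A $-anchored copy of the user-name rule, kept only to show the trailing-newline difference.
    static readonly Regex DollarAnchored = new Regex(@"^[A-Za-z0-9_]{3,16}$");
    public static bool DollarAnchoredUserName(string s) { return s != null && DollarAnchored.IsMatch(s); }

    // Blacklist for contrast: it rejects only the exact spellings its author listed.
    static readonly Regex Blacklist = new Regex("<script|javascript:");
    public static bool PassesBlacklist(string s) { return s == null || !Blacklist.IsMatch(s); }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed inputs; each comment says why the rule accepts or rejects the value.
        Console.WriteLine(InputRules.IsValidUserName("alice_01"));            // letters, digits, underscore only
        Console.WriteLine(InputRules.IsValidUserName("alice<b>"));            // markup is outside the whitelist
        Console.WriteLine(InputRules.IsValidUserName("alice_01\n"));          // \z refuses the trailing newline
        Console.WriteLine(InputRules.DollarAnchoredUserName("alice_01\n"));   // $ accepts the same string
        Console.WriteLine(InputRules.IsValidUsZip("98052-6399"));             // ZIP+4 form
        Console.WriteLine(InputRules.IsValidUsZip("\u0669\u0668052"));        // Arabic-Indic digits: \d would accept
        Console.WriteLine(InputRules.IsValidAmount("1234.50"));               // two decimals required when present
        Console.WriteLine(InputRules.IsValidAmount("12,34"));                 // comma is not in the whitelist
        Console.WriteLine(InputRules.PassesBlacklist("<SCRIPT>"));            // a different case is not on the list
    }
}
```

When the same rule is wired through a RegularExpressionValidator control, remember that the control treats an empty field as valid (pair it with a RequiredFieldValidator) and that the server must still check Page.IsValid, because the client-side part runs only if the browser executes it.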


Cryptographic Algorithms

Symmetric algorithms
Use the same key for encryption and decryption
Computationally cheaper
Used to exchange or store information in secret

Asymmetric algorithms
Use separate keys for encryption and decryption
Computationally more expensive
Normally used to negotiate a symmetric key

Both only require one key to be kept secret

Hashing algorithms

.Net supported Cryptographic Algorithms

Symmetric: AES, DES (deprecated), 3DES, RC2 (deprecated), RijndaelManaged

Asymmetric: DSACryptoServiceProvider, RSACryptoServiceProvider, ECDiffieHellmanCng, ECDsaCng

.NET supported hash algorithms

MD5 (produces a 128-bit hash value): collisions discovered!
SHA1 (produces a 160-bit hash value): has been compromised!
SHA256 (produces a 256-bit hash value)
SHA384 (produces a 384-bit hash value)
SHA512 (produces a 512-bit hash value)
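The three slides above combined into working code, as an added example that is not from the deck: the asymmetric algorithm (RSA-OAEP) is used only to wrap fresh symmetric keys, the symmetric algorithm (AES via RijndaelManaged) encrypts the data, and integrity uses HMAC-SHA256 rather than MD5 or SHA-1. Only .NET 2.0 classes are used; the recipient's key XML is assumed to come from RSACryptoServiceProvider.ToXmlString, and every key is generated per call.

```csharp
using System;
using System.Security.Cryptography;

public sealed class Envelope
{
    public byte[] WrappedKeys;   // 32-byte AES key || 32-byte HMAC key, RSA-OAEP encrypted to the recipient
    public byte[] IV, CipherText;
    public byte[] Tag;           // HMAC-SHA256 over IV || CipherText
}
public static class Hybrid
{
    public static Envelope Seal(byte[] plain, string recipientPublicKeyXml)
    {
        byte[] keys = new byte[64];
        new RNGCryptoServiceProvider().GetBytes(keys);       // distinct random keys for encryption and MAC
        Envelope env = new Envelope();
        using (RijndaelManaged aes = new RijndaelManaged())  // AES-256-CBC with PKCS7 padding by default
        {
            aes.GenerateIV(); env.IV = aes.IV;               // fresh IV per message
            using (ICryptoTransform enc = aes.CreateEncryptor(Part(keys, 0), env.IV))
                env.CipherText = enc.TransformFinalBlock(plain, 0, plain.Length);
        }
        env.Tag = Mac(Part(keys, 32), env.IV, env.CipherText);
        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
        { rsa.FromXmlString(recipientPublicKeyXml); env.WrappedKeys = rsa.Encrypt(keys, true); } // true = OAEP
        return env;
    }
    public static byte[] Open(Envelope env, string recipientPrivateKeyXml)
    {
        byte[] keys;
        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
        { rsa.FromXmlString(recipientPrivateKeyXml); keys = rsa.Decrypt(env.WrappedKeys, true); }
        // Verify the tag in constant time before decrypting, so tampered data never reaches the cipher.
        byte[] expected = Mac(Part(keys, 32), env.IV, env.CipherText);
        int diff = expected.Length ^ env.Tag.Length;
        for (int i = 0; i < expected.Length && i < env.Tag.Length; i++) diff |= expected[i] ^ env.Tag[i];
        if (diff != 0) throw new CryptographicException("authentication tag mismatch");
        using (RijndaelManaged aes = new RijndaelManaged())
        using (ICryptoTransform dec = aes.CreateDecryptor(Part(keys, 0), env.IV))
            return dec.TransformFinalBlock(env.CipherText, 0, env.CipherText.Length);
    }
    static byte[] Part(byte[] src, int offset) { byte[] k = new byte[32]; Buffer.BlockCopy(src, offset, k, 0, 32); return k; }
    static byte[] Mac(byte[] key, byte[] iv, byte[] ct)
    {
        byte[] data = new byte[iv.Length + ct.Length];
        Buffer.BlockCopy(iv, 0, data, 0, iv.Length); Buffer.BlockCopy(ct, 0, data, iv.Length, ct.Length);
        using (HMACSHA256 h = new HMACSHA256(key)) return h.ComputeHash(data);
    }
}
```

A round trip is Open(Seal(data, rsa.ToXmlString(false)), rsa.ToXmlString(true)) for one RSACryptoServiceProvider instance; changing any byte of CipherText or IV makes Open throw before decryption.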


Auditing & Logging Threats

Failure to spot the signs of intrusion
Inability to prove a user's actions
Difficulties in problem diagnosis


Logging

Keep a log trail of authentication attempts, both successful and failed

Keep a log trail of all accesses to assets; log as close to the asset as possible (for example, in the SQL Server stored procedure)

Sometimes a log trail is the only mitigation

What you Log

Don't write sensitive information, such as passwords, in logs

Identify the who, what, where and when:
Identity
Action
Component / Service / Object / Method
Timestamp

Enterprise Library Logging Application Block
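An audit record shaped by the two slides above, as an added example that is not from the deck: it carries identity, action, component and a UTC timestamp, refuses to emit secret-looking values, escapes line breaks so user input cannot forge extra log lines, and records both login outcomes. The sink is a delegate, so Console.WriteLine can be swapped for a file writer or for the Logging Application Block's Logger.Write; the component name is hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

public sealed class AuditEvent
{
    public string Identity;                           // who: authenticated user name, or "anonymous"
    public string Action;                             // what: "Login", "TransferFunds", ...
    public string Component;                          // where: service / object / method
    public DateTime TimestampUtc = DateTime.UtcNow;   // when: always UTC, never local server time
    public bool Success;
    public readonly Dictionary<string, string> Details = new Dictionary<string, string>();

    // Detail keys whose values are never written out, whatever a caller puts in Details.
    static readonly string[] SecretKeys = { "password", "pwd", "secret", "token", "cardnumber" };

    public string ToRecord()
    {
        StringBuilder sb = new StringBuilder();
        sb.AppendFormat("{0:yyyy-MM-dd'T'HH:mm:ss.fff'Z'} user={1} action={2} where={3} result={4}",
            TimestampUtc, Clean(Identity ?? "anonymous"), Action, Component, Success ? "OK" : "FAIL");
        foreach (KeyValuePair<string, string> kv in Details)
            sb.Append(' ').Append(kv.Key).Append('=').Append(IsSecret(kv.Key) ? "[redacted]" : Clean(kv.Value));
        return sb.ToString();
    }

    static bool IsSecret(string key)
    {
        foreach (string s in SecretKeys)
            if (key.IndexOf(s, StringComparison.OrdinalIgnoreCase) >= 0) return true;
        return false;
    }

    // User-controlled values are escaped so a CR/LF inside them cannot start a forged log line.
    static string Clean(string v) { return v == null ? "" : v.Replace("\r", "\\r").Replace("\n", "\\n"); }
}

public static class Audit
{
    public static Action<string> Sink = Console.WriteLine;   // replace with a file writer or Logger.Write

    public static string Write(AuditEvent e) { string record = e.ToRecord(); Sink(record); return record; }

    // Both outcomes are recorded; the submitted password is never part of the record.
    public static string LoginAttempt(string user, bool ok, string clientIp)
    {
        AuditEvent e = new AuditEvent();
        e.Identity = user; e.Action = "Login"; e.Component = "LoginPage.LoginButton_Click"; e.Success = ok;
        e.Details["ip"] = clientIp;
        return Write(e);
    }
}
```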

Feedback / QnA

Your feedback is important! Please take a few moments to fill out our online feedback form.

Use the Question Manager on LiveMeeting to ask your questions now!

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
