Building Secure ASP.NET Applications: Preface


Release Date: 9/28/2004 | Update Date: 9/28/2004

Microsoft Corporation

Why write these chapters

This guide is neither an introduction to security nor a security reference for the Microsoft .NET Framework; for that, you can get the .NET Framework Software Development Kit (SDK) from the MSDN developer program. This guide covers what that documentation leaves out and uses a scenario-based approach to share recommendations and proven techniques. We want these chapters to be as close to real-world practice as possible, so they draw on insights, recommendations, and best practices from the subject area, from users' experience, and from Microsoft product teams.

Many technologies can be used to build .NET web applications. To establish effective, practical authentication and authorization strategies, you need to understand how to tune the various subtle security features of the different products and technology areas, and how to make them work together to produce an effective defense-in-depth security strategy. This guide focuses on security and identity management across distributed ASP.NET applications.

More specifically, we have chosen authentication, authorization, and communication security as the focus of the discussion. Security is a broad topic, but studies have shown that designing authentication and authorization early eliminates most application vulnerabilities. Communication security is an indispensable part of protecting distributed applications: it protects the sensitive data, including credentials, exchanged by applications.

Who should read these chapters?

If you are an intermediate developer or software designer who plans to build, or is building, .NET web applications with one or more of the technologies below, you should read these chapters.

• ASP.NET
• Web Services
• Enterprise Services
• Remoting
• ADO.NET

To use this guide to design and build more secure .NET web applications, you should have some knowledge of, and experience with, .NET development technologies. You should be familiar with the architecture of distributed applications, and if you have already implemented a .NET web application solution, you should know the architecture and usage of your own application.

How should you read these chapters?

This guide is organized by chapter. You can pick and choose the chapters you want to read. For example, if you are interested in a particular technology, you can jump directly to one of the following chapters: "ASP.NET Security", "Enterprise Service Security", "Web Service Security", ".NET Remoting Security" and "Data Access Security".

However, it is recommended that you read the earlier chapters first, because they help you understand the security model and identify the core technologies and security services. Application designers should make sure they read the "Authentication and Authorization" chapter. That chapter introduces the key points of designing authentication and authorization strategies across a web application. The first three chapters cover the fundamentals, which help you get the most benefit from the other chapters of this guide.

The chapters "Intranet Web Application Security", "The .NET Web Application Security in the Extranet environment" and "Internet Web Application Security in the Internet Environment" describe how to secure applications in specific application scenarios. If you know the architecture and deployment model your application uses, you can find the relevant security topics and the basic configuration steps needed for your specific scenario.

Finally, the additional information and reference material in each chapter help deepen your understanding of specific technology areas. This guide also contains a library of "how to" articles that help you develop a working security solution in the shortest possible time.

Chapter organization

This guide is divided into four parts. The aim is to provide a logical organizational structure that makes the content easier to understand.

Part I, security model

The first part is the basis for the other parts of the guide. Being familiar with the concepts, principles, and technologies of the first part helps you get the most benefit from the other parts of this guide. The first part includes the following sections:

• "Security Model for ASP.NET Apps"
• "Authentication and Authorization"
• "Secure Communication"

Part II, application scenario

Most applications can be categorized as an intranet, an extranet, or an Internet application. This part of the guide describes some common application scenarios, each of which belongs to one of the categories mentioned above. The key features of each scenario are described, along with its potential security threats.

You will see how to configure and implement the most appropriate authentication, authorization, and secure communication strategies for each application scenario. Each scenario also includes a detailed analysis, common mistakes to watch out for, and frequently asked questions (FAQ). The second part contains the following sections:

• "Protect the .NET Web Application in the Intranet environment"
• "Protect the .NET web application in the Extranet environment"
• "Protect the .NET web application in the Internet environment"

Part III, layer security

This part of the guide contains detailed information about the individual tiers and the technologies related to securing them. The third part contains the following sections:

• "ASP.NET Security"
• "Enterprise Service Security"
• "Web Service Security"
• ".NET Remoting Security"
• "Data Access Security"

Each chapter gives an overview of the security architecture as it applies to the specific technology. For each technology, the guide presents authentication and authorization strategies, together with the configurable security options, the programmatic security options, and operational recommendations for when to use a specific strategy.

The chapters provide guidance and in-depth insight that help you choose and implement the most appropriate authentication, authorization, and secure communication options for each technology. In addition, the chapters provide additional information specific to each technology. Finally, each chapter ends with a brief summary of recommendations.

Part IV, reference

The reference part of the guide contains supplementary information that helps you understand the techniques, strategies, and security solutions given in the previous chapters. The detailed "How to Do" articles provide step-by-step procedures that help you implement a specific security solution. This part contains the following information:

• "Safety Problem Troubleshooting"
• "Index Of Building Secure ASP.NET HOW TOS"
• "Building Secure Microsoft ASP.NET Applications - Basic Configuration"
• "Building Secure Microsoft ASP.NET Applications - Configuring Storage & Tools"
• "Secure Microsoft ASP.NET Applications - Reference Center"
• "Building Secure Microsoft ASP.NET Applications - How does it work?"
• "ASP.NET Identification Matrix"
• "Encryption, Key and Certificate"

System Requirements

These chapters help you design and build secure ASP.NET applications on computers running Microsoft Windows 2000 operating systems and the .NET Framework. The 1 version of the .NET Framework 2, although these concepts and code can be run in the next version of .NET Framework. These chapters also prepare you for the new security features provided in the next release, and for the additional features provided with Windows Server™ 2003, Microsoft's next-generation Windows Server operating system.

To use these chapters, you need at least one computer running Windows XP Professional or Windows 2000 Server SP3. You also need the Microsoft Visual Studio .NET development system, .NET Framework SP2, and SQL Server™ 2000 SP2. To implement some of the solutions discussed, you also need another computer running Windows 2000 Server SP3, Windows 2000 Advanced SP3, and Windows 2000 Datacenter Server SP3.

Install sample files

The sample files can be downloaded from the http://www.microsoft.com/mspress/guides/6501.asp website. To download the sample files, click the "Companion Content" link on the "More Information" menu. This loads the Companion Content page, which contains the link to the downloadable sample files.
