Enhance Web security

Reprinted from: Dynamic Network Production Guide www.knowsky.com

Through the Internet, people can carry out all kinds of online transactions. Keeping information from being stolen and Web sites from being damaged has become an important responsibility of network application developers and network administrators. This article describes several principles and methods for improving Web site security.

I. The application environment

In general, a Web site that provides database application services is composed of three servers: an operating system server, a database server and a Web server, so the security settings for a Web site can be approached from these three aspects. Web solutions built on different environment configurations have different security priorities, but the basic principles are substantially the same. Below we use the Windows 2000 Advanced Server, Internet Information Services 5.0 and SQL Server 2000 environment as an example to discuss Web site security issues. In addition, since most Web sites are developed with the Microsoft .NET Framework, we also take the .NET Framework into account.

II. The solution

1. Web application layer security

Web application layer security covers the security factors that should be considered when developing Web applications, including form authentication, input validity verification, use of parameterized stored procedures, HTML encoding of output data, encrypted storage of information, and so on.

(1) Form authentication

With form authentication, when a user requests a secured page the system must make a judgment: if the user has already logged in to the system and the session has not timed out, the system returns the page to the requesting user; if the user is not logged in, the system redirects the user to the login page. The function described above can be implemented simply by configuring the web.config file as follows. If some pages in the system should not be accessible to anonymous users, web.config can be configured like this: ...
The login page that performs the authentication should itself verify that the user exists and that the password is correct, and must not do both in a single SQL statement (if an attacker gets into the site and appends an always-true condition to the WHERE clause of that statement, he passes the check whenever he likes). The authentication statement with this security risk is:

    select * from users where name = namestr and password = passwdstr

A more secure way to authenticate the user is to first determine whether the user exists with:

    SELECT Name, Password FROM Users WHERE Name = NameStr

If the user exists, a record containing the user name and password is returned; the password value from the database is then compared with the one the user entered:

    if (password == passwdstr)
    {
        // code for a passed verification ...
    }
    else
    {
        // code for a failed verification ...
    }

To make the transmission of sensitive information such as user names and passwords more secure, it should be encrypted with the Secure Sockets Layer (SSL) before being returned to the Web server.

(2) Input validity verification

Input validity verification limits the range of characters a user may enter, so that characters that could be used to send malicious scripts to the Web site are rejected. The System.Text.RegularExpressions.Regex class provided by ASP.NET verifies the submitted data against a regular expression, as shown below:

    // matches exactly one digit, as in the original; ^[0-9]+$ accepts longer numbers
    Regex isNumber = new Regex("^[0-9]$");
    if (isNumber.IsMatch(inputData))
    {
        // use it ...
    }
    else
    {
        // discard it ...
    }

A regular expression is a collection of characters and syntax elements used to match text patterns; here it is used to ensure that the query string is well formed and contains nothing malicious.
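As an added example (not code from the original article), the following C# puts sections (1) and (2) together: the user name is checked against a regular-expression allow-list, the user is looked up with a SqlCommand in which the user name travels as a typed parameter rather than inside the SQL text (one step beyond the article's SELECT, which still builds the statement from NameStr), and the stored password is compared with the submitted one. The Users table with Name and Password columns follows the article; the connection string, the column size, the allow-list pattern and the LoginService class name are assumptions.

```csharp
// Added example, not from the original article. Targets ASP.NET on the
// .NET Framework (2.0 or later). Assumes a Users table with Name and
// Password columns, as described in the article.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class LoginService
{
    // Placeholder; a real application reads this from protected configuration.
    private const string ConnectionString =
        "Server=SQLHOST;Database=WebApp;Integrated Security=SSPI";

    // Allow-list for user names (assumed policy): 3-20 letters, digits, '_' or '.'.
    // Anything outside this set never reaches the database.
    private static readonly Regex UserNamePattern = new Regex(@"^[A-Za-z0-9_.]{3,20}$");

    public static bool IsValidUserName(string name)
    {
        return name != null && UserNamePattern.IsMatch(name);
    }

    // The article's risky form concatenates user input into the WHERE clause,
    // so whatever the user types becomes part of the SQL text. Here the name
    // is a typed parameter: the statement text is fixed, only the value varies.
    public static bool Authenticate(string name, string password)
    {
        if (!IsValidUserName(name) || string.IsNullOrEmpty(password))
            return false;

        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT Password FROM Users WHERE Name = @name", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 20).Value = name;
            conn.Open();
            object stored = cmd.ExecuteScalar();   // null when no such user exists
            if (stored == null || stored == DBNull.Value)
                return false;
            return FixedTimeEquals((string)stored, password);
        }
    }

    // Compare every character so the time taken does not reveal how many
    // leading characters of the guess were correct.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In the login page's code-behind, a successful call is followed by FormsAuthentication.RedirectFromLoginPage(userName, false) from System.Web.Security, which issues the authentication ticket and sends the user back to the page originally requested; a failed call simply redisplays the login form. The article compares the stored password value directly; hashing passwords at rest is the usual practice today and changes only the comparison step.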

(3) Use parameterized stored procedures

Using parameterized stored procedures means that the Web application should, as far as possible, do its database work through stored procedures rather than dynamically constructed SQL statements. Restricting interaction with the database to stored procedures is usually the best way to enhance Web security. Without stored procedures, SQL queries must be built dynamically by the Web application; if the Web layer is compromised, an attacker can insert malicious commands into the database query to retrieve, change or delete data stored in the database. With stored procedures, the Web application's interaction with the database is limited to a few strictly typed parameters passed to the stored procedure. Whenever a developer calls a stored procedure through the .NET Framework, the system checks the parameters sent to it to make sure they are of the types the stored procedure accepts (an integer, an 8-character string, and so on). This is a further protective layer on top of the validity verification in the Web layer, ensuring that all input data is in the correct format and cannot be assembled into an executable SQL statement.

(4) HTML-encode output data

HTML-encoding output data means HTML-encoding any data before it is returned to the user, to prevent cross-site scripting attacks. If an attacker compromises the database, a script can be inserted into a record, which is then returned to the user and executed in the browser. With HTML encoding, most script commands are automatically converted into harmless text. HTML encoding is done with the HtmlEncode method of the System.Web.HttpServerUtility class, as shown below:

    someLabel.Text = Server.HtmlEncode(username);

(5) Encrypted storage of information

Encrypted storage of information means encrypting sensitive information such as database connection strings and user secrets so that the data is properly protected.
A database connection string holds connection information such as the server location, database name, user name and password; an attacker who obtains it can access the database and do malicious damage to it. The following method is usually used to protect the connection string and other secrets: encrypt the connection string, store it in the registry, and use an access control list (ACL) to ensure that only the system administrator and the ASP.NET worker process can access the registry entry. The encryption can be done with the TripleDES class in the System.Security.Cryptography namespace of the .NET Framework.
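Points (3) and (4) above, a stored-procedure call with strictly typed parameters and HTML encoding of the result before it is rendered, in one added C# example (not from the original article). The stored procedure dbo.GetUserProfile, its @UserId parameter, the DisplayName and Bio columns and the class names are assumptions; the connection string is a placeholder.

```csharp
// Added example, not from the original article. The stored procedure,
// its parameter and the result columns are assumed for illustration.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public class UserProfile
{
    public string DisplayName;
    public string Bio;
}

public static class ProfileRepository
{
    private const string ConnectionString =
        "Server=SQLHOST;Database=WebApp;Integrated Security=SSPI";   // placeholder

    public static UserProfile GetProfile(int userId)
    {
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.GetUserProfile", conn))
        {
            // No SQL text is assembled from input: the command is the procedure
            // name, and the only thing the caller supplies is a typed integer.
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserId", SqlDbType.Int).Value = userId;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return null;
                UserProfile p = new UserProfile();
                p.DisplayName = reader["DisplayName"] as string;
                p.Bio = reader["Bio"] as string;
                return p;
            }
        }
    }
}

public static class ProfileView
{
    // Every value that came out of the database is encoded before it reaches
    // the browser, so a "<script>" tag stored in a record renders as literal
    // text instead of executing.
    public static string Render(UserProfile p)
    {
        if (p == null) return "<p>No such user.</p>";
        return "<h2>" + HttpUtility.HtmlEncode(p.DisplayName) + "</h2>"
             + "<p>" + HttpUtility.HtmlEncode(p.Bio) + "</p>";
    }
}
```

When the user id arrives in the query string, convert it first with int.TryParse(Request.QueryString["id"], out userId): a value that does not parse never reaches the database, and one that does can only ever be an integer on the wire. HttpUtility.HtmlEncode is the same routine that Server.HtmlEncode calls, usable outside a page class.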
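The encrypted-storage scheme of point (5), as an added C# example that is not part of the original article: the connection string is encrypted with TripleDES, the ciphertext and IV are written to a registry key, and they are read back and decrypted by the application. The registry path, the value names, the class name and the way the key is supplied are assumptions; the article relies on the ACL of the registry key to keep the entry readable only by administrators and the ASP.NET worker process, and the key bytes must be protected in the same way.

```csharp
// Added example, not from the original article. Requires .NET Framework 2.0
// or later. Registry path and value names are assumptions.
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

public static class ProtectedConnectionString
{
    private const string RegistryPath = @"SOFTWARE\ExampleApp\Secrets";   // assumption

    // Encrypts the connection string under a 24-byte (192-bit) TripleDES key
    // and stores IV and ciphertext as Base64 strings in the registry.
    public static void Store(string connectionString, byte[] key)
    {
        using (TripleDES des = TripleDES.Create())   // CBC mode, PKCS7 padding by default
        {
            des.Key = key;
            des.GenerateIV();                         // fresh IV for every encryption
            byte[] plain = Encoding.UTF8.GetBytes(connectionString);
            byte[] cipher;
            using (ICryptoTransform enc = des.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);

            using (RegistryKey k = Registry.LocalMachine.CreateSubKey(RegistryPath))
            {
                k.SetValue("ConnIV", Convert.ToBase64String(des.IV));
                k.SetValue("ConnString", Convert.ToBase64String(cipher));
            }
        }
    }

    // Reads the entry back and returns the clear-text connection string.
    // Only a process allowed by the key's ACL can get this far.
    public static string Load(byte[] key)
    {
        using (RegistryKey k = Registry.LocalMachine.OpenSubKey(RegistryPath))
        {
            if (k == null)
                throw new InvalidOperationException("connection string not configured");
            byte[] iv = Convert.FromBase64String((string)k.GetValue("ConnIV"));
            byte[] cipher = Convert.FromBase64String((string)k.GetValue("ConnString"));
            using (TripleDES des = TripleDES.Create())
            using (ICryptoTransform dec = des.CreateDecryptor(key, iv))
            {
                byte[] plain = dec.TransformFinalBlock(cipher, 0, cipher.Length);
                return Encoding.UTF8.GetString(plain);
            }
        }
    }
}
```

Store is run once by the administrator during deployment, Load by the application at start-up. The key must not sit in web.config or in the content directory; where it lives is a deployment decision the article leaves to the registry ACL, so the same ACL (administrators plus the ASP.NET process identity, nothing else) should cover both the ciphertext entry and wherever the key is kept.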

2. Internet Information Services (IIS)

The security configuration of IIS generally covers the following aspects, so as to maximize system security:

(1) Install the latest version of the software wherever possible;
(2) Install patches as soon as possible after installing the software;
(3) Move the default Web site location on disk from C:\Inetpub to another volume, so that an attacker cannot use "../" in a path description to reach the C: drive easily;
(4) Use the IIS Lockdown Tool to remove all dynamic content types that the application does not use, reducing the surface an attacker can exploit;
(5) Make sure the application runs its ASP.NET code under the low-privilege default local service account (the ASP.NET account);
(6) Add the ASP.NET account to the local "Web Applications" group created by the IIS Lockdown Tool, to prevent the process from running any unauthorized command-line executable if it is compromised;
(7) Modify the Web Applications group's permissions so that it can run the .NET Framework resources the application needs, such as the C# compiler and resource converter (csc.exe and cvtres.exe);
(8) Configure URLScan 2.5 to allow only the set of extensions the application uses and to reject overly long requests (URLScan 2.5 is installed by the IIS Lockdown Tool; it is an ISAPI filter that screens every incoming request to the IIS Web server by query length and character set);
(9) Set access permissions on the Web content directory: grant the ASP.NET process read access to the content files, and grant the anonymous user appropriate read-only access to the content that is served;
(10) Restrict access to the IIS and URLScan log directories so that only the system account and the system administrators group can access them.

3. Windows 2000 Advanced Server

Operating system layer security is the security of the operating system itself: install the latest patches wherever possible and shut down any services the application does not use. Several registry values are described below.
(1) Create the registry key NoLMHash

In Windows 2000 this is a key; in Windows XP and Windows Server 2003 it is a value.
Location: HKLM\System\CurrentControlSet\Control\Lsa
Purpose: prevents the operating system from storing user passwords in the LM hash format. This format is only needed by Windows 3.11 clients that do not support NTLM or Kerberos. The risk of creating and keeping LM hashes is that an attacker who manages to recover the passwords stored in this format can reuse them on other computers on the network.

(2) Create the registry value NoDefaultExempt

Location: HKLM\System\CurrentControlSet\Services\IPSEC
Purpose: by default, IPSec allows queries from source port 88 to reach the computer and obtain information about it, regardless of which IPSec policy is in use.
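A small audit that reports whether the two registry settings just described are present on the host it runs on, as an added C# example that is not part of the original article. The registry paths are the ones the article gives, and the key-versus-value distinction between Windows 2000 and XP/2003 follows the article; the value 1 for NoDefaultExempt (the article states no value) is taken from Microsoft's documentation of that setting, and the class name is an assumption.

```csharp
// Added example, not from the original article: read-only check of the
// NoLMHash and NoDefaultExempt hardening settings. Paths are the article's;
// the expected DWORD value 1 is an assumption documented in the lead-in.
using System;
using Microsoft.Win32;

public static class RegistryHardeningAudit
{
    public static bool NoLMHashConfigured()
    {
        using (RegistryKey lsa = Registry.LocalMachine.OpenSubKey(
            @"SYSTEM\CurrentControlSet\Control\Lsa"))
        {
            if (lsa == null) return false;

            // Windows 2000: the setting is a subkey named NoLMHash.
            using (RegistryKey sub = lsa.OpenSubKey("NoLMHash"))
            {
                if (sub != null) return true;
            }

            // Windows XP / Server 2003: a DWORD value NoLMHash set to 1.
            object v = lsa.GetValue("NoLMHash");
            return v is int && (int)v == 1;
        }
    }

    public static bool NoDefaultExemptConfigured()
    {
        using (RegistryKey ipsec = Registry.LocalMachine.OpenSubKey(
            @"SYSTEM\CurrentControlSet\Services\IPSEC"))
        {
            if (ipsec == null) return false;
            object v = ipsec.GetValue("NoDefaultExempt");
            return v is int && (int)v == 1;   // 1 removes the default exemptions
        }
    }

    public static void Main()
    {
        Console.WriteLine("NoLMHash:        " + (NoLMHashConfigured() ? "set" : "MISSING"));
        Console.WriteLine("NoDefaultExempt: " + (NoDefaultExemptConfigured() ? "set" : "MISSING"));
    }
}
```

The audit only reads the registry, so it can run under an ordinary administrator account as part of a build-verification script; a "MISSING" line is the signal to apply the setting described above and, on Windows 2000, to change every password afterwards, since existing LM hashes are only dropped when a password is next changed.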

Please credit the original URL when reprinting: https://www.9cbs.com/read-51436.html
