On this page
• The goal of this guide
• Readers of this guide
• How to read this guide
• Content composition of this guide
• System requirements
• Installing the sample files
• Support
The goal of this guide
This guide is not an introduction to security, nor is it the security reference for the Microsoft .NET Framework; if you need that, see the .NET Framework Software Development Kit (SDK) on MSDN. This guide builds on that documentation and presents recommendations and proven techniques through specific scenarios. Our goal is to keep this guide as close to practical application as possible, so the proposals, recommendations and best practices come from field operation, customer experience and the Microsoft product teams.
Building a .NET web application involves many technologies. To build an effective application-level authentication and authorization strategy, you need to understand how to fine-tune the security features in each product and technology area, and how to make them work together to provide an effective defense-in-depth security strategy. This guide focuses on the security of distributed ASP.NET applications and on identity management between the tiers.
Specifically, we have chosen to focus on authentication, authorization, and secure communication. Security is a broad topic, and research has shown that designing authentication and authorization in from the outset greatly increases the security of an application. Secure communication is an indispensable part of protecting a distributed application; its purpose is to protect confidential data, including credentials passed to and from the application as well as credentials transmitted between the application's tiers.
Readers of this guide
Read this guide if you are an intermediate developer or architect who is planning to build, or is currently building, .NET web applications using one or more of the following technologies:
• ASP.NET
• Web Services
• Enterprise Services
• .NET Remoting
• ADO.NET
To use this guide effectively to design and build secure .NET web applications, you should already understand and have used .NET development techniques and technologies. You should be familiar with distributed application architectures; if you have already implemented a .NET web application solution, you should also understand the architecture and deployment model of your own application.
How to read this guide
The content of this guide is divided into several relatively independent modules, so you can choose which chapters to read. For example, if you are interested in the defense-in-depth security features provided by specific technologies, you can go directly to Part III (Chapter 8 to Chapter 12), which covers ASP.NET, Enterprise Services, Web Services, .NET Remoting and data access in detail.
However, we recommend that you read the first chapters of this guide (Chapter 1 to Chapter 4), that is, Part I, because these chapters help you understand the security models and help you determine your core technologies and security services. Application architects must read Chapter 3, which provides important knowledge about designing authentication and authorization strategies for the different tiers of a web application. Part I provides basic information that helps you fully understand and apply the knowledge in this guide.
Part II of this guide (Chapter 5 to Chapter 7) explains how to secure specific application scenarios. If you know the architecture and deployment model of your application, you can use this part to learn about the relevant security issues and the basic configuration steps required to secure that scenario.
Finally, the supplementary information and reference material in Part IV of this guide can help you deepen your understanding of specific technical areas. This part also provides "Basic Knowledge" articles that guide you to a working security solution in the shortest possible time.
Content composition of this guide
This guide is divided into four parts. Each part is a logical grouping that makes the content easier to digest.
Part I, Security Models
Part I of this guide is the foundation for the other parts. Being familiar with the concepts, principles and technologies described in Part I helps you fully understand and apply the knowledge in this guide. Part I includes the following chapters:
• Chapter 1, Introduction
• Chapter 2, Security Models for ASP.NET Applications
• Chapter 3, Authentication and Authorization
• Chapter 4, Secure Communication
Part II, Application Scenarios
Most applications can be classified as intranet, extranet, or Internet applications. This part of the guide introduces a set of common application scenarios, each of which falls into one of these categories. The main characteristics of each scenario are described and its potential security threats are analyzed.
It then shows how to configure and implement the most appropriate authentication, authorization, and secure communication strategy for each application scenario. Each scenario also includes sections with detailed analysis, common pitfalls, and frequently asked questions (FAQ). Part II includes the following chapters:
• Chapter 5, Intranet Security
• Chapter 6, Extranet Security
• Chapter 7, Internet Security
Part III, Securing the Tiers
This part of the guide provides detailed information about securing the various tiers of a .NET web application and the related technologies. Part III includes the following chapters:
• Chapter 8, ASP.NET Security
• Chapter 9, Enterprise Services Security
• Chapter 10, Web Services Security
• Chapter 11, .NET Remoting Security
• Chapter 12, Data Access Security
Each chapter outlines the security architecture of the technology under discussion. For each technology, the authentication and authorization strategies, the configurable security options, and the programmatic security options are discussed separately, together with practical recommendations about when to use specific strategies.
Each chapter provides guidance that you can use to select and implement the most appropriate authentication, authorization, and secure communication options. In addition, each chapter provides additional information specific to that technology, and ends with a concise summary of recommendations.
Part IV, reference
This reference part of the guide provides additional information to help you deepen your understanding of the technologies, strategies, and security solutions presented in the previous chapters. Detailed "Basic Knowledge" topics provide step-by-step instructions to help you implement specific security solutions. This part contains the following chapters:
• Chapter 13, Troubleshooting Security Issues
• Basic Knowledge
• Basic Configuration
• Configuration Stores and Tools
• References
• How It Works
• ASP.NET Identity Matrix
• Cryptography, Keys and Certificates
• Glossary
System Requirements
This guide helps you use the .NET Framework to design and build secure ASP.NET applications for Windows 2000. It targets the .NET Framework version 1 (Service Pack 2), although the concepts and code also apply to the next version of the .NET Framework. The guide describes the new security features that will be provided in that next release, as well as features that will be provided with Windows .NET Server 2003 (Microsoft's next-generation Windows Server operating system).
To use this guide, you need at least one computer running Windows XP Professional or Windows 2000 Server SP3. You also need to install Visual Studio .NET, the .NET Framework SP2, and SQL Server 2000 SP2.
To implement some of the solutions discussed, you also need a second computer running Windows 2000 Server SP3, Windows 2000 Advanced Server SP3 or Windows 2000 Datacenter Server SP3.
Installing the sample files
You can download the sample files for this guide from http://www.microsoft.com/mspress/guides/6501.asp. To download them, click the "Companion Content" link in the "More Information" menu on the right side of the page. This opens the "Companion Content" page, which contains the link to download the sample files.
Support
Every effort has been made in editing to ensure that this guide and its companion content are accurate. If you have any questions or feedback about this content, please send an email to Secguide@microsoft.com.