patterns & practices ASP.NET 1.1 Security Guidance Index

patterns & practices Developer Center

J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Kishore Gopalan

Microsoft Corporation

August 2005

Summary

This page provides an index of the patterns & practices security guidance available on ASP.NET version 1.1. The guidance includes modular content of various types including scenarios and solutions, guidelines, explained, checklists, architecture and design reviews, code reviews, deployment reviews, and How Tos.

Contents

Security Frame
Guides
Scenarios and Solutions
Security Guidelines
Security Design Guidelines
Threat Modeling
Security Architecture and Design Review
Security Code Review
Security Deployment Review
Security Checklists
Explained
How Tos

Security Frame

Security frames define a set of pattern-based categories that organize repeatable problems and solutions. You can use these categories to divide your application architecture for further analysis and to help identify application vulnerabilities. The categories within the frame represent the critical areas where mistakes are most often made. See the following security frame:

• Cheat Sheet: Web Application Security Frame

Guides

The following guides are available on MSDN and are also available as books:

• Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
• Improving Web Application Security: Threats and Countermeasures

Scenarios and Solutions

Scenario and Solution modules show common end-to-end application scenarios, such as a Web server to database server intranet scenario, and present the common solutions. See the following scenarios and solutions:

• Intranet Scenarios and Solutions for ASP.NET 1.1
• Extranet Scenarios and Solutions for ASP.NET 1.1
• Internet Scenarios and Solutions for ASP.NET 1.1

Security Guidelines

Security Guidelines are specific, actionable recommendations at the implementation level. Each recommendation is presented to address "what to do", "why", and "how." The recommendations are principle-based and they are organized using pattern-based categories for easy consumption.

• Security Guidelines: ASP.NET 1.1

Security Design Guidelines

Security design guidelines provide pattern-based recommendations around architecturally significant challenges. See the following security design guidelines resource:

• Security Design Guidelines for Web Applications

Threat Modeling

Threat modeling is an engineering technique that can help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. You can use threat modeling to shape your application's design, meet your company's security objectives, and reduce risk. See the following threat modeling resource:

• Threat Modeling Web Applications

Security Architecture and Design Review

Security architecture and design reviews provide question-driven analysis of key application design decisions. See the following security architecture and design review resource:

• Security Architecture and Design Review for Web Applications

Security Code Review

Security code reviews provide question-driven analysis of coding practices and implementation. See the following security code review resource:

• How To: Perform Security Code Review for Managed Code (Baseline Activity)
• Security Code Review for ASP.NET 1.1
• Security Code Review for Cross-Site Scripting
• Security Code Review for SQL Injection

Security Deployment Review

Security deployment reviews provide configuration and run-time analysis. See the following security deployment review resource:

• Security Deployment Review for ASP.NET 1.1

Security Checklists

Checklists enumerate recommendations as itemized lists. The recommendations within the checklists are typically organized using an information model based on a problem domain. See the following security checklists:

• Security Checklist: Architecture and Design Review for Web Applications
• Security Checklist: ASP.NET 1.1

Explained

Explained modules address how things work along with design intentions, extensibility points, and usage scenarios. See the following explained resource:

• Explained: ASP.NET 1.1 Request Processing

How Tos

How Tos provide step-by-step, task-based guidance. See the following How Tos:

• How To: Create a Custom Account to Run ASP.NET
• How To: Create a DPAPI Library
• How To: Create an Encryption Library
• How To: Create GenericPrincipal Objects with Forms Authentication
• How To: Implement IPrincipal
• How To: Implement Kerberos Delegation for Windows 2000
• How To: Prevent Cross-Site Scripting in ASP.NET
• How To: Protect From Injection Attacks in ASP.NET
• How To: Set Up SSL on a Web Server
• How To: Set Up Client Certificates
• How To: Store an Encrypted Connection String in the Registry
• How To: Use DPAPI (Machine Store) from ASP.NET
• How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
• How To: Use Forms Authentication with Active Directory
• How To: Use Forms Authentication with SQL Server 2000
• How To: Use the Network Service Account to Access Resources in ASP.NET
• How To: Use Regular Expressions to Constrain Input in ASP.NET
• How To: Use Role-based Security with Enterprise Services

Feedback

Provide feedback by using either a Wiki or e-mail:

• Wiki. Security guidance feedback page at
  https://channel9.msdn.com/wiki/securityguidancefeedback/
• E-mail. Send e-mail to secguide@microsoft.com.

We are particularly interested in feedback regarding the following:

• Technical issues specific to recommendations
• Usefulness and usability issues

Technical Support

Technical support for the Microsoft products and technologies referenced in this guidance is provided by Microsoft Support Services. For product support information, see the Microsoft Support Web site at https://support.microsoft.com.

Community and Newsgroups

Community support is provided in the forums and newsgroups:

• **MSDN Newsgroups:**https://msdn.microsoft.com/newsgroups/default.asp
• ASP.NET Forums:http://forums.asp.net

To get the most benefit, find the newsgroup that corresponds to your technology or problem. For example, if you have a problem with ASP.NET security features, you would use the ASP.NET Security forum.

Test, Edit, and Release Team

• Test team: Larry Brader, Microsoft Corporation; Nadupalli Venkata Surya Sateesh, Sivanthapatham Shanmugasundaram, Infosys Technologies Ltd.
• Edit team: Nelly Delgado, Microsoft Corporation; Tina Burden McGrayne, TinaTech Inc.
• Release Management: Sanjeev Garg, Microsoft Corporation