patterns & practices ASP.NET 2.0 Security Guidance Index
Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Kishore Gopalan
Microsoft Corporation
August 2005
This page provides an index to available and emerging patterns & practices security guidance on ASP.NET version 2.0. The guidance includes modular content of various types including practices at a glance, guidelines, checklists, architecture and design reviews, deployment reviews, and How Tos.
- Security Frame
- Security Guidelines
- Practices at a Glance
- Security Design Guidelines
- Threat Modeling
- Security Architecture and Design Review
- Security Code Review
- Security Deployment Review
- Security Checklists
- How Tos
Security frames define a set of pattern-based categories that organize repeatable problems and solutions. You can use these categories to divide your application architecture for further analysis and to help identify application vulnerabilities. The categories within the frame represent the critical areas where mistakes are most often made. See the following security frame:
Security Guidelines are specific, actionable recommendations at the implementation level. Each recommendation is presented to address "what to do", "why", and "how." The recommendations are principle-based and they are organized using pattern-based categories for easy consumption.
Security Practices are proven and emerging practices expressed as precisely as possible. Each practice is presented using a problem and solution format, and the set of practices is organized using pattern-based categories. See the following practices at a glance resource:
Security design guidelines provide pattern-based recommendations around architecturally significant challenges. See the following security design guidelines resource:
Threat modeling is an engineering technique that can help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. You can use threat modeling to shape your application's design, meet your company's security objectives, and reduce risk. See the following threat modeling resource:
Security architecture and design reviews provide question-driven analysis of key application design decisions. See the following security architecture and design review resource:
Security code reviews provide question-driven analysis of coding practices and implementation. See the following security code review resource:
- How To: Perform a Security Code Review for Managed Code (Baseline Activity)
- Security Question List: ASP.NET 2.0
Security deployment reviews provide configuration and run-time analysis.
Checklists enumerate recommendations as itemized lists. The recommendations within the checklists are typically organized using an information model based on a problem domain. See the following security checklists:
- Security Checklist: Architecture and Design Review for Web Applications
- Security Checklist: ASP.NET 2.0
How Tos provide step-by-step, task-based guidance. See the following How Tos:
- How To: Configure the Machine Key in ASP.NET 2.0
- How To: Connect to SQL Server Using SQL Authentication in ASP.NET 2.0
- How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0
- How To: Create a Service Account for an ASP.NET 2.0 Application
- How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
- How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
- How To: Instrument ASP.NET 2.0 Applications for Security
- How To: Improve Security When Hosting Multiple Applications in ASP.NET 2.0
- How To: Prevent Cross-Site Scripting in ASP.NET
- How To: Protect Forms Authentication in ASP.NET 2.0
- How To: Protect From Injection Attacks in ASP.NET
- How To: Protect From SQL Injection in ASP.NET
- How To: Use ADAM for Roles in ASP.NET 2.0
- How To: Use Authorization Manager (AzMan) with ASP.NET 2.0
- How To: Use Code Access Security in ASP.NET 2.0
- How To: Use Forms Authentication with Active Directory in ASP.NET 2.0
- How To: Use Forms Authentication with Active Directory in Multiple Domains in ASP.NET 2.0
- How To: Use Forms Authentication with SQL Server in ASP.NET 2.0
- How To: Use Health Monitoring in ASP.NET 2.0
- How To: Use Impersonation and Delegation in ASP.NET 2.0
- How To: Use Medium Trust in ASP.NET 2.0
- How To: Use Membership in ASP.NET 2.0
- How To: Use the Network Service Account to Access Resources in ASP.NET
- How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0
- How To: Use Regular Expressions to Constrain Input in ASP.NET
- How To: Use Role Manager in ASP.NET 2.0
- How To: Use Windows Authentication in ASP.NET 2.0
Provide feedback by using either a Wiki or e-mail:
- Wiki. Security guidance feedback page at https://channel9.msdn.com/wiki/securityguidancefeedback/
- E-mail. Send e-mail to secguide@microsoft.com.
We are particularly interested in feedback regarding the following:
- Technical issues specific to recommendations
- Usefulness and usability issues
Technical support for the Microsoft products and technologies referenced in this guidance is provided by Microsoft Support Services. For product support information, see the Microsoft Support Web site at https://support.microsoft.com.
Community support is provided in the forums and newsgroups:
- MSDN Newsgroups: https://www.microsoft.com/communities/newsgroups/default.mspx
- ASP.NET Forums: http://forums.asp.net
To get the most benefit, find the newsgroup that corresponds to your technology or problem. For example, if you have a problem with ASP.NET security features, you would use the ASP.NET Security forum.
- Test team: Larry Brader, Microsoft Corporation; Nadupalli Venkata Surya Sateesh, Sivanthapatham Shanmugasundaram, Infosys Technologies Ltd.
- Edit team: Nelly Delgado, Microsoft Corporation; Tina Burden McGrayne, TinaTech Inc.
- Release Management: Sanjeev Garg, Microsoft Corporation