Introduction

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

Improving Web Application Security: Threats and Countermeasures

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan
Microsoft Corporation

Published: June 2003

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

Summary: This section allows you to quickly see the scope and coverage of the individual chapters in the guide.

Contents

Why We Wrote This Guide
What Is a Hack-Resilient Application?
Scope of This Guide
Who Should Read This Guide
How to Use This Guide
Organization of This Guide
Approach Used in This Guide
Positioning of This Guide
Feedback and Support
The Team Who Brought You This Guide
Tell Us About Your Success
Summary

This guide gives you a solid foundation for designing, building, and configuring secure ASP.NET Web applications. Whether you have existing applications or are building new ones, you can apply the guidance to help you make sure that your Web applications are hack-resilient.

The information in this guide is based on proven practices for improving your Web application's security. The guidance is task-based and presented in parts that correspond to product life cycles, tasks, and roles.

  • Part I, "Introduction to Threats and Countermeasures," identifies and illustrates the various threats facing the network, host, and application layers. The process of threat modeling helps you to identify those threats that can harm your application. By understanding these threats, you can identify and prioritize effective countermeasures.
  • Part II, "Designing Secure Web Applications," gives you the guidance you require to design secure Web applications. Even if you have deployed your application, we recommend that you examine and evaluate the concepts, principles, and techniques outlined in this part.
  • Part III, "Building Secure Web Applications," allows you to apply the secure design practices introduced in Part II to create secure implementations. You will learn defensive coding techniques that make your code and application resilient to attack.
  • Part IV, "Securing Your Network, Host, and Application," describes how you will apply security configuration settings to secure these three interrelated levels. Instead of applying security randomly, you will learn the rationale behind the security recommendations.
  • Part V, "Assessing Your Security," provides the tools you require to evaluate the success of your security efforts. Starting with the application, you'll take an inside-out approach to evaluating your code and design. You'll follow this with an outside-in view of the security risks that challenge your network, host and application.

Why We Wrote This Guide

Traditionally, security has been considered a network issue, where the firewall is the primary defense (the fortress model) or something that system administrators handle by locking down the host computers. Application architects and developers have traditionally treated security as an afterthought or as a feature to be considered as time permits — usually after performance considerations are addressed.

The problem with the firewall, or fortress model, is that attacks can pass through network defenses directly to the application. A typical firewall helps to restrict traffic to HTTP, but the HTTP traffic can contain commands that exploit application vulnerabilities. Relying entirely on locking down your hosts is another unsuccessful approach. While several threats can be effectively countered at the host level, application attacks represent a serious and increasing security issue.

Another area where security problems occur is deployment. A familiar scenario is when an application fails when it is deployed in a locked-down production environment, which forces the administrator to loosen security settings. This often leads to new security vulnerabilities. In addition, a lack of security policy or application requirements that are inconsistent with policy can compromise security. One of the goals of this guide is to help bridge this gap between development and operations.

Random security is not enough. To make your application hack-resilient, you need a holistic and systematic approach to securing your network, host, and application. The responsibility spans phases and roles across the product life cycle. Security is not a destination; it is a journey. This guide will help you on your way.

What Is a Hack-Resilient Application?

This guide helps you build hack-resilient applications. A hack-resilient application is one that reduces the likelihood of a successful attack and mitigates the extent of damage if an attack occurs. A hack-resilient application resides on a secure host (server) in a secure network and is developed using secure design and development guidelines.

In 2002, eWeek sponsored its fourth Open Hack challenge, which proved that hack-resilient applications can be built using .NET technologies on servers running the Microsoft® Windows® 2000 operating system. The Open Hack team built an ASP.NET Web application using Microsoft Windows 2000 Advanced Server, Internet Information Services (IIS) 5.0, Microsoft SQL Server® 2000, and the .NET Framework. It successfully withstood more than 82,500 attempted attacks and emerged from the competition unscathed.

This guide shares the methodology and experience used to secure Web applications including the Open Hack application. In addition, the guide includes proven practices that are used to secure networks and Web servers around the world. These methodologies and best practices are condensed and offered here as practical guidance.

Scope of This Guide

Web application security must be addressed across the tiers and at multiple layers. A weakness in any tier or layer makes your application vulnerable to attack.

Securing the Network, Host, and Application

Figure 1 shows the scope of the guide and the three-layered approach that it uses: securing the network, securing the host, and securing the application. It also shows the process called threat modeling, which provides a structure and rationale for the security process and allows you to evaluate security threats and identify appropriate countermeasures. If you do not know your threats, how can you secure your system?

Figure 1: The scope of Improving Web Application Security: Threats and Countermeasures

The guide addresses security across the three physical tiers shown in Figure 1. It covers the Web server, remote application server, and database server. At each tier, security is addressed at the network layer, host layer, and application layer. Figure 1 also shows the configuration categories that the guide uses to organize the various security configuration settings that apply to the host and network, and the application vulnerability categories used to structure application security considerations.

Technologies in Scope

While much of the information in this guide is technology agnostic, the guide focuses on Web applications built with the .NET Framework and deployed on the Windows 2000 Server family of operating systems. The guide also pays special attention to .NET Framework code access security, particularly in relation to the use of code access security with ASP.NET. Where appropriate, new features provided by Windows Server 2003 are highlighted. Table 1 shows the products and technologies that this guidance is based on.

Table 1 Primary Technologies Addressed by This Guide

| Area | Product/Technology |
|---|---|
| Platforms | .NET Framework 1.1; Windows 2000 Server family (Windows Server 2003 security features are also highlighted) |
| Web Server | IIS 5.0 (included with Windows 2000 Server) |
| Application Server | Windows 2000 Server with .NET Framework 1.1 |
| Database Server | SQL Server 2000 |
| Middleware Technologies | ASP.NET, Enterprise Services, XML Web Services, .NET Remoting |
| Data Access | ADO.NET |

Who Should Read This Guide

This guide is for anyone concerned with planning, building, deploying, or operating Web applications. The guide contains essential information for designers, developers, system administrators, and security analysts.

Designers will learn how to avoid costly security mistakes and how to make appropriate design choices early in the product development life cycle. Developers will learn how to implement defensive coding techniques and build secure code. System administrators will learn how to methodically secure servers and networks, and security analysts will learn how to perform security assessments.

How to Use This Guide

Each chapter in the guide is modular. The guidance is task-based and is presented in parts that correspond to the various stages of the product development life cycle and to the people and roles involved during the life cycle, including architects, developers, system administrators, and security analysts.

Applying the Guidance to Your Role

Each person, regardless of role, who works on the design, development, deployment, or maintenance of Web applications and their underlying infrastructure should read Part I of this guide. Part I, "Introduction to Threats and Countermeasures," highlights and explains the primary threats to Web applications at the network, host, and application layers. It also shows you how to create threat models to help you identify and prioritize those threats that are most relevant to your particular application. A solid understanding of threats and associated countermeasures is essential for anyone who is interested in securing Web applications.

If you are responsible for or are involved in the design of a new or existing Web application, you should read Part II, "Designing Secure Web Applications." Part II helps you identify potential vulnerabilities in your application design.

If you are a developer, you should read Part III, "Building Secure Web Applications." The information in this part helps you to develop secure code and components, including Web pages and controls, Web services, remoting components, and data access code. As a developer, you should also read Part IV, "Securing Your Network, Host, and Application" to gain a better understanding of the type of secure environment that your code is likely to be deployed in. If you understand more about your target environment, the risk of issues and security vulnerabilities appearing at deployment time is reduced significantly.

If you are a system administrator, you should read Part IV, "Securing Your Network, Host, and Application." The information in this part helps you create a secure network and server infrastructure — one that is tuned to support .NET Web applications and Web services.

Anyone who is responsible for reviewing product security should read Part V, "Assessing Your Security." This part helps you identify vulnerabilities caused by insecure coding techniques or deployment configurations.

Applying the Guidance to Your Product Life Cycle

Different parts of the guide apply to the different phases of the product development life cycle. The sequence of chapters in the guide mirrors the typical phases of the life cycle. Figure 2 shows how the parts and chapters correspond to the phases of a classic product development life cycle.

Figure 2: Improving Web Application Security: Threats and Countermeasures as it relates to the product life cycle

Microsoft Solutions Framework

If you use, or are more familiar with, the Microsoft Solutions Framework (MSF), Figure 3 shows a similar life cycle mapping, this time in relation to the MSF Process Model.

Figure 3: Improving Web Application Security: Threats and Countermeasures as it relates to MSF

Organization of This Guide

You can read this guide from end to end, or you can read the chapters you need for your job. For a quick overview of the guide, refer to the "Fast Track" section.

Solutions at a Glance

The "Solutions at a Glance" section provides a problem index for the guide, highlighting key areas of concern and where to go for more detail.

Fast Track

The "Fast Track" section in the front of the guide helps you implement the recommendations and guidance quickly and easily.

Parts

This guide is divided into five parts:

  • Part I, Introduction to Threats and Countermeasures
  • Part II, Designing Secure Web Applications
  • Part III, Building Secure Web Applications
  • Part IV, Securing Your Network, Host, and Application
  • Part V, Assessing Your Security

Part I, Introduction to Threats and Countermeasures

This part identifies and illustrates the various threats facing the network, host, and application layers. By using the threat modeling process, you can identify the threats that are relevant to your application. This sets the stage for identifying effective countermeasures. This part includes:

  • Chapter 1, "Web Application Security Fundamentals"
  • Chapter 2, "Threats and Countermeasures"
  • Chapter 3, "Threat Modeling"

Part II, Designing Secure Web Applications

This part provides the guidance you need to design your Web applications securely. Even if you have an existing application, you should review this section and then revisit the concepts, principles, and techniques that you used during your application design. This part includes:

  • Chapter 4, "Design Guidelines for Secure Web Applications"
  • Chapter 5, "Architecture and Design Review for Security"

Part III, Building Secure Web Applications

This part helps you to apply the secure design practices and principles covered in the previous part to create a solid and secure implementation. You'll learn defensive coding techniques that make your code and application resilient to attack. Chapter 6 presents an overview of the .NET Framework security landscape so that you are aware of the numerous defensive options and tools that are at your disposal. Part III includes:

  • Chapter 6, ".NET Security Fundamentals"
  • Chapter 7, "Building Secure Assemblies"
  • Chapter 8, "Code Access Security in Practice"
  • Chapter 9, "Using Code Access Security with ASP.NET"
  • Chapter 10, "Building Secure ASP.NET Pages and Controls"
  • Chapter 11, "Building Secure Serviced Components"
  • Chapter 12, "Building Secure Web Services"
  • Chapter 13, "Building Secure Remoted Components"
  • Chapter 14, "Building Secure Data Access"

Part IV, Securing Your Network, Host, and Application

This part shows you how to apply security configuration settings to secure the interrelated network, host, and application levels. Rather than applying security randomly, you'll learn the reasons for the security recommendations. Part IV includes:

  • Chapter 15, "Securing Your Network"
  • Chapter 16, "Securing Your Web Server"
  • Chapter 17, "Securing Your Application Server"
  • Chapter 18, "Securing Your Database Server"
  • Chapter 19, "Securing Your ASP.NET Application and Web Services"
  • Chapter 20, "Hosting Multiple Web Applications"

Part V, Assessing Your Security

This part provides you with the tools you need to evaluate the success of your security efforts. It shows you how to evaluate your code and design and also how to review your deployed application, to identify potential vulnerabilities.

  • Chapter 21, "Code Review"
  • Chapter 22, "Deployment Review"

Checklists

This section contains printable, task-based checklists, which are quick reference sheets to help you turn information into action. This section includes the following checklists:

  • Checklist: Architecture and Design Review
  • Checklist: Securing ASP.NET
  • Checklist: Securing Web Services
  • Checklist: Securing Enterprise Services
  • Checklist: Securing Remoting
  • Checklist: Securing Data Access
  • Checklist: Securing Your Network
  • Checklist: Securing Your Web Server
  • Checklist: Securing Your Database Server
  • Checklist: Security Review for Managed Code

"How To" Articles

This section contains "How To" articles, which provide step-by-step procedures for key tasks. This section includes the following articles:

  • How To: Implement Patch Management
  • How To: Harden the TCP/IP Stack
  • How To: Secure Your Developer Workstation
  • How To: Use IPSec for Filtering Ports and Authentication
  • How To: Use the Microsoft Baseline Security Analyzer
  • How To: Use IISLockdown.exe
  • How To: Use URLScan
  • How To: Create a Custom Encryption Permission
  • How To: Use Code Access Security Policy to Constrain an Assembly

Approach Used in This Guide

If your goal is a hack-resilient application, how do you get there? The approach used in this guide is as follows:

  • Secure your network, host, and application
  • Focus on threats
  • Follow a principle-based approach

Secure Your Network, Host, and Application

Security must be addressed at three levels: network, host, and application. A weakness at any layer can be exploited by an attacker. This guide takes a holistic approach to application security and applies it at all three levels. The holistic approach to security is shown in Figure 4.

Figure 4: A holistic approach to security

Figure 4 shows the multiple layers covered by the guide, including the network, host, and application. The host layer covers the operating system, platform services and components, and run-time services and components. Platform services and components include SQL Server and Enterprise Services. Run-time services and components include ASP.NET and .NET code access security among others.

Focus on Threats

Your application's security measures can become useless, or even counterproductive, if those measures are applied without knowing the threats that the security measures are designed to mitigate.

Threats can be external, such as an attacker on the Internet, or internal, such as a disgruntled employee or administrator. This guide helps you identify threats in two ways:

  • It enumerates the top threats that affect Web applications at the network, host, and application levels.
  • It helps you to identify which threats are relevant to your application through a process called threat modeling.

Follow a Principle-Based Approach

Recommendations used throughout this guide are based on security principles that have proven themselves over time. The analysis and consideration of threats prior to product implementation or deployment lends itself to a principle-based approach where core principles can be applied, regardless of implementation technology or application scenario.

Positioning of This Guide

This is Volume II in a series dedicated to helping customers plan, build, deploy, and operate secure Web applications: Volume I, Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication, and Volume II, Improving Web Application Security: Threats and Countermeasures.

Volume I, Building Secure ASP.NET Applications

Building Secure ASP.NET Applications helps you to build a robust authentication and authorization mechanism for your application. It focuses on identity management through the tiers of a distributed Web application. By developing a solid authentication and authorization strategy early in the design, you can eliminate a high percentage of application security issues. The primary audience for Volume I is architects and lead developers.

Figure 5 shows the scope of Volume I. The guide addresses authentication, authorization, and secure communication across the tiers of a distributed Web application. The technologies that are covered are the same as the current guide and include Windows Server, IIS, ASP.NET Web applications and Web services, Enterprise Services, .NET Remoting, SQL Server, and ADO.NET.

Figure 5: Scope of Volume I, Building Secure ASP.NET Applications

Volume II, Improving Web Application Security

This guide helps you build and maintain hack-resilient applications. It takes a broader look at security across the tiers, focusing on threats and countermeasures at the network, host, and application levels. The intended audience is broader and the guidance can be applied throughout the product life cycle.

For additional related work, see the "Resources" chapter provided at the end of the guide.

Feedback and Support

We have made every effort to ensure the accuracy of this guide and its companion content.

Feedback on the Guide

If you have comments on this guide, send e-mail to secguide@microsoft.com. We are particularly interested in feedback regarding the following:

  • Technical issues specific to recommendations
  • Usefulness and usability issues
  • Writing and editing issues

Technical Support

Technical support for the Microsoft products and technologies referenced in this guide is provided by Microsoft Product Support Services (PSS). For product support information, please visit the Microsoft Product Support Web site at https://support.microsoft.com.

Community and Newsgroup Support

MSDN Newsgroups: https://www.microsoft.com/communities/newsgroups/default.mspx

Table 2 Newsgroups

| Newsgroup | Address |
|---|---|
| .NET Framework Security | microsoft.public.dotnet.security |
| ASP.NET Security | microsoft.public.dotnet.framework.aspnet.security |
| Enterprise Services | microsoft.public.dotnet.framework_component_services |
| Web Services | microsoft.public.dotnet.framework.aspnet.webservices |
| Remoting | microsoft.public.dotnet.framework.remoting |
| ADO.NET | microsoft.public.dotnet.framework.adonet |
| SQL Server Security | microsoft.public.sqlserver.security |
| MBSA | microsoft.public.security.baseline_analyzer |
| Virus | microsoft.public.security.virus |
| IIS Security | microsoft.public.inetserver.iis.security |

The Team Who Brought You This Guide

This guide was produced by the following .NET development specialists:

  • J.D. Meier, Microsoft, Program Manager, Prescriptive Architecture Guidance (PAG)
  • Alex Mackman, Content Master Ltd, Founding member and Principal Technologist
  • Srinath Vasireddy, Microsoft, Developer Support Engineer, PSS
  • Michael Dunner, Microsoft, Developer Support Engineer, PSS
  • Ray Escamilla, Microsoft, Developer Support Engineer, PSS
  • Anandha Murukan, Satyam Computer Services

Contributors and Reviewers

Many thanks to the following contributors and reviewers:

  • Thanks to external reviewers: Mark Curphey, Open Web Application Security Project and Watchfire; Andy Eunson (extensive review); Anil John (code access security and hosting scenarios); Paul Hudson and Stuart Bonell, Attenda Ltd. (extensive review of the Securing series); Scott Stanfield and James Walters, Vertigo Software; Lloyd Andrew Hubbard; Matthew Levine; Lakshmi Narasimhan Vyasarajan, Satyam Computer Services; Nick Smith, Senior Security Architect, American Airlines (extensive review of the Securing series); Ron Nelson; Senthil Rajan Alaguvel, Infosys Technologies Limited; Roger Abell, Engineering Technical Services, Arizona State University; and Doug Thews.
  • Microsoft Product Group: Michael Howard (Threat Modeling, Code Review, and Deployment Review); Matt Lyons (demystifying code access security); Caesar Samsi; Erik Olson (extensive validation and recommendations on ASP.NET); Andres De Vivanco (securing SQL Server); Riyaz Pishori (Enterprise Services); Alan Shi; Carlos Garcia Jurado Suarez; Raja Krishnaswamy, CLR Development Lead; Christopher Brown; Dennis Angeline; Ivan Medvedev (code access security); Jeffrey Cooperstein (Threat Modeling); Frank Swiderski; Manish Prabhu (.NET Remoting); Michael Edwards, MSDE; Pranish Kumar, (VC++ PM); Richard Waymire (SQL Security); Sebastian Lange; Greg Singleton; Thomas Deml (IIS Lead PM); Wade Hilmo (IIS); Steven Pratschner; Willis Johnson (SQL Server); and Girish Chander (SQL Server).
  • Microsoft Consulting Services and Product Support Services (PSS): Ilia Fortunov (Senior Architect) for providing continuous and diligent feedback; Aaron Margosis (extensive review, script injection, and SQL Injection); Jacquelyn Schmidt; Kenny Jones; Wade Mascia (Web Services and Enterprise services); Aaron Barth; Jackie Richards; Aaron Turner; Andy Erlandson (Director of PSS Security); Jayaprakasam Siddian Thirunavukkarasu (SQL Server security); Jeremy Bostron; Jerry Bryant; Mike Leuzinger; Robert Hensing (reviewing the Securing series); Gene Ferioli; David Lawler; Jon Wall (threat modeling); Martin Born; Michael Thomassy; Michael Royster; Phil McMillan; and Steven Ramirez.
  • Thanks to Joel Scambray; Rich Benack; Alisson Sol; Tavi Siochi (IT Audit); Don Willits (raising the quality bar); Jay Nanduri (Microsoft.com) for reviewing and sharing real world experience; Devendra Tiwari and Peter Dampier, for extensive review and sharing best IT practices; Denny Dayton; Carlos Lyons; Eric Rachner; Justin Clarke; Shawn Welch (IT Audit); Rick DeJarnette; Kent Sharkey (Hosting scenarios); Andy Oakley; Vijay Rajagopalan (Dev Lead MS Operations); Gordon Ritchie, Content Master Ltd; Chase Carpenter (Threat Modeling); Matt Powell (for Web Services security); Joel Yoker; Juhan Lee [MSN Operations]; Lori Woehler; Mike Sherrill; Mike Kass; Nilesh Bhide; Rebecca Hulse; Rob Oikawa (Architect); Scott Greene; Shawn Nandi; Steve Riley; Mark Mortimore; Matt Priestley; and David Ross.
  • Thanks to our editors: Sharon Smith; Kathleen Hartman (S&T OnSite); Tina Burden (Entirenet); Cindy Riskin (S&T OnSite); and Pat Collins (Entirenet) for helping to ensure a quality experience for the reader.
  • Finally, thanks to Naveen Yajaman; Philip Teale; Scott Densmore; Ron Jacobs; Jason Hogg; Per Vonge Nielsen; Andrew Mason; Edward Jezierski; Michael Kropp; Sandy Khaund; Shaun Hayes; Mohammad Al-Sabt; Edward Lafferty; Ken Perilman; and Sanjeev Garg (Satyam Computer Services).

Tell Us About Your Success

If this guide helps you, we would like to know. Tell us by writing a short summary of the problems you faced and how this guide helped you out. Submit your summary to:

MyStory@Microsoft.com.

Summary

In this introduction, you were shown the structure of the guide and the basic approach used by the guide to secure Web applications. You were also shown how to apply the guidance to your role or to specific phases of your product development life cycle.

© Microsoft Corporation. All rights reserved.