Building Secure Microsoft ASP.NET Applications

Building secure distributed Web applications can be challenging. It usually involves integrating several different technologies and products-yet your complete application will only be as secure as its weakest link. This guide presents a practical, scenario-driven approach to designing and building secure ASP.NET applications for Microsoft Windows 2000 and version 1.1 of the Microsoft .NET Framework. It focuses on the key elements of authentication, authorization, and secure communication within and across the tiers of distributed .NET Web applications.

• Authentication (to identify the clients of your application)
• Authorization (to provide access controls for those clients)
• Secure communication (to ensure that messages remain private and are not altered by unauthorized parties)

Patterns & practices contain specific recommendations Illustrating how to design, build, deploy, and operate architecturally sound solutions to challenging business and technical scenarios. The technical guidance is reviewed and approved by Microsoft engineering teams, consultants, and and customers.

• Practical-Based on field experience
• Authoritative-Offer the best advice available
• Accurate-Technically validated and tested
• Actionable-Provide the steps to success
• Relevant-Address real-world problems

Contents

1. Introduction
2. Security Model for ASP.NET Applications
3. Authentication and Authorization Design
4. Secure Communication
5. Intranet Security
6. Extranet Security
7. Internet Security
8. ASP.NET Security
9. Enterprise Services Security
10. Web Services Security
11. .NET Remoting Security
12. Data Access Security
13. Troubleshooting Security Issues

• How To: Create a Custom Account to Run ASP.NET
• How To: Use Forms Authentication with Active Directory
• How To: Use Forms Authentication with SQL Server 2000
• How To: Create GenericPrincipal Objects with Forms Authentication
• How To: Implement Kerberos Delegation for Windows 2000
• How To: Implement IPrincipal
• How To: Create a DPAPI Library
• How To: Use DPAPI (Machine Store) from ASP.NET
• How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
• How To: Create an Encryption Library
• How To: Store an Encrypted Connection String in the Registry
• How To: Use Role-based Security with Enterprise Services
• How To: Call a Web Service Using Client Certificates from ASP.NET
• How To: Call a Web Service Using SSL
• How To: Host a Remote Object in a Windows Service
• How TO : Set Up SSL on a Web Server
• How To: Set Up Client Certificates
• How To: Use IPSec to Provide Secure Communication Between Two Servers
• How To: Use SSL to Secure Communication with SQL Server 2000

Base Configuration

Configuration Stores and Tools

Reference Hub

How Does It Work?

ASP.NET Identity Matrix

Cryptography and Certificates

.NET Web Application Security