patterns & practices Security How Tos Index

 

Retired Content
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley, Kishore Gopalan

Microsoft Corporation

August 2005

Summary

This page provides an index of patterns & practices Security How Tos organized into multiple views by category. The "A Through Z" section at the bottom lists each How To in alphabetical order.

Contents

ASP.NET 2.0
Authentication and Authorization
Code Access Security
Code Review
Communications Security
Configuration
Cryptography
Deployment Review
Enterprise Services (.NET Framework 1.1)
Impersonation and Delegation
Input and Data Validation
Patching and Updating
SQL Server 2000
Threat Modeling
Web Services (.NET Framework 1.1)
A Through Z

ASP.NET 2.0

• How To: Configure the Machine Key in ASP.NET 2.0
• How To: Connect to SQL Server Using SQL Authentication in ASP.NET 2.0
• How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0
• How To: Create a Service Account for an ASP.NET 2.0 Application
• How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
• How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
• How To: Instrument ASP.NET 2.0 Applications for Security
• How To: Improve Security When Hosting Multiple Applications in ASP.NET 2.0
• How To: Perform a Security Deployment Review for ASP.NET 2.0
• How To: Prevent Cross-Site Scripting in ASP.NET
• How To: Protect Forms Authentication in ASP.NET 2.0
• How To: Protect From Injection Attacks in ASP.NET
• How To: Protect From SQL Injection in ASP.NET
• How To: Use ADAM for Roles in ASP.NET 2.0
• How To: Use Authorization Manager (AzMan) with ASP.NET 2.0
• How To: Use Code Access Security in ASP.NET 2.0
• How To: Use Forms Authentication with Active Directory in ASP.NET 2.0
• How To: Use Forms Authentication with Active Directory in Multiple Domains in ASP.NET 2.0
• How To: Use Forms Authentication with SQL Server in ASP.NET 2.0
• How To: Use Health Monitoring in ASP.NET 2.0
• How To: Use Impersonation and Delegation in ASP.NET 2.0
• How To: Use Medium Trust in ASP.NET 2.0
• How To: Use Membership in ASP.NET 2.0
• How To: Use the Network Service Account to Access Resources in ASP.NET
• How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0
• How To: Use Regular Expressions to Constrain Input in ASP.NET
• How To: Use Role Manager in ASP.NET 2.0
• How To: Use Windows Authentication in ASP.NET 2.0

Authentication and Authorization

• How To: Connect to SQL Server Using SQL Authentication in ASP.NET 2.0
• How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0
• How To: Create GenericPrincipal Objects with Forms Authentication
• How To: Protect Forms Authentication in ASP.NET 2.0
• How To: Use Authorization Manager (AzMan) with ASP.NET 2.0
• How To: Use Forms Authentication with Active Directory
• How To: Use Forms Authentication with Active Directory in ASP.NET 2.0
• How To: Use Forms Authentication with Active Directory in Multiple Domains in ASP.NET 2.0
• How To: Use Forms Authentication with SQL Server 2000
• How To: Use Forms Authentication with SQL Server in ASP.NET 2.0
• How To: Use Windows Authentication in ASP.NET 2.0

Code Access Security

• How To: Create a Custom Encryption Permission
• How To: Use Code Access Security in ASP.NET 2.0
• How To: Use Code Access Security Policy to Constrain an Assembly

Code Review

• How To: Perform a Security Code Review for Managed Code (Baseline Activity)

Communications Security

• How To: Call a Web Service Using Client Certificates from ASP.NET
• How To: Call a Web Service Using SSL
• How To: Set Up SSL on a Web Server
• How To: Set Up Client Certificates
• How To: Use IPSec for Filtering Ports and Authentication
• How To: Use IPSec to Provide Secure Communication Between Two Servers
• How To: Use SSL to Secure Communication with SQL Server 2000

Configuration

• How To: Create a Custom Account To Run ASP.NET
• How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
• How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA

Cryptography

• How To: Create a DPAPI Library
• How To: Create an Encryption Library
• How To: Store an Encrypted Connection String in the Registry
• How To: Use DPAPI (Machine Store) from ASP.NET
• How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services

Deployment Review

• How To: Perform a Security Deployment Review for ASP.NET 2.0

Enterprise Services (.NET Framework 1.1)

• How To: Use Role-based Security with Enterprise Services

Impersonation and Delegation

• How To: Implement Kerberos Delegation for Windows 2000
• How To: Use Impersonation and Delegation in ASP.NET 2.0

Input and Data Validation

• How To: Prevent Cross-Site Scripting in ASP.NET
• How To: Protect From Injection Attacks in ASP.NET
• How To: Protect From SQL Injection in ASP.NET
• How To: Use Regular Expressions to Constrain Input in ASP.NET

Patching and Updating

• How To: Secure Your Developer Workstation
• How To: Implement Patch Management

SQL Server 2000

• How To: Connect to SQL Server Using SQL Authentication in ASP.NET 2.0
• How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0
• How To: Protect From SQL Injection in ASP.NET
• How To: Use Forms Authentication with SQL Server in ASP.NET 2.0
• How To: Use SSL to Secure Communication with SQL Server 2000

Threat Modeling

• How To: Create a Threat Model for a Web Application at Design Time

Web Services (.NET Framework 1.1)

• How To: Call a Web Service Using Client Certificates from ASP.NET
• How To: Call a Web Service Using SSL

A Through Z

• How To: Call a Web Service Using Client Certificates from ASP.NET
• How To: Call a Web Service Using SSL
• How To: Create a Custom Account to Run ASP.NET
• How To: Create a Custom Encryption Permission
• How To: Create a DPAPI Library
• How To: Create an Encryption Library
• How To: Create GenericPrincipal Objects with Forms Authentication
• How To: Configure the Machine Key in ASP.NET 2.0
• How To: Connect to SQL Server Using SQL Authentication in ASP.NET 2.0
• How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0
• How To: Create a Service Account for an ASP.NET 2.0 Application
• How To: Create a Threat Model for a Web Application at Design Time
• How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
• How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
• How To: Harden the TCP/IP Stack
• How To: Host a Remote Object in a Windows Service
• How To: Implement IPrincipal
• How To: Implement Kerberos Delegation for Windows 2000
• How To: Implement Patch Management
• How To: Improve Security When Hosting Multiple Applications in ASP.NET 2.0
• How To: Instrument ASP.NET 2.0 Applications for Security
• How To: Perform a Security Code Review for Managed Code (Baseline Activity)
• How To: Perform a Security Deployment Review for ASP.NET 2.0
• How To: Prevent Cross-Site Scripting in ASP.NET
• How To: Protect Forms Authentication in ASP.NET 2.0
• How To: Protect From Injection Attacks in ASP.NET
• How To: Protect From SQL Injection in ASP.NET
• How To: Secure Your Developer Workstation
• How To: Set Up SSL on a Web Server
• How To: Set Up Client Certificates
• How To: Store an Encrypted Connection String in the Registry
• How To: Use ADAM for Roles in ASP.NET 2.0
• How To: Use Authorization Manager (AzMan) with ASP.NET 2.0
• How To: Use Code Access Security in ASP.NET 2.0
• How To: Use Code Access Security Policy to Constrain an Assembly
• How To: Use DPAPI (Machine Store) from ASP.NET
• How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
• How To: Use Forms Authentication with Active Directory
• How To: Use Forms Authentication with Active Directory in ASP.NET 2.0
• How To: Use Forms Authentication with Active Directory in Multiple Domains in ASP.NET 2.0
• How To: Use Forms Authentication with SQL Server 2000
• How To: Use Forms Authentication with SQL Server in ASP.NET 2.0
• How To: Use Health Monitoring in ASP.NET 2.0
• How To: Use IISLockdown.exe
• How To: Use Impersonation and Delegation in ASP.NET 2.0
• How To: Use IPSec for Filtering Ports and Authentication
• How To: Use IPSec to Provide Secure Communication Between Two Servers
• How To: Use Medium Trust in ASP.NET 2.0
• How To: Use Membership in ASP.NET 2.0
• How To: Use the Network Service Account to Access Resources in ASP.NET
• How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0
• How To: Use Regular Expressions to Constrain Input in ASP.NET
• How To: Use Role-based Security with Enterprise Services
• How To: Use Role Manager in ASP.NET 2.0
• How To: Use SSL to Secure Communication with SQL Server 2000
• How To: Use URLScan
• How To: Use Windows Authentication in ASP.NET 2.0

Feedback

Provide feedback by using either a Wiki or e-mail:

• Wiki. Security guidance feedback page at
  https://channel9.msdn.com/wiki/securityguidancefeedback/
• E-mail. Send e-mail to mailto:secguide@microsoft.com.

We are particularly interested in feedback regarding the following:

• Technical issues specific to recommendations
• Usefulness and usability issues

Technical Support

Technical support for the Microsoft products and technologies referenced in this guidance is provided by Microsoft Support Services. For product support information, see the Microsoft Support Web site at https://support.microsoft.com.

Community and Newsgroups

Community support is provided in the forums and newsgroups:

• MSDN Newsgroups: https://www.microsoft.com/communities/newsgroups/default.mspx
• ASP.NET Forums: http://forums.asp.net

To get the most benefit, find the newsgroup that corresponds to your technology or problem. For example, if you have a problem with ASP.NET security features, you would use the ASP.NET Security forum.

Test, Edit, and Release Team

• Test team: Larry Brader, Microsoft Corporation; Nadupalli Venkata Surya Sateesh, Sivanthapatham Shanmugasundaram, Infosys Technologies Ltd.
• Edit team: Nelly Delgado, Microsoft Corporation; Tina Burden McGrayne, TinaTech Inc.
• Release Management: Sanjeev Garg, Microsoft Corporation

Retired Content
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.