

ASP.NET Security

Posted October 3, 2002

Chat Date: September 12, 2002

Chat Participants:

  • Erik Olson, Program Manager, ASP.NET
  • Rob Howard, Program Manager, ASP.NET

Host Guide_Keith_MS:
Welcome to today's Chat. Our topic is ASP.NET Security. Questions, comments, and suggestions are welcome.

Host Guide_Keith_MS:
The Input Room (below) is where you can enter questions for our Hosts today. We will read them and select questions to answer.

Host Guide_Keith_MS:
The questions and answers will be posted in this room, the Reading Room.

Host Guide_Keith_MS:
Please feel free to begin posting your questions in the room below. Please begin your questions with a Q: this will help us quickly identify the questions.

Host Guide_Keith_MS:
We will make an effort to answer as many questions as we can. There may be times when a question may be asked that we do not have an immediate answer for or cannot get to. We encourage you to post any of these questions in the driver newsgroups.

Host Guide_Keith_MS:
Let's introduce our Hosts for today.

Host Guest_MS_Erik:
Hi, I'm Erik Olson, a program manager on the ASP.NET team

Host Guest_rhoward_ms:
Hi, my name is Rob Howard and I'm a Program Manager on the ASP.NET team

Host Guide_Keith_MS:
Welcome everyone, let's get started!

Host Guest_MS_Erik:
Q: What do I need to have a webform with two textboxes for user name and password to authenticate against Windows security?

Host Guest_MS_Erik:
A: For that, you'll probably need an ISAPI filter. ASP.NET is an ISAPI extension so

Host Guest_MS_Erik:
A: IIS has already negotiated authentication by the time ASP.NET sees the request.

Host Guest_MS_Erik:
A: Wish there were an easier answer! <eom>

Host Guest_MS_Erik:
A: (doh! flip the Q & A around)

Host Guest_MS_Erik:
Q: mav: How is the viewstate encoded? Is it encrypted?

Host Guest_MS_Erik:
A: No, it isn't encrypted. It's Base64 encoded. By default, there's also an HMACSHA1 digest appended that prevents tampering with it. <end>

Host Guest_rhoward_ms:
Q: Is it possible to use Oracle authentication with ASP.Net?

Host Guest_rhoward_ms:
A: Yes. There are tons of great examples, such as IBuySpy, that demonstrate how to authenticate against

Host Guest_rhoward_ms:
A: a database (SQL Server). You could replace those SQL calls with calls to Oracle. FYI, in .NET Framework 1.1

Host Guest_rhoward_ms:
A: we'll ship an Oracle Provider, in the 1.0 version you'll need to use the OleDB class libraries.

Host Guest_MS_Erik:
Q: Oscar: we want to set up a secure IIS web server that Hosts Web Services. The service will allow a Windows Forms application to see if updates are available and, if so, provide the updated assemblies. How do I return an assembly from a secure web se

Host Guest_MS_Erik:
A: You could return a byte[] containing the assembly bits and protect it with any standard HTTP authentication mechanism. There's a continuum ranging from things like client certs over SSL to digest auth to basic. If the assemblies are large, you might wish to return a URL to the binaries (also protected) and use a standard HTTP GET to retrieve them. <end>

Host Guest_rhoward_ms:
Q: I am using SQL Server for my database. I am passing the username and password to the server as part of the connection string. Then I retrieve the database roles for the user to handle the roles on the website.

Host Guest_rhoward_ms:
A: Actually that's a great strategy, and one we use in IBuySpy, Forums, www.asp.net, etc. However, one small (but important) difference

Host Guest_rhoward_ms:
A: once we fetch the data from the database we store the roles (encrypted) within a cookie we send back to the client. On subsequent requests

Host Guest_rhoward_ms:
A: we simply decrypt the cookie. Download IBuySpy (see www.asp.net --- look for the projects tab) for some great sample code.

Host Guide_Keith_MS:
Hello. For those just joining the chat - Our topic is ASP.NET Security. Questions, comments and suggestions are welcome.

Host Guest_MS_Erik:
Q: I understand that the __VIEWSTATE is only base64 encoded; is it possible to apply crypto on this for added security?

Host Guest_MS_Erik:
A: That's right, it is base64 encoded. It's protected with an HMACSHA1 digest computed with the viewstate and a randomly generated 512 server secret so it is tamper resistant. If you want encryption on the wire, SSL is the best bet. If you put values in viewstate explicitly, you could symmetrically encrypt/decrypt them in the application. <end>

Host Guest_rhoward_ms:
Q: How is security enforced on the state bag?

Host Guest_rhoward_ms:
A: Could you provide some more details on *which* statebag?

Host Guest_MS_Erik:
Q: Is there a document available listing required/minimum permissions for ASPNET applications on WIN2K? An analogy would be setting READ/EXECUTE permissions on the ASP.DLL for ASP applications.

Host Guest_MS_Erik:
A: Try: https://support.microsoft.com/default.aspx?scid=kb;en-us;Q317012 <end>

Host Guest_MS_Erik:
Q: Does this chat session encompass Mobile ASP.Net security (WAP) ? I need a URL of a good example of using mobile Forms authentication.

Host Guest_MS_Erik:
A: Rats, none of the mobile folks are around right now. I apologize for not having that information at hand. You might want to check out the mobile tab at www.asp.net for some pointers.

Host Guest_MS_Erik:
One comment on https://support.microsoft.com/default.aspx?scid=kb;en-us;Q317012:

Host Guest_MS_Erik:
You do *not* need write access to content directories unless your application needs it for some reason

Host Guest_rhoward_ms:
Q: state can be saved in a separate process other than the asp.NET process.

Host Guest_rhoward_ms:
A: Yes, Session State can be saved in a separate process (a Windows NT Service or SQL Server). By default

Host Guest_rhoward_ms:
A: when using the State Server we use clear-text and SQL Server depends entirely upon what type of connection is

Host Guest_rhoward_ms:
A: being used. Erik just mentioned to me that you can use IPSec between the web server and state server... <end>

Host Guest_rhoward_ms:
Q: ...easy way to leverage the row based security on AS400 DB.

Host Guest_rhoward_ms:
A: It would be custom application logic that you would need to write, i.e. verify that the user attempting to access

Host Guest_rhoward_ms:
A: the row had the necessary permissions.

Host Guest_MS_Erik:
Q: What are the differences between IIS 5.1 and 6.0 and will 6.0 be available for download?

Host Guest_MS_Erik:
A: There are lots of differences. Here are a couple:

Host Guest_MS_Erik:
A: IIS 6 has a new process model which enables multiple worker processes. All ISAPIs run inside those as a weak account (Network Service).

Host Guest_MS_Erik:
A: IIS 6 has been locked down by default. You can selectively enable only the features you need rather than disabling ones you don't use.

Host Guest_MS_Erik:
A: Passport auth is supported natively in IIS 6

Host Guest_MS_Erik:
A: IIS 6 is included with .NET server. AFAIK, it won't be shipped independently. I believe you can download or order .NET server RC1 from MSDN currently. <end>

Host Guest_MS_Erik:
Q: How can I override the default security setting to allow write access to the registry for my Web Services?

Host Guest_MS_Erik:
A: You can change the DACL on the registry hive you want to allow access to.

Host Guest_MS_Erik:
A: On Win2K, use regedt32 and use the "Security" menu. On XP or .NET server, you can use regedit and just right click the key and choose "Permissions". Add write access for the ASPNET account or a group containing the impersonation accounts you're using (if applicable). <end>

Host Guest_MS_Erik:
A: BTW, you probably want to do it as discretely as possible, i.e. only change the DACL on the smallest possible section. <end>

Host Guest_MS_Erik:
A: One more addendum: you could have a ServicedComponent derived object running as a user that had rights to modify the regkey, and have ASP.NET talk to it. This might also help reduce the attack surface.

Host Guest_MS_Erik:
Q: How can I write a secure class? How do I apply security to a class?

Host Guest_MS_Erik:
A: There are lots of aspects to security but at a minimum I'd suggest:

Host Guest_MS_Erik:
A: * never trust input data: validate it and/or encode it before using it or echoing it back

Host Guest_MS_Erik:
A: * be very careful about constructing SQL queries in text using user input. Prefer parameterized stored procedures if you can use them.

Host Guest_MS_Erik:
A: * Validate arguments to p/invoke calls and minimize the use of "unsafe" code in C#

Host Guest_MS_Erik:
A: There is a white paper on www.msdn.microsoft.com/net/security about security coding guidelines with more recommendations.

Host Guest_MS_Erik:
A: And a great book called "Writing Secure Code" with some managed code guidelines in addition to lots of traditional stuff <end>

Host Guest_MS_Erik:
Q: Erik you mentioned " If you want encryption on the wire, SSL is the best bet." SSL really slows the application. Is there any way to boost performance when using SSL, other than adding hardware?

Host Guest_MS_Erik:
A: You're right, hardware is probably the best approach for a single machine. I believe that the SSL implementation in .NET server has made some perf gains. Sometimes terminating SSL at the firewall is a useful approach. <end>

Host Guest_MS_Erik:
Q: If the session state is stored in a separate process (NT Service), does the NT Service HAVE to run as a certain user (.\ASPNET) so that the ASP.NET runtime can access it, or can I change the identity of the NT Service to another user?

Host Guest_MS_Erik:
A: The service doesn't really interact with resources: it just holds onto state data so

Host Guest_MS_Erik:
A: I don't think that anything bad would happen. I haven't tested it personally, though. <end>

Host Guest_MS_Erik:
Q: If you go to a wrong URL in an aspx-enabled site, by default the exception block is commented into the HTML output. Why? Isn't that a security risk? For an example, look at this link: https://activeserverpages.com/freebook/learn/

Host Guest_MS_Erik:
A: Interesting question. The stack trace in that case has only ASP.NET methods on it and doesn't echo back data so it doesn't have any specific risks. Still, I think you might be right: why have it at all? I'll look into that--I appreciate that question! <end>

Host Guest_MS_Erik:
Q: I've tried <identity impersonate="true" userName="myDom/myAdm" password="pass" /> to get my webapp to run as a specific user, but this gives a compiler error on my machine (the error page says it's compiling autogenerated code - looks like my app's). Any help?

Host Guest_MS_Erik:
A: Is this on Win2K? Using a configured account doesn't work on Win2K unless you change the process identity or elevate the permissions of the default account. This is because LogonUser (used to generate tokens) requires a privilege called SE_TCB_NAME (act as part of the operating system).

Host Guest_MS_Erik:
A: This has been changed in newer versions of Windows and we're also investigating the possibility of fixing this in ASP.NET through a workaround on Win2K in the next release.

Host Guest_MS_Erik:
A: Does that look like what you're seeing? <end>

Host Guest_MS_Erik:
Q: about the wrong url/stacktrace, You also will find the path for the web, in this case: D:\domains\learnasp.com\freebook\learn\.aspx, that one is of more concern..

Host Guest_MS_Erik:
A: Good point. Custom 404 error pages can be used to hide that and I'll see what we can do about it for future releases. Thanks!

Host Guest_ptorr_ms:
Q: How do I use security demands?

Host Guest_ptorr_ms:
A: In an ordinary scenario, the data access layer will demand the appropriate permissions for you, and they will propagate up through your code to the top of the stack until they see an Assert or a frame that does not have the permission.

Host Guide_Keith_MS:
We are going to have to wrap up this chat in about 15 minutes. We will continue to work on answers to questions. If you asked a question earlier that we missed, please go ahead and repost it now.

Host Guest_ptorr_ms:
A: If you want to build your own permission (eg, "AccesMyDatabasePermission") then you will need to implement the permission yourself, along with a way of adding that to policy.

Host Guest_ptorr_ms:
A: Can you provide more info on your scenario?

Host Guest_MS_Erik:
Q: That fits. But I am running on XP Pro

Host Guest_MS_Erik:
A: OK, the LogonUser thing doesn't apply on XP. I'm not exactly sure what you're seeing but you might investigate adding read/write/delete access for that account to the Temporary ASP.NET Files directory and %windir%\temp (if using .asmx files) and see if it resolves your issue. Sorry for the weak answer!

Host Guest_ptorr_ms:
A: echo: The two most likely reasons for doing demands are (i) accessing things not already covered by the runtime, or (ii) to protect yourself before asserting a more dangerous permission (such as UnmanagedCode)

Host Guest_MS_Erik:
Q: What about cross-site scripting? Is anything done to prevent that?

Host Guest_MS_Erik:
A: Cross-site scripting is a tough issue for web applications. ASP.NET has some support for helping but there's still a lot of work for application developers. Validation controls can be very useful in helping to ensure that data is valid. The most effective technique is to look at all of your input data and ensure that it's either validated or appropriately encoded.

Host Guest_MS_Erik:
A: We're looking at more general ways to address the problem in future versions of ASP.NET but it's a hard problem for a general purpose framework. <end>

Host Guide_Keith_MS:
We'll be ending in about 10 minutes. Please ask any final questions you may have now and we'll try and get to them.

Host Guest_ptorr_ms:
Q: How do I protect against SQL injection attacks?

Host Guest_ptorr_ms:
A: The best way is not to concatenate SQL strings in the first place -- use parameterised queries instead.

Host Guest_ptorr_ms:
A: You should also use regular expressions to make sure that only 'appropriate' data is entered into fields. For example, a ZIP code should only ever be numbers, so you can have a RegExp like \d{5} to enforce 5 digits (US postal code).

Host Guest_ptorr_ms:
A: You should also look for things like quotes and hyphens which may be signs of someone trying to inject code, but remember that they are also valid characters sometimes (eg, a surname like D'Agulera).

Host Guest_ptorr_ms:
A: Mike Howard's book has info on this - you should look into it.

Host Guest_MS_Erik:
Q: How do you architect an application so that an entity can manage itself as well as its child companies with lesser permissions and parent companies with lesser permissions?

Host Guest_MS_Erik:
A: I'm not exactly sure what you're after here, but here are some general guidelines.

Host Guest_MS_Erik:
A: Trusted Hosts can load untrusted code into application domains with restrictive policies.

Host Guest_MS_Erik:
A: This doesn't work for all scenarios in the first Frameworks release since some things (like ASP.NET) require full trust. In the next release, more things (including ASP.NET) will support partial trust which makes this easier.

Host Guide_Keith_MS:
We are going to have to end in a few minutes. Would anyone like to add anything?

Host Guest_MS_Erik:
Q: Starfighter: Is the chat built with .NET? If so, is the source available?

Host Guest_MS_Erik:
A: I *think* it's a standard ActiveX control but I'm not certain on either of those unfortunately.

Host Guest_ptorr_ms:
Question for you all: How many people use URLScan?

Host Guest_ptorr_ms:
URLScan is a tool that basically throws away any suspicious looking HTTP requests, such as those containing parent paths, long strings, etc.

Host Guest_ptorr_ms:
You should really consider putting it on your server. Can't get the URL right but if you search microsoft.com for it you can get the download.

Host Guide_Keith_MS:
Thanks for joining us today and thanks for the questions. It's time for us to go now. You'll be able to find the transcript of this chat soon on the MSDN Web site at https://msdn.microsoft.com/chats/recent.asp.

Host Guide_Keith_MS:
Please see the chats schedule for upcoming topics.

Host Guide_Keith_MS:
Thanks!

Host Guest_ptorr_ms:
Looks like you can install URLScan without IISLOCKD

Host Guest_ptorr_ms:
Bye - thanks for joining us!
