
Security Checklist: ADO.NET 2.0

 
Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Chaitanya Bijwe

Microsoft Corporation

October 2005

Applies To

  • ADO.NET version 2.0

Summary

This checklist presents a set of consolidated security guidelines for applications using ADO.NET version 2.0. The answers and recommendations presented in this module are designed to supplement the companion modules and additional guidance. The guidelines are organized by various categories that represent those areas where mistakes are most often made.

Contents

How to Use This Module
Input / Data Validation
SQL Injection
Configuration and Connection Strings
Authentication
Authorization
Exception Management
Sensitive Data
Code Access Security
Deployment Considerations
Companion Guidance

How to Use This Module

This checklist is a companion to "Security Guidelines: ADO.NET 2.0." Use "Security Guidelines: ADO.NET 2.0" to learn about the ADO.NET 2.0 guidelines and to learn what you should do, why you should do it, and how you can implement each guideline. Use this checklist as you develop your data access code.

You should expand and evolve this security checklist by adding data access practices that you discover during software development.

Input / Data Validation

  • Regular expressions are used to validate input against expected patterns.
  • In ASP.NET applications, ASP.NET validator controls are used to constrain and validate input.
  • The application does not rely only on ASP.NET request validation.
  • All untrusted input is validated inside data access methods.

SQL Injection

  • Input data is constrained and sanitized. Data is checked for type, length, format, and range.
  • Type-safe SQL parameters are used for data access.
  • Where possible, dynamic queries that accept untrusted input are avoided.
  • With dynamic SQL, character escaping is used to handle special input characters.
  • The application login is restricted and has limited database permissions.
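
The following C# sketch is an added example, not code from the original checklist. It combines the input validation and SQL injection items: allow-list validation inside the data access method, a typed and length-limited SqlParameter, and server-side logging with a generic error for the caller. The class name, table, columns, and the name pattern are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Text.RegularExpressions;

public static class CustomerData
{
    // Assumed business rule: letters, spaces, apostrophes, hyphens; 1 to 40 characters.
    private static readonly Regex NamePattern =
        new Regex(@"^[a-zA-Z' \-]{1,40}\z", RegexOptions.Compiled);

    public static DataTable FindByLastName(string connectionString, string lastName)
    {
        // Validate inside the data access method; do not rely on the caller
        // or on ASP.NET request validation alone.
        if (lastName == null || !NamePattern.IsMatch(lastName))
            throw new ArgumentException("Invalid last name.", "lastName");

        DataTable results = new DataTable();
        // The using blocks close the connection even if the query throws.
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = @lastName", conn))
        {
            // Explicit type and length: the value is bound as data and is
            // never parsed as part of the SQL text.
            cmd.Parameters.Add("@lastName", SqlDbType.NVarChar, 40).Value = lastName;
            try
            {
                conn.Open();
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    results.Load(reader);
                }
            }
            catch (SqlException ex)
            {
                // Full details stay in the server log; the caller gets a generic error.
                Trace.TraceError(ex.ToString());
                throw new ApplicationException("A data access error occurred.");
            }
        }
        return results;
    }
}
```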

Configuration and Connection Strings

  • Where possible, Windows authentication is used to avoid placing credentials in connection strings.
  • Aspnet_regiis is used to encrypt credentials stored in connection strings in configuration files.
  • RSA encryption is used to protect credentials stored in connection strings on Web farm servers.
  • In the connection string, the PersistSecurityInfo attribute is not specified or is set to false or no.
  • Where possible, connection strings are not constructed with user input.
  • If user input must be used to build connection strings, the input is validated and ConnectionStringBuilder is used.
  • Where possible, Universal Data Link (UDL) files for OLE DB data sources are avoided.
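
As an added illustration (not part of the original checklist), the C# below builds a connection string from caller-supplied server and database names the way the items above describe: allow-list validation first, then SqlConnectionStringBuilder, with Windows authentication and PersistSecurityInfo set to false. The class name and both patterns are assumptions made for this example.

```csharp
using System;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class ConnectionStrings
{
    // Assumed allow-lists: "host" or "host\instance", and a simple database identifier.
    private static readonly Regex ServerPattern =
        new Regex(@"^[A-Za-z0-9.\-]{1,63}(\\[A-Za-z0-9_$]{1,16})?\z");
    private static readonly Regex DatabasePattern =
        new Regex(@"^[A-Za-z_][A-Za-z0-9_]{0,63}\z");

    public static string Build(string server, string database)
    {
        if (server == null || !ServerPattern.IsMatch(server))
            throw new ArgumentException("Invalid server name.", "server");
        if (database == null || !DatabasePattern.IsMatch(database))
            throw new ArgumentException("Invalid database name.", "database");

        // The builder assigns each value to exactly one keyword and quotes it
        // as needed, so input cannot introduce additional keywords the way
        // string concatenation can.
        SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder();
        builder.DataSource = server;
        builder.InitialCatalog = database;
        builder.IntegratedSecurity = true;    // Windows authentication: no credentials in the string
        builder.PersistSecurityInfo = false;  // do not expose security details on an open connection
        return builder.ConnectionString;
    }
}
```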

Authentication

  • Where possible, Windows authentication is used to connect to the database.
  • If SQL authentication is used, then strong passwords are used and enforced.
  • If SQL authentication is used, then IPSec or SSL is used to protect credentials on the network.
  • If SQL authentication is used, then Aspnet_regiis is used to encrypt connection strings in configuration files.
  • RSA encryption is used to protect credentials stored in connection strings on Web farm servers.
  • The account used to connect to the database has restricted database permissions.

Authorization

  • Role checks or declarative or imperative principal permission checks are used to restrict calling users.
  • Where appropriate, the data access library code is designed to restrict the access of calling code.
  • The data access library code uses strong names to constrain partial trust callers.
  • Application-specific data access code is placed in the application's bin directory.
  • The application's database login is restricted in the database and can execute selected stored procedures only. The application login has no direct table access.

Exception Management

  • Database connections are closed with using statements or in finally blocks.
  • ADO.NET exceptions are not propagated to users. Only generic exception information is displayed.
  • In ASP.NET applications, a generic error page is used to avoid accidentally returning detailed error information to the client.
  • ADO.NET exception details are logged on the server.

Sensitive Data

  • If sensitive data must be stored, then a strong symmetric encryption algorithm such as AES is used to encrypt it. DPAPI is used to protect symmetric encryption keys.
  • Sensitive data is protected with IPSec or SSL on the network.
  • Passwords are stored as irreversible hash values with added salt. Passwords are not stored in clear text or in encrypted format.

Code Access Security

  • A custom ASP.NET policy is used to access non-SQL Server databases from partial trust ASP.NET applications.
  • Extended OleDbPermission syntax is used to restrict database access on hosted servers.
  • StrongNameIdentityPermission is not the only means used to restrict full trust callers.

Deployment Considerations

  • Only required ports are opened and firewall restrictions are applied for the application.
  • If credentials are stored in configuration files, they are encrypted. RSA encryption is used on Web farm servers.
  • Database auditing is enabled and failed login attempts are logged.

Companion Guidance

Feedback

Provide feedback by using either a Wiki or e-mail:

We are particularly interested in feedback regarding the following:

  • Technical issues specific to recommendations
  • Usefulness and usability issues

Technical Support

Technical support for the Microsoft products and technologies referenced in this guidance is provided by Microsoft Support Services. For product support information, please visit the Microsoft Product Support Web site at http://support.microsoft.com.

Community and Newsgroups

Community support is provided in the forums and newsgroups:

To get the most benefit, find the newsgroup that corresponds to your technology or problem. For example, if you have a problem with ASP.NET security features, you would use the ASP.NET Security forum.

Contributors and Reviewers

  • External Contributors and Reviewers: Anil John; Frank Heidt
  • Microsoft Product Group: Don Willits, Pablo Castro, Stefan Schackow
  • Microsoft IT Contributors and Reviewers: Akshay Aggarwal, Shawn Veney, Talhah Mir
  • Microsoft Services and PSS Contributors and Reviewers: Adam Semel, Tom Christian, Wade Mascia
  • Microsoft patterns & practices Contributors and Reviewers: Carlos Farre
  • Test team: Larry Brader, Microsoft Corporation; Nadupalli Venkata Surya Sateesh, Sivanthapatham Shanmugasundaram, Infosys Technologies Ltd.
  • Edit team: Nelly Delgado, Microsoft Corporation
  • Release Management: Sanjeev Garg, Microsoft Corporation.

© 2014 Microsoft