Related Security Resources

.NET Framework Security

J.D. Meier, Alex Mackman, Srinath Vasireddy, Michael Dunner, Ray Escamilla and Anandha Murukan

Microsoft Corporation

Published: June 2003

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

Related Microsoft patterns & practices Guidance

Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication on the MSDN® Web site at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp
This guide focuses on the key elements of authentication, authorization, and secure communication within and across the tiers of distributed .NET Web applications. It is written for architects and developers.
Designing Application-Managed Authorization on the MSDN Web site at http://msdn.microsoft.com/library/?url=/library/en-us/dnbda/html/damaz.asp
This guide focuses on common authorization tasks and scenarios, and it provides information that helps you choose the best approaches and techniques. It is written for architects and developers.
Understanding Microsoft Windows 2000 Security on the Microsoft Technet Web site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/secwin2k/default.asp
This guide delivers procedures and best practices for system administrators to lock down their Windows 2000-based servers and maintain secure operations once they're up and running. It is written for IT Pros.

More Information

For more information on patterns and practices, refer to the Microsoft patterns & practices home page at http://msdn.microsoft.com/practices/

Security-Related Web Sites

Microsoft Security-Related Web Sites

Microsoft Security & Privacy home page at http://www.microsoft.com/security/
Microsoft Security Bulletin Search at http://www.microsoft.com/technet/security/current.aspx
Technet Security home page at http://www.microsoft.com/technet/security/
MSDN Security home page at http://msdn.microsoft.com/security/
.NET Framework Security home page at http://msdn.microsoft.com/net/security/
Security and Trustworthy Computing at http://www.microsoft.com/enterprise/security/
Microsoft Training & Certification Security Product and Technology Resources at http://www.microsoft.com/traincert/centers/security.asp

Third-Party, Security-Related Web Sites

CERT (Computer Emergency Response Team) at http://www.cert.org/
SANS Institute Web site at http://www.sans.org/
Computer Security Resource Center at http://csrc.nist.gov/

Microsoft Security Services

Awareness and educational services
- Enterprise Security Strategy Seminar
- Securing the Enterprise Platforms Workshop
Security assessment services
- Vulnerability assessment
Security solutions services
- Security design reviews
- Incident response service

For information on these services, contact Microsoft Consulting Services:

Microsoft Consulting Services (MCS) home page at http://www.microsoft.com/business/services/mcs.asp
U.S. sales offices at http://www.microsoft.com/usa/
Worldwide at http://www.microsoft.com/worldwide/

For free support on virus issues:

The Microsoft 1-866-PCSAFETY line (U.S. and Canada)
Microsoft local support resources (all other locations) at http://support.microsoft.com/common/international.aspx

Partners and Service Providers

Microsoft USA Partner site at http://www.microsoft.com/usa/partner/default.asp
Microsoft Service Providers at http://www.microsoft.com/serviceproviders/default.asp

Communities and Newsgroups

Newsgroup Home Pages

Microsoft Product Support Newsgroups at http://support.microsoft.com/newsgroups/default.aspx
MSDN Newsgroups at http://msdn.microsoft.com/newsgroups/
Technet Newsgroups at http://www.microsoft.com/technet/community/newsgroups/default.mspx

For security issues within specific .NET Framework technologies, refer to the appropriate newsgroup:

Microsoft Security Newsgroups at http://www.microsoft.com/technet/community/newsgroups/default.mspx
Virus Newsgroup at http://www.microsoft.com/technet/community/newsgroups/default.mspx
.NET Framework Security Newsgroup at http://msdn.microsoft.com/newsgroups/loadframes.asp?icp=msdn&slcid=us&newsgroup=microsoft.public.dotnet.security
ASP.NET Security Newsgroup at http://msdn.microsoft.com/newsgroups/loadframes.asp?icp=msdn&slcid=us&newsgroup=microsoft.public.dotnet.framework.aspnet.security

Patches and Updates

Hotfix and Security Bulletin Service at http://www.microsoft.com/technet/security/current.aspx
View the security bulletins that are available for your system.

Service Packs

Microsoft Service Packs at http://support.microsoft.com/default.aspx?scid=FH;[LN];sp&
.NET Framework Service Packs:
- Article 318836, "INFO: How to Obtain the Latest .NET Framework Service Pack" in the Microsoft Knowledge Base at http://support.microsoft.com/default.aspx?scid=kb;en-us;318836
- Article 318785, "INFO: Determining Whether Service Packs Are Installed on .NET Framework" in the Microsoft Knowledge Base at http://support.microsoft.com/default.aspx?scid=kb;en-us;318785

Alerts and Notification

Microsoft Security Notification Services

Virus alerts for Microsoft products at http://www.microsoft.com/technet/security/alerts/default.mspx
Microsoft Technical Security Notifications at http://www.microsoft.com/technet/security/bulletin/notify.mspx
Use this service to register for regular e-mail bulletins that notify you of the availability of new fixes and updates.

Third Party Security Notification Services

CERT Mailing Lists at http://www.cert.org/other_sources/usenet.html
Informative advisories are sent when vulnerabilities are reported.
Windows and .NET Magazine Security UPDATE at http://email.winnetmag.com/winnetmag/winnetmag_prefctr.asp#Security
This announces the latest security breaches and corresponding fixes. It also gives advice on reacting to vulnerabilities.
NTBugtraq at http://www.ntbugtraq.com/default.aspx.
This is an open discussion of Windows security bugs and exploits. Vulnerablities that do not have patches are discussed.
Internet Storm Center at http://isc.incidents.org
This site tracks the frequency of worms, denial of service attacks, as well as other kinds of attacks.
Security Focus Web site at http://www.securityfocus.com

Additional Resources

Checklists and Assessment Guidelines

IIS 5.0 Security Checklist at http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/tips/iis5chk.mspx
Security Tools at http://www.microsoft.com/technet/security/tools/default.mspx

Common Criteria

Windows 2000 Common Criteria Guide at http://www.microsoft.com/technet/Security/prodtech/win2000/secureev.mspx
The Windows 2000 Common Criteria Security Target (ST) provides a set of security requirements taken from the Common Criteria (CC) for Information Technology Security Evaluation. The Windows 2000 product was evaluated against the Windows 2000 ST and satisfies the ST requirements.
This document is written for those who are responsible for ensuring that the installation and configuration process results in a secure configuration. A secure configuration is one that enforces the requirements presented in the Windows 2000 ST, referred to as the Evaluated Configuration.

Reference Hub

Reference hub from Building Secure ASP.NET Applications at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetAP03.asp?frame=true

Security Knowledge in Practice

CERT Security Improvement Modules at http://www.cert.org/security-improvement/skip.html

Vulnerabilities

SANs TOP 20 List at http://www.sans.org/top20/
CERT (Computer Emergency Response Team) at http://www.cert.org

World Wide Web Security FAQ

http://www.w3.org/Security/faq/www-security-faq.html

Contents