Take Control: Use SharePoint to Manage Your Windows Services Pav Cherny - April 2009 In this article, we show you how to integrate a Windows Services-based solution with SharePoint. The results enable you to provision, start, stop, and remove service instances through SharePoint 3.0 Central Administration.
Geneva Framework: Building A Custom Security Token Service Michele Leroux Bustamante - January 2009 A Security Token Service, or STS, acts as a security gateway to authenticate callers and issue security tokens carrying claims that describe the caller. See how you can build a custom STS with the “Geneva” Framework.
Security Quiz: Test Your Security IQ Michael Howard and Bryan Sullivan - November 2008 Our security experts present 10 vulnerable pieces of code. Your mission is to find the holes (a.k.a. bad security practices) in the code.
CLR Inside Out: Security In Silverlight 2 Andrew Dai - October 2008 Andrew Dai of the CLR team discusses the Transparency model, which creates a strong isolation boundary between privileged and unprivileged code for Silverlight apps.
Service Station: Authorization In WCF-Based Services Dominick Baier and Christian Weyer - October 2008 Windows Communication Foundation (WCF) provides an easy role-based system and a more powerful and complex claims-based API for implementing authorization in services.
Security Briefs: SDL Embraces The Web Bryan Sullivan - September 2008 In this installment we introduce you to new Web-oriented security guidance and tools straight from the Security Development Lifecycle (SDL) team at Microsoft.
Security Briefs: Penetration Testing James A. Whittaker - May 2008 In this installment of Security Briefs, James Whittaker explains the rules and the pitfalls of penetration testing so you'll know how to avoid them.
Cutting Edge: AJAX Application Architecture, Part 1 Dino Esposito - September 2007 In the first of a two-part column, Dino explains AJAX from an architectural standpoint to help developers, architects, designers, and administrators better understand the issues that affect their sites.
.NET Matters: Tales from the CryptoRandom Stephen Toub and Shawn Farkas - September 2007 Stephen Toub and Shawn Farkas discuss creating an adapter that takes the functionality of RNGCryptoServiceProvider and adapts it to the interface of Random.
CLR Inside Out: New Library Classes in "Orcas" Mike Downen, Inbar Gazit, and Justin Van Patten - April 2007 The next version of Visual Studio currently code-named “Orcas” supports advanced encryption algorithms, elliptic curve cryptography, big integers, and other security enhancements. The CLR team explains.
SQL Security: New SQL Truncation Attacks And How To Avoid Them Bala Neerumalla - November 2006 Exploits using SQL injection have drawn a lot of attention for their ability to get through firewalls and intrusion detection systems to compromise your data layers. Whether it's a first-order or second-order injection, if you look at the basic code pattern, it is similar to any other injection issue where you use untrusted data in the construction of a statement.
CLR Inside Out: Using Strong Name Signatures Mike Downen - July 2006 Strong name signatures (and signing in general) are a key facet of Microsoft® .NET Framework security. But regardless of how well designed .NET signatures may be, they won’t offer the maximum benefit if you don’t know how to use them properly.
Service Station: WSE 3.0, SOAP Transports, and More Aaron Skonnard - June 2006 It's that time again. Time to answer some of the questions I get on a regular basis. This month I'll look at service orientation and policy-based compatibility, SOAP's transport-neutral design, and Web Services Enhancements (WSE) 3.0.
Extreme ASP.NET: Keeping secrets in ASP.NET 2.0. Rob Howard - May 2006 Storing data securely in a configuration system is not an easy problem to solve. While I was on the ASP.NET team, this particular feature, secure connection string storage, looked as if it wouldn’t get done.
Security Briefs: Step-by-Step Guide to InfoCard Keith Brown - May 2006 In my April 2006 column I began a discussion of InfoCard, the upcoming identity metasystem, which is being prepared for release in the Windows Vista™ timeframe. If you haven’t read that column, you should definitely start there because I’m going to assume you’re familiar with the basics I covered.
Security Briefs: A First Look at InfoCard Keith Brown - April 2006 The Web can be annoying at times. I'm certain that I'm not alone in my frustration with filling out the same old forms on every Web site I visit. Like most other techies, I've acquired many tools over the years to help combat this repetition, and I even wrote my own password manager for my hundreds of different identities on the Web.
Security Briefs: Encrypting Without Secrets Keith Brown - January 2006 Do you have a Web site or other system that deals in secrets of any sort? It seems like every time I give a security talk, people ask how to deal with the sticky problem of storing secrets. Connection strings with passwords are an obvious problem.
Are You in the Know?: Find Out What's New with Code Access Security in the .NET Framework 2.0 Mike Downen - November 2005 Unlike role-based security measures, code access security is not based on user identity. Instead, it is based on the identity of the code that is running, including information such as where the code came from. Here Mike Downen discusses the role of code access security (CAS) in .NET and outlines some key new features and changes in CAS for the .NET Framework 2.0.
Are You Protected?: Design and Deploy Secure Web Apps with ASP.NET 2.0 and IIS 6.0 Mike Volodarsky - November 2005 Ensuring the security of a Web application is critical and requires careful planning throughout the design, development, deployment, and operation phases. It is not something that can be slapped onto an existing application. In this article, Mike Volodarsky outlines best practices that allow you to take advantage of the security features of ASP.NET 2.0 and IIS 6.0 to build and deploy more secure Web applications.
Who Goes There?: Upgrade Your Site's Authentication with the New ASP.NET 2.0 Membership API Dino Esposito and Andrea Saltarello - November 2005 Here Dino Esposito and Andrea Saltarello cover the plumbing of the Membership API and its inherently extensible nature, based on pluggable providers. To demonstrate the features, they take an existing ASP.NET 1.x authentication mechanism and port it to ASP.NET 2.0, exposing the legacy authentication mechanism through the new Membership API.
How Do They Do It?: A Look Inside the Security Development Lifecycle at Microsoft Michael Howard - November 2005 In this article, Microsoft security expert Michael Howard outlines how to apply the Security Development Lifecycle to your own software development processes. He explains how you can take some of the lessons learned at Microsoft when implementing SDL and use them in your own development process.
Editor's Note: Many Levels of Security - November 2005 Every year at this time, we bring you our now-famous security issue. We recognize the vast importance of writing and deploying secure code—it affects so many areas of concern—which is why we devote an entire issue each year to the topic.
Security Briefs: Security Features in WSE 3.0 Keith Brown - November 2005 I've been spending a lot of time lately building secure Web services with the Microsoft® .NET Framework 2.0, and Web Services Enhancements (WSE) 3.0 has been a lifesaver for me, so I thought it would be appropriate to dedicate a column to security features in this new product.
Stay Alert: Use Managed Code To Generate A Secure Audit Trail Mark Novak - October 2005 In today's security-conscious environments, a reliable audit trail is a valuable forensic tool. The Windows Server 2003 operating system provides features that let you enable a wide range of applications to make use of auditing functionality. This article looks at auditing from the operating system perspective and describes a sample managed code implementation that will allow you to add auditing to your own server applications.
Best Practices: Fast, Scalable, and Secure Session State Management for Your Web Applications Mike Volodarsky - September 2005 ASP.NET provides a number of ways to maintain user state, the most powerful of which is session state. This article takes an in-depth look at designing and deploying high-performance, scalable, secure session solutions, and presents best practices for both existing and new ASP.NET session state features straight from the ASP.NET feature team.
Security Briefs: Credentials and Delegation Keith Brown - September 2005 I get loads of security questions from friends and former students, and recently I've gotten a number of questions about building secure data-driven Web sites for internal enterprise systems. I've decided to answer them here to hopefully save you some headaches in your own projects.
Hackers Beware: Keep Bad Guys at Bay with the Advanced Security Features in SQL Server 2005 Don Kiely - June 2005 Get a peek at the new security features in SQL Server 2005 from a developer's point of view. While there are lots of admin enhancements, there are also plenty of dev-specific security improvements you can take advantage of, such as endpoint authentication and support for the security context of managed code that executes on the server. Here Don Kiely elucidates.
Security Briefs: Customizing GINA, Part 2 Keith Brown - June 2005 GINA, the Graphical Identification and Authentication component, is a part of WinLogon that you can customize or replace. Last month I introduced GINA customization; this month, I'm going to drill down to implement each of the GINA entry points.
Safe!: Repel Attacks on Your Code with the Visual Studio 2005 Safe C and C++ Libraries Martyn Lovell - May 2005 When Visual Studio 2005 ships, it will include a major upgrade to the Visual C++ Libraries that was the result of a complete security review of the functions contained in the C Runtime Library, Standard C++ Library, ATL, and MFC. From that extensive review came the Safe C and C++ Libraries, which can improve the security and robustness of your apps.
Security Briefs: Customizing GINA, Part 1 Keith Brown - May 2005 Over the years I've had many people ask me to write about GINA, the Graphical Identification and Authentication component that serves as the gateway for interactive logons. This month I'll begin my coverage of this topic to help you get started if you're tasked to build such a beast.
Security: Unify Windows Forms and ASP.NET Providers for Credentials Management Juval Lowy - April 2005 The .NET Framework 2.0 provides custom credentials management to ASP.NET apps out of the box. Using it, you can easily authenticate users without using Windows accounts. In this article the author presents a set of helper classes that let a Windows Forms application use the ASP.NET credentials management infrastructure as easily as if it were an ASP.NET application.
Security: Manipulate Privileges in Managed Code Reliably, Securely, and Efficiently Mark Novak - March 2005 When the author was faced with implementing support for changing a security descriptor on an object, he noticed there was not support for that operation in .NET. So he devised two solutions to the problem: the first, simpler one, is tailored to the .NET Framework 1.1 and can be used today. The second solution incorporates several advanced features available only in the .NET Framework 2.0. Both are presented here.
Security Briefs: Access Control List Editing in .NET Keith Brown - March 2005 Access control lists (ACLs) can be complex beasts, and user interfaces for editing them are incredibly tricky to implement properly. That's why I was really excited when Windows® 2000 shipped with a programmable ACL editor, shown in Figure 1.
Security Briefs: Security Enhancements in the .NET Framework 2.0 Keith Brown - January 2005 As I write this column, version 2.0 of the Microsoft® .NET Framework is at Beta 1. When I got my bits, I hacked together a little program to dump all of the public members of all public types in the entire Framework and ran it on version 1.
Attack Surface: Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users Michael Howard - November 2004 In this article, Microsoft security expert Michael Howard discusses the cardinal rules of attack surface reduction. His rules - reduce the amount of code executing by default, reduce the volume of code that is accessible to untrusted users by default, and limit the damage if the code is exploited - are explained along with the techniques to apply the rules to your code.
Cryptography: Employ Strong Encryption in Your Apps with Our CryptoUtility Component Michael Stuart and J Sawyer - November 2004 When storing sensitive data, you need to be able to identify threats, determine how these threats interact with each other, and how issues can combine to constitute a vulnerability that will leave your data exposed. With a good understanding of the various cryptographic algorithms, salt, hashes, ACLs, and other available techniques, you'll be in a better position to protect your critical data.
Trustworthy Code: Exchange Data More Securely with XML Signatures and Encryption Mike Downen and Shawn Farkas - November 2004 You can sign any kind of data using XML Signature, including part of an XML document, other XML documents, or other data of any format. However, in practice, XML signatures are most frequently used to sign other data represented in XML. In this article, the authors discuss the new standard and how you can benefit from it in your apps.
Safety in Windows: Manage Access to Windows Objects with ACLs and the .NET Framework Mark Novak - November 2004 Until now, Microsoft did not provide explicit support in the .NET Framework for manipulating security settings. With the .NET Framework 1.x, access can only be granted to users via a series of cumbersome P/Invoke calls. By introducing the concepts of security objects and rules, the .NET Framework 2.0 allows developers to manipulate security settings of objects in a few easy steps using managed code. Want to know more? Read on.
Intrusion Prevention: Build Security Into Your Web Services with WSE 2.0 and ISA Server 2004 Dino Esposito - November 2004 Once you've addressed security in your code, it's time to look at the environment it runs in. Firewalls stop unauthorized traffic from getting into your network, and smart Web service-specific firewalls, like the one that comes with Internet Security and Acceleration (ISA) Server 2004, bring XML intrusion prevention to your system for that added layer of safety.
Service Station: Securing Web Services with WSE 2.0 Aaron Skonnard - October 2004 Beginning this month, The XML Files will run under the name Service Station. We have made this change so that the column can discuss broader topics such as Web services, service-oriented architecture, and the like.
Security Briefs: Password Minder Internals Keith Brown - October 2004 In my last column I introduced Password Minder, the tool I use to manage all of my passwords. It generates a long, random password for each site I visit, and makes it possible for me to use the most complex passwords possible, without ever having to see the actual password material or type it in manually.
Data Security: Stop SQL Injection Attacks Before They Stop You Paul Litwin - September 2004 To execute a SQL injection attack, a hacker writes a Web page that captures text in a textbox to be used to execute a query against a database. The hacker enters a malformed SQL statement into the textbox that causes the back-end database to perform operations the owners did not intend it to perform, like making unauthorized updates. This article explains how you can protect against the all too common SQL injection attack in your own database. The steps covered include data validation, proper exception handling, and much more.
The XML Files: What's New in WSE 2.0 Aaron Skonnard - August 2004 Microsoft has recently released Web Services Enhancements for Microsoft® .NET (WSE) 2.0. WSE 2.0 provides extensions to the existing ASP.NET Web services framework (.asmx) as well as a standalone messaging framework that's completely transport independent.
Wicked Code: Foiling Session Hijacking Attempts Jeff Prosise - August 2004 Let's face it: every minute of every day, someone, somewhere, is patrolling the Web looking for sites to hack. ASP.NET developers must constantly be on their guard to ensure attempted hacks can't be successful.
Security: Security Headaches? Take ASP.NET 2.0! Keith Brown - June 2004 ASP.NET 2.0 provides significant advantages with respect to security, especially for folks developing Web sites that use Forms authentication. By providing a user profile repository with support for roles, Forms authentication will move beyond the purview of the ASP.NET internals guru, and should become much more broadly accessible. This article introduces security in ASP.NET 2.0 to give you a head start with upcoming features.
ClickOnce: Deploy and Update Your Smart Client Projects Using a Central Server Brian Noyes - May 2004 ClickOnce is a new deployment technology that allows users to download and execute Windows-based client applications over the Web, a network share, or from a local disk. Users get the rich interactive and stateful experience of Windows Forms, but still have the ease of deployment and updates available to Web applications. ClickOnce applications can be run offline and support a variety of automatic and manual update scenarios. Learn all about it here.
Security Briefs: Beware of Fully Trusted Code Keith Brown - April 2004 The vast majority of managed applications run with full trust, but based on my experience teaching .NET security to developers with a broad range of experience, most really don't understand the implications of fully trusted code.
Office 2003: Secure and Deploy Business Solutions with Microsoft Visual Studio Tools for Office Brian A. Randell and Ken Getz - March 2004 Microsoft Visual Studio Tools for the Microsoft Office System is a new technology that brings the advanced features of Visual Studio .NET and the .NET Framework to applications built for Microsoft Office Word 2003 and Microsoft Office Excel 2003. Deploying solutions built with this technology requires that you understand how runtime security is enforced in managed applications and how to configure users' systems to run your solutions without introducing security holes. To promote that understanding, this article will demonstrate how to establish trust, explain policy considerations and permissions, and explain what trusted code is all about. Secure assembly deployment is also covered in detail.
MSMQ and .NET: Send MSMQ Messages Securely Across the Internet with HTTP and SOAP David S. Platt - December 2003 When creating a distributed system you frequently need to provide for communication between two entities that are not in sync. Microsoft Message Queue Server (MSMQ) provides the kind of store-and-forward messaging in a pre-built infrastructure that can help you address these kinds of messaging needs. In the past, MSMQ was accessed using a COM wrapper. Now there's a .NET wrapper that lets you accomplish your messaging goals easily from your Framework-based code. To illustrate the use of the wrapper, the author builds a messaging application, sends MSMQ messages over the Web, and discusses messaging security.
Protect It: Safeguard Database Connection Strings and Other Sensitive Settings in Your Code Alek Davis - November 2003 Protecting application secrets, such as database connection strings and passwords, requires careful consideration of a number of pertinent factors such as how sensitive the data is, who could gain access to it, how to balance security, performance, and maintainability, and so forth. This article explains the fundamentals of data protection and compares a variety of techniques that can be used to protect application settings. The author discusses what to avoid, such as hiding keys in source code and the use of Local Security Authority. In addition, he presents some effective solutions such as the Data Protection API.
Encrypt It: Keep Your Data Secure with the New Advanced Encryption Standard James McCaffrey - November 2003 The Advanced Encryption Standard (AES) is a National Institute of Standards and Technology specification for the encryption of electronic data. It is expected to become the accepted means of encrypting digital information, including financial, telecommunications, and government data. This article presents an overview of AES and explains the algorithms it uses. Included is a complete C# implementation and examples of encrypting .NET data. After reading this article you will be able to encrypt data using AES, test AES-based software, and use AES encryption in your systems.
Authorize It: Use Role-Based Security in Your Middle Tier .NET Apps with Authorization Manager Keith Brown - November 2003 Authorization Manager in Windows Server 2003 represents a significant improvement in the administration of role-based security, making it more scalable, flexible, and easier to implement. Using Authorization Manager, you can define roles and the tasks those roles can perform. You can nest roles to inherit characteristics from other roles, and you can define application groups. In addition, Authorization Manager lets you use scripts to modify permissions dynamically, and it allows you to wrap your security logic in a security policy that can be stored in Active Directory. Authorization Manager also includes an easy-to-use API for running access checks. The author discusses all of these topics and demonstrates them with a working sample.
Review It: Expert Tips for Finding Security Defects in Your Code Michael Howard - November 2003 Reviewing code for security defects is a key ingredient in the software creation process, ranking alongside planning, design, and testing. Here the author reflects over his years of code security reviews to identify patterns and best practices that all developers can follow when tracking down potential security loopholes. The process begins by examining the environment the code runs in, considering the roles of the users who will run it, and studying the history of any security issues the code may have had. After gaining an understanding of these background issues, specific vulnerabilities can be hunted down, including SQL injection attacks, cross-site scripting, and buffer overruns. In addition, certain red flags, such as variable names like "password", "secret," and other obvious but common security blunders, can be searched for and remedied.
Secure It: WS-Security and Remoting Channel Sinks Give Message-Level Security to Your SOAP Packets Neeraj Srivastava - November 2003 As more organizations adopt XML-based Web Services, the need for message-level security has become evident. WS-Security, now supported in the Microsoft .NET Framework, addresses this need. Using the WS-Security framework, developers can implement channel sinks to intercept Remoting messages as they pass through the .NET Remoting infrastructure. The sink can read the message, change it, and pass it along. During this process, the message can be signed for added security. This article explains how to implement a Remoting channel sink that will modify the Remoting message by including a UserName token in the header, then sign the body using the token.
Obfuscate It: Thwart Reverse Engineering of Your Visual Basic .NET or C# Code Gabriel Torok and Bill Leach - November 2003 One of the advantages of the .NET architecture is that assemblies built with it contain lots of useful information that can be recovered using ILDASM, the intermediate language disassembler. A side effect, though, is that someone with access to your binaries can recover a good approximation of the original source code. Here the authors present program obfuscation as a way to deter reverse engineering. In addition, they discuss the different types of obfuscation technologies available and demonstrate the new obfuscation tool that is included in Visual Studio .NET 2003.
Plug-Ins: Let Users Add Functionality to Your .NET Applications with Macros and Plug-Ins Jason Clark - October 2003 Most user applications benefit from the ability to be extended by other developers. It's often easier and more efficient to extend an existing application that users are already familiar with and trained on than it is to develop one from scratch. Thus, extensibility makes your application more attractive. You can build extensibility into your application by supporting features like plug-ins or macros. This is easily accomplished using the .NET Framework even if the core application isn't a .NET Framework app. In this article, the author describes extensibility features of the .NET Framework including late binding and reflection and how to use them, along with plug-in security considerations.
Windows Server 2003: Discover Improved System Info, New Kernel, Debugging, Security, and UI APIs Matt Pietrek - June 2003 There's a lot to say about Windows Server 2003. First of all, it's the first operating system with built-in .NET Framework support, and it's the first 64-bit OS from Microsoft. But wait, there's more! There are lots of new features and APIs in this version as well. For instance, Windows Server 2003 features Hot Add Memory and a number of other arcane new tidbits. There are new APIs for handling threads, directories, and files, and new features like the low fragmentation heap for managing memory and system information. There's vectored exception handling and new UI APIs as well. OS internals expert Matt Pietrek takes a look at the additions he finds most interesting and useful so you'll have a good place to start when you dive into Windows Server 2003.
.NET Remoting: Secure Your .NET Remoting Traffic by Writing an Asymmetric Encryption Channel Sink Stephen Toub - June 2003 As .NET Remoting gains popularity in the enterprise space, it must meet business demands for trustworthy computing. Remoting traffic can be secured when objects are hosted in IIS, but when they aren't hosted in IIS, custom security solutions can be developed to secure them. This article provides an in-depth look at writing channel sinks for .NET. It also details the flow of data through custom channel sinks and explains the kinds of manipulations that can be performed on that data.
Virus Hunting: Understand Common Virus Attacks Before They Strike to Better Protect Your Apps Jason Fisher - May 2003 Developers' machines can often be more vulnerable to viruses than the average corporate user's because of their more frequent access to remote machines and shares, and the differing administrative privileges they maintain across multiple machines. Reliance on antivirus software is fine as a first line of defense, but you need a basic arsenal of skills for securing the executables on your system and coping with viruses on your own. This article reviews proactive methods you can use to defend yourself against malicious executable code in resources, component libraries, scripts and macros, as well as how to avoid a handful of other potential vulnerabilities.
WS-Security: New Technologies Help You Make Your Web Services More Secure David Chappell - April 2003 Without good security, Web Services will never reach their potential. WS-Security and its associated technologies, the focus of this article, represent the future of security for Web Services. Provided here is an overview of these emerging security standards that explains what they do, how they work, and how they get along together. Topics discussed include integrity and confidentiality and how these are provided by public key cryptography, WS-Security, and more. Some of the key components of WS-Security, such as the wsu namespace, are also covered.
Security Briefs: Exploring S4U Kerberos Extensions in Windows Server 2003 Keith Brown - April 2003 Building Web sites that provide services external to the corporate firewall is tricky. Usually it's not desirable to grant corporate domain accounts to external clients, and from a purely practical standpoint Kerberos does not work well over the Internet due to the typical configuration of client-side firewalls.
Windows Forms: .NET Framework 1.1 Provides Expanded Namespace, Security, and Language Support for Your Projects Chris Sells - March 2003 With the much-anticipated release of the .NET Framework 1.1, developers are eager to know what's been added to their programming bag of tricks. In this article, the author focuses on new developments in Windows Forms, such as namespace additions, support for hosting managed controls in unmanaged clients, and designer support for C++ and J#. Integrated access to the Compact Framework and new mobile code security settings also make this release noteworthy. Along with these features, the author reviews the best ways to handle multiple versions of the common language runtime and highlights some potential pitfalls.
Resource File: Web Services Security Specs and TrustBridge - October 2002 WS-Security is a recently proposed specification from Microsoft, IBM, and VeriSign. It has been submitted to OASIS for industry standardization. WS-Security builds on the SOAP specification to provide you with a standard mechanism to exchange secure, signed messages in a Web Services environment.
Security Tips: Defend Your Code with Top Ten Security Tips Every Developer Must Know Michael Howard and Keith Brown - September 2002 There are many ways to get into trouble when it comes to security. You can trust all code that runs on your network, give any user access to important files, and never bother to check that code on your machine has not changed. You can run without virus protection software, not build security into your own code, and give too many privileges to too many accounts. You can even use a number of built-in functions carelessly enough to allow break-ins, and you can leave server ports open and unmonitored. Obviously, the list continues to grow. What are some of the really important issues, the biggest mistakes you should watch out for right now so that you don't compromise your data or your system? Security experts Michael Howard and Keith Brown present 10 tips to keep you out of hot water.
Security in .NET: The Security Infrastructure of the CLR Provides Evidence, Policy, Permissions, and Enforcement Services Don Box - September 2002 The common language runtime of the .NET Framework has its own secure execution model that isn't bound by the limitations of the operating system it's running on. In addition, unlike the old principal-based security, the CLR enforces security policy based on where code is coming from rather than who the user is. This model, called code access security, makes sense in today's environment because so much code is installed over the Internet and even a trusted user doesn't know when that code is safe. In this article, Don Box explains how code access security works in the CLR. He discusses the kinds of evidence required by policy, how permissions are granted, and how policy is enforced by the runtime.
Security in IIS 6.0: Innovations in Internet Information Services Let You Tightly Guard Secure Data and Server Processes Wayne Berry - September 2002 Security improvements have been a top priority in the evolution of IIS. IIS 6.0, which will be part of Windows .NET Server, has improved security features and a new approach to server configuration. New security-related tools for IIS, including IIS LockDown, make securing your server against attack easier than ever. The author explains how and why you can shut down services with IIS LockDown. He discusses limiting port access with TCP/IP filtering, controlling how files are served with extension mapping, what's new for Secure Sockets Layer, the use of URLScan, and more.
Passport Secure Sign-In: Provide Your Users with Secure Authentication Capabilities Using Microsoft .NET Passport Michael Kogotkov-Lisin - September 2002 Secure sign-in, a new feature in version 2.0 of the .NET Passport single sign-in and profile service, is a functionality that will be especially useful for sites containing confidential information or anywhere security is a primary concern. Such sites include banks, medical sites, and so on. Secure sign-in is as safe as any SSL-based Web site login used today and provides a way to virtually eliminate vulnerability to replay and dictionary attacks. This article explains secure sign-in and demonstrates how you can implement this feature with very little effort in either ASP using the Passport.Manager COM object or in ASP.NET using the .NET class PassportIdentity.
HTTP Pipelines: Securely Implement Request Processing, Filtering, and Content Redirection with HTTP Pipelines in ASP.NET Tim Ewald and Keith Brown - September 2002 ASP.NET is a flexible and extensible framework for server-side HTTP programming. While most people think of ASP.NET in terms of pages served, there is a lower-level infrastructure sitting beneath this page model. The underlying plumbing is based on a pipeline of app, module, and handler objects. Understanding how this pipeline works is key if you want to get the most out of ASP.NET as an HTTP server platform, while making your process more efficient, and keeping your server secure. This article introduces the architecture of the pipeline and shows how you can use it to add sophisticated functionality to an ASP.NET-based app.
Tamper-Resistant Apps: Cryptographic Hash Algorithms Let You Detect Malicious Code in ASP.NET Jason Coombs - September 2002 Cryptographic hash algorithms produce fixed-length sequences based on input of arbitrary length. A given input always produces the same output, called a hash code. Using these algorithms, you can compute and validate hash codes to ensure that code running on your machine has not been tampered with or otherwise changed. ASP.NET provides a software mechanism for validating hash code fingerprints for every page requested by a client. In this article, the author shows how to use hash codes with ASP.NET applications to detect tampering and prevent malicious code from running when tampering is detected.
Editor's Note: Start Your Own Security Push - September 2002 Earlier this year, Bill Gates outlined a comprehensive vision for trustworthy computing. Simply put, to achieve trustworthy computing developers must pay attention to security and reliability—the two biggest issues facing the world of computing today.
Resource File: Skills Development - September 2002 Two Microsoft Web sites have been created to assist developers in writing secure code using the latest technology.
Commerce with ASP.NET: Leverage the Authentication and Form Validation Features of ASP.NET to Bolster Your Commerce App Jason Lefebvre and Robert Lair - August 2002 If you're planning to build an e-commerce site, you'll be pleased to see that ASP.NET makes it easier than ever. Existing controls can be used and extended to add a great deal more functionality than you might expect. In this article, forms-based authentication is used to verify the identity of users and make certain areas of the site, such as the check-out page, inaccessible to unauthorized users. The power and flexibility of validation controls are demonstrated using the CustomValidator control to connect to a Web Service that verifies addresses. A shopping cart is then implemented in ASP.NET using the DataGrid, and finally, credit card authorization and billing are performed.
Security: Protect Private Data with the Cryptography Namespaces of the .NET Framework Dan Fox - June 2002 The .NET Framework includes a set of cryptographic services that extend the services provided by Windows through the Crypto API. In this article, the author explores the System.Security.Cryptography namespace and the programming model used to apply cryptographic transformations. He discusses reasons why cryptography is easier in .NET than it was before, including the easy programmatic access developers have to the cryptography APIs and the difference between symmetric and asymmetric algorithms. Along the way, a brief discussion of the most widely used algorithms, including RSA, DSA, Rijndael, SHA, and other hash algorithms, is provided.
Return of the Rich Client: Code Access Security and Distribution Features in .NET Enhance Client-Side Apps Jason Clark - June 2002 Rich clients employ many of the features and conveniences of the operating system they run on, and the list of these features has been growing since the dawn of the PC. But as apps have migrated to the Web, the trend towards increasing client-side functionality has ground to a virtual halt. There are several reasons for this; chief among them are security and deployment problems. But that's all about to change. With the .NET Framework, you can participate in building the distributable rich client of the future. In this article, the author enumerates the pertinent features of .NET that will allow you to build safe, easily deployable controls. The features discussed include managed code, code access security, versioning control, Windows Forms classes, and isolation.
Security: Unify the Role-Based Security Models for Enterprise and Application Domains with .NET Juval Lowy - May 2002 Role-based security allows administrators to assign access permissions to users based on the roles they play rather than on their individual identities. These privileges can be used to control access to objects and methods, and are easier to identify and maintain than user-based security. The .NET Framework provides two role-based security models, which are exposed as two namespaces: System.EnterpriseServices and System.Security.Permissions. Presented here is a comparison of the two options and a discussion of when each is the right choice. The author also demonstrates the process involved in setting up access security and discusses role memberships.
Scripting: Windows Script Host 5.6 Boasts Windows XP Integration, Security, New Object Model Dino Esposito - May 2002 Windows Script Host (WSH) 5.6, a major upgrade for the WSH environment, provides some significant improvements over previous versions. A brand new security model that is tightly integrated with security in Windows XP allows administrators to place fine-grained restrictions on scripts reducing the risk from malicious code. In addition, local scripts can now run on remote machines, and enhancements to the object model reduce the amount of boilerplate code needed when writing professional code. This overview of WSH 5.6 explains these changes and how .NET and scripting work together.
ASP.NET Security: An Introductory Guide to Building and Deploying More Secure Sites with ASP.NET and IIS, Part 2 Jeff Prosise - May 2002 Forms authentication is one of the most compelling and useful new features of ASP.NET. It enables developers to declaratively specify which files on their site can be accessed and by whom, and allows identification of a login page. When an unauthenticated user attempts to retrieve a page protected by forms authentication, ASP.NET automatically redirects them to the login page and asks them to identify themselves. Included here is an overview of forms authentication and what you need to know to put it to work. Also included is hard-to-find information on the security of cookie authentication and on combining forms authentication with role-based URL authorizations.
ASP.NET Security: An Introductory Guide to Building and Deploying More Secure Sites with ASP.NET and IIS Jeff Prosise - April 2002 ASP.NET and Microsoft Internet Information Services (IIS) work together to make building secure Web sites a breeze. But to do it right, you have to know how the two interrelate and what options they provide for securing access to a Web site's resources. This article, the first in a two-part series, explains the ABCs of Web security as seen through the eyes of ASP.NET and includes a hands-on tutorial demonstrating Windows authentication and ACL authorizations. A range of security measures and authentication methods are discussed, including basic authentication, digest authentication, and role-based security.
Virus Hunting: Track and Report Server Attacks Quickly and Easily with the .NET Networking Classes G. Andrew Duthie - April 2002 To help stop the spread of worms, viruses, and other hostile activity, it is important to track down and report the servers used in these attacks along with those used to send spam. Many Web administrators, however, don't take the time to track them because the manual process can be quite cumbersome. The Microsoft .NET Framework comes to the rescue with several networking classes, including the Dns class and the TcpClient class, that abstract away the complexity of performing DNS and WHOIS lookups. These classes make it easy to create a simple, straightforward ASP.NET-based utility for performing these lookups and automating this very important task.
DHTML and .NET: Host Secure, Lightweight Client-Side Controls in Microsoft Internet Explorer Jay Allen - January 2002 In the past, Web developers often used ActiveX controls if they wanted customized client-side functionality incorporated into their Web applications. Now, they can build objects supported by the Microsoft .NET Framework which are more compact, lightweight, secure, and seamlessly integrated. By hosting .NET Windows Forms controls in Internet Explorer, developers can realize many of their client-side Web development goals. This article adapts ActiveX concepts for use with Windows Forms, and builds a multifile upload application that demonstrates these techniques.
Windows Media Technologies: Using Windows Media Rights Manager to Protect and Distribute Digital Media Andrea Pruneda - December 2001 Media distributors have been looking for a way to prevent users from getting saleable content for free ever since independent distributors and peer-to-peer systems began distributing files without licensing them. Windows Media Services addresses these concerns by providing encryption, licensing, and management capabilities. One of its components, Windows Media Rights Manager, allows companies to issue licenses that consumers must pay for before their media files will play. This article explains this and other components of Windows Media Services so you can begin protecting your media files today.
ISAPI Filters: Designing SiteSentry, an Anti-Scraping Filter for IIS Rodney Bennett - October 2001 The Microsoft Internet API for IIS, ISAPI, sits between the client and the Web server. Therefore, you can access the HTTP data stream before IIS gets to see it. The project in this article takes advantage of the ISAPI architecture to create a filter that monitors access to a Web site to determine if visits are from typical users or from automated processes designed to pilfer information from your site. The author tracks the regularity of visits to the site to determine the likely source. Once the determination is made, the app either redirects the user or continues to track information about those hits.
Windows Script Host: New Code-Signing Features Protect Against Malicious Scripts Eric Lippert - April 2001 Downloading scripts from the Web or e-mail leaves users vulnerable to security risks because scripts can't be signed. But now developers can use Windows Script Host (WSH) to hash scripts so users can verify their source and safety. With WSH, scripts can be signed or verified using all the same tools ordinarily used to sign EXE, CAB, DLL, and OCX files. This article discusses public-key cryptosystems, the process of signing and verifying scripts in WSH, and several warnings about attacks that could potentially be made against cryptographically secured scripts and ways in which to avoid them.
Secure Sockets Layer: Protect Your E-Commerce Web Site with SSL and Digital Certificates John Papa - April 2001 Security is one of the most important factors in the future growth of e-businesses. Making sure that communications remain secure between customers and the Web server is a critical issue. Secure Sockets Layer (SSL) is the standard that secure Web sites are built upon today. This article presents an overview of SSL-based Web security, explaining such fundamental concepts as digital certificates and their distribution, encryption, and the proper configuration of Microsoft Internet Information Services (IIS). Acquiring a certificate, installing it, and configuring IIS for SSL are outlined in a step-by-step process.
Security in .NET: Enforce Code Access Rights with the Common Language Runtime Keith Brown - February 2001 Component-based software is vulnerable to attack. Large numbers of DLLs that are not tightly controlled are at the heart of the problem. Code access security in the Common Language Runtime of the Microsoft .NET Framework addresses this common security hole. In this model, the CLR acts as the traffic cop to assemblies, keeping track of where they came from and what security restraints should be placed on them. Another way the .NET Framework addresses security is by providing preexisting classes which have built-in security. These are the classes that are invoked in .NET when performing risky operations such as reading and writing files, displaying dialog boxes, and so on. Of course, if a component calls unmanaged code, it can bypass code access security measures. This article covers these and other security issues.
Web Security: Part 2: Introducing the Web Application Manager, Client Authentication Options, and Process Isolation Keith Brown - July 2000 This article, the second of two parts, continues coverage of Web security for Windows. It introduces the Web Application Manager in IIS that allows Web processes to be isolated, decreasing the security risk associated with running in a logon session. The article then picks up where Part One left off: it discusses authentication methods such as basic authentication, digest authentication, integrated Windows authentication, and anonymous logons, and the benefits and drawbacks of each.
Web Security: Putting a Secure Front End on Your COM+ Distributed Applications Keith Brown - June 2000 The Internet requires that developers provide a different security model for clients than is used on a closed network. Because it would be too resource-intensive for both the client and server to prove their identity to each other, you need to look at other ways to ensure secure communications. This article covers the options, from digital certificates to public and private key encryption to Secure Sockets Layer and Web certificates. The discussion covers the installation of certificates in Microsoft Internet Information Services along with other options specific to IIS. This article was adapted from Keith Brown's Programming Windows Security (Addison-Wesley), due out in July 2000.