Web Platform Security Vimal Rajyaguru Security Engineer Microsoft ACE Security Team


Posted on 16-Dec-2015


  • Web Platform Security

    Vimal Rajyaguru

    Security Engineer

    Microsoft ACE Security Team

  • Need for Security

    Web applications are most vulnerable to attacks.

    Popular web development platforms are ASP.NET, LAMP and J2EE.

    All these platforms offer security features to mitigate common security vulnerabilities.

    However, it is up to the developers to use these features effectively and develop secure applications.

  • Agenda

    ASP.NET Security

    IIS Security

    Summary

  • Common attacks

    Code injection

    Session hijacking

    Identity spoofing

    Parameter manipulation

    Network eavesdropping

  • ASP.NET Security

  • Why ASP.NET?

    ASP.NET as a web platform has security built in for many of the common requirements.

    The built-in architecture and APIs help in developing secure web applications quickly.

  • ASP.NET Security

    Secured by Design: Form Validation, View State Tampering, Input Validation

    Secured by Default: Web Configuration, Authentication / Authorization Techniques, Membership Provider

    Secured by Deployment: Precompiled Deployment in ASP.NET 2.0, PE Verification

  • Protection against XSS

    ValidateRequest: checks the request for potentially dangerous content such as JavaScript and HTML.

    Enabled by default.

    Can be toggled at application level in web.config (validateRequest attribute of the <pages> element).

    Can also be toggled at page level (ValidateRequest attribute of the @ Page directive).

  • Protection against XSS contd

    Encode all user-controllable output using the Microsoft Anti-XSS Library's appropriate encoding methods.

    The Anti-XSS Library can be downloaded from http://www.microsoft.com/downloads/details.aspx?familyid=efb9c819-53ff-4f82-bfaf-e11625130c25&displaylang=en

    Use XSSDetect, a freely available tool from MSDN, to analyze .NET code for XSS vulnerabilities.

    XSSDetect can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=19A9E348-BDB9-45B3-A1B7-44CCDCB7CFBE&displaylang=en
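    The following is an added example, not code from the slides or from the Anti-XSS Library: the same greeting rendered without and with output encoding. The method names, the GreetingRenderer class and the sample input are constructed; WebUtility.HtmlEncode from System.Net stands in for HttpUtility.HtmlEncode (or the Anti-XSS encoders) so the snippet compiles as a console program outside ASP.NET.

```csharp
using System;
using System.Net;   // WebUtility.HtmlEncode; inside ASP.NET use HttpUtility.HtmlEncode or the Anti-XSS encoders

// Constructed example: "name" stands in for a user-controlled value such as
// Request.QueryString["name"] or a value read back from the database.
static class GreetingRenderer
{
    // Vulnerable: the raw value becomes part of the page's HTML, so any markup
    // it contains is interpreted by the browser. ValidateRequest would reject
    // obviously hostile request input, but it is a blocklist and does not see
    // values that arrive through other channels (database, web service, cookie).
    public static string RenderUnsafe(string name)
    {
        return "<p>Hello, " + name + "</p>";
    }

    // Hardened: encode the value for the context it lands in. This is the
    // HTML-body context; attribute, JavaScript and URL contexts each need the
    // matching encoder, which is what the Anti-XSS Library provides.
    public static string RenderEncoded(string name)
    {
        return "<p>Hello, " + WebUtility.HtmlEncode(name) + "</p>";
    }

    static void Main()
    {
        // Constructed input containing markup; it must reach the browser as text.
        string input = "<script>alert('x')</script>";
        Console.WriteLine(RenderUnsafe(input));    // markup survives into the page
        Console.WriteLine(RenderEncoded(input));   // angle brackets and quotes are entity-encoded
    }
}
```

    Encoding at output time, per context, is the control that holds regardless of where the value came from; ValidateRequest is a backstop that only inspects the incoming request.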

  • Protection against XSRF/One-Click attack

    A one-click attack relies on the ability of an attacker to create a prefilled form which a user submits unknowingly.

    Page.ViewStateUserKey ensures that the ViewState cannot be calculated for another user's session, which prevents an attacker from preparing a prefilled form.

    override protected void OnInit(EventArgs e)
    {
        // ...
        Page.ViewStateUserKey = Session.SessionID;
        // ...
    }

  • ViewState Protection

    ViewState is tamper-proof by default. This is controlled by the enableViewStateMac attribute of the <pages> element (EnableViewStateMac on the @ Page directive for a single page).

    An HMAC is calculated and appended to the ViewState to ensure integrity. The key and algorithm used are defined in the <machineKey> element.
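    The following is an added model of the two preceding slides (ViewStateUserKey and ViewState MAC protection), not the framework's own ObjectStateFormatter and not code from the talk. It shows why a MAC keyed with the machineKey validation key detects tampering, and why mixing Page.ViewStateUserKey into the MAC input means a form prepared under the attacker's session does not verify under the victim's. The class, method names, the fixed validation key and the session IDs are constructed for the demonstration; HMAC-SHA256 is used here, whereas ASP.NET uses the algorithm configured in <machineKey>.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed model of ViewState MAC protection (not the real serializer).
static class ViewStateMacModel
{
    // Stand-in for the machineKey validationKey. In a real deployment this is a
    // random value generated per machine or per farm, never a fixed string.
    static readonly byte[] ValidationKey =
        Encoding.ASCII.GetBytes("EXAMPLE-VALIDATION-KEY-PLACEHOLDER");

    const int MacLength = 32; // HMAC-SHA256 output size

    // Append MAC(state || userKey) to the serialized state.
    public static byte[] Protect(byte[] state, string viewStateUserKey)
    {
        byte[] mac = Mac(state, viewStateUserKey);
        byte[] output = new byte[state.Length + MacLength];
        Buffer.BlockCopy(state, 0, output, 0, state.Length);
        Buffer.BlockCopy(mac, 0, output, state.Length, MacLength);
        return output;
    }

    // Returns the original state, or null when the MAC does not verify.
    public static byte[] Unprotect(byte[] protectedState, string viewStateUserKey)
    {
        if (protectedState.Length < MacLength) return null;
        int stateLength = protectedState.Length - MacLength;
        byte[] state = new byte[stateLength];
        byte[] receivedMac = new byte[MacLength];
        Buffer.BlockCopy(protectedState, 0, state, 0, stateLength);
        Buffer.BlockCopy(protectedState, stateLength, receivedMac, 0, MacLength);

        byte[] expectedMac = Mac(state, viewStateUserKey);
        // Constant-time comparison so timing does not reveal how many bytes matched.
        int diff = 0;
        for (int i = 0; i < MacLength; i++) diff |= receivedMac[i] ^ expectedMac[i];
        return diff == 0 ? state : null;
    }

    // MAC over the state with the per-user key appended; the length of the
    // state is included so the two parts cannot be re-split ambiguously.
    static byte[] Mac(byte[] state, string viewStateUserKey)
    {
        byte[] userKey = Encoding.UTF8.GetBytes(viewStateUserKey ?? "");
        byte[] input = new byte[4 + state.Length + userKey.Length];
        Buffer.BlockCopy(BitConverter.GetBytes(state.Length), 0, input, 0, 4);
        Buffer.BlockCopy(state, 0, input, 4, state.Length);
        Buffer.BlockCopy(userKey, 0, input, 4 + state.Length, userKey.Length);
        using (var hmac = new HMACSHA256(ValidationKey))
            return hmac.ComputeHash(input);
    }

    static void Main()
    {
        byte[] state = Encoding.UTF8.GetBytes("amount=10");  // constructed serialized state
        string victimSession = "session-A";                   // constructed session IDs
        string otherSession = "session-B";

        byte[] blob = Protect(state, victimSession);
        Console.WriteLine(Unprotect(blob, victimSession) != null);   // untouched, same user key: verifies

        blob[0] ^= 0x01;                                             // flip one bit of the state
        Console.WriteLine(Unprotect(blob, victimSession) != null);   // tampered: rejected
        blob[0] ^= 0x01;

        // A form prepared under another session carries a MAC computed with that
        // session's user key, so the victim's page cannot verify it.
        byte[] foreign = Protect(state, otherSession);
        Console.WriteLine(Unprotect(foreign, victimSession) != null); // wrong user key: rejected
    }
}
```

    The MAC only guarantees integrity; ViewState contents are readable unless viewStateEncryptionMode is also set, so secrets do not belong in ViewState at all.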

  • Protecting Forms Authentication cookie

    The authentication cookie can be protected with the protection attribute of the <forms> element: protection="All" (the default) both encrypts and signs the cookie; requireSSL="true" keeps it off plaintext connections.

  • Event Validation in ASP.Net 2.0

    Event Validation verifies that arguments to postback or callback events originate from the server control that originally rendered them.

    Can be toggled at page level by the EnableEventValidation attribute of the @ Page directive (enableEventValidation on the <pages> element for the whole application).

  • ASP.NET Validation Controls

    The framework provides a variety of controls for common validation tasks:

    RequiredFieldValidator

    CompareValidator

    RangeValidator

    RegularExpressionValidator

    CustomValidator

    They validate on the client and on the server. However, the Page.IsValid property must be checked in server code to ensure that server-side validation has succeeded; client-side validation alone can be bypassed.
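    The following is an added code-behind example, not from the slides, showing the Page.IsValid check together with a server-side CustomValidator rule. The page name, control IDs (txtAge, btnSubmit, cvAge) and the age rule are constructed; the markup is assumed to declare a CustomValidator with ControlToValidate="txtAge" and OnServerValidate="cvAge_ServerValidate".

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Constructed code-behind for a registration page. Client-side validation is a
// convenience only: a client can post back with script disabled or bypass the
// browser entirely, so the server must consult Page.IsValid before acting.
public partial class RegisterPage : Page
{
    // Declared here so the file compiles on its own; Web Application projects
    // generate this field in the designer file.
    protected TextBox txtAge;

    // Server-side rule: an integer between 18 and 120. This runs regardless of
    // what the client-side validator did.
    protected void cvAge_ServerValidate(object source, ServerValidateEventArgs args)
    {
        int age;
        args.IsValid = int.TryParse(args.Value, out age) && age >= 18 && age <= 120;
    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // A button with CausesValidation="true" already calls Validate() before
        // raising Click; calling it again is harmless and makes the dependency explicit.
        Page.Validate();
        if (!Page.IsValid)
        {
            return;   // the validators render their error messages; do nothing with the data
        }

        // Only validated input reaches application state.
        Session["RegisteredAge"] = int.Parse(txtAge.Text);
    }
}
```

    The same pattern applies to validation groups: Page.Validate("groupName") followed by Page.IsValid, checked before every server-side action that consumes the validated fields.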

  • Authentication & Authorization

    Authentication: who did the request come from?

    Windows

    Passport

    Forms

    Authorization: what is the caller allowed to do?

    File authorization

    URL authorization

    Impersonation: use process identity or caller identity?

  • Configuring Authentication

    Web.config

  • ASP.NET Authorization

    File authorization

    Typically combined with Windows authentication

    Uses NTFS permissions to control access to resources based on the caller's Windows identity

    URL authorization

    Typically combined with Forms authentication

    Controls access to resources based on the caller's Windows, Passport or Forms identity

    Applied in Web.config (<authorization> element with allow/deny rules)

  • Role and Membership providers

    Provide features to implement authentication and authorization quickly and securely.

    ASP.NET comes with SqlMembershipProvider and ActiveDirectoryMembershipProvider.

    They provide security features such as password length and complexity rules, hashed or encrypted password storage, account lockout configuration, password retrieval, etc.

  • Protected Configuration Provider

    The Protected Configuration Provider helps improve the security of an application by letting you encrypt sensitive information that is stored in a web.config file.

    Sections that typically contain sensitive information, for example connectionStrings and appSettings, should be encrypted.
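    The following is an added example, not from the slides: encrypting the connectionStrings section programmatically with the DPAPI protected-configuration provider, which is the same operation the aspnet_regiis -pe "connectionStrings" -app "/MyApp" command performs. The class and method names are constructed; it assumes the process can write the application's web.config and runs on the machine whose DPAPI key will decrypt the section at run time.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Constructed example: encrypt connectionStrings in place and read it back.
static class ProtectConnectionStrings
{
    public static void Protect(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section.SectionInformation.IsProtected)
        {
            Console.WriteLine("connectionStrings is already encrypted.");
            return;
        }

        // DataProtectionConfigurationProvider ties decryption to this machine's
        // DPAPI key. RSAProtectedConfigurationProvider is the choice when the key
        // must be exported to the other servers of a web farm.
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        config.Save(ConfigurationSaveMode.Modified);
        Console.WriteLine("connectionStrings is now encrypted.");
    }

    // Application code reads the section exactly as before; decryption is
    // transparent, so no code change is needed after protecting the file.
    public static string ReadConnectionString(string name)
    {
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[name];
        return cs == null ? null : cs.ConnectionString;
    }

    static void Main(string[] args)
    {
        // Virtual path of the application, "/" for the root site.
        Protect(args.Length > 0 ? args[0] : "/");
    }
}
```

    After protection the section on disk holds an EncryptedData element instead of the plaintext connection strings; a copy of web.config leaving the server no longer carries credentials, but the account the worker process runs under must still be able to use the DPAPI or RSA key container.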

  • IIS Security

  • IIS Security Architecture

    Authentication: who did the request come from?

    Anonymous

    Basic

    Digest

    Integrated Windows

    X.509 Certificates

    Passport (IIS 6)

    Forms (IIS 7)

    Authorization: what is the caller allowed to do?

    Windows Access Control Lists

    Authorization rules (IIS 7)

    IP Restrictions: are calls from this IP address allowed?

    SSL/TLS: should traffic be encrypted?

    Protection and Pooling: where should the code execute?

    Auditing / Request Tracing

  • Application pools in IIS

    Application pools separate applications by process boundaries to prevent an application from affecting

    another application on the server.

    Each application pool can be configured to run under a separate service account.

    *Application pools are available only in IIS 6 and IIS 7.

  • Worker Process Identity

    On IIS 5, ASP.NET runs as ASPNET by default.

    Weak local account with limited privileges

    Created at install time

    Password autogenerated

    On IIS 6 & IIS 7, ASP.NET runs as Network Service (machine$) by default.

    Weak account with limited privileges

    Has network credentials

    Built into Windows 2003 Server

  • IIS 7 Security Enhancements

    Integrated Request Pipeline

    Authentication and Authorization modules available to all types of content like ASP, static files etc.

    Can use features like .Net Role or membership providers for any content.

    Can configure Authorization rules for all types of content in IIS.

  • Request filtering

    Performs the role of URLScan: filters requests based on rules such as URL patterns, content lengths, encodings, verbs, etc.

    Hidden Namespaces/Segments: used to prevent IIS from serving certain segments of the URL space, e.g. web.config, bin, App_Code, App_Data.

    This can be used to protect sections of the website which should not be accessible to users.

  • Web Development Best Practices

    Don't trust user input.

    Encode all user-controllable output before displaying it.

    Use parameterized SQL statements and stored procedures.

    Employ the principle of least privilege.

    Reduce the attack surface by locking down the web server and the application.

    Use structured exception handling.
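    The following is an added example for the parameterized SQL practice above, not code from the slides: the same lookup written with string concatenation and with a parameterized command, plus the stored-procedure form. The UserLookup class, the Users table, the dbo.CountUsersByName procedure and the connection string are constructed placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Constructed example: counting rows for a user name three ways.
static class UserLookup
{
    // Vulnerable: the user-supplied value is pasted into the SQL text, so the
    // database parses whatever it contains as part of the statement.
    public static int CountByNameUnsafe(SqlConnection conn, string userName)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE UserName = '" + userName + "'";
        using (var cmd = new SqlCommand(sql, conn))
            return (int)cmd.ExecuteScalar();
    }

    // Hardened: the value travels as a typed parameter and never becomes part
    // of the statement text, whatever characters it contains.
    public static int CountByName(SqlConnection conn, string userName)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE UserName = @userName";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            return (int)cmd.ExecuteScalar();
        }
    }

    // Stored procedures get the same treatment: CommandType.StoredProcedure with
    // parameters, never an EXEC string built by concatenation.
    public static int CountByNameViaProc(SqlConnection conn, string userName)
    {
        using (var cmd = new SqlCommand("dbo.CountUsersByName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            return (int)cmd.ExecuteScalar();
        }
    }

    static void Main()
    {
        // Placeholder connection string. The real one belongs in an encrypted
        // connectionStrings section, not in source.
        using (var conn = new SqlConnection("Server=.;Database=AppDb;Integrated Security=true"))
        {
            conn.Open();
            Console.WriteLine(CountByName(conn, "alice"));
        }
    }
}
```

    Declaring the parameter with an explicit SqlDbType and length also keeps the query plan stable, and pairs with least privilege: the account in the connection string should hold only the permissions the application's queries and procedures need.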

  • Summary

    ASP.NET provides a large number of security features to enable developers to write secure code.

    Familiarize yourself with the security features offered by the framework.

    Use these features wisely according to your needs.

    Use IIS security features to lock down your web applications against intrusion.

    Use appropriate authentication methods.

    Isolate applications to minimize damage due to a rogue or compromised application.

  • Resources

    Security Developer Center: http://msdn.microsoft.com/security

    Threats & Countermeasures: http://msdn2.microsoft.com/en-us/library/ms994921.aspx

    Building Secure ASP.NET Applications http://msdn2.microsoft.com/en-us/library/Aa302415.aspx

    http://www.iis.net

    http://blogs.msdn.com/ace_team/

  • Application Security Consulting Services

    Services offered by Microsoft ACE Services:

    Application Security Code Reviews

    Threat Modeling/Design Reviews

    Training: Secure Application Development, Threat Modeling

    Assistance with developing and deploying SDL-IT within your environment

    Contact [email protected] [email protected]

  • Questions?

    Email: [email protected]

    Blog: http://blogs.msdn.com/ace_team