Weaving Security in .NET Applications (.NET 2.0)
Sagar Joshi, Senior Security Consultant | ACE Team, Microsoft Information Security, [email protected]
Agenda
- Authentication
- Authorization
- Sensitive data protection
- Input validation
- Cryptography
- Auditing and logging
SDL-IT
[Diagram: SDL-IT overlaid on the SDLC. SDLC phases shown: Envision, Design, Develop / Purchase, Test, Release / Sustainment. SDL-IT activities shown: Application Entry / Risk Assessment, Threat Model / Design Review, Security Review, Security Deployment Review, Creation, Assimilation, Signoff. Marked as an iterative process: Define, Model, Measure, Validate, Optimize.]
Methods of Authentication
- Basic
- Digest
- Integrated: Kerberos v5, NTLM
- ASP.NET Forms Authentication
- Digital signatures and digital certificates
- Smart cards
- Biometrics
Authentication Techniques
- Windows authentication
- Forms authentication
Authentication: MembershipProvider
Provides a consistent, simple API for user storage and management and makes Forms Authentication easy to implement.
Providers: ActiveDirectoryMembershipProvider, SqlMembershipProvider
Creating the SQL Server user store:

```cmd
aspnet_regsql -S (local) -E -A m
```

-S specifies the server, which is (local) in this example. -E specifies Windows authentication to connect to SQL Server. -A m specifies to add only the membership feature. For simple authentication against a SQL Server user store, only the membership feature is required.
Demo: Authentication, the Membership Provider, and discovering the client identity
Authorization
- What is authorization?
- URL authorization: selectively deny or allow access to specific files or folders
- File authorization: applicable to file types like .aspx or .asmx; the access check is made for the user based on the Windows token
- Role-based authorization
RBAC
Role manager: simple APIs for role authorization and role management
- WindowsTokenRoleProvider
- AuthorizationStoreRoleProvider (AzMan)
- SqlRoleProvider
Imperative authorization
Example of an imperative check:

```csharp
if (Thread.CurrentPrincipal.IsInRole("Administrators"))
{
    // Authorized
}
```
Imperative authorization
Example of an imperative check using the ASP.NET role provider:

```csharp
if (Roles.IsUserInRole(@"accounting"))
{
    // Authorized
}
```
Declarative authorization
PrincipalPermission example:

```csharp
[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
public double Add(double a, double b)
{
    return a + b;
}
```
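Both styles side by side, as an added example that is not code from the deck: a console program puts a constructed GenericPrincipal on the current thread so the imperative IsInRole check and the declarative PrincipalPermission demand can be exercised without ASP.NET. It targets the .NET Framework, where declarative PrincipalPermission demands are enforced; the user names and roles are made up for the example.

```csharp
// Added example (not from the deck): imperative and declarative role checks
// against a constructed GenericPrincipal, runnable as a console program.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class AuthorizationDemo
{
    // Declarative check: the runtime demands the role before the body runs and
    // throws SecurityException when Thread.CurrentPrincipal is not in it.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public static double Add(double a, double b)
    {
        return a + b;
    }

    // Imperative check: the same decision made explicitly in code.
    public static bool CanAdministrate()
    {
        IPrincipal principal = Thread.CurrentPrincipal;
        return principal != null && principal.IsInRole("Administrators");
    }

    static void RunAs(string userName, string[] roles)
    {
        // Constructed identity and roles; in ASP.NET these come from the
        // authentication module and the configured role provider.
        GenericIdentity identity = new GenericIdentity(userName);
        Thread.CurrentPrincipal = new GenericPrincipal(identity, roles);

        Console.WriteLine("{0}: imperative check -> {1}", userName, CanAdministrate());
        try
        {
            Console.WriteLine("{0}: Add(2, 3) = {1}", userName, Add(2, 3));
        }
        catch (SecurityException)
        {
            Console.WriteLine("{0}: Add denied by PrincipalPermission", userName);
        }
    }

    static void Main()
    {
        RunAs("alice", new string[] { "Administrators" }); // both checks allow
        RunAs("bob", new string[] { "Users" });            // both checks deny
    }
}
```

The imperative form lets the code branch (show or hide a feature, fall back to a read-only path); the declarative form is an all-or-nothing gate on the method and fails closed with an exception, which is the right choice for the operation itself rather than for the UI around it.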
How to encrypt the Web.config
Use aspnet_regiis -pe with the RsaProtectedConfigurationProvider.
If you want to deploy the same encrypted configuration file on multiple servers in a Web farm, you should use the RsaProtectedConfigurationProvider. This provider makes it easy to encrypt the data on one server and then export the RSA private key needed to decrypt the data.
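The same protection applied from code, as an added example that is not from the deck: System.Configuration exposes the two providers aspnet_regiis uses, and reading the section afterwards needs no changes because the runtime decrypts it transparently. The virtual path "/MyApp" and the section name are assumptions for the example.

```csharp
// Added example (not from the deck): protecting a Web.config section with the
// RsaProtectedConfigurationProvider or the DataProtectionConfigurationProvider.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtection
{
    // Provider names as registered in machine.config.
    public const string RsaProvider = "RsaProtectedConfigurationProvider";
    public const string DpapiProvider = "DataProtectionConfigurationProvider";

    // Encrypts sectionName (e.g. "connectionStrings") of the application at
    // virtualPath (e.g. "/MyApp", an assumed path). Already protected sections
    // are left alone so the call is safe to repeat at deployment time.
    public static void Protect(string virtualPath, string sectionName, string provider)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
        {
            throw new ArgumentException("Section not found: " + sectionName);
        }
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(provider);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Reverses Protect; needed only for editing the plaintext on a trusted box.
    public static void Unprotect(string virtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section != null && section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Application code keeps reading the section as before; decryption happens
    // inside the configuration system, so no plaintext lives in Web.config.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings settings = WebConfigurationManager.ConnectionStrings[name];
        return settings == null ? null : settings.ConnectionString;
    }
}
```

The choice of provider is the choice of where the key lives: the DPAPI provider keys to the machine, so a file encrypted on one server cannot be read on another, while the RSA provider keys to a named key container that aspnet_regiis can export (-px) from the first server and import (-pi) on the rest, after which the application pool identity must be granted access to the container (-pa). Whichever is used, the process that calls Protect needs write access to Web.config and, for the RSA provider, read access to the key container.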
"DataProtectionConfigurationProvider"
Input Validation
- Protection against common attacks
- Whitelist vs. blacklist
- Client side vs. server side
- Regex validator controls
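The whitelist-versus-blacklist point in code, as an added example that is not from the deck: an anchored allow-list pattern that states what a valid value looks like, a block-list pattern for comparison that only rejects what its author remembered to list, and a parse-then-range-check for numeric input. The validation rules (user name syntax, quantity range) and the sample inputs are constructed for the example.

```csharp
// Added example (not from the deck): server-side allow-list validation versus a
// block-list, plus parse-then-range-check for numbers.
using System;
using System.Globalization;
using System.Text.RegularExpressions;

public static class InputValidation
{
    // Allow-list: describe the valid value and anchor the pattern with ^ and $
    // so the whole string must match. Constructed rule: a user name is 3 to 20
    // characters drawn from letters, digits, '.' and '_'.
    static readonly Regex UserNamePattern = new Regex(@"^[A-Za-z0-9._]{3,20}$");

    public static bool IsValidUserName(string value)
    {
        return value != null && UserNamePattern.IsMatch(value);
    }

    // Block-list for comparison: anything not on the list passes unchanged,
    // including other markup, other syntax and encoded variants.
    static readonly Regex KnownBadPattern =
        new Regex(@"<script|javascript:", RegexOptions.IgnoreCase);

    public static bool PassesBlockList(string value)
    {
        return value != null && !KnownBadPattern.IsMatch(value);
    }

    // Numeric input: convert to the target type first, then check the business
    // range (1..100, constructed), instead of reasoning about the string.
    // NumberStyles.None rejects signs, whitespace and thousands separators.
    public static bool TryParseQuantity(string value, out int quantity)
    {
        return int.TryParse(value, NumberStyles.None, CultureInfo.InvariantCulture, out quantity)
            && quantity >= 1 && quantity <= 100;
    }

    static void Main()
    {
        // Constructed sample inputs as they might arrive in a form post.
        string[] samples = { "alice_01", "al", "<b>alice</b>", "alice;--", "bob@example.com" };
        foreach (string sample in samples)
        {
            Console.WriteLine("{0,-18} allow-list: {1,-5} block-list: {2}",
                sample, IsValidUserName(sample), PassesBlockList(sample));
        }

        int quantity;
        foreach (string sample in new string[] { "42", "-1", "1000", "4 2" })
        {
            Console.WriteLine("quantity {0,-6} valid: {1}", sample, TryParseQuantity(sample, out quantity));
        }
    }
}
```

Running it shows the block-list accepting the markup and the SQL comment sequence because neither is on its list, while the allow-list accepts only the plain user name. In ASP.NET the RegularExpressionValidator control can carry the same anchored pattern: it runs in the browser for immediate feedback and again on the server, and the page must check Page.IsValid before using the value, since the client-side step is a convenience that a caller can skip.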
Cryptographic Algorithms
Symmetric algorithms
- Use the same key for encryption and decryption
- Computationally cheaper
- Used to exchange or store information in secret
Asymmetric algorithms
- Use separate keys for encryption and decryption
- Computationally more expensive
- Normally used to negotiate a symmetric key
Both require only one key to be kept secret (the shared key, or the private key of the pair).
Hashing algorithms
.NET supported cryptographic algorithms
Symmetric: AES, DES (deprecated), 3DES, RC2 (deprecated), RijndaelManaged
Asymmetric: DSACryptoServiceProvider, RSACryptoServiceProvider, ECDiffieHellmanCng, ECDsaCng
.NET supported hash algorithms
- MD5 (produces a 128-bit hash value): collisions discovered!
- SHA1 (produces a 160-bit hash value): has been compromised!
- SHA256 (produces a 256-bit hash value)
- SHA384 (produces a 384-bit hash value)
- SHA512 (produces a 512-bit hash value)
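The division of labour from the last three slides carried through with the classes they list, as an added example that is not code from the deck: AES (symmetric) protects the message, RSA (asymmetric) wraps the AES key for the recipient so only the private-key holder can recover it, and SHA256 (hash, rather than MD5 or SHA1) fingerprints the plaintext. The key pair, the AES key and the message are all generated or constructed inside the program.

```csharp
// Added example (not from the deck): AES for the data, RSA to wrap the AES key,
// SHA256 for the digest. Everything here is generated locally for the demo.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class CryptoDemo
{
    // Symmetric: AES-256 in CBC mode with a fresh random IV per message. The IV
    // is not secret; it is prepended to the ciphertext so the receiver can read it.
    public static byte[] AesEncrypt(byte[] key, byte[] plaintext)
    {
        using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider())
        {
            aes.Key = key;
            aes.GenerateIV();
            using (MemoryStream output = new MemoryStream())
            {
                output.Write(aes.IV, 0, aes.IV.Length);
                using (CryptoStream cs = new CryptoStream(output, aes.CreateEncryptor(), CryptoStreamMode.Write))
                {
                    cs.Write(plaintext, 0, plaintext.Length);
                    cs.FlushFinalBlock();
                }
                return output.ToArray();
            }
        }
    }

    public static byte[] AesDecrypt(byte[] key, byte[] ivAndCiphertext)
    {
        using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider())
        {
            aes.Key = key;
            byte[] iv = new byte[aes.BlockSize / 8];
            Array.Copy(ivAndCiphertext, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (ICryptoTransform decryptor = aes.CreateDecryptor())
            {
                return decryptor.TransformFinalBlock(ivAndCiphertext, iv.Length, ivAndCiphertext.Length - iv.Length);
            }
        }
    }

    // Hash: SHA256, per the slide's list of algorithms still fit for use.
    public static byte[] Sha256(byte[] data)
    {
        using (SHA256 sha = SHA256.Create())
        {
            return sha.ComputeHash(data);
        }
    }

    static void Main()
    {
        // Recipient's RSA key pair; in practice the public half comes from a certificate.
        using (RSACryptoServiceProvider recipient = new RSACryptoServiceProvider(2048))
        {
            string recipientPublicKey = recipient.ToXmlString(false); // public parameters only

            // Sender: random 256-bit AES key, wrapped with the recipient's public key (OAEP).
            byte[] aesKey = new byte[32];
            using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
            {
                rng.GetBytes(aesKey);
            }
            byte[] wrappedKey;
            using (RSACryptoServiceProvider pub = new RSACryptoServiceProvider())
            {
                pub.FromXmlString(recipientPublicKey);
                wrappedKey = pub.Encrypt(aesKey, true);
            }
            byte[] message = Encoding.UTF8.GetBytes("constructed sample message");
            byte[] envelope = AesEncrypt(aesKey, message);
            byte[] digest = Sha256(message);

            // Recipient: unwrap the AES key with the private key, decrypt, compare digests.
            byte[] unwrappedKey = recipient.Decrypt(wrappedKey, true);
            byte[] recovered = AesDecrypt(unwrappedKey, envelope);
            bool digestMatches = Convert.ToBase64String(Sha256(recovered)) == Convert.ToBase64String(digest);

            Console.WriteLine("Recovered: {0}", Encoding.UTF8.GetString(recovered));
            Console.WriteLine("SHA256 matches: {0}", digestMatches);
        }
    }
}
```

The asymmetric operation touches only the 32-byte key, which is why it stays cheap even though RSA is far slower per byte than AES. A bare SHA256 digest sent alongside the message detects accidental corruption only; anyone who can alter the message can recompute it, so tamper evidence needs the digest keyed (HMACSHA256) or signed with the sender's private key (RSACryptoServiceProvider.SignData).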
Auditing & Logging Threats
- Failure to spot the signs of intrusion
- Inability to prove a user's actions
- Difficulties in problem diagnosis
Logging
- Keep a log trail of authentication attempts, both successful and failed
- Keep a log trail of all accesses to assets
- Log as close to an asset as possible (e.g. in a SQL Server stored procedure)
- Sometimes... a log trail is the only mitigation
What you log
- Don't write sensitive information (e.g. passwords) in logs
- Identify the who, what, where and when: identity, action, component/service/object/method, timestamp
- Enterprise Library Logging Application Block
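The Membership slide and the two logging slides together, as an added example that is not code from the deck: a Forms Authentication login handler built on Membership.ValidateUser that writes an audit record for every attempt, successful or failed, with identity, action, component and timestamp and never the password, plus a helper that reads the authenticated client identity for later events. Assumptions: the SqlMembershipProvider and forms authentication are configured in Web.config (store created with aspnet_regsql -A m); the control names UserNameBox, PasswordBox and FailureLabel are invented; a System.Diagnostics TraceSource named "SecurityAudit" stands in for the Enterprise Library Logging Application Block as the sink.

```csharp
// Added example (not from the deck): Forms Authentication login with an audit
// trail of who / what / where / when for both outcomes, password never logged.
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public static class AuditLog
{
    // Listeners for this source (file, Windows event log) are configured under
    // <system.diagnostics> in Web.config; assumed, not shown here.
    static readonly TraceSource Source = new TraceSource("SecurityAudit");

    // One record per event: when | who | what | where | outcome | client address.
    public static string Format(DateTime whenUtc, string identity, string action,
                                string component, bool success, string clientAddress)
    {
        return string.Format("{0:o}|{1}|{2}|{3}|{4}|{5}",
            whenUtc,
            string.IsNullOrEmpty(identity) ? "<anonymous>" : identity,
            action,
            component,
            success ? "SUCCESS" : "FAILURE",
            clientAddress);
    }

    public static void Write(string identity, string action, string component,
                             bool success, string clientAddress)
    {
        string record = Format(DateTime.UtcNow, identity, action, component, success, clientAddress);
        // Failures are written as warnings so a listener filter can surface repeats.
        Source.TraceEvent(success ? TraceEventType.Information : TraceEventType.Warning, 0, record);
    }

    // Identity for events after login: the name from the forms ticket, or null.
    public static string CurrentIdentity()
    {
        HttpContext context = HttpContext.Current;
        return context != null && context.User != null && context.User.Identity.IsAuthenticated
            ? context.User.Identity.Name
            : null;
    }
}

public class LoginPage : Page
{
    // Assumed controls declared in the page markup.
    protected TextBox UserNameBox;
    protected TextBox PasswordBox;
    protected Label FailureLabel;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string userName = UserNameBox.Text;
        string password = PasswordBox.Text; // used for validation only; never logged

        // Membership.ValidateUser delegates to the configured provider
        // (SqlMembershipProvider here), which hashes and compares the password.
        bool authenticated = Membership.ValidateUser(userName, password);

        // Both outcomes go to the trail; the supplied name is the "who" even on failure.
        AuditLog.Write(userName, "Login", "Login.aspx", authenticated, Request.UserHostAddress);

        if (authenticated)
        {
            // Issues the forms authentication ticket and returns to the requested page.
            FormsAuthentication.RedirectFromLoginPage(userName, false);
        }
        else
        {
            // Same message for an unknown user and a wrong password.
            FailureLabel.Text = "Invalid user name or password.";
        }
    }
}
```

Later handlers call AuditLog.Write with AuditLog.CurrentIdentity() as the "who" when they touch an asset; where the asset is a database table, the slide's advice is to write the equivalent record inside the stored procedure that performs the access, so the trail survives any caller that bypasses the web tier.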
Feedback / Q&A
Your feedback is important! Please take a few moments to fill out our online feedback form.
Use the Question Manager on LiveMeeting to ask your questions now!
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.