BLACK JACK

Get busy living, or get busy dying.

导航

Security Guidelines: ASP.NET 2.0 [目录] & [How to列表]

Posted on 2005-12-11 02:19  J. Lin  阅读(2485)  评论(2编辑  收藏  举报
原文:http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGGuidelines0001.asp

Index of Guidelines

Input/Data Validation 输入/数据验证

  1. Do not rely on ASP.NET request validation
    不要依赖ASP.NET request验证
  2. Validate input for length, range, format, and type
    验证输入数据的长度、范围、形式和数据类型
  3. Validate input from all sources like QueryString, cookies, and HTML controls
    验证各种输入源的输入数据
  4. Do not rely on client-side validation
    不要依赖客户端验证
  5. Avoid user-supplied file name and path input
    避免用户输入文件名和路径
  6. Do not echo untrusted input
    不要响应不可信任的输入
  7. If you need to write out untrusted data, encode the output
    如果要输出不可信任的数据,加密它们

Authentication 权限验证

Forms Authentication   Form认证模式

  1. Use membership providers instead of custom authentication
    使用membership providers 代替传统的自定义认证 
  2. Use SSL to protect credentials and authentication cookies
    使用SSL保护认证cookies
  3. If you cannot use SSL, consider reducing session lifetime
    如果你无法使用SSL,限制session的生命周期
  4. Validate user login information 
    验证用户登陆信息
  5. Do not store passwords directly in the user store 
    不要直接存储密码
  6. Enforce strong passwords 
    强制使用强安全性的密码
  7. Protect access to your credential store
    保护证书的存储
  8. Do not persist authentication cookies
    不要持续验证cookie
  9. Restrict authentication tickets to HTTPS connections
  10. Consider partitioning your site to restricted areas and public areas
    考虑分割你的站点为公众区域和受限区域
  11. Use unique cookie names and paths
    使用独特的cookie名称和路径

Windows Authentication  Windows认证模式

  1. Choose Windows authentication when you can
    尽量选择Windows认证模式
  2. Enforce strong password policies
    加强密码安全性组策略

Authorization 授权

  1. Use URL authorization for page and directory access control
    使用URL授权和目录授权控制
  2. Configure ACLs on your Web site files
    配置站点文件的ACL
  3. Use ASP.NET role manager for roles authorization
    使用ASP.NET role管理器来进行role授权
  4. If your role lookup is expensive, consider role caching
    缓存role信息
  5. Protect your authorization cookie
    保护你的授权cookei

Code Access Security 代码访问安全性

  1. Consider code access security for partial trust applications
  2. Choose a trust level that does not exceed your application's requirements
  3. Create a custom trust policy if your application needs additional permissions
  4. Use Medium trust in shared hosting environments

Data Access 数据访问

  1. Encrypt your connection strings
    加密你的数据连接串
  2. Use least-privileged accounts for database access
    使用较低权限的帐号连接数据库
  3. Use Windows authentication where possible
    尽量使用windows认证
  4. If you use Windows authentication, use a trusted service account
    如果你使用Windows认证,用一个受信的服务帐号
  5. If you cannot use a domain account, consider mirrored accounts
    如果你不能使用域帐号,考虑使用镜像帐号
  6. When using SQL authentication, use strong passwords
    使用SQL 帐号认证时,用一个强安全性的密码
  7. When using SQL authentication, protect credentials over the network
    使用SQL帐号认证时,保护网络上的证书
  8. When using SQL authentication, protect credentials in configuration files
    使用SQL帐号认证时,保护配置文件里的证书
  9. Validate untrusted input passed to your data access methods
    防止不安全的输入进入你的数据操作
  10. When constructing SQL queries, use type safe SQL parameters
    进行SQL查询时,使用类型安全性的SQL参数
  11. Avoid dynamic queries that accept user input
    避免使用基于用户输入信息的动态查询

Exception Management 异常处理

  1. Use structured exception handling 
    使用结构化的异常处理
  2. Do not reveal exception details to the client
    不要把异常信息传递到客户端
  3. Use a global error handler to catch unhandled exceptions
    使用全局的错误处理handler捕获列外异常

Impersonation/Delegation 模拟和委托

  1. Know your tradeoffs with impersonation
  2. Avoid Calling LogonUser
  3. Avoid programmatic impersonation where possible
  4. If you need to impersonate, consider threading issues
  5. If you need to impersonate, clean up appropriately

Parameter Manipulation 参数处理

  1. Do not make security decisions based on parameters accessible on the client-side
    不要把安全性判断基于客户端参数
  2. Validate all input parameters
    验证所有的输入参数
  3. Avoid storing sensitive data in ViewState
    避免在ViewState里存储敏感
  4. Encrypt ViewState if it must contain sensitive data
    如果ViewState里有敏感信息的话,加密它

Sensitive Data 敏感数据

  1. Avoid plaintext passwords in configuration files
    避免糟糕的密码
  2. Use platform features to manage keys where possible
    在可能的地方使用platform特性管理key
  3. Do not pass sensitive data from page to page
    不要在页间传递敏感信息
  4. Protect sensitive data over the wire
    保护线缆上的敏感信息
  5. Do not cache sensitive data
    不要缓存敏感信息

Session Management Session管理

  1. Do not rely on client-side state management options
    不要依赖客户端状态管理选项
  2. Protect your out-of-process state service
    保护线程外的session state服务
  3. Protect SQL Server session state
    保护SQL Server内的session信息

Auditing and Logging 审核和日志

  1. Use health monitoring to log and audit events 
    使用health monitoring来记录和审核事件
  2. Instrument for user management events
    监控用户管理事件
  3. Instrument for unusual activity
    监控异常行为
  4. Instrument for significant business operations
    监控重要的业务操作
  5. Consider using an application-specific event source
    考虑使用特殊的事件源
  6. Protect audit and log files
    保护日志文件

Deployment Considerations 发布考谅

  1. Use a least-privileged account for running ASP.NET applications
    使用具有较低权限的帐号来运行ASP.NET程序
  2. Encrypt configuration sections that store sensitive data
    加密有敏感内容的配置信息
  3. Consider your key storage location
    考谅key的存贮位置
  4. Block Protected File Retrieval by Using HttpForbiddenHandler
    使用HttpForbiddenHandler阻挡被保护文件的恢复
  5. Configure the MachineKey to use the same keys on all servers in a Web farm
    在Web Farm环境中配置所有的服务器使用相同的MachineKey
  6. Lock configuration settings to enforce policy settings
    锁定配置信息

Communication Security 传递安全性

  1. Consider SSL vs. IPSec 考虑使用SSL还是IPSec
  2. Optimize pages that use SSL  优化使用SSL的页面


Companion Guidance 相关Guidance

The following companion guidance is in the sequence that is referenced by this document. This is useful if you want to print the How To documents and refer to them in order.

  1. How To: Protect from Injection Attacks in ASP.NET
    How To: 防止注入攻击
  2. How To: Use Regular Expressions to Constrain Input in ASP.NET
    How To: 使用正则表达式来约束数据输入
  3. How To: Protect from SQL Injection in ASP.NET
    How To: 防止SQL注入攻击
  4. How To: Prevent Cross-Site Scripting in ASP.NET
    How To: 防止夸站教本攻击
  5. How To: Use Membership in ASP.NET 2.0 
    How To: 使用ASP.NET 2.0中的Membership  中文 by LoveCherry
  6. How To: Protect Forms Authentication in ASP.NET 2.0
    How To: 保护Form认证
  7. How To: Use Forms Authentication with SQL Server in ASP.NET 2.0
    How To: 使用基于SQL Server数据库的Form验证
  8. How To: Use Forms Authentication with Active Directory in ASP.NET 2.0
    How To: 使用基于活动目录的Form验证
  9. How To: Use Forms Authentication with Active Directory in Multiple Domains in ASP.NET 2.0
    How To: 在多域AD中使用使Form验证
  10. How To: Use Windows Authentication in ASP.NET 2.0
    How To: 使用Windows认证模式
  11. How To: Use Role Manager in ASP.NET 2.0.
    How To: 使用Role Manager
  12. How To: Use ADAM for Roles in ASP.NET 2.0
    How To: 使用ADAM作为Roles
  13. How To: Use Authorization Manager (AzMan) with ASP.NET 2.0
    How To: 使用验证管理器(AzMan)
  14. How To: Use the Network Service Account to Access Resources in ASP.NET
    How To: 使用Network Service帐号访问ASP.NET资源
  15. How To: Use Code Access Security in ASP.NET 2.0
    How To: 使用代码访问安全性
  16. How To: Use Medium Trust in ASP.NET 2.0
    How To: 使用中等信任级别
  17. How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
    How To: 使用DPAPI加密配置信息
  18. How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
    How To: 使用RSA加密配置信息
  19. How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0
    How To: 使用Windows信任连接SQL Server
  20. How To: Connect to SQL Server Using SQL Authentication in ASP.NET 2.0
    How To: 使用SQL帐号连接SQL Server
  21. How To: Use Protocol Transition and Constrained Delegation with ASP.NET 2.0
    How To:  使用协议转换和Constrained Delegation
  22. How To: Use Impersonation and Delegation in ASP.NET 2.0
    How To: 使用代理和委托
  23. How To: Configure the Machine Key in ASP.NET 2.0
    How To: 配置Machine Key
  24. How To: Use Health Monitoring in ASP.NET 2.0
    How To: 使用Health Monitoring
  25. How To: Instrument ASP.NET 2.0 Applications for Security
    How To: 监控ASP.NET 2.0程序安全性
  26. How To: Create a Service Account for an ASP.NET 2.0 Application
    How To: 为ASP.NET 2.0程序建立一个服务器帐号