BLACK JACK

Get busy living, or get busy dying.


Security Guidelines: ASP.NET 2.0 [Index] & [How To list]

Posted on 2005-12-11 02:19  J. Lin
Original: http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGGuidelines0001.asp

Index of Guidelines

Input/Data Validation

  1. Do not rely on ASP.NET request validation
  2. Validate input for length, range, format, and type
  3. Validate input from all sources like QueryString, cookies, and HTML controls
  4. Do not rely on client-side validation
  5. Avoid user-supplied file name and path input
  6. Do not echo untrusted input
  7. If you need to write out untrusted data, encode the output

Authentication

Forms Authentication

  1. Use membership providers instead of custom authentication
  2. Use SSL to protect credentials and authentication cookies
  3. If you cannot use SSL, consider reducing session lifetime
  4. Validate user login information
  5. Do not store passwords directly in the user store
  6. Enforce strong passwords
  7. Protect access to your credential store
  8. Do not persist authentication cookies
  9. Restrict authentication tickets to HTTPS connections
  10. Consider partitioning your site to restricted areas and public areas
  11. Use unique cookie names and paths

Windows Authentication

  1. Choose Windows authentication when you can
  2. Enforce strong password policies

Authorization

  1. Use URL authorization for page and directory access control
  2. Configure ACLs on your Web site files
  3. Use ASP.NET role manager for roles authorization
  4. If your role lookup is expensive, consider role caching
  5. Protect your authorization cookie

Code Access Security

  1. Consider code access security for partial trust applications
  2. Choose a trust level that does not exceed your application's requirements
  3. Create a custom trust policy if your application needs additional permissions
  4. Use Medium trust in shared hosting environments

Data Access

  1. Encrypt your connection strings
  2. Use least-privileged accounts for database access
  3. Use Windows authentication where possible
  4. If you use Windows authentication, use a trusted service account
  5. If you cannot use a domain account, consider mirrored accounts
  6. When using SQL authentication, use strong passwords
  7. When using SQL authentication, protect credentials over the network
  8. When using SQL authentication, protect credentials in configuration files
  9. Validate untrusted input passed to your data access methods
  10. When constructing SQL queries, use type safe SQL parameters
  11. Avoid dynamic queries that accept user input

Exception Management

  1. Use structured exception handling
  2. Do not reveal exception details to the client
  3. Use a global error handler to catch unhandled exceptions

Impersonation/Delegation

  1. Know your tradeoffs with impersonation
  2. Avoid Calling LogonUser
  3. Avoid programmatic impersonation where possible
  4. If you need to impersonate, consider threading issues
  5. If you need to impersonate, clean up appropriately

Parameter Manipulation

  1. Do not make security decisions based on parameters accessible on the client-side
  2. Validate all input parameters
  3. Avoid storing sensitive data in ViewState
  4. Encrypt ViewState if it must contain sensitive data

Sensitive Data

  1. Avoid plaintext passwords in configuration files
  2. Use platform features to manage keys where possible
  3. Do not pass sensitive data from page to page
  4. Protect sensitive data over the wire
  5. Do not cache sensitive data

Session Management

  1. Do not rely on client-side state management options
  2. Protect your out-of-process state service
  3. Protect SQL Server session state

Auditing and Logging

  1. Use health monitoring to log and audit events
  2. Instrument for user management events
  3. Instrument for unusual activity
  4. Instrument for significant business operations
  5. Consider using an application-specific event source
  6. Protect audit and log files

Deployment Considerations

  1. Use a least-privileged account for running ASP.NET applications
  2. Encrypt configuration sections that store sensitive data
  3. Consider your key storage location
  4. Block protected file retrieval by using HttpForbiddenHandler
  5. Configure the MachineKey to use the same keys on all servers in a Web farm
  6. Lock configuration settings to enforce policy settings

Communication Security

  1. Consider SSL vs. IPSec
  2. Optimize pages that use SSL

Companion Guidance

The following companion guidance is in the sequence that is referenced by this document. This is useful if you want to print the How To documents and refer to them in order.

  1. How To: Protect from Injection Attacks in ASP.NET
  2. How To: Use Regular Expressions to Constrain Input in ASP.NET
  3. How To: Protect from SQL Injection in ASP.NET
  4. How To: Prevent Cross-Site Scripting in ASP.NET
  5. How To: Use Membership in ASP.NET 2.0 (Chinese translation by LoveCherry)
  6. How To: Protect Forms Authentication in ASP.NET 2.0
  7. How To: Use Forms Authentication with SQL Server in ASP.NET 2.0
  8. How To: Use Forms Authentication with Active Directory in ASP.NET 2.0
  9. How To: Use Forms Authentication with Active Directory in Multiple Domains in ASP.NET 2.0
  10. How To: Use Windows Authentication in ASP.NET 2.0
  11. How To: Use Role Manager in ASP.NET 2.0
  12. How To: Use ADAM for Roles in ASP.NET 2.0
  13. How To: Use Authorization Manager (AzMan) with ASP.NET 2.0
  14. How To: Use the Network Service Account to Access Resources in ASP.NET
  15. How To: Use Code Access Security in ASP.NET 2.0
  16. How To: Use Medium Trust in ASP.NET 2.0
  17. How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
  18. How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
  19. How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0
  20. How To: Connect to SQL Server Using SQL Authentication in ASP.NET 2.0
  21. How To: Use Protocol Transition and Constrained Delegation with ASP.NET 2.0
  22. How To: Use Impersonation and Delegation in ASP.NET 2.0
  23. How To: Configure the Machine Key in ASP.NET 2.0
  24. How To: Use Health Monitoring in ASP.NET 2.0
  25. How To: Instrument ASP.NET 2.0 Applications for Security
  26. How To: Create a Service Account for an ASP.NET 2.0 Application