
List:       focus-ms
Subject:    RE: Securing ASP.NET for Hosting
From:       "David Sommers" <dsommers () dialogmedical ! com>
Date:       2002-10-29 15:31:26

Building Secure ASP.NET Applications:
Authentication, Authorization, and Secure Communication

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp


This white paper (608 printed pages) is listed under the .NET
Security/Technical Articles section which also contains several other
interesting and useful documents.

Including:
	> Secure Coding Guidelines for the .NET Framework
	> Security in .NET: Enforce Code Access Rights with the Common Language Runtime
	> The Security Infrastructure of the CLR Provides Evidence, Policy, Permissions, and Enforcement Services
	> Code Access Security and Distribution Features in .NET Enhance Client-Side Apps
	> .NET Framework Enterprise Security Policy Administration and Deployment

- David Sommers.


-----Original Message-----
From: Henry Sieff [mailto:hsieff@orthodon.com] 
Sent: Friday, October 25, 2002 7:39 PM
To: 'Tyler Davis'; focus-ms@securityfocus.com
Subject: RE: Securing ASP.NET for Hosting


No, sadly. Part of the problem is that the technology isn't mature yet,
the other part is that .net really puts the burden for security on the
application design.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp
discusses authentication in a .net environment.

http://www.dotnetjunkies.com/tutorials.aspx?tutorialid=396 gives a nice
overview of how IIS, Windows, and .NET work together. One of the
articles he references is
http://msdn.microsoft.com/msdnmag/issues/02/04/ASPSec/default.aspx,
which is also not bad.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconsecuringyourapplication.asp

When this topic came up earlier, somebody mentioned this article:
http://tiberi.us/view_article.aspx?article_id=27, not bad.


But none of them speak exactly to what you're asking, which is what
every admin who needs to support .net is going to be asking, which is
"Exactly what do I do to make sure the server itself is as secure as
possible?"

Again, the two factors previously mentioned are responsible: once you've
done the locking down of IIS, you need to move onto setting security on
the Web services themselves, things like code access (remember, the
whole idea behind .net is to expose executable code to the world via
http: WHOOOOOO-HOOOOOOOO). Also, authentication to specific apps. And
unlike the best practices for securing IIS, all of the BP's stuff I've
read is really geared towards developers or focuses on securing access
to the components.

At this point, we are not using ASP.NET for remotely accessible
applications. We definitely will, but not until me and the developers at
my Co. can figure out what we need to do.

Anyways, sorry for the ramble; this issue has come up here before, and I
watched hoping for someone to come up with a white paper. Then I did
some searching; I found no comprehensive guide, but a lot of good
resources. At this point, you, me, and everyone else tasked with
deploying .net based apps will have to formulate our own best practices
based on careful study of the basic info out there.

Henry
> -----Original Message-----
> From: Tyler Davis [mailto:tdavis@sonicdev.com]
> Sent: Friday, October 25, 2002 1:58 AM
> To: focus-ms@securityfocus.com
> Subject: Securing ASP.NET for Hosting
> 
> 
> Anyone got a link to any sites or whitepapers with info on securing 
> asp.net in a hosting environment? I've already got win2k and iis5 
> locked down, just need some info on asp.net
> 
> Thanks,
> Tyler
> 