
Web Platform Security

Vimal Rajyaguru
Security Engineer
Microsoft ACE Security Team

Need for Security

Web applications are the most exposed targets for attacks.
Popular web development platforms are ASP.NET, LAMP
and J2EE.
All these platforms offer security features to mitigate
common vulnerabilities.
However, it is up to the developers to use these features
effectively and develop secure applications.

Agenda
ASP.NET Security
IIS Security
Summary

Common attacks

Code injection
Session hijacking
Identity spoofing
Parameter manipulation
Network eavesdropping

ASP.NET Security

Why ASP.NET?
ASP.NET, as a web platform, has security built in for many
of the common requirements.
The built-in architecture and APIs help developers build
secure web applications quickly.

ASP.NET Security
Secured by Design
Form Validation
View State Tampering
Input Validation

Secured by Default
Web Configuration
Authentication / Authorization Techniques
Membership Provider

Secured by Deployment
Precompiled Deployment in ASP.NET 2.0
PE Verification

Protection against XSS

ValidateRequest: checks the request for potentially
dangerous content such as script or HTML markup.
Enabled by default.
Can be toggled at application level in web.config
<pages validateRequest="true" />

Can also be toggled at page level
<%@ Page Language="C#" ValidateRequest="true" %>

*Use output encoding to effectively defend against cross-site scripting attacks. Use the Microsoft Anti-XSS library
(http://www.microsoft.com/downloads/details.aspx?familyid=efb9c819-53ff-4f82-bfaf-e11625130c25&displaylang=en) to encode output.

Protection against XSS contd

Encode all user-controllable output using the Microsoft Anti-XSS library's appropriate encoding methods.
The Anti-XSS library can be downloaded from
http://www.microsoft.com/downloads/details.aspx?familyid=efb9c819-53ff-4f82-bfaf-e11625130c25&displaylang=en

Use XSSDetect, a freely available tool from MSDN, to
analyze .NET code for XSS vulnerabilities.
XSSDetect can be downloaded from
http://www.microsoft.com/downloads/details.aspx?FamilyID=19A9E348-BDB9-45B3-A1B7-44CCDCB7CFBE&displaylang=en

Protection against XSRF/One-Click attack

A one-click attack relies on the ability of an attacker to
create a prefilled form which a user submits
unknowingly.
Page.ViewStateUserKey binds the view state to the current
user (here the session ID), so the attacker cannot compute
a valid view state in advance and therefore cannot prepare
a prefilled form.
// In the page's code-behind; the key must be set during Init
protected override void OnInit(EventArgs e)
{
// ...
Page.ViewStateUserKey = Session.SessionID;
// ...
}

ViewState Protection
ViewState is tamper-proof by default. This is controlled
by the key
<pages enableViewStateMac="true" />

An HMAC is calculated and appended to the ViewState
to ensure integrity. The key and algorithm used are
defined in the element
<machineKey validationKey="AutoGenerate,IsolateApps" validation="SHA1" />

ViewState can also be encrypted to ensure
confidentiality.
<pages viewStateEncryptionMode="Always" />

Protecting Forms Authentication cookie

The authentication cookie can be protected.
<forms
loginUrl="Login.aspx"
protection="All"
timeout="20"
slidingExpiration="false"
requireSSL="true" />

*Authentication cookies are HttpOnly by default in ASP.NET 2.0

Event Validation in ASP.NET 2.0

Event Validation verifies that arguments to postback or
callback events originate from the server control that
originally rendered them.
Can be toggled at page level by
<%@ Page EnableEventValidation="true" %>

Also at application level by
<pages enableEventValidation="true" />

ASP.NET Validation Controls

The framework provides a variety of controls for common
validation tasks

Required Field Validator
Compare Validator
Range Validator
Regular Expression Validator
Custom Validator

They validate on both client and server side. However,
client-side validation can be bypassed, so the Page.IsValid
property must be checked in server code to ensure that
server validation has succeeded.

Authentication & Authorization

Authorization: what is the caller allowed to do? Use process
identity or caller identity?
File authorization
URL authorization
Impersonation

Authentication: who did the request come from?
Windows
Passport
Forms

Configuring Authentication
Web.config
<configuration>
<system.web>
<!-- mode="Windows|Passport|Forms|None" -->
<authentication mode="Windows" />
</system.web>
</configuration>

ASP.NET Authorization
File authorization
Typically combined with Windows auth
Uses NTFS permissions to control access to resources based on
caller's Windows identity

URL authorization
Typically combined with forms authentication
Controls access to resources based on caller's Windows,
Passport, or forms identity
Applied in Web.config

Role and Membership providers

Provide features to implement authentication and
authorization quickly and securely.
ASP.NET comes with SqlMembershipProvider and
ActiveDirectoryMembershipProvider.
They provide many security features such as password length
and complexity rules, storing hashed or encrypted passwords,
configurable account lockout, password retrieval etc.

Protected Configuration Provider

The Protected Configuration Provider helps improve the
security of an application by letting you encrypt sensitive
information that is stored in a web.config file.
Sections that commonly contain sensitive information:

<appSettings>
<connectionStrings>
<identity>
<sessionState>
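Encrypting a section programmatically, as an added example that is not from the slides: it uses the DPAPI-based provider shipped with ASP.NET 2.0 and assumes the application's virtual path is "/MyApp" (placeholder). Code that reads the section through ConfigurationManager afterwards still gets the plaintext values; only the file on disk is encrypted.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ProtectedConfigHelper
{
    // Encrypts one web.config section in place and returns true if the
    // section is protected afterwards (already protected or newly protected).
    // Must run under an identity that can write the application's web.config.
    public static bool ProtectSection(string appVirtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            return false; // nothing to protect

        if (!section.SectionInformation.IsProtected)
        {
            // DataProtectionConfigurationProvider keys on the machine's DPAPI store, so the
            // encrypted web.config is only readable on the machine that encrypted it.
            // For a web farm use RsaProtectedConfigurationProvider with an exported key container.
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save();
        }
        return section.SectionInformation.IsProtected;
    }

    // Example call (placeholder path): protect the connection strings of /MyApp.
    public static bool ProtectConnectionStrings()
    {
        return ProtectSection("/MyApp", "connectionStrings");
    }
}
```

The command-line equivalent is aspnet_regiis -pe "connectionStrings" -app "/MyApp"; either way, verify the result by checking that the section in web.config now contains an EncryptedData element instead of plaintext connection strings.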

IIS Security

IIS Security Architecture

Protection and Pooling: where should the code execute?

Auditing/Request Tracing

Authorization: what is the caller allowed to do?
Windows Access Control Lists
Authorization rules (IIS 7)

Authentication: who did the request come from?
Anonymous
Basic
Digest
X.509 Certificates
Integrated Windows
Passport (IIS 6)
Forms (IIS 7)

SSL/TLS: should traffic be encrypted?
IP Restrictions: are calls from this IP address allowed?

Application pools in IIS

Application pools separate applications by process
boundaries to prevent an application from affecting
another application on the server.
Each application pool can be configured to run under a
separate service account.

*Application pools are available only in IIS 6 and IIS 7.

Worker Process Identity

On IIS 5, ASP.NET runs as ASPNET by default.
Weak local account with limited privileges
Created at install time
Password autogenerated

On IIS 6 & IIS 7, ASP.NET runs as Network Service
(machine$) by default.
Weak account with limited privileges
Has network credentials
Built into Windows Server 2003

IIS 7 Security Enhancements

Integrated Request Pipeline
Authentication and Authorization modules are available to all types
of content, such as ASP, static files etc.
Can use features like .NET Role or Membership providers for any
content.
Can configure Authorization rules for all types of content in IIS.

Request filtering
A tool like URLScan which can be used to filter requests
based on rules like URL patterns, content lengths,
encodings, verbs etc.
Hidden Namespaces/Segments: used to prevent IIS
from serving certain sections of the URL space,
e.g. web.config, bin, App_Code, App_Data etc.
This can be used to protect sections of a website which should not be
accessible to users.

Web Development Best Practices

Don't trust user input.
Encode all user-controllable outputs before displaying.
Use parameterized SQL statements and stored
procedures.
Employ the Principle of Least Privilege.
Reduce attack surface by locking down web server and
application.
Use structured exception handling.
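A code-behind that applies the validation-control rule (check Page.IsValid on the server) together with the best practices above, as an added example that is not from the slides. It assumes page markup with a TextBox "UserName", a CustomValidator wired to UserName_ServerValidate, a Button wired to Lookup_Click and a Label "Result"; the "UsersDb" connection string and the Users table are placeholders.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class UserLookup : Page
{
    // Server-side rule for the CustomValidator. Client-side validation can be
    // bypassed, so the same allow-list rule is enforced here.
    protected void UserName_ServerValidate(object source, ServerValidateEventArgs args)
    {
        args.IsValid = Regex.IsMatch(args.Value, @"^[A-Za-z0-9._-]{1,32}$");
    }

    protected void Lookup_Click(object sender, EventArgs e)
    {
        // Page.IsValid is the only reliable signal that every validator passed on the server.
        if (!Page.IsValid)
            return;

        // Read from <connectionStrings>, ideally stored encrypted via protected configuration.
        string connStr = ConfigurationManager.ConnectionStrings["UsersDb"].ConnectionString;

        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT DisplayName FROM Users WHERE UserName = @name", conn))
        {
            // Parameterized: the input travels as data and is never concatenated into the SQL text.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 32).Value = UserName.Text;
            conn.Open();
            object displayName = cmd.ExecuteScalar();

            // Encode before rendering; a Label does not encode its Text for you.
            // The Anti-XSS library's AntiXss.HtmlEncode is the stricter alternative.
            Result.Text = displayName == null
                ? "No such user."
                : HttpUtility.HtmlEncode(displayName.ToString());
        }
    }
}
```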

Summary
ASP.NET provides a large number of security features to
enable developers to write secure code.
Familiarize yourself with the security features offered by the
framework.
Use these features wisely according to your needs.

Use IIS security features to lock down your web
applications against intrusion.
Use appropriate authentication methods.
Isolate applications to minimize damage due to a rogue or
compromised application.

Resources
Security Developer Center:
http://msdn.microsoft.com/security
Threats & Countermeasures:
http://msdn2.microsoft.com/en-us/library/ms994921.aspx
Building Secure ASP.NET Applications
http://msdn2.microsoft.com/en-us/library/Aa302415.aspx
http://www.iis.net

http://blogs.msdn.com/ace_team/

Application Security Consulting Services

Services offered by Microsoft ACE Services:
Application Security Code Reviews
Threat Modeling/Design Reviews
Training:
Secure Application Development
Threat Modeling
Assistance with developing and deploying SDL-IT
within your environment

Contact
vimalr@microsoft.com
SDL-IT@microsoft.com

Questions?
Email: vimalr@microsoft.com
Blog: http://blogs.msdn.com/ace_team
