ASP.NET 2.0 Security Reference Implementation
By Don Kiely
This fact is deeply depressing to me: application security in 2006 is still incredibly difficult. We're six years into the new millennium and going on 15 years since the Web was born, and still there are no easy ways to secure applications. Put an interesting application on the Web, and it's a sure bet that it'll be hacked, or at least attacked. Developers I talk to complain that Windows itself is still too insecure, that the security features in .NET and especially ASP.NET are great, but are way too hard to learn and use effectively. And even if you put them to use, there is no way to be sure that a site is secure. So most people do the easy best practices, whether they are appropriate for a particular site or not, and hope for the best.
This is NOT a good way to make the Web more secure!
Microsoft feels our pain, being the source of much of it. On the one hand, they have provided some incredible tools and technologies for building secure Web sites, including membership and role providers, great infrastructure for authentication and authorization, health monitoring, and way more, including the many tools built into or shipping with Visual Studio 2005. But now it seems that there is just too much: too much to learn, too much to implement (even with the built-in infrastructure), and too much deadline pressure to make it all happen.
Fortunately, Microsoft has committed to providing a steady stream of documentation and educational materials to help solve the problem. Their latest ASP.NET security freebie has the rather unwieldy moniker of ASP.NET 2.0 Security Reference Implementation. This product is a combination of documentation and source code that is worthwhile to study to get right at the best practices that you can implement in ASP.NET 2.0 Web sites. The package itself is a bit daunting, but it doesn't take long to figure out what's what.
The documentation consists of two Word documents. Start with ASP.NET 2.0 Internet Security Reference Implementation. This has the meat of the problems and solutions addressed by the package, along with details about how the solutions are implemented in the code. The other document, Scenario and Solution: Forms Auth to SQL, Roles in SQL, contains more implementation details. This document is relatively more about the application than the ASP.NET infrastructure.
The other major part of the package is the code, consisting of 17 projects in a single solution file. Yikes! It is a secure implementation of Pet Shop, an application that started life as a Java reference implementation that has historically had nothing to do with security. You could probably lift entire projects out of here to use in your applications, saving a ton of time and development work. But it will take some time to fully grok how everything works. It's a fairly standard multi-tier application, with UI, business logic middle tier, and data access layers, along with supporting objects.
A note of caution: The implementation is designed to provide best practices for a rather specific scenario, as spelled out in the documentation.
The scenario: In this scenario, the machine hosting the Web application is a dedicated Web server hosted by the organization that developed the application. The application is accessed over the Internet by the general public, using a variety of browsers. It is administered by the organization's IT department.
The solution: The Web application uses forms authentication configured with the SQLMembershipProvider. The SQLRoleProvider is used for user authorization. Role and membership information is stored in a SQL database.
As long as your application doesn't stray too far from this scenario and solution, you'll find some great advice here. Fortunately, I suspect that most real-world ASP.NET 2.0 applications are like the reference implementation. Or perhaps should be.
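The solution described above maps onto a handful of web.config sections. The following is an added example, not taken from the reference implementation or Microsoft's documentation; the connection string name, application name, login page, Admin folder and role name are hypothetical.

```xml
<!-- Added example, not from the package. MembershipDb, /PetShop, ~/Login.aspx,
     the Admin folder and the Administrators role are hypothetical names. -->
<configuration>
  <connectionStrings>
    <!-- Integrated security keeps SQL credentials out of the file -->
    <add name="MembershipDb" providerName="System.Data.SqlClient"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=aspnetdb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <!-- Forms ticket: encrypted and MAC'd, sent over SSL only, fixed lifetime -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" protection="All" requireSSL="true"
             timeout="20" slidingExpiration="false" cookieless="UseCookies" />
    </authentication>
    <membership defaultProvider="SqlMembership">
      <providers>
        <clear />
        <!-- Salted hashes, no password retrieval, lockout on repeated failures -->
        <add name="SqlMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb" applicationName="/PetShop"
             passwordFormat="Hashed" enablePasswordRetrieval="false"
             enablePasswordReset="true" requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true" minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" />
      </providers>
    </membership>
    <!-- Role cache cookie gets the same protection as the auth ticket -->
    <roleManager enabled="true" defaultProvider="SqlRoles"
                 cacheRolesInCookie="true" cookieProtection="All"
                 cookieRequireSSL="true" cookieTimeout="20"
                 cookieSlidingExpiration="false">
      <providers>
        <clear />
        <add name="SqlRoles" type="System.Web.Security.SqlRoleProvider"
             connectionStringName="MembershipDb" applicationName="/PetShop" />
      </providers>
    </roleManager>
  </system.web>
  <!-- URL authorization: only members of the role reach the Admin folder -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Both providers point at the same connection string and applicationName, so membership and role rows land in the same SQL database and the same application scope.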
One annoyance about the package is that if you install the code you're forced to install SQL Express. This is whether you have SQL Server 2005 installed already or not. This can be a royal pain, as it was for me because I have most of my C: drive compressed, which SQL Server doesn't much like, and I run as a least-privileged user. I had to separately install SQL Express, even though I have an instance of the Standard Edition of SQL Server 2005 already installed. Aargh. As is all too often the case, I wasted hours getting past this roadblock.
It would be nice if you could get at the code and configure the database to use existing resources, but Microsoft hasn't provided this option. Fortunately, the GotDotNet license allows free distribution of modified versions of the package. So I've gone through the pain of installing it and providing just the source code for your viewing pleasure, which you can download here (see end of article for details). If you want to run the app or view the documentation, you'll need to download it from GotDotNet using the link below.
The good news is that this reference implementation has some good advice, distilled from much larger and more dense documentation on MSDN and Microsoft's Patterns & Practices group. It is a fine way to see what is necessary to secure an ASP.NET 2.0 application, as long as it doesn't stray too far from the specific scenario covered.
Next time I'll write about a great tool by Microsoft's least privilege guru Aaron Margosis, LUA Buglight. It's still a work in progress, but it's going to go a long way toward writing more secure applications. If you can't wait, check out the current release on his blog post here.
The files referenced in this article are available for download.
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.