Professional ASP.NET 2.0 Security, Membership, and Role Management
There are disappointingly few books available that discuss ASP.NET security in a holistic way. Many books cover membership and role management, and maybe a bit about authentication and authorization, but aren't really about securing a Web site. As a result, I think a lot of ASP.NET developers implement membership management and leave it at that, leaving their sites vulnerable to a vast array of threats.
So I was quite excited to get a copy of Stefan Schackow's book, Professional ASP.NET 2.0 Security, Membership, and Role Management. Stefan is a program manager on Microsoft's ASP.NET product team and is now working on some of the newer security technologies emerging from Microsoft, such as the Windows Communication Foundation. He's probably in the perfect position to write an ASP.NET security book.
In its 594 pages, the book covers all of the important security topics that a developer needs to know about, without losing its focus and deteriorating into a discussion of Web security in general. There are plenty of books that go there, and it was definitely better to keep this book tightly focused on ASP.NET topics. The author covers both the hip new authentication and authorization management features like membership and role management, as well as things like partially trusted applications and viewstate protection. Each of these sets of topics protects against very different threats.
The book starts out with a look at the anatomy of a Web request through IIS and the security implications. This discussion could easily have evolved into a discourse on IIS security, but that's not what the book is about. Schackow covers what you need to know about Web requests so that you can understand how IIS and ASP.NET work together, and how you can keep those requests secure.
There are chapters about the different authentication methods in ASP.NET, securing session state, and using and configuring providers, as well as the membership and role management features. There's a whole chapter on successfully using Active Directory as a membership provider. An interesting chapter covers integrating ASP.NET security with classic ASP, sometimes called "ASP.moldy". You have to jump through some hoops to make the two technologies play nicely together, but at least it is possible as a transition strategy.
My favorite chapter in the book is Chapter 3, cleverly titled "A Matter of Trust". One of the evils of ASP.NET development is that it defaults to full trust, which essentially turns off code access security (CAS). This means that the CLR does not enforce any code security, making it far easier for an attacker to take advantage of the Web application to attack a server. With a little extra work (surprisingly little) you can create a partially trusted application that has exactly the permissions it needs, but no more. You can use any of the pre-defined trust levels, such as medium, but the correct way to do it is to define a custom trust level. Chapter 3 talks about all these issues and how to implement a custom trust level, as well as how to work with the AllowPartiallyTrustedCallersAttribute that controls whether partially trusted code is able to access a class's methods. This chapter should be required reading for all ASP.NET developers.
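To make the custom-trust-level idea concrete, here is an added configuration example (mine, not from the book or from Microsoft's shipped files) showing the default full-trust setting beside a custom trust level. It assumes the policy file web_custom.config was created by copying web_mediumtrust.config from the .NET Framework CONFIG directory and then tightening the "ASP.Net" permission set; the hypothetical application reads files under its own directory but never writes to disk or sends mail, so those permissions are dropped.

```xml
<!-- web.config: the ASP.NET 2.0 default, which disables CAS enforcement -->
<configuration>
  <system.web>
    <trust level="Full" />
  </system.web>
</configuration>

<!-- web.config: map a custom trust level to a policy file and select it.
     The machine-level <location allowOverride="true"> must permit an
     application to set <trust>, or this setting is ignored/rejected. -->
<configuration>
  <system.web>
    <securityPolicy>
      <!-- path is relative to this web.config; file is a copy of
           web_mediumtrust.config with the edits shown below -->
      <trustLevel name="Custom" policyFile="web_custom.config" />
    </securityPolicy>
    <trust level="Custom" originUrl="" />
  </system.web>
</configuration>

<!-- web_custom.config (excerpt): only the "ASP.Net" named permission set is
     changed; SecurityClasses and CodeGroups are kept as copied from medium trust -->
<PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
  <IPermission class="AspNetHostingPermission" version="1" Level="Medium" />
  <!-- medium trust grants Read/Write/Append/PathDiscovery on $AppDir$;
       this app only reads, so Write and Append are removed -->
  <IPermission class="FileIO" version="1"
               Read="$AppDir$" PathDiscovery="$AppDir$" />
  <IPermission class="IsolatedStorageFilePermission" version="1"
               Allowed="AssemblyIsolationByUser" UserQuota="9223372036854775807" />
  <IPermission class="SecurityPermission" version="1"
               Flags="Assertion, Execution, ControlThread, ControlPrincipal, RemotingConfiguration" />
  <!-- database access stays; SmtpPermission and DnsPermission from the
       medium-trust template are deliberately omitted -->
  <IPermission class="SqlClientPermission" version="1" Unrestricted="true" />
  <!-- outbound HTTP limited to the originating host only -->
  <IPermission class="WebPermission" version="1">
    <ConnectAccess>
      <URI uri="$OriginHost$" />
    </ConnectAccess>
  </IPermission>
</PermissionSet>
```

After switching, exercise every code path under the custom level: any SecurityException in the event log or on an error page identifies a permission the application genuinely needs, which is then added back one IPermission at a time rather than by returning to Full.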
The book has a nice selection of topics, written by someone with access to the internal workings of ASP.NET. As a result, it is useful to read it from cover to cover (perhaps skipping topics not of immediate interest), then keep it handy at your development machine for reference throughout a project.
If I have any complaint about the book at all, it is that it doesn't discuss how to determine which of the many features covered should be used in a given Web application. In other words, in response to the threats you've identified for the application, which features should I implement, and how? But this is a minor quibble; the author simply assumes that you know the threats and can relate the security features to those threats. The book's focus is tight, which is not a bad thing.
I highly recommend this title for ASP.NET developers. If you're interested in other books with a wider range of security topics, see my asp.netNOW column "Tome Time: The Best Security Books for Windows and .NET Development".
Title: Professional ASP.NET 2.0 Security, Membership, and Role Management
Author: Stefan Schackow
Publisher: Wrox Press
Page Count: 594