Note:
This document is now live on MSDN. See "Security Checklist: ADO.NET 2.0" at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGCK0002.asp
Security Checklist: ADO.NET 2.0
J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Chaitanya Bijwe
Input / Data Validation
* Regular expressions are used to validate input against expected patterns.
* In ASP .NET applications, ASP.NET validator controls are used to constrain and validate input.
* The application does not rely only on ASP.NET request validation.
* All untrusted input is validated inside data access methods.
SQL Injection
* Input data is constrained and sanitized. Data is checked for type, length, format, and range.
* Type-safe SQL parameters are used for data access.
* Where possible, dynamic queries that accept untrusted input are avoided.
* With dynamic SQL, character escaping is used to handle special input characters.
* The application login is restricted and has limited database permissions.
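The Input / Data Validation and SQL Injection items above, shown in code. This is an added example, not code from the checklist or its authors. It assumes the System.Data.SqlClient provider on .NET Framework, a Northwind-style dbo.Customers table with an NCHAR(5) CustomerID column, and a connection string that in a real application would be read from an encrypted configuration section rather than a constant.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class CustomerData
{
    // Hypothetical connection string; read it from an encrypted config section in practice.
    private const string ConnectionString =
        "Data Source=(local);Initial Catalog=Northwind;Integrated Security=SSPI;";

    // Whitelist for a customer id: exactly five upper-case letters, matching
    // the assumed NCHAR(5) CustomerID column. Type, length, format and range
    // are all pinned down by the pattern before the value goes anywhere near SQL.
    private static readonly Regex CustomerIdPattern =
        new Regex(@"^[A-Z]{5}$", RegexOptions.CultureInvariant);

    // VULNERABLE, for contrast only: the input becomes part of the statement,
    // so an id of  X' OR '1'='1  turns the WHERE clause into a tautology.
    public static DataTable GetCustomerUnsafe(string customerId)
    {
        string sql = "SELECT CustomerID, CompanyName FROM dbo.Customers "
                   + "WHERE CustomerID = '" + customerId + "'";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
        {
            DataTable table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // HARDENED: validate inside the data access method (callers cannot skip it),
    // then bind the value as a typed SqlParameter so it is sent as data, never parsed as SQL.
    public static DataTable GetCustomer(string customerId)
    {
        if (customerId == null || !CustomerIdPattern.IsMatch(customerId))
        {
            throw new ArgumentException("Invalid customer id.", "customerId");
        }

        const string sql = "SELECT CustomerID, CompanyName FROM dbo.Customers "
                         + "WHERE CustomerID = @CustomerId";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
        {
            cmd.CommandType = CommandType.Text;
            cmd.Parameters.Add("@CustomerId", SqlDbType.NChar, 5).Value = customerId;
            DataTable table = new DataTable();
            adapter.Fill(table);   // Fill opens and closes the connection itself
            return table;
        }
    }

    // Dynamic SQL that cannot be parameterised, such as an ORDER BY column:
    // constrain the input to a fixed list rather than trying to escape it.
    private static readonly string[] SortableColumns = { "CompanyName", "ContactName", "City" };

    public static string BuildSortedQuery(string sortColumn)
    {
        if (Array.IndexOf(SortableColumns, sortColumn) < 0)
        {
            throw new ArgumentException("Unknown sort column.", "sortColumn");
        }
        return "SELECT CustomerID, CompanyName FROM dbo.Customers ORDER BY [" + sortColumn + "]";
    }

    // Last resort when a string literal really must be embedded: doubling the
    // quote stops the literal being terminated early. It does nothing for
    // numeric or identifier contexts, so prefer parameters wherever possible.
    public static string EscapeSqlLiteral(string value)
    {
        return value.Replace("'", "''");
    }
}
```

The point of putting the regex check inside GetCustomer rather than in the page or control that calls it is that every caller, including ones written later, gets the same check; ASP.NET validator controls and request validation are a first line, not the only one. The parameter also fixes the length at 5, so an over-long value is rejected by SQL Server rather than silently truncated.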
Configuration and Connection Strings
* Where possible, Windows authentication is used to avoid placing credentials in connection strings.
* Aspnet_regiis is used to encrypt credentials stored in connection strings in configuration files.
* RSA encryption is used to protect credentials stored in connection strings on Web farm servers.
* In the connection string, the PersistSecurityInfo attribute is not specified or is set to false or no.
* Where possible, connection strings are not constructed with user input.
* If user input must be used to build connection strings, the input is validated and a connection string builder class (for example, SqlConnectionStringBuilder) is used rather than string concatenation.
* Where possible, Universal Data Link (UDL) files for OLE DB data sources are avoided.
Authentication
* Where possible, Windows authentication is used to connect to the database.
* If SQL authentication is used, then strong passwords are used and enforced.
* If SQL authentication is used, then IPSec or SSL is used to protect credentials on the network.
* If SQL authentication is used, then Aspnet_regiis is used to encrypt connection strings in configuration files.
* RSA encryption is used to protect credentials stored in connection strings on Web farm servers.
* The account used to connect to the database has restricted database permissions.
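The Configuration and Connection Strings items and the Authentication items above both come down to how the connection string is built and what it carries. This added example (not code from the checklist or its authors) shows the preferred Windows authentication form, the SQL authentication fallback with channel encryption, and a check that can be run over a string read from configuration. It assumes System.Data.SqlClient on .NET Framework; the name pattern and the parameter names are assumptions for the example.

```csharp
using System;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class ConnectionStrings
{
    // Server and database names this example accepts from a caller: letters,
    // digits, dots, hyphens and underscores only (assumed policy). In
    // particular no ';' or quotes, so a value cannot smuggle in extra keywords.
    private static readonly Regex NamePattern =
        new Regex(@"^[A-Za-z0-9._-]{1,128}$", RegexOptions.CultureInvariant);

    // Preferred: Windows authentication, so no credential appears in the string.
    public static string BuildIntegrated(string server, string database)
    {
        SqlConnectionStringBuilder b = new SqlConnectionStringBuilder();
        b.DataSource = Validate(server, "server");
        b.InitialCatalog = Validate(database, "database");
        b.IntegratedSecurity = true;
        b.PersistSecurityInfo = false;   // never keep a password in SqlConnection.ConnectionString
        return b.ConnectionString;
    }

    // Fallback: SQL authentication. The password is a secret on the wire, so
    // require an encrypted channel; the checklist's alternative is IPSec.
    public static string BuildSqlAuth(string server, string database, string user, string password)
    {
        SqlConnectionStringBuilder b = new SqlConnectionStringBuilder();
        b.DataSource = Validate(server, "server");
        b.InitialCatalog = Validate(database, "database");
        b.IntegratedSecurity = false;
        b.UserID = user;
        b.Password = password;           // the builder quotes special characters itself
        b.PersistSecurityInfo = false;
        b.Encrypt = true;
        return b.ConnectionString;
    }

    // Audit a string read from configuration against the two settings the
    // checklist calls out. A malformed string throws ArgumentException here
    // rather than at first use.
    public static bool IsAcceptable(string connectionString)
    {
        SqlConnectionStringBuilder b = new SqlConnectionStringBuilder(connectionString);
        if (b.PersistSecurityInfo) return false;
        if (!b.IntegratedSecurity && !b.Encrypt) return false;
        return true;
    }

    private static string Validate(string value, string name)
    {
        if (value == null || !NamePattern.IsMatch(value))
        {
            throw new ArgumentException("Invalid " + name + ".", name);
        }
        return value;
    }
}
```

Building the string with "Data Source=" + server is the failure mode the builder prevents: a server value such as `x;Integrated Security=false;User ID=sa;Password=...` rewrites the later keywords, whereas the builder assigns one key at a time and quotes values containing delimiters. The Aspnet_regiis items apply once the string is in web.config: `aspnet_regiis -pe "connectionStrings" -app "/MyApp" -prov "DataProtectionConfigurationProvider"` encrypts the section with DPAPI for a single server; for a Web farm use `-prov "RsaProtectedConfigurationProvider"`, export the key container with `-px` (adding `-pri` for the private key), import it on each server with `-pi`, and grant the worker process account access with `-pa`.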
Authorization
* Role checks, or declarative or imperative principal permission checks, are used to restrict calling users.
* Where appropriate, the data access library code is designed to restrict the access of calling code.
* The data access library code uses strong names to constrain partial trust callers.
* Application-specific data access code is placed in the application's bin directory.
* The application's database login is restricted in the database and can execute selected stored procedures only. The application login has no direct table access.
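The Authorization items above in code: a declarative PrincipalPermission demand, an imperative demand for a rule the attribute cannot express, a plain role check, and data access that goes through stored procedures only. This is an added example, not code from the checklist or its authors. It assumes .NET Framework (PrincipalPermission demands are not enforced on .NET Core), and the role names, procedure names and refund threshold are assumptions for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public static class OrdersData
{
    // Hypothetical connection string; the login it maps to is granted EXECUTE
    // on the procedures below and nothing else (no table permissions).
    private const string ConnectionString =
        "Data Source=(local);Initial Catalog=Northwind;Integrated Security=SSPI;";

    // Declarative check: the runtime demands the role (assumed name) before the
    // body runs and throws SecurityException if Thread.CurrentPrincipal lacks it.
    [PrincipalPermission(SecurityAction.Demand, Role = "OrderManager")]
    public static void CancelOrder(int orderId)
    {
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.usp_CancelOrder", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;   // procedure only, never ad hoc SQL
            cmd.Parameters.Add("@OrderId", SqlDbType.Int).Value = orderId;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Imperative check for a rule the attribute cannot express: the required
    // role depends on the data (threshold and role names are assumed).
    public static void ApproveRefund(int orderId, decimal amount)
    {
        string requiredRole = amount > 1000m ? "RefundApprover" : "OrderManager";
        new PrincipalPermission(null, requiredRole).Demand();

        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.usp_ApproveRefund", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@OrderId", SqlDbType.Int).Value = orderId;
            cmd.Parameters.Add("@Amount", SqlDbType.Money).Value = amount;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Plain role check where the caller wants a yes/no rather than an exception.
    public static bool CanViewOrder(IPrincipal caller)
    {
        return caller != null
            && caller.Identity.IsAuthenticated
            && (caller.IsInRole("OrderManager") || caller.IsInRole("Support"));
    }

    public static void Main()
    {
        // Constructed caller for the demo: authenticated, but only in "Support".
        Thread.CurrentPrincipal =
            new GenericPrincipal(new GenericIdentity("alice"), new string[] { "Support" });
        Console.WriteLine("CanViewOrder: " + CanViewOrder(Thread.CurrentPrincipal));
        try
        {
            CancelOrder(10248);   // the demand fails before any SQL is sent
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Denied: " + ex.Message);
        }
    }
}
```

In an ASP.NET application Thread.CurrentPrincipal is populated by the authentication module, so the same demands work unchanged there. The two layers are deliberate: the principal check stops an unauthorised user before any call is made, and the EXECUTE-only database login limits what a bug in the data access code can do if the check is ever bypassed.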
Exception Management
* Database connections are closed with using statements or in finally blocks.
* ADO.NET exceptions are not propagated to users. Only generic exception information is displayed.
* In ASP.NET applications, a generic error page is used to avoid accidentally returning detailed error information to the client.
* ADO.NET exception details are logged on the server.
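The Exception Management items above in one data access method. This is an added example, not code from the checklist or its authors. It assumes System.Data.SqlClient on .NET Framework, a Northwind-style dbo.Products table, and that Trace listeners are configured to write to a file or the event log (an assumed deployment detail); the exception type and message text are illustrative.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;

// The only exception type that leaves the data access layer: a generic message
// plus a reference number that support can match against the server log.
// It deliberately carries no inner exception, since error pages and log viewers
// that render Exception.ToString() would otherwise print the provider detail.
public class DataAccessException : Exception
{
    public DataAccessException(string message) : base(message) { }
}

public static class ProductData
{
    // Hypothetical connection string; read it from an encrypted config section in practice.
    private const string ConnectionString =
        "Data Source=(local);Initial Catalog=Northwind;Integrated Security=SSPI;";

    public static int GetUnitsInStock(int productId)
    {
        try
        {
            // 'using' closes the connection on every exit path, including
            // exceptions, so a pooled connection is never leaked. An explicit
            // try/finally that calls conn.Close() is the equivalent form.
            using (SqlConnection conn = new SqlConnection(ConnectionString))
            using (SqlCommand cmd = new SqlCommand(
                "SELECT UnitsInStock FROM dbo.Products WHERE ProductID = @ProductId", conn))
            {
                cmd.Parameters.Add("@ProductId", SqlDbType.Int).Value = productId;
                conn.Open();
                object result = cmd.ExecuteScalar();
                if (result == null || result == DBNull.Value)
                {
                    throw new DataAccessException("Product not found.");
                }
                return Convert.ToInt32(result);
            }
        }
        catch (SqlException ex)
        {
            throw Sanitize(ex, "The stock level could not be retrieved.");
        }
        catch (InvalidOperationException ex)   // e.g. pool exhausted, bad connection state
        {
            throw Sanitize(ex, "The stock level could not be retrieved.");
        }
    }

    // Log the full provider detail on the server and return the generic
    // exception that callers and pages are allowed to see.
    private static DataAccessException Sanitize(Exception ex, string userMessage)
    {
        Guid reference = Guid.NewGuid();
        SqlException sqlEx = ex as SqlException;
        string detail = sqlEx != null
            ? string.Format("SqlException {0} in {1} line {2} on {3}: {4}",
                            sqlEx.Number, sqlEx.Procedure, sqlEx.LineNumber, sqlEx.Server, sqlEx.Message)
            : ex.ToString();
        Trace.TraceError("ref={0} {1}", reference, detail);   // server-side only
        return new DataAccessException(userMessage + " Reference: " + reference.ToString("N"));
    }
}
```

The ASP.NET generic error page the checklist refers to is configured with `<customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />` in web.config; "RemoteOnly" keeps detailed errors visible to a browser on the server itself while remote clients get the generic page. The reference number is what lets an operator find the SqlException detail (server name, error number, procedure and line) in the log without any of it reaching the client.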
Sensitive Data
* If sensitive data must be stored, then a strong symmetric encryption algorithm such as AES is used to encrypt it. DPAPI is used to protect symmetric encryption keys.
* Sensitive data is protected with IPSec or SSL on the network.
* Passwords are stored as irreversible hash values with added salt. Passwords are not stored in clear text or in encrypted format.
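The two storage items above in code: AES encryption of data that must be recoverable, with the AES key itself wrapped by DPAPI, and salted, iterated hashing for passwords, which must not be recoverable. This is an added example, not code from the checklist or its authors. It assumes .NET Framework 4.x on Windows with a reference to System.Security.dll for ProtectedData (the ADO.NET 2.0-era equivalents are RijndaelManaged and a non-disposable Rfc2898DeriveBytes); the iteration count and the DPAPI scope are assumptions for the example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class SensitiveData
{
    // Generate a random 256-bit AES key and return it wrapped by DPAPI. Store
    // only the wrapped blob. CurrentUser binds it to the account running the
    // application; a service without a loaded profile would use LocalMachine.
    public static byte[] CreateProtectedKey()
    {
        using (Aes aes = Aes.Create())
        {
            aes.KeySize = 256;
            aes.GenerateKey();
            return ProtectedData.Protect(aes.Key, null, DataProtectionScope.CurrentUser);
        }
    }

    // Returns IV || AES-CBC ciphertext. The raw key exists only for the
    // duration of the call and is cleared afterwards.
    public static byte[] Encrypt(byte[] protectedKey, string plaintext)
    {
        byte[] key = ProtectedData.Unprotect(protectedKey, null, DataProtectionScope.CurrentUser);
        try
        {
            using (Aes aes = Aes.Create())
            using (MemoryStream ms = new MemoryStream())
            {
                aes.Key = key;
                aes.GenerateIV();                  // fresh random IV per message
                ms.Write(aes.IV, 0, aes.IV.Length);
                using (ICryptoTransform enc = aes.CreateEncryptor())
                using (CryptoStream cs = new CryptoStream(ms, enc, CryptoStreamMode.Write))
                {
                    byte[] data = Encoding.UTF8.GetBytes(plaintext);
                    cs.Write(data, 0, data.Length);
                    cs.FlushFinalBlock();
                }
                return ms.ToArray();               // still valid after the stream is closed
            }
        }
        finally { Array.Clear(key, 0, key.Length); }
    }

    public static string Decrypt(byte[] protectedKey, byte[] blob)
    {
        byte[] key = ProtectedData.Unprotect(protectedKey, null, DataProtectionScope.CurrentUser);
        try
        {
            using (Aes aes = Aes.Create())
            {
                int ivLen = aes.BlockSize / 8;
                byte[] iv = new byte[ivLen];
                Buffer.BlockCopy(blob, 0, iv, 0, ivLen);
                aes.Key = key;
                aes.IV = iv;
                using (ICryptoTransform dec = aes.CreateDecryptor())
                using (MemoryStream ms = new MemoryStream(blob, ivLen, blob.Length - ivLen))
                using (CryptoStream cs = new CryptoStream(ms, dec, CryptoStreamMode.Read))
                using (StreamReader reader = new StreamReader(cs, Encoding.UTF8))
                {
                    return reader.ReadToEnd();
                }
            }
        }
        finally { Array.Clear(key, 0, key.Length); }
    }

    // Passwords: random salt, PBKDF2 (Rfc2898DeriveBytes, HMAC-SHA1) with an
    // iteration count (assumed) tuned so one check costs tens of milliseconds.
    private const int SaltSize = 16, HashSize = 32, Iterations = 100000;

    // Returns salt || hash; nothing stored can be reversed to the password.
    public static byte[] HashPassword(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider()) { rng.GetBytes(salt); }
        byte[] record = new byte[SaltSize + HashSize];
        Buffer.BlockCopy(salt, 0, record, 0, SaltSize);
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            Buffer.BlockCopy(kdf.GetBytes(HashSize), 0, record, SaltSize, HashSize);
        }
        return record;
    }

    public static bool VerifyPassword(string password, byte[] record)
    {
        if (record == null || record.Length != SaltSize + HashSize) return false;
        byte[] salt = new byte[SaltSize];
        Buffer.BlockCopy(record, 0, salt, 0, SaltSize);
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            byte[] hash = kdf.GetBytes(HashSize);
            int diff = 0;                          // constant-time comparison
            for (int i = 0; i < HashSize; i++) diff |= hash[i] ^ record[SaltSize + i];
            return diff == 0;
        }
    }
}
```

Two caveats a practitioner would add. AES-CBC as shown gives confidentiality only; if the ciphertext is stored where an attacker can modify it, append an HMAC over IV and ciphertext (encrypt-then-MAC) and verify it before decrypting. And the per-user salt plus iteration count is what makes the stored hash irreversible in practice: a single unsalted hash of the password, even with a strong algorithm, is still a dictionary lookup away from the clear text, which is why the checklist rules out both clear text and reversible encryption for passwords.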
Code Access Security
* A custom ASP.NET policy is used to access non-SQL Server databases from partial trust ASP.NET applications.
* Extended OleDbPermission syntax is used to restrict database access on hosted servers.
* StrongNameIdentityPermission is not the only means used to restrict full trust callers.
Deployment Considerations
* Only required ports are opened and firewall restrictions are applied for the application.
* If credentials are stored in configuration files, they are encrypted. RSA encryption is used on Web farm servers.
* Database auditing is enabled and failed login attempts are logged.