

ASP.NET 2.0 Security FAQs

Welcome to the ASP.NET 2.0 Security FAQ page. This page is an index of common questions and answers; each question is also an entry point into the corresponding security guidance.

Authentication

* What's new in ASP.NET 2.0 in terms of Authentication?
* How do I decide my Authentication strategy in ASP.NET?
* How do I use Forms Authentication with SQL Server database?
* How do I use Forms Authentication with Active Directory?
* How do I enable Forms Authentication to work with multiple Active Directory domains?
* How do I protect Forms Authentication?
* How do I enforce strong passwords using the membership feature in ASP.NET 2.0?
* How do I protect passwords in user store?
* What are the issues with Forms Authentication in Web Farm Scenario?
* How do I implement single sign on using forms authentication?
* How do I use my custom user / identity store with forms authentication?
* How do I configure account lockout using the membership feature in ASP.NET 2.0?
* When and how do I use Windows authentication in ASP.NET 2.0?
* When and how do I use Kerberos authentication in ASP.NET 2.0?

Authorization

* What's new in ASP.NET 2.0 in terms of Authorization?
* What is the difference between URL authorization, file authorization and role authorization?
* How do I use URL Authorization in ASP.NET 2.0?
* How do I use File Authorization in ASP.NET 2.0?
* How do I use Role Authorization in ASP.NET 2.0?
* How is this different from the Authorization Manager APIs?
* How do I use Windows Groups for role authorization in ASP.NET 2.0?
* How do I use my custom role store for roles authorization?
* How do I cache roles in ASP.NET 2.0?
* How do I protect the authorization cookie when using role caching in ASP.NET 2.0?
* How do I lock authorization settings?
* How do I use Authorization Manager (AzMan) in my application?

Auditing and Logging

* What's new in ASP.NET 2.0 in terms of Auditing and Logging?
* How do I use the health monitoring feature in ASP.NET 2.0?
* Which security events does the health monitoring feature log by default?
* How do I instrument my application for security?
* When writing to a new event source from my ASP.NET application running under the Network Service security context, I get a registry permission exception. Why is this, and how do I correct it?
* How do I protect audit and log files?

Code Access Security

* What's new in ASP.NET 2.0 in terms of Code Access Security?
* How do I use code access security with ASP.NET?
* How do I create a custom trust level for ASP.NET?
* What are the permissions at the various trust levels?
* How do I write partial trust applications?
* When should I put assemblies in the GAC, and what are the security implications?

Impersonation / Delegation

* When do I use impersonation in ASP.NET 2.0?
* How do I impersonate the original caller?
* How do I temporarily impersonate the original caller?
* How do I impersonate a specific (fixed) identity?
* When should I use programmatic impersonation?
* How do I use programmatic impersonation?
* What is protocol transition and when do I care?
* What is Constrained Delegation?
* How can I retain impersonation in a new thread created from an ASP.NET application?
* How do I flow the original user identity to different layers?
* Can impersonation be used with Forms authentication?
* What are the requirements for using Kerberos delegation?
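An added example of temporarily impersonating the original caller (this is illustrative code written for this page, not code from the original guidance). It assumes Windows authentication is configured, so that the request's identity is a WindowsIdentity, and it uses a locally declared delegate type so it compiles against .NET 2.0, which has no Func<T>. The point a practitioner most often gets wrong is the revert: Undo() belongs in a finally block so that an exception in the impersonated work cannot leave the caller's token on the thread.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example, not from the original FAQ page.
// Delegate type declared here because .NET 2.0 ships no Func<T>.
public delegate T ImpersonatedWork<T>();

public static class CallerImpersonation
{
    // Runs 'work' under the authenticated caller's Windows token and always
    // reverts afterwards, even if 'work' throws. Impersonation that is not
    // undone stays on the thread and leaks into whatever runs next on it.
    public static T RunAsOriginalCaller<T>(ImpersonatedWork<T> work)
    {
        WindowsIdentity caller = HttpContext.Current.User.Identity as WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
        {
            // Forms authentication or anonymous access: there is no Windows
            // token for the caller, so there is nothing to impersonate.
            throw new InvalidOperationException("No authenticated Windows caller to impersonate.");
        }

        WindowsImpersonationContext ctx = caller.Impersonate();
        try
        {
            return work();
        }
        finally
        {
            ctx.Undo();   // back to the application pool / process identity
        }
    }
}

// Usage from a page or handler (C# 2.0 anonymous method syntax):
//   string who = CallerImpersonation.RunAsOriginalCaller<string>(delegate
//   {
//       return WindowsIdentity.GetCurrent().Name;   // the caller, not the worker process
//   });
```

Note that the impersonated token is bound to the current thread: work handed to a new thread or to the thread pool from inside the delegate runs as the process identity unless the token is captured and re-impersonated on that thread.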

Configuration

* What does a secure web.config look like?
* How do I encrypt sensitive data in machine.config or web.config file?
* How do I run an ASP.NET application with a particular identity?
* How do I create a service account for running my ASP.NET applications?
* Do I need to create a unique user account for each application pool?
* How do I lock configuration settings?
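An added example of the kind of web.config the first question in this section is asking about (written for this page, not taken from the original guidance). The login and error page paths and the Medium trust level are placeholders; the remaining settings are the ASP.NET 2.0 switches that close the usual gaps: cookies that are sent only over SSL and hidden from script, detailed errors kept off the wire, ViewState integrity-checked and encrypted, tracing and debug output off, and anonymous users denied by default.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original FAQ page. Paths and trust level are placeholders. -->
<configuration>
  <system.web>
    <!-- Forms authentication: ticket cookie only over SSL, never in the URL,
         encrypted and signed, with an absolute (non-sliding) lifetime. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             requireSSL="true"
             cookieless="UseCookies"
             protection="All"
             slidingExpiration="false"
             timeout="20"
             enableCrossAppRedirects="false" />
    </authentication>

    <!-- Deny anonymous users by default; open individual paths with <location>. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- All cookies (session, role cache, custom) are HttpOnly and SSL-only. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Detailed error pages stay on the server; remote clients see a generic page. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />

    <!-- ViewState is MAC-protected and encrypted; request validation stays on. -->
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" validateRequest="true" />

    <!-- Session cookie never falls back to the URL. -->
    <sessionState cookieless="UseCookies" timeout="20" />

    <!-- No trace output, no debug symbols in production. -->
    <trace enabled="false" localOnly="true" />
    <compilation debug="false" />

    <!-- Run with partial trust where the application allows it (placeholder level). -->
    <trust level="Medium" />

    <!-- In a web farm, add an explicit <machineKey> with identical validationKey and
         decryptionKey on every server so ViewState and forms tickets validate on all
         nodes; keys are omitted here rather than shown as sample values. -->
  </system.web>
</configuration>
```

Sensitive sections such as connectionStrings are encrypted in place with the aspnet_regiis tool rather than kept in clear text; a web.config like the one above is the baseline the "lock configuration settings" question then protects from being overridden by application-level files.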

Exception Handling

* How do I handle exceptions securely?
* How do I prevent detailed errors from returning to the client?
* How do I use structured exception handling?
* How do I setup a global exception handler for my application?
* How do I enable my ASP.NET application to write to new event source?

Data Access

* How do I protect the database connection strings in web.config file?
* How do I use Windows authentication for connecting to SQL Server?
* How do I use SQL authentication for connecting to SQL Server?
* When using Windows authentication, how can I give the default ASP.NET worker process access to a remote database server?


Input / Data Validation

* What are the types of input I need to validate in my ASP.NET application?
* How do I validate input in server-side controls?
* How do I validate input in HTML controls, cookies, and HTTP headers?
* What is SQL injection and how do I protect my application from SQL injection attacks?
* What is cross-site scripting and how do I protect my ASP.NET application from it?
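An added example covering the last two questions in this list (written for this page, not code from the original guidance). The table and column names, the input pattern, and the 256-character limit are assumed for illustration. It shows the SQL injection defect beside its fix, an allow-list constraint on the input, and HTML encoding of the same value before it is written back into a page, which is the cross-site scripting half of the problem.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not from the original FAQ page.
// Users/UserName/Email and the allowed-character pattern are assumptions.
public static class UserLookup
{
    // Allow-list: only characters a user name may legitimately contain, with a
    // length cap. Checked first so malformed input never reaches SQL or HTML.
    private static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9_.\-]{1,64}$", RegexOptions.Compiled);

    public static bool IsValidUserName(string userName)
    {
        return userName != null && UserNamePattern.IsMatch(userName);
    }

    // VULNERABLE: the value becomes part of the SQL text. An input such as
    //   x' OR 1=1 --
    // turns the WHERE clause into a tautology and returns every row.
    public static string VulnerableQueryText(string userName)
    {
        return "SELECT Email FROM Users WHERE UserName = '" + userName + "'";
    }

    // SAFE: the value travels as a typed parameter and can never change the
    // statement's structure, whatever characters it contains.
    public static SqlCommand SafeCommand(SqlConnection conn, string userName)
    {
        if (!IsValidUserName(userName))
            throw new ArgumentException("User name failed validation.", "userName");

        SqlCommand cmd = new SqlCommand(
            "SELECT Email FROM Users WHERE UserName = @UserName", conn);
        cmd.CommandType = CommandType.Text;
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
        return cmd;
    }

    // Output encoding: anything untrusted that is written into HTML is encoded
    // at the point of output, so <script> becomes &lt;script&gt; and is inert.
    public static string RenderGreeting(string userName)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(userName) + "</p>";
    }
}

// Usage, e.g. from Page_Load:
//   using (SqlConnection conn = new SqlConnection(connectionString))
//   using (SqlCommand cmd = UserLookup.SafeCommand(conn, Request.Form["user"]))
//   {
//       conn.Open();
//       object email = cmd.ExecuteScalar();
//       literalGreeting.Text = UserLookup.RenderGreeting(Request.Form["user"]);
//   }
```

Request validation (validateRequest="true") rejects the most obvious markup in form fields but is not a substitute for the two controls above: the parameter protects the database no matter what the input looks like, and HtmlEncode protects the page no matter where the data came from (including the database).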

Sensitive Data

* How do I protect my web application's ViewState?
* What care should I take when securing ViewState in a web farm scenario?
* How do I protect sensitive data in the database?
* How do I protect sensitive data in configuration files?
* How do I protect sensitive data in memory?
* How do I protect passwords?
* How do I secure Session State information?

Strong Naming and Signing

* How do I strong-name an ASP.NET application assembly?
* How do I delay sign an ASP.NET application assembly?
* When should I use .pfx files?
* When should I pre-compile my ASP.NET application?
* How do I pre-compile my ASP.NET application?
* How do I strong name an ASP.NET application?
* How do I sign .NET assemblies with an Authenticode signature?

Obfuscation

* How should I prevent someone from disassembling my code?

Others

* How do I set up a SQL Server or SQL Express database for Membership, Profiles and Role Management?
