Friday, December 26, 2008

ASP.NET Basic Security

ASP.NET Basic security we will implement in our website.Every one want to know about security issue in ASP.NET web application, here I am showing basic security that you must know before working any website.
I am going to filter this point according to priority basic.
a) Design Issue
  1. Proper validation for numeric, alphanumeric, date time, maximum length and other search filed.
  2. Absolute URLs must be used.
  3. Our all input parameter will be validated.
  4. Query strings with server secrets are hashed.
  5. Required filed required, if field are necessary in database. There must be a proper treatment of null values.
  6. Web control user control
b) Coding part
  1. Documentation of session and view state is necessary for using in near future.
  2. SQL parameters are used in data access code to validate length and type of data and to help prevent SQL injection.
  3. Passwords are not being stored in the session directly
  4. Strong password policies are implemented for authentication.
  5. Connection strings are encrypted by using Aspnet_setreg.exe.
  6. Proper error handling is necessary.
  7. Proper try catch block necessary, not necessary to every where.
  8. View state is protected using message authentication codes (MACs).
c) Data Store
  1. We will not store our sensitive data in cookies, hidden form fields, or query strings.
  2. Session and view state object must be use in proper format, NULL value checking is necessary
d) Before Publish part
  1. Compilation debug=false at sever side.
  2. We need to set a default, page in the IIS.
  3. For IIS Web permissions are configured. Bin directory does not have Read, Write, or Directory browsing permissions. Execute permissions are set to none. Authentication settings are removed (so that all access is denied).
  4. Proper read write permission required according to the users.
  5. Error handling page required, Generic error pages with harmless messages are returned to the client.
If you want to know detail security detail of ASP.NET then please knock MSDN



0 Responses to "ASP.NET Basic Security"

Copyright 2009 All Rights Reserved Shakti Singh Dulawat