ADO.NET 2.0 Security Checklists

From Guidance Share

Revision as of 08:01, 13 October 2006 (Admin); current revision 03:53, 13 December 2007 (JD).


Current revision

- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Chaitanya Bijwe

Input / Data Validation

  • Regular expressions are used to validate input against expected patterns.
  • In ASP.NET applications, ASP.NET validator controls are used to constrain and validate input.
  • The application does not rely only on ASP.NET request validation.
  • All untrusted input is validated inside data access methods.


SQL Injection

  • Input data is constrained and sanitized. Data is checked for type, length, format, and range.
  • Type-safe SQL parameters are used for data access.
  • Where possible, dynamic queries that accept untrusted input are avoided.
  • With dynamic SQL, character escaping is used to handle special input characters.
  • The application login is restricted and has limited database permissions.

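The first three SQL Injection items, shown side by side as an added example (not code from the original checklist); the table dbo.Customers(CustomerId int, Name nvarchar(50)) is hypothetical:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example; not from the original checklist. Assumes a hypothetical
// table dbo.Customers(CustomerId int, Name nvarchar(50)).
public static class CustomerData
{
    // BEFORE: the user-supplied value is pasted into the SQL text, so a
    // value containing a quote character is parsed as SQL, not as data.
    public static DataTable GetCustomerUnsafe(string connectionString, string name)
    {
        string sql = "SELECT CustomerId, Name FROM dbo.Customers WHERE Name = '" + name + "'";
        DataTable result = new DataTable();
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            result.Load(cmd.ExecuteReader());
        }
        return result;
    }

    // AFTER: constrain the input (type, length), then pass it as a typed, sized
    // parameter. The value travels separately from the SQL text and is never
    // parsed as SQL; the declared SqlDbType and size fix what the server sees.
    public static DataTable GetCustomer(string connectionString, string name)
    {
        if (string.IsNullOrEmpty(name) || name.Length > 50)
            throw new ArgumentException("name must be between 1 and 50 characters.");

        const string sql = "SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @Name";
        DataTable result = new DataTable();
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 50).Value = name;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
        }
        return result;
    }
}
```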

Configuration and Connection Strings

  • Where possible, Windows authentication is used to avoid placing credentials in connection strings.
  • Aspnet_regiis is used to encrypt credentials stored in connection strings in configuration files.
  • RSA encryption is used to protect credentials stored in connection strings on Web farm servers.
  • In the connection string, the PersistSecurityInfo attribute is not specified or is set to false or no.
  • Where possible, connection strings are not constructed with user input.
  • If user input must be used to build connection strings, the input is validated and ConnectionStringBuilder is used.
  • Where possible, Universal Data Link (UDL) files for OLE DB data sources are avoided.

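An added example (not from the original checklist) of the last three items above, together with the regular-expression validation from Input / Data Validation; the scenario, in which the user picks the server name while everything else is fixed by the application, is hypothetical:

```csharp
using System;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example; not from the original checklist. Hypothetical scenario: the
// user chooses the server to report against; everything else is fixed.
public static class ConnectionStrings
{
    // Host name, optionally with "\instance": letters, digits, '.', '-', '_'.
    // ';' and '=' cannot pass, so no keyword can be smuggled in via the value.
    private static readonly Regex ServerPattern =
        new Regex(@"^[A-Za-z0-9][A-Za-z0-9.\-]{0,62}(\\[A-Za-z0-9_]{1,16})?$", RegexOptions.Compiled);

    // BEFORE: concatenation. A value containing ';' appends further keywords to
    // the finished string, and the last occurrence of a keyword wins.
    public static string BuildUnsafe(string userSuppliedServer)
    {
        return "Data Source=" + userSuppliedServer + ";Initial Catalog=Orders;Integrated Security=SSPI";
    }

    // AFTER: reject unexpected input, then let the builder quote each value.
    public static string Build(string userSuppliedServer)
    {
        if (userSuppliedServer == null || !ServerPattern.IsMatch(userSuppliedServer))
            throw new ArgumentException("Server name has an unexpected format.");

        SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder();
        builder.DataSource = userSuppliedServer;
        builder.InitialCatalog = "Orders";
        builder.IntegratedSecurity = true;    // Windows authentication: no password in the string
        builder.PersistSecurityInfo = false;  // an open connection will not hand credentials back
        builder.ConnectTimeout = 15;
        return builder.ConnectionString;
    }
}
```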

Authentication

  • Where possible, Windows authentication is used to connect to the database.
  • If SQL authentication is used, then strong passwords are used and enforced.
  • If SQL authentication is used, then IPSec or SSL is used to protect credentials on the network.
  • If SQL authentication is used, then Aspnet_regiis is used to encrypt connection strings in configuration files.
  • RSA encryption is used to protect credentials stored in connection strings on Web farm servers.
  • The account used to connect to the database has restricted database permissions.


Authorization

  • Role checks or declarative or imperative principal permission checks are used to restrict calling users.
  • Where appropriate, the data access library code is designed to restrict the access of calling code.
  • The data access library code uses strong names to constrain partial trust callers.
  • Application-specific data access code is placed in the application's bin directory.
  • The application's database login is restricted in the database and can execute selected stored procedures only. The application login has no direct table access.


Exception Management

  • Database connections are closed with using statements or in finally blocks.
  • ADO.NET exceptions are not propagated to users. Only generic exception information is displayed.
  • In ASP.NET applications, a generic error page is used to avoid accidentally returning detailed error information to the client.
  • ADO.NET exception details are logged on the server.

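One data access method that applies both the Authorization items (principal permission check, stored-procedure-only login) and the Exception Management items above, as an added example rather than code from the checklist; the role name, the stored procedure dbo.GetOrderTotal and the event log source are hypothetical, and Thread.CurrentPrincipal is assumed to be set by the application (for instance through ASP.NET role management):

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Security.Permissions;

// Added example; not from the original checklist. Assumes Thread.CurrentPrincipal
// is set by the application, that the database login may execute only the
// hypothetical stored procedure dbo.GetOrderTotal(@OrderId int), and that the
// event log source "OrderApp" was registered at install time.
public static class OrderData
{
    // Declarative principal permission: callers outside the OrderReaders role
    // get a SecurityException before any data access code runs.
    // (Imperative form: new PrincipalPermission(null, "OrderReaders").Demand();)
    [PrincipalPermission(SecurityAction.Demand, Role = "OrderReaders")]
    public static decimal GetOrderTotal(string connectionString, int orderId)
    {
        try
        {
            // using blocks close the connection even when ExecuteScalar throws.
            using (SqlConnection conn = new SqlConnection(connectionString))
            using (SqlCommand cmd = new SqlCommand("dbo.GetOrderTotal", conn))
            {
                cmd.CommandType = CommandType.StoredProcedure;
                cmd.Parameters.Add("@OrderId", SqlDbType.Int).Value = orderId;
                conn.Open();
                object value = cmd.ExecuteScalar();
                return (value == null || value == DBNull.Value) ? 0m : (decimal)value;
            }
        }
        catch (SqlException ex)
        {
            // Server name, error number, procedure and message stay on the
            // server; the caller gets a generic message with no inner exception.
            LogServerSide(ex);
            throw new ApplicationException("The order total could not be retrieved.");
        }
    }

    private static void LogServerSide(SqlException ex)
    {
        string entry = string.Format("SqlException {0} in {1} on {2}: {3}",
                                     ex.Number, ex.Procedure, ex.Server, ex.Message);
        EventLog.WriteEntry("OrderApp", entry, EventLogEntryType.Error);
    }
}
```

The generic exception deliberately carries no inner exception, so even a misconfigured ASP.NET error page cannot echo the SqlException details to the client.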

Sensitive Data

  • If sensitive data must be stored, then a strong symmetric encryption algorithm such as AES is used to encrypt it. DPAPI is used to protect symmetric encryption keys.
  • Sensitive data is protected with IPSec or SSL on the network.
  • Passwords are stored as irreversible hash values with added salt. Passwords are not stored in clear text or in encrypted format.

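The first Sensitive Data item, AES for the data with DPAPI protecting the AES key, as an added example that is not part of the original checklist; the key file path and the entropy bytes are hypothetical, and the application is assumed to run under one fixed Windows account:

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example; not from the original checklist. AES (RijndaelManaged: 128-bit
// block, CBC, PKCS7) protects the data; DPAPI (ProtectedData) protects the AES
// key on disk. The key file path and the entropy value are hypothetical.
public static class SensitiveStore
{
    private const string KeyFile = @"C:\inetpub\secure\orders.key";
    // Extra entropy binds the blob to this application: another process running
    // as the same Windows account cannot simply call Unprotect on the file.
    private static readonly byte[] Entropy = { 0x4f, 0x72, 0x64, 0x65, 0x72, 0x41, 0x70, 0x70 };

    // Run once, at install time, under the account the application runs as.
    public static void CreateKeyFile()
    {
        byte[] key = new byte[32];                       // AES-256 key
        new RNGCryptoServiceProvider().GetBytes(key);
        File.WriteAllBytes(KeyFile, ProtectedData.Protect(key, Entropy, DataProtectionScope.CurrentUser));
    }

    private static byte[] LoadKey()
    {
        return ProtectedData.Unprotect(File.ReadAllBytes(KeyFile), Entropy, DataProtectionScope.CurrentUser);
    }
    // Output layout: 16-byte random IV followed by the ciphertext.
    public static byte[] Encrypt(byte[] plaintext)
    {
        using (RijndaelManaged aes = new RijndaelManaged())
        using (MemoryStream ms = new MemoryStream())
        {
            aes.Key = LoadKey();
            aes.GenerateIV();
            ms.Write(aes.IV, 0, aes.IV.Length);
            using (CryptoStream cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
                cs.Write(plaintext, 0, plaintext.Length);   // disposal writes the final padded block
            return ms.ToArray();
        }
    }

    public static byte[] Decrypt(byte[] blob)
    {
        byte[] iv = new byte[16];
        Array.Copy(blob, iv, 16);
        using (RijndaelManaged aes = new RijndaelManaged())
        using (ICryptoTransform decryptor = aes.CreateDecryptor(LoadKey(), iv))
            return decryptor.TransformFinalBlock(blob, 16, blob.Length - 16);
    }
}
```

CBC on its own gives confidentiality only; if the stored blob could be modified by anyone other than the application, add an HMAC over IV and ciphertext and verify it before calling Decrypt.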

Code Access Security

  • A custom ASP.NET policy is used to access non-SQL Server databases from partial trust ASP.NET applications.
  • Extended OleDbPermission syntax is used to restrict database access on hosted servers.
  • StrongNameIdentityPermission is not the only means used to restrict full trust callers.


Deployment Considerations

  • Only required ports are opened and firewall restrictions are applied for the application.
  • If credentials are stored in configuration files, they are encrypted. RSA encryption is used on Web farm servers.
  • Database auditing is enabled and failed login attempts are logged.