ADO.NET 2.0 Security Checklists

- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Chaitanya Bijwe

Input / Data Validation

Regular expressions are used to validate input against expected patterns.
In ASP .NET applications, ASP.NET validator controls are used to constrain and validate input.
The application does not rely only on ASP.NET request validation.
All untrusted input is validated inside data access methods.

Input data is constrained and sanitized. Data is checked for type, length, format, and range.
Type-safe SQL parameters are used for data access.
Where possible, dynamic queries that accept untrusted input are avoided.
With dynamic SQL, character escaping is used to handle special input characters.
The application login is restricted and has limited database permissions.

Where possible, Windows authentication is used to avoid placing credentials in connection strings.
Aspnet_regiis is used to encrypt credentials stored in connection strings in configuration files.
RSA encryption is used to protect credentials stored in connection strings on Web farm servers.
In the connection string, the PersistSecurityInfo attribute is not specified or is set to false or no.
Where possible, connection strings are not constructed with user input.
If user input must be used to build connection strings, the input is validated and ConnectionStringBuilder is used.
Where possible, Universal Data Link (UDL) files for OLE DB data sources are avoided.

Where possible, Windows authentication is used to connect to the database.
If SQL authentication is used, then strong passwords are used and enforced.
If SQL authentication is used, then IPSec or SSL is used to protect credentials on the network.
If SQL authentication is used, then Aspnet_regiis is used to encrypt connection strings in configuration files.
RSA encryption is used to protect credentials stored in connection strings on Web farm servers.
The account used to connect to the database has restricted database permissions.

Role checks or declarative or imperative principal permission checks are used to restrict calling users..
Where appropriate, the data access library code is designed to restrict the access of calling code.
The data access library code uses strong names to constrain partial trust callers.
Application-specific data access code is placed in the application's bin directory.
The application's database login is restricted in the database and can execute selected stored procedures only. The application login has no direct table access.

Database connections are closed with using statements or in finally blocks.
ADO.NET exceptions are not propagated to users. Only generic exception information is displayed.
In ASP.NET applications, a generic error page is used to avoid accidentally returning detailed error information to the client.
ADO.NET exception details are logged on the server.

If sensitive data must be stored, then a strong symmetric encryption algorithm such as AES is used to encrypt it. DPAPI is used to protect symmetric encryption keys.
Sensitive data is protected with IPSec or SSL on the network.
Passwords are stored as irreversible hash values with added salt. Passwords are not stored in clear text or in encrypted format.

A custom ASP.NET policy is used to access non-SQL Server databases from partial trust ASP.NET applications.
Extended OleDbPermission syntax is used to restrict database access on hosted servers.
StrongNameIdentityPermission is not the only means used to restrict full trust callers.

Only required ports are opened and firewall restrictions are applied for the application.
If credentials are stored in configuration files, they are encrypted. RSA encryption is used on Web farm servers.
Database auditing is enabled and failed login attempts are logged.