ADO.NET 2.0 Security Checklists
From Guidance Share
Revision as of 04:00, 6 March 2007; Admin (Talk | contribs)
- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Chaitanya Bijwe
Input / Data Validation
- Regular expressions are used to validate input against expected patterns.
- In ASP .NET applications, ASP.NET validator controls are used to constrain and validate input.
- The application does not rely only on ASP.NET request validation.
- All untrusted input is validated inside data access methods.
SQL Injection
- Input data is constrained and sanitized. Data is checked for type, length, format, and range.
- Type-safe SQL parameters are used for data access.
- Where possible, dynamic queries that accept untrusted input are avoided.
- With dynamic SQL, character escaping is used to handle special input characters.
- The application login is restricted and has limited database permissions.
Configuration and Connection Strings
- Where possible, Windows authentication is used to avoid placing credentials in connection strings.
- Aspnet_regiis is used to encrypt credentials stored in connection strings in configuration files.
- RSA encryption is used to protect credentials stored in connection strings on Web farm servers.
- In the connection string, the PersistSecurityInfo attribute is not specified or is set to false or no.
- Where possible, connection strings are not constructed with user input.
- If user input must be used to build connection strings, the input is validated and ConnectionStringBuilder is used.
- Where possible, Universal Data Link (UDL) files for OLE DB data sources are avoided.
Authentication
- Where possible, Windows authentication is used to connect to the database.
- If SQL authentication is used, then strong passwords are used and enforced.
- If SQL authentication is used, then IPSec or SSL is used to protect credentials on the network.
- If SQL authentication is used, then Aspnet_regiis is used to encrypt connection strings in configuration files.
- RSA encryption is used to protect credentials stored in connection strings on Web farm servers.
- The account used to connect to the database has restricted database permissions.
Authorization
- Role checks or declarative or imperative principal permission checks are used to restrict calling users.
- Where appropriate, the data access library code is designed to restrict the access of calling code.
- The data access library code uses strong names to constrain partial trust callers.
- Application-specific data access code is placed in the application's bin directory.
- The application's database login is restricted in the database and can execute selected stored procedures only. The application login has no direct table access.
Exception Management
- Database connections are closed with using statements or in finally blocks.
- ADO.NET exceptions are not propagated to users. Only generic exception information is displayed.
- In ASP.NET applications, a generic error page is used to avoid accidentally returning detailed error information to the client.
- ADO.NET exception details are logged on the server.
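As an added example, not part of the original checklist, the following C# applies the SQL Injection and Exception Management items to one data access method: input constrained with a regular expression, a type-safe SqlParameter instead of string concatenation, the connection closed by using blocks, and ADO.NET exception details logged on the server while only a generic message reaches the caller. The connection string, the Customers table, its columns and the five-letter customer ID format are assumptions for this example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Text.RegularExpressions;

public static class CustomerData
{
    // Assumed for this example: Windows authentication, so no credentials in the string.
    private const string ConnectionString =
        "Data Source=(local);Initial Catalog=Northwind;Integrated Security=SSPI;";

    // Assumed format for a customer ID: exactly five upper-case letters.
    private static readonly Regex CustomerIdPattern = new Regex(@"^[A-Z]{5}$", RegexOptions.Compiled);

    // Vulnerable form: the input becomes part of the SQL text, so a quote character
    // in customerId changes the statement the server executes.
    public static string BuildUnsafeQuery(string customerId)
    {
        return "SELECT CompanyName FROM Customers WHERE CustomerID = '" + customerId + "'";
    }

    // Hardened form: validate, parameterize, close the connection, hide exception details.
    public static string GetCompanyName(string customerId)
    {
        // Constrain type, length and format before the value reaches the database.
        if (customerId == null || !CustomerIdPattern.IsMatch(customerId))
            throw new ArgumentException("Customer ID has an unexpected format.", "customerId");
        // The parameter is sent as typed data; it is never parsed as SQL.
        const string sql = "SELECT CompanyName FROM Customers WHERE CustomerID = @CustomerID";
        try
        {
            // using blocks close the connection even when an exception is thrown.
            using (SqlConnection connection = new SqlConnection(ConnectionString))
            using (SqlCommand command = new SqlCommand(sql, connection))
            {
                command.Parameters.Add("@CustomerID", SqlDbType.NChar, 5).Value = customerId;
                connection.Open();
                object result = command.ExecuteScalar();
                return result == null ? null : (string)result;
            }
        }
        catch (SqlException ex)
        {
            // Log the full details on the server; return only a generic message to the caller.
            EventLog.WriteEntry("CustomerData", ex.ToString(), EventLogEntryType.Error);
            throw new ApplicationException("A data access error occurred.");
        }
    }
}
```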
Sensitive Data
- If sensitive data must be stored, then a strong symmetric encryption algorithm such as AES is used to encrypt it. DPAPI is used to protect symmetric encryption keys.
- Sensitive data is protected with IPSec or SSL on the network.
- Passwords are stored as irreversible hash values with added salt. Passwords are not stored in clear text or in encrypted format.
Code Access Security
- A custom ASP.NET policy is used to access non-SQL Server databases from partial trust ASP.NET applications.
- Extended OleDbPermission syntax is used to restrict database access on hosted servers.
- StrongNameIdentityPermission is not the only means used to restrict full trust callers.
Deployment Considerations
- Only required ports are opened and firewall restrictions are applied for the application.
- If credentials are stored in configuration files, they are encrypted. RSA encryption is used on Web farm servers.
- Database auditing is enabled and failed login attempts are logged.