ADO.NET 2.0 Security Guidelines

From Guidance Share

(Difference between revisions)
Jump to: navigation, search
Revision as of 06:06, 30 October 2006 (edit)
Admin (Talk | contribs)

← Previous diff
Revision as of 07:43, 30 October 2006 (edit)
Admin (Talk | contribs)

Next diff →
Line 1: Line 1:
 +
 +== Authentication ==
 +* [[If possible, use Windows authentication]]
 +* [[If you use SQL authentication, use strong passwords]]
 +* [[If you use SQL authentication, protect credentials over the network]]
 +* [[If you use SQL authentication, protect credentials in configuration files]]
 +* [[Consider which identity to use to connect to the database]]
 +
 +== Authorization ==
 +* [[Restrict unauthorized callers]]
 +* [[Restrict unauthorized code]]
 +* [[Restrict application access to the database]]
 +
 +== Code Access Security Considerations ==
 +* [[Use a Custom Policy if You Need to Access Non-SQL Server Databases from Partial Trust ASP.NET Applications]]
 +* [[Consider Restricting Database Access on Hosted Servers]]
 +* [[Do Not Rely on StrongNameIdentityPermission to Restrict Full Trust Callers]]
 +
 +== Configuration and Connection Strings ==
 +* [[Avoid credentials in connection strings]]
 +* [[Store encrypted connection strings in configuration files]]
 +* [[Do not use Persist Security Info='True' or 'Yes']]
 +* [[Avoid connection strings constructed with user input]]
 +* [[Avoid Universal Data Link (UDL) files where possible]]
 +
 +
 +
 +== Exception Management ==
 +* [[Use finally blocks to make sure that database connections are closed]]
 +* [[Consider employing the Using statement to make sure that database connections are closed]]
 +* [[Avoid propagating ADO.NET exceptions to users]]
 +* [[In ASP.NET, use a generic error page]]
 +* [[Log ADO.NET exception details on the server]]
 +
 +== Input / Data Validation ==
 +* [[Use regular expressions to validate input by comparing against expected patterns]]
 +* [[If you use ASP.NET, use ASP.NET validator controls]]
 +* [[Do not rely on ASP.NET request validation]]
 +* [[Validate untrusted input passed to data access methods]]
 +
 +== Sensitive Data ==
 +* [[If you need to store sensitive data, encrypt it]]
 +* [[Protect sensitive data on the network]]
 +* [[Store hashes with salt instead of passwords]]
 +
 +== SQL Injection ==
 +* [[Constrain and sanitize input data]]
 +* [[Use type-safe SQL parameters for data access]]
 +* [[Avoid dynamic queries that accept untrusted input]]
 +* [[With dynamic SQL, use character escaping to handle special input characters]]
 +* [[Use an account that has restricted permissions in the database]]
 +
 +
 +== Deployment Considerations ==
 +* [[Apply Firewall Restrictions and Make Sure that Only the Required Ports are Open]]
 +* [[Store Encrypted Connection Strings in the Web.config File]]
 +* [[Use a Least-Privileged Database Login]]
 +* [[Enable Database Auditing, and Log Failed Login Attempts]]
 +* [[Protect Data Privacy and Integrity over the Network]]
 +
 +== References ==
 +* See Security Guidelines: ADO.NET 2.0 at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGGuidelines0002.asp
[[Category: ADO.NET 2.0]] [[Category: ADO.NET 2.0]]

Revision as of 07:43, 30 October 2006

Contents

Authentication

Authorization

Code Access Security Considerations

Configuration and Connection Strings


Exception Management

Input / Data Validation

Sensitive Data

SQL Injection


Deployment Considerations

References

Personal tools