ADO.NET 2.0 Security Guidelines

From Guidance Share

(Difference between revisions)
Jump to: navigation, search
Revision as of 07:43, 30 October 2006 (edit)
Admin (Talk | contribs)

← Previous diff
Current revision (04:43, 6 March 2007) (edit)
Admin (Talk | contribs)

 
Line 1: Line 1:
 +- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Chaitanya Bijwe
-== Authentication == 
-* [[If possible, use Windows authentication]] 
-* [[If you use SQL authentication, use strong passwords]] 
-* [[If you use SQL authentication, protect credentials over the network]] 
-* [[If you use SQL authentication, protect credentials in configuration files]] 
-* [[Consider which identity to use to connect to the database]] 
-== Authorization ==+== [[ADO.NET 2.0 Security Guidelines - Authentication | Authentication]] ==
-* [[Restrict unauthorized callers]]+* [[ADO.NET 2.0 Security Guidelines - Authentication | If possible, use Windows authentication]]
-* [[Restrict unauthorized code]]+* [[ADO.NET 2.0 Security Guidelines - Authentication | If you use SQL authentication, use strong passwords]]
-* [[Restrict application access to the database]]+* [[ADO.NET 2.0 Security Guidelines - Authentication | If you use SQL authentication, protect credentials over the network]]
 +* [[ADO.NET 2.0 Security Guidelines - Authentication | If you use SQL authentication, protect credentials in configuration files]]
 +* [[ADO.NET 2.0 Security Guidelines - Authentication | Consider which identity to use to connect to the database]]
-== Code Access Security Considerations == 
-* [[Use a Custom Policy if You Need to Access Non-SQL Server Databases from Partial Trust ASP.NET Applications]] 
-* [[Consider Restricting Database Access on Hosted Servers]] 
-* [[Do Not Rely on StrongNameIdentityPermission to Restrict Full Trust Callers]] 
-== Configuration and Connection Strings ==+== [[ADO.NET 2.0 Security Guidelines - Authorization | Authorization]] ==
-* [[Avoid credentials in connection strings]]+* [[ADO.NET 2.0 Security Guidelines - Authorization | Restrict unauthorized callers]]
-* [[Store encrypted connection strings in configuration files]]+* [[ADO.NET 2.0 Security Guidelines - Authorization | Restrict unauthorized code]]
-* [[Do not use Persist Security Info='True' or 'Yes']]+* [[ADO.NET 2.0 Security Guidelines - Authorization | Restrict application access to the database]]
-* [[Avoid connection strings constructed with user input]]+
-* [[Avoid Universal Data Link (UDL) files where possible]]+
 +== [[ADO.NET 2.0 Security Guidelines - Code Access Security Considerations | Code Access Security Considerations]] ==
 +* [[ADO.NET 2.0 Security Guidelines - Code Access Security Considerations | Use a Custom Policy if You Need to Access Non-SQL Server Databases from Partial Trust ASP.NET Applications]]
 +* [[ADO.NET 2.0 Security Guidelines - Code Access Security Considerations | Consider Restricting Database Access on Hosted Servers]]
 +* [[ADO.NET 2.0 Security Guidelines - Code Access Security Considerations | Do Not Rely on StrongNameIdentityPermission to Restrict Full Trust Callers]]
 +
-== Exception Management == 
-* [[Use finally blocks to make sure that database connections are closed]] 
-* [[Consider employing the Using statement to make sure that database connections are closed]] 
-* [[Avoid propagating ADO.NET exceptions to users]] 
-* [[In ASP.NET, use a generic error page]] 
-* [[Log ADO.NET exception details on the server]] 
-== Input / Data Validation ==+== [[ADO.NET 2.0 Security Guidelines - Configuration and Connection Strings | Configuration and Connection Strings]] ==
-* [[Use regular expressions to validate input by comparing against expected patterns]]+* [[ADO.NET 2.0 Security Guidelines - Configuration and Connection Strings | Avoid credentials in connection strings]]
-* [[If you use ASP.NET, use ASP.NET validator controls]]+* [[ADO.NET 2.0 Security Guidelines - Configuration and Connection Strings | Store encrypted connection strings in configuration files]]
-* [[Do not rely on ASP.NET request validation]]+* [[ADO.NET 2.0 Security Guidelines - Configuration and Connection Strings | Do not use Persist Security Info='True' or 'Yes']]
-* [[Validate untrusted input passed to data access methods]]+* [[ADO.NET 2.0 Security Guidelines - Configuration and Connection Strings | Avoid connection strings constructed with user input]]
 +* [[ADO.NET 2.0 Security Guidelines - Configuration and Connection Strings | Avoid Universal Data Link (UDL) files where possible]]
-== Sensitive Data == 
-* [[If you need to store sensitive data, encrypt it]] 
-* [[Protect sensitive data on the network]] 
-* [[Store hashes with salt instead of passwords]] 
-== SQL Injection ==+== [[ADO.NET 2.0 Security Guidelines - Exception Management | Exception Management]] ==
-* [[Constrain and sanitize input data]]+* [[ADO.NET 2.0 Security Guidelines - Exception Management | Use finally blocks to make sure that database connections are closed]]
-* [[Use type-safe SQL parameters for data access]]+* [[ADO.NET 2.0 Security Guidelines - Exception Management | Consider employing the Using statement to make sure that database connections are closed]]
-* [[Avoid dynamic queries that accept untrusted input]]+* [[ADO.NET 2.0 Security Guidelines - Exception Management | Avoid propagating ADO.NET exceptions to users]]
-* [[With dynamic SQL, use character escaping to handle special input characters]]+* [[ADO.NET 2.0 Security Guidelines - Exception Management | In ASP.NET, use a generic error page]]
-* [[Use an account that has restricted permissions in the database]]+* [[ADO.NET 2.0 Security Guidelines - Exception Management | Log ADO.NET exception details on the server]]
-== Deployment Considerations ==+== [[ADO.NET 2.0 Security Guidelines - Input / Data Validation | Input / Data Validation]] ==
-* [[Apply Firewall Restrictions and Make Sure that Only the Required Ports are Open]]+* [[ADO.NET 2.0 Security Guidelines - Input / Data Validation | Use regular expressions to validate input by comparing against expected patterns]]
-* [[Store Encrypted Connection Strings in the Web.config File]]+* [[ADO.NET 2.0 Security Guidelines - Input / Data Validation | Use regular expressions to validate input by comparing against expected patterns]]
-* [[Use a Least-Privileged Database Login]]+* [[ADO.NET 2.0 Security Guidelines - Input / Data Validation | If you use ASP.NET, use ASP.NET validator controls]]
-* [[Enable Database Auditing, and Log Failed Login Attempts]]+* [[ADO.NET 2.0 Security Guidelines - Input / Data Validation | Do not rely on ASP.NET request validation]]
-* [[Protect Data Privacy and Integrity over the Network]]+* [[ADO.NET 2.0 Security Guidelines - Input / Data Validation | Validate untrusted input passed to data access methods]]
 + 
 + 
 +== [[ADO.NET 2.0 Security Guidelines - Sensitive Data | Sensitive Data]] ==
 +* [[ADO.NET 2.0 Security Guidelines - Sensitive Data | If you need to store sensitive data, encrypt it]]
 +* [[ADO.NET 2.0 Security Guidelines - Sensitive Data | Protect sensitive data on the network]]
 +* [[ADO.NET 2.0 Security Guidelines - Sensitive Data | Store hashes with salt instead of passwords]]
 + 
 + 
 +== [[ADO.NET 2.0 Security Guidelines - SQL Injection | SQL Injection]] ==
 +* [[ADO.NET 2.0 Security Guidelines - SQL Injection | Constrain and sanitize input data]]
 +* [[ADO.NET 2.0 Security Guidelines - SQL Injection | Use type-safe SQL parameters for data access]]
 +* [[ADO.NET 2.0 Security Guidelines - SQL Injection | Avoid dynamic queries that accept untrusted input]]
 +* [[ADO.NET 2.0 Security Guidelines - SQL Injection | With dynamic SQL, use character escaping to handle special input characters]]
 +* [[ADO.NET 2.0 Security Guidelines - SQL Injection | Use an account that has restricted permissions in the database]]
 + 
 + 
 +== [[ADO.NET 2.0 Security Guidelines - Deployment Considerations | Deployment Considerations]] ==
 +* [[ADO.NET 2.0 Security Guidelines - Deployment Considerations | Apply Firewall Restrictions and Make Sure that Only the Required Ports are Open]]
 +* [[ADO.NET 2.0 Security Guidelines - Deployment Considerations | Store Encrypted Connection Strings in the Web.config File]]
 +* [[ADO.NET 2.0 Security Guidelines - Deployment Considerations | Use a Least-Privileged Database Login]]
 +* [[ADO.NET 2.0 Security Guidelines - Deployment Considerations | Enable Database Auditing, and Log Failed Login Attempts]]
 +* [[ADO.NET 2.0 Security Guidelines - Deployment Considerations | Protect Data Privacy and Integrity over the Network]]
 + 
== References == == References ==
Line 63: Line 73:
[[Category: ADO.NET 2.0]] [[Category: ADO.NET 2.0]]
 +[[Category: Guidelines]]

Current revision

- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Chaitanya Bijwe


Contents

Authentication


Authorization


Code Access Security Considerations


Configuration and Connection Strings


Exception Management


Input / Data Validation


Sensitive Data


SQL Injection


Deployment Considerations


References

Personal tools