ADO.NET 1.1 Security Guidelines
From Guidance Share
- J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan
Design Guidelines
- Use Windows authentication.
- Use least privileged accounts.
- Use stored procedures.
- Protect sensitive data in storage.
- Use separate data access assemblies.
Authentication
- Use Windows authentication.
- Protect the credentials for SQL authentication.
- Connect using a least privileged account.
Authorization
- Restrict unauthorized callers.
- Restrict unauthorized code.
- Restrict the application in the database.
Configuration Management
Exception Management
- Trap and log ADO.NET exceptions.
- Ensure database connections are always closed.
- Use a generic error page in your ASP.NET applications.
Input Validation
Sensitive Data
- Encrypt sensitive data if you need to store it.
- Secure sensitive data over the network.
- Store password hashes with salt.
Deployment Considerations
- Firewall restrictions.
- Connection string management.
- Login account configuration.
- Logon auditing.
- Data privacy and integrity on the network.
References
- See Building Secure Data Access at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh14.asp