ADO.NET 2.0 Security Checklists

From Guidance Share


- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Chaitanya Bijwe



Input / Data Validation

  • Regular expressions are used to validate input against expected patterns.
  • In ASP.NET applications, ASP.NET validator controls are used to constrain and validate input.
  • The application does not rely only on ASP.NET request validation.
  • All untrusted input is validated inside data access methods.


SQL Injection

  • Input data is constrained and sanitized. Data is checked for type, length, format, and range.
  • Type-safe SQL parameters are used for data access.
  • Where possible, dynamic queries that accept untrusted input are avoided.
  • With dynamic SQL, character escaping is used to handle special input characters.
  • The application login is restricted and has limited database permissions.
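The following is an added example, not part of the Guidance Share checklist: the injectable dynamic-query pattern beside the constrained, parameterized form the items above call for. The table and column names (Customers, CustomerId, Name) and the stored procedure usp_GetCustomerOrderCount are assumed for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class CustomerRepository
{
    // VULNERABLE: the caller's input is concatenated into the command text, so
    // the input itself can change the meaning of the query. Kept here only as
    // the "before" form; do not use.
    public static DataTable FindByNameUnsafe(string connectionString, string name)
    {
        string sql = "SELECT CustomerId, Name FROM Customers WHERE Name = '" + name + "'";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
        {
            DataTable table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // SAFE: input is constrained for type, length, format and range first, then
    // passed as a type-safe parameter so the provider never parses it as SQL.
    public static DataTable FindByName(string connectionString, string name)
    {
        // Whitelist check. An apostrophe is allowed (names like O'Brien) because the
        // parameter, not string escaping, keeps it from terminating the literal.
        if (string.IsNullOrEmpty(name) || name.Length > 50 ||
            !Regex.IsMatch(name, @"^[A-Za-z .'-]+$"))
        {
            throw new ArgumentException("Invalid customer name.", "name");
        }

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT CustomerId, Name FROM Customers WHERE Name = @Name", conn))
        {
            // Typed and length-limited parameter.
            cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 50).Value = name;
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                DataTable table = new DataTable();
                adapter.Fill(table);
                return table;
            }
        }
    }

    // Stored-procedure call with a typed parameter. The application login only
    // needs EXECUTE on the procedure and no direct table permissions (assumed
    // procedure name).
    public static int GetOrderCount(string connectionString, int customerId)
    {
        if (customerId <= 0)
            throw new ArgumentOutOfRangeException("customerId");

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("usp_GetCustomerOrderCount", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@CustomerId", SqlDbType.Int).Value = customerId;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? 0 : Convert.ToInt32(result);
        }
    }
}
```

The validation step and the parameter are independent controls: the parameter alone stops the input from being interpreted as SQL, while the whitelist keeps out-of-range data from ever reaching the stored procedure's own dynamic logic, if any.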


Configuration and Connection Strings

  • Where possible, Windows authentication is used to avoid placing credentials in connection strings.
  • Aspnet_regiis is used to encrypt credentials stored in connection strings in configuration files.
  • RSA encryption is used to protect credentials stored in connection strings on Web farm servers.
  • In the connection string, the PersistSecurityInfo attribute is not specified or is set to false or no.
  • Where possible, connection strings are not constructed with user input.
  • If user input must be used to build connection strings, the input is validated and ConnectionStringBuilder is used.
  • Where possible, Universal Data Link (UDL) files for OLE DB data sources are avoided.
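An added example (not from the checklist) of building a connection string from a user-selected server name with SqlConnectionStringBuilder, using Windows authentication and leaving PersistSecurityInfo off. The list of permitted server names and the configuration section name are assumed; the aspnet_regiis command shown in the comment is the real tool the checklist refers to.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class ConnectionFactory
{
    // Servers this application is permitted to reach (assumed values).
    private static readonly string[] AllowedServers = { "sqlprod01", "sqlprod02" };

    // Build a connection string when the server choice comes from user input.
    public static string Build(string serverFromUser, string database)
    {
        // Validate both pieces of input against a tight pattern and a whitelist.
        // This stops a value such as "host;Integrated Security=false;User Id=..." from
        // smuggling extra keywords, and stops connections to arbitrary hosts.
        if (string.IsNullOrEmpty(serverFromUser) ||
            !Regex.IsMatch(serverFromUser, @"^[A-Za-z0-9]{1,30}$") ||
            Array.IndexOf(AllowedServers, serverFromUser.ToLowerInvariant()) < 0)
            throw new ArgumentException("Unknown server.", "serverFromUser");
        if (string.IsNullOrEmpty(database) || !Regex.IsMatch(database, @"^[A-Za-z0-9_]{1,64}$"))
            throw new ArgumentException("Invalid database name.", "database");

        SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder();
        builder.DataSource = serverFromUser;
        builder.InitialCatalog = database;
        builder.IntegratedSecurity = true;    // Windows auth: no password in the string
        builder.PersistSecurityInfo = false;  // credentials are not retained after Open()

        // The builder quotes values that contain ';' or '=', so even without the
        // checks above a value cannot add keywords; validation still matters for
        // controlling *where* the application connects.
        return builder.ConnectionString;
    }

    // Read a connection string from configuration. If the connectionStrings
    // section was encrypted with
    //   aspnet_regiis -pe "connectionStrings" -app "/MyApp"
    // (add -prov "RsaProtectedConfigurationProvider" on a Web farm), the
    // framework decrypts it transparently here. "MyAppDb" is an assumed name.
    public static string FromConfig()
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings["MyAppDb"];
        if (settings == null)
            throw new InvalidOperationException("Connection string 'MyAppDb' not configured.");
        return settings.ConnectionString;
    }
}
```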


Authentication

  • Where possible, Windows authentication is used to connect to the database.
  • If SQL authentication is used, then strong passwords are used and enforced.
  • If SQL authentication is used, then IPSec or SSL is used to protect credentials on the network.
  • If SQL authentication is used, then Aspnet_regiis is used to encrypt connection strings in configuration files.
  • RSA encryption is used to protect credentials stored in connection strings on Web farm servers.
  • The account used to connect to the database has restricted database permissions.


Authorization

  • Role checks or declarative or imperative principal permission checks are used to restrict calling users.
  • Where appropriate, the data access library code is designed to restrict the access of calling code.
  • The data access library code uses strong names to constrain partial trust callers.
  • Application-specific data access code is placed in the application's bin directory.
  • The application's database login is restricted in the database and can execute selected stored procedures only. The application login has no direct table access.
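An added example (not part of the checklist) showing the three ways of restricting calling users mentioned above: a declarative PrincipalPermission demand, an imperative demand, and a plain role check. The role names and the data access method names are assumed; in ASP.NET the framework sets Thread.CurrentPrincipal, so the GenericPrincipal setup in Main exists only so the sample runs as a console program.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public static class OrderDataAccess
{
    // Declarative: the runtime demands the role before the method body executes.
    [PrincipalPermission(SecurityAction.Demand, Role = "OrderManagers")]
    public static void ApproveOrder(int orderId)
    {
        Console.WriteLine("Order {0} approved.", orderId);
    }

    // Imperative: same requirement, useful when the role is chosen at runtime.
    public static void CancelOrder(int orderId, string requiredRole)
    {
        PrincipalPermission perm = new PrincipalPermission(null, requiredRole);
        perm.Demand();   // throws SecurityException when the caller lacks the role
        Console.WriteLine("Order {0} cancelled.", orderId);
    }

    // Role check that returns a result instead of throwing.
    public static bool CanViewOrders()
    {
        IPrincipal principal = Thread.CurrentPrincipal;
        return principal != null && principal.IsInRole("OrderViewers");
    }
}

public static class Program
{
    public static void Main()
    {
        // Assumed test identity: a viewer who is not a manager.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("alice"), new string[] { "OrderViewers" });

        Console.WriteLine("Can view: {0}", OrderDataAccess.CanViewOrders());   // True

        try
        {
            OrderDataAccess.ApproveOrder(42);                // demand fails for alice
        }
        catch (SecurityException)
        {
            Console.WriteLine("ApproveOrder denied by declarative demand.");
        }

        try
        {
            OrderDataAccess.CancelOrder(42, "OrderManagers"); // demand fails for alice
        }
        catch (SecurityException)
        {
            Console.WriteLine("CancelOrder denied by imperative demand.");
        }
    }
}
```

The declarative form is visible to tooling and cannot be skipped by a code path inside the method, which is why the checklist lists it alongside the imperative form; the imperative form is the right choice only when the role is not known at compile time.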


Exception Management

  • Database connections are closed with using statements or in finally blocks.
  • ADO.NET exceptions are not propagated to users. Only generic exception information is displayed.
  • In ASP.NET applications, a generic error page is used to avoid accidentally returning detailed error information to the client.
  • ADO.NET exception details are logged on the server.
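An added example (not from the checklist) of the exception handling pattern described above: the connection is released in a finally block, the SqlException details are logged on the server, and only a generic application exception reaches the caller. The stored procedure name, the trace source name and the DataAccessException type are assumed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;

// Generic exception surfaced to callers; carries no provider detail.
public sealed class DataAccessException : Exception
{
    public DataAccessException(string message) : base(message) { }
}

public static class OrderRepository
{
    private static readonly TraceSource Log = new TraceSource("MyApp.DataAccess");

    public static int GetOrderStatus(string connectionString, int orderId)
    {
        SqlConnection conn = null;
        try
        {
            conn = new SqlConnection(connectionString);
            conn.Open();
            using (SqlCommand cmd = new SqlCommand("usp_GetOrderStatus", conn))
            {
                cmd.CommandType = CommandType.StoredProcedure;
                cmd.Parameters.Add("@OrderId", SqlDbType.Int).Value = orderId;
                object result = cmd.ExecuteScalar();
                return (result == null || result == DBNull.Value) ? -1 : Convert.ToInt32(result);
            }
        }
        catch (SqlException ex)
        {
            // Full detail stays on the server: error number, server, procedure, line.
            Log.TraceEvent(TraceEventType.Error, ex.Number,
                "SqlException in GetOrderStatus(orderId={0}): server={1} proc={2} line={3} msg={4}",
                orderId, ex.Server, ex.Procedure, ex.LineNumber, ex.Message);

            // The caller sees only a generic message; the original is not chained in,
            // so a careless ToString() higher up cannot leak it either.
            throw new DataAccessException("The order could not be retrieved.");
        }
        finally
        {
            // Runs whether the command succeeded or threw.
            if (conn != null)
                conn.Close();
        }
    }
}
```

In an ASP.NET application the same principle applies at the page level: a customErrors setting with a generic defaultRedirect page keeps any exception that does escape from rendering its stack trace to remote clients.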


Sensitive Data

  • If sensitive data must be stored, then a strong symmetric encryption algorithm such as AES is used to encrypt it. DPAPI is used to protect symmetric encryption keys.
  • Sensitive data is protected with IPSec or SSL on the network.
  • Passwords are stored as irreversible hash values with added salt. Passwords are not stored in clear text or in encrypted format.
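An added example, not part of the checklist, covering the two storage cases above: passwords kept only as a salted, iterated hash (PBKDF2 through Rfc2898DeriveBytes, which goes slightly beyond the plain salted hash the item names), and data that must be recoverable encrypted with AES (RijndaelManaged with a 128-bit block, the AES-compatible class available in .NET 2.0) under a key that is itself wrapped with DPAPI. Sizes and iteration count are assumed values.

```csharp
using System;
using System.Security.Cryptography;

public static class SecretStore
{
    private const int SaltSize = 16;    // bytes
    private const int HashSize = 32;    // bytes
    private const int Iterations = 10000;

    // Returns salt || hash. Nothing reversible is stored.
    public static byte[] HashPassword(string password)
    {
        byte[] salt = new byte[SaltSize];
        new RNGCryptoServiceProvider().GetBytes(salt);
        byte[] hash = new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashSize);

        byte[] stored = new byte[SaltSize + HashSize];
        Buffer.BlockCopy(salt, 0, stored, 0, SaltSize);
        Buffer.BlockCopy(hash, 0, stored, SaltSize, HashSize);
        return stored;
    }

    // Recomputes the hash with the stored salt and compares in constant time.
    public static bool VerifyPassword(string password, byte[] stored)
    {
        if (stored == null || stored.Length != SaltSize + HashSize)
            return false;
        byte[] salt = new byte[SaltSize];
        Buffer.BlockCopy(stored, 0, salt, 0, SaltSize);
        byte[] expected = new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashSize);

        int diff = 0;
        for (int i = 0; i < HashSize; i++)
            diff |= expected[i] ^ stored[SaltSize + i];
        return diff == 0;
    }

    // DPAPI wraps the symmetric key so the raw key never sits unprotected on disk.
    // LocalMachine scope lets any process on this server unwrap it; use
    // CurrentUser to tie it to the application's service account.
    public static byte[] ProtectKey(byte[] key)
    {
        return ProtectedData.Protect(key, null, DataProtectionScope.LocalMachine);
    }

    public static byte[] UnprotectKey(byte[] wrappedKey)
    {
        return ProtectedData.Unprotect(wrappedKey, null, DataProtectionScope.LocalMachine);
    }

    // AES-256 in CBC mode with a fresh random IV per message; returns iv || ciphertext.
    public static byte[] Encrypt(byte[] plaintext, byte[] key)
    {
        using (RijndaelManaged aes = new RijndaelManaged())
        {
            aes.BlockSize = 128;
            aes.KeySize = 256;
            aes.Key = key;
            aes.GenerateIV();
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
                byte[] output = new byte[aes.IV.Length + cipher.Length];
                Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);
                Buffer.BlockCopy(cipher, 0, output, aes.IV.Length, cipher.Length);
                return output;
            }
        }
    }

    public static byte[] Decrypt(byte[] ivAndCipher, byte[] key)
    {
        using (RijndaelManaged aes = new RijndaelManaged())
        {
            aes.BlockSize = 128;
            aes.KeySize = 256;
            aes.Key = key;
            int ivLen = aes.BlockSize / 8;
            byte[] iv = new byte[ivLen];
            Buffer.BlockCopy(ivAndCipher, 0, iv, 0, ivLen);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(ivAndCipher, ivLen, ivAndCipher.Length - ivLen);
        }
    }
}
```

The Encrypt routine provides confidentiality only; stored ciphertext that could be modified by another party also needs an integrity check (an HMAC over IV and ciphertext, verified before decryption), which this sample omits to stay on the checklist's two points.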


Code Access Security

  • A custom ASP.NET policy is used to access non-SQL Server databases from partial trust ASP.NET applications.
  • Extended OleDbPermission syntax is used to restrict database access on hosted servers.
  • StrongNameIdentityPermission is not the only means used to restrict full trust callers.


Deployment Considerations

  • Only required ports are opened and firewall restrictions are applied for the application.
  • If credentials are stored in configuration files, they are encrypted. RSA encryption is used on Web farm servers.
  • Database auditing is enabled and failed login attempts are logged.