ASP.NET 2.0 Security Questions and Answers

Welcome to the ASP.NET 2.0 Security Questions and Answers page. This page provides an index to questions and answers. The questions act as another index into the security guidance.

Authentication

• What's new in ASP.NET 2.0 in terms of Authentication?
• How do I decide my Authentication strategy in ASP.NET?
• How do I use Forms Authentication with SQL Server database?
• How do I use Forms Authentication with Active Directory?
• How do I enable Forms Authentication to work with multiple Active Directory domains?
• How do I protect Forms Authentication?
• How do I enforce strong passwords using membership feature in ASP.NET 2.0
• How do I protect passwords in user store?
• What are the issues with Forms Authentication in Web Farm Scenario?
• How do I implement single sign on using forms authentication?
• How do I use my custom user / identity store with forms authentication?
• How do I configure account lockout using membership feature in ASP.Net 2.0?
• When and how do I use windows authentication in ASP.NET 2.0?
• When and how do I use Kerberos authentication in ASP.NET 2.0?

Authorization

• What's new in ASP.NET 2.0 in terms of Authorization?
• What is the difference between URL authorization, File authorization and Role authorization??
• How do I use URL Authorization in ASP.NET 2.0?
• How do I use File Authorization in ASP.NET 2.0?
• How do I use Role Authorization in ASP.NET 2.0?
• How is the AuthorizationStoreRoleProvider different from Authorization Manager APIs?
• How do I use Windows Groups for role authorization in ASP.NET 2.0?
• How do I use my custom role store for roles authorization?
• How do I cache roles in ASP.NET 2.0?
• How do I protect authorization cookie when using role caching in ASP.NET 2.0?
• How do I lock authorization settings?
• How do I use RoleManager in my application?

Auditing and Logging

• What's new in ASP.NET 2.0 in terms of Auditing and Logging?
• How do I use the Health monitoring feature in ASP.NET 2.0?
• What security events does health monitoring log by default?
• How do I instrument my application for security?
• When writing to a new event source from my ASP.NET application running under the Network service security context, I get registry permission exception. Why is this and how do I correct this
• How do I protect audit and log files?

Code Access Security

• What's new in ASP.NET 2.0 in terms of Code Access Security?
• How do I use code access security with ASP.NET?
• How do I create a custom trust level for ASP.NET?
• What are the permissions at the various trust levels?
• How do I write partial trust applications?
• When should I put assemblies in GAC, what are security implications?

Impersonation / Delegation

• When do I use impersonation in ASP.NET 2.0?
• How do I impersonate the original caller?
• How do I temporarily impersonate the original caller?
• How do I impersonate a specific (fixed) identity?
• When should I use programmatic impersonation?
• How do I use programmatic impersonation?
• What is protocol transition and when do I care?
• What is Constrained Delegation?
• How can I retain impersonation in the new thread created from ASP.NET application?
• How do I flow the original user identity to different layers?
• Can impersonation be used with Forms authentication?
• What are the requirements for using Kerberos delegation?

Configuration

• What does a secure web.config look like?
• How do I encrypt sensitive data in machine.config or web.config file?
• How do I run an ASP.NET application with a particular identity?
• How do I create a service account for running my ASP.NET applications?
• Do I need to create a unique user account for each application pool?
• How do I lock configuration settings?

Exception Handling

• How do I handle exceptions securely?
• How do I prevent detailed errors from returning to the client?
• How do I use structured exception handling?
• How do I setup a global exception handler for my application?
• How do I enable my ASP.NET application to write to new event source?

Data Access

• How do I protect the database connection strings in web.config file?
• How do I use windows authentication for connecting to SQL server?
• How do I use SQL authentication for connecting to SQL server?
• When using Windows authentication, how can I give the default ASP.NET worker process access to a remote database server?

Input / Data Validation

• What are the types of input I need to validate in my ASP.NET application?
• How do I validate input in server-side controls?
• How do I validate input in HTML controls, QueryString, cookies, and HTTP headers?
• What is SQL injection and how do I protect my application from SQL injection attacks?
• What is cross-site scripting and how do I protect my ASP.NET application from it?

Sensitive Data

• How do I protect my web application's ViewState?
• What care should I take when securing ViewState in a web farm scenario?
• How do I protect sensitive data in the database?
• How do I protect sensitive data in configuration files?
• How do I protect sensitive data in memory?
• How do I protect passwords?
• How do I secure Session State information?

Strong Naming and Signing

• How do I strong-name an ASP.NET application assembly?
• How do I delay sign an ASP.NET application assembly?
• When should I use .pfx files?
• When should I pre-compile my ASP.NET application?
• How do I pre-compile my ASP.NET application?
• How do I strong name an ASP.NET application?
• How do I Sign .Net assemblies with Authenticode signature?

Obfuscation

• How should I prevent someone from disassembling code?

Others

• How do I set up a SQL Server or SQL Express database for Membership, Profiles and Role Management?