Improving Web
Application Security
Threats and Countermeasures















Forewords by Mark Curphey, Joel Scambray,
and Erik Olson




Improving Web
Application Security
Threats and Countermeasures

patterns & practices






J.D. Meier, Microsoft Corporation
Alex Mackman, Content Master
Srinath Vasireddy, Microsoft Corporation
Michael Dunner, Microsoft Corporation
Ray Escamilla, Microsoft Corporation
Anandha Murukan, Satyam Computer Services


Information in this document, including URL and other Internet Web site references,
is subject to change without notice. Unless otherwise noted, the example companies,
organizations, products, domain names, e-mail addresses, logos, people, places and
events depicted herein are fictitious, and no association with any real company,
organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission
of Microsoft Corporation.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, BizTalk, IntelliSense,
MSDN, Visual Basic, Visual C#, Visual C++, and Visual Studio are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
© 2003 Microsoft Corporation. All rights reserved.
Version 1.0
6/30/2003
The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.




Contents
Forewords xliii
Foreword by Mark Curphey xliii
Foreword by Joel Scambray xlv
Foreword by Erik Olson xlvi
Introduction xlix
Why We Wrote This Guide xlix
What Is a Hack-Resilient Application? l
Scope of This Guide li
Securing the Network, Host, and Application li
Technologies in Scope lii
Who Should Read This Guide lii
How to Use This Guide liii
Applying the Guidance to Your Role liii
Applying the Guidance to Your Product Life Cycle liv
Microsoft Solutions Framework lv
Organization of This Guide lv

Solutions at a Glance lv
Fast Track lv
Parts lvi
Checklists lvii
“How To” Articles lviii
Approach Used in This Guide lviii
Secure Your Network, Host, and Application lviii
Focus on Threats lix
Follow a Principle-Based Approach lx
Positioning of This Guide lx
Volume I, Building Secure ASP.NET Applications lx
Volume II, Improving Web Application Security lxi
Feedback and Support lxii
Feedback on the Guide lxii
Technical Support lxii
Community and Newsgroup Support lxii
The Team Who Brought You This Guide lxiii
Contributors and Reviewers lxiii
Tell Us About Your Success lxiv
Summary lxiv
vi Improving Web Application Security: Threats and Countermeasures



Solutions at a Glance lxv
Architecture and Design Solutions lxv
Development Solutions lxvi
Administration Solutions lxx
Fast Track


—

How To Implement the Guidance lxxv
Goal and Scope lxxv
The Holistic Approach lxxvi
Securing Your Network lxxvii
Securing Your Host lxxvii
Securing Your Application lxxviii
Identify Threats lxxix
Applying the Guidance to Your Product Life Cycle lxxxi
Implementing the Guidance lxxxii
Who Does What? lxxxiii
RACI Chart lxxxiii
Summary lxxxiv
Part I
Introduction to Threats and Countermeasures 1
Chapter 1
Web Application Security Fundamentals 3
We Are Secure

—

We Have a Firewall 3
What Do We Mean By Security? 4
The Foundations of Security 4
Threats, Vulnerabilities, and Attacks Defined 5
How Do You Build a Secure Web Application? 5
Secure Your Network, Host, and Application 6
Securing Your Network 7
Network Component Categories 7

Securing Your Host 7
Host Configuration Categories 8
Securing Your Application 9
Application Vulnerability Categories 9
Security Principles 11
Summary 12
Additional Resources 12
Chapter 2
Threats and Countermeasures 13
In This Chapter 13
Overview 13
Contents vii



How to Use This Chapter 14
Anatomy of an Attack 14
Survey and Assess 15
Exploit and Penetrate 15
Escalate Privileges 15
Maintain Access 16
Deny Service 16
Understanding Threat Categories 16
STRIDE 16
STRIDE Threats and Countermeasures 17
Network Threats and Countermeasures 18
Information Gathering 18
Sniffing 19
Spoofing 19
Session Hijacking 19

Denial of Service 20
Host Threats and Countermeasures 20
Viruses, Trojan Horses, and Worms 21
Footprinting 21
Password Cracking 22
Denial of Service 22
Arbitrary Code Execution 23
Unauthorized Access 23
Application Threats and Countermeasures 23
Input Validation 24
Buffer Overflows 25
Cross-Site Scripting 26
SQL Injection 27
Canonicalization 28
Authentication 29
Network Eavesdropping 29
Brute Force Attacks 30
Dictionary Attacks 30
Cookie Replay Attacks 31
Credential Theft 31
Authorization 31
Elevation of Privilege 32
Disclosure of Confidential Data 32
Data Tampering 32
Luring Attacks 33
Configuration Management 33
Unauthorized Access to Administration Interfaces 33
Unauthorized Access to Configuration Stores 34
Retrieval of Plaintext Configuration Secrets 34
Lack of Individual Accountability 34

Over-privileged Application and Service Accounts 34
viii Improving Web Application Security: Threats and Countermeasures



Sensitive Data 35
Access to Sensitive Data in Storage 35
Network Eavesdropping 35
Data Tampering 35
Session Management 36
Session Hijacking 36
Session Replay 36
Man in the Middle Attacks 37
Cryptography 37
Poor Key Generation or Key Management 38
Weak or Custom Encryption 38
Checksum Spoofing 38
Parameter Manipulation 39
Query String Manipulation 39
Form Field Manipulation 40
Cookie Manipulation 40
HTTP Header Manipulation 40
Exception Management 40
Attacker Reveals Implementation Details 41
Denial of Service 41
Auditing and Logging 41
User Denies Performing an Operation 42
Attackers Exploit an Application Without Leaving a Trace 42
Attackers Cover Their Tracks 42
Summary 42

Additional Resources 43
Chapter 3
Threat Modeling 45
In This Chapter 45
Overview 45
Before You Begin 45
How to Use This Chapter 46
Threat Modeling Principles 47
The Process 47
The Output 48
Step 1. Identify Assets 49
Step 2. Create an Architecture Overview 49
Identify What the Application Does 50
Create an Architecture Diagram 50
Identify the Technologies 51
Contents ix



Step 3. Decompose the Application 52
Identify Trust Boundaries 53
Identify Data Flow 53
Identify Entry Points 54
Identify Privileged Code 54
Document the Security Profile 55
Step 4. Identify the Threats 56
Identify Network Threats 57
Identify Host Threats 58
Identify Application Threats 58
Using Attack Trees and Attack Patterns 59

Step 5. Document the Threats 62
Step 6. Rate the Threats 62
Risk = Probability * Damage Potential 63
High, Medium, and Low Ratings 63
DREAD 63
What Comes After Threat Modeling? 65
Generating a Work Item Report 66
Summary 66
Additional Resources 66
Part II
Designing Secure Web Applications 67
Chapter 4
Design Guidelines for Secure Web Applications 69
In This Chapter 69
Overview 69
How to Use This Chapter 70
Architecture and Design Issues for Web Applications 70
Deployment Considerations 72
Security Policies and Procedures 73
Network Infrastructure Components 73
Deployment Topologies 73
Intranet, Extranet, and Internet 74
Input Validation 74
Assume All Input Is Malicious 75
Centralize Your Approach 75
Do Not Rely on Client-Side Validation 76
Be Careful with Canonicalization Issues 76
Constrain, Reject, and Sanitize Your Input 77
In Practice 79
x Improving Web Application Security: Threats and Countermeasures




Authentication 80
Separate Public and Restricted Areas 81
Use Account Lockout Policies for End-User Accounts 81
Support Password Expiration Periods 81
Be Able to Disable Accounts 82
Do Not Store Passwords in User Stores 82
Require Strong Passwords 82
Do Not Send Passwords Over the Wire in Plaintext 82
Protect Authentication Cookies 82
Authorization 83
Use Multiple Gatekeepers 83
Restrict User Access to System Level Resources 83
Consider Authorization Granularity 83
Configuration Management 86
Secure Your Administration Interfaces 86
Secure Your Configuration Stores 86
Separate Administration Privileges 87
Use Least Privileged Process and Service Accounts 87
Sensitive Data 87
Secrets 87
Sensitive Per User Data 89
Session Management 90
Use SSL to Protect Session Authentication Cookies 90
Encrypt the Contents of the Authentication Cookies 90
Limit Session Lifetime 91
Protect Session State from Unauthorized Access 91
Cryptography 91

Do Not Develop Your Own Cryptography 92
Keep Unencrypted Data Close to the Algorithm 92
Use the Correct Algorithm and Correct Key Size 92
Secure Your Encryption Keys 92
Parameter Manipulation 93
Encrypt Sensitive Cookie State 93
Make Sure that Users Do Not Bypass Your Checks 93
Validate All Values Sent from the Client 94
Do Not Trust HTTP Header Information 94
Exception Management 94
Do Not Leak Information to the Client 94
Log Detailed Error Messages 95
Catch Exceptions 95
Auditing and Logging 95
Audit and Log Access Across Application Tiers 95
Consider Identity Flow 96
Log Key Events 96
Secure Log Files 96
Back Up and Analyze Log Files Regularly 96
Contents xi



Design Guidelines Summary 97
Summary 98
Additional Resources 98
Chapter 5
Architecture and Design Review for Security 99
In This Chapter 99
Overview 99

How to Use This Chapter 100
Architecture and Design Review Process 100
Deployment and Infrastructure Considerations 101
Does the Network Provide Secure Communication? 102
Does Your Deployment Topology Include an Internal Firewall? 102
Does Your Deployment Topology Include a Remote Application Server? 102
What Restrictions Does Infrastructure Security Impose? 103
Have You Considered Web Farm Issues? 104
What Trust Levels Does the Target Environment Support? 104
Input Validation 105
How Do You Validate Input? 106
What Do You Do with the Input? 107
Authentication 107
Do You Separate Public and Restricted Access? 108
Have You Identified Service Account Requirements? 108
How Do You Authenticate the Caller? 109
How Do You Authenticate with the Database? 109
Do You Enforce Strong Account Management Practices? 111
Authorization 111
How Do You Authorize End Users? 112
How Do You Authorize the Application in the Database? 113
How Do You Restrict Access to System-Level Resources? 113
Configuration Management 114
Do You Support Remote Administration? 114
Do You Secure Configuration Stores? 115
Do You Separate Administrator Privileges? 115
Sensitive Data 115
Do You Store Secrets? 116
How Do You Store Sensitive Data? 117
Do You Pass Sensitive Data Over the Network? 117

Do You Log Sensitive Data? 117
Session Management 117
How Are Session Identifiers Exchanged? 118
Do You Restrict Session Lifetime? 118
How Is the Session State Store Secured? 118
xii Improving Web Application Security: Threats and Countermeasures



Cryptography 119
Why Do You Use Particular Algorithms? 119
How Do You Secure Encryption Keys? 120
Parameter Manipulation 120
Do You Validate All Input Parameters? 121
Do You Pass Sensitive Data in Parameters? 121
Do You Use HTTP Header Data for Security? 121
Exception Management 122
Do You Use Structured Exception Handling? 122
Do You Reveal Too Much Information to the Client? 122
Auditing and Logging 123
Have You Identified Key Activities to Audit? 123
Have You Considered How to Flow Original Caller Identity? 124
Have You Considered Secure Log File Management Policies? 124
Summary 124
Additional Resources 125
Part III
Building Secure Web Applications 127
Chapter 6
.NET Security Overview 129
In This Chapter 129

Overview 129
How to Use This Chapter 130
Managed Code Benefits 130
User vs. Code Security 131
Role-Based Security 131
Code Access Security 132
.NET Framework Role-Based Security 133
Principals and Identities 134
PrincipalPermission Objects 134
Role-Based Security Checks 137
URL Authorization 138
.NET Framework Security Namespaces 139
System.Security 140
System.Web.Security 141
System.Security.Cryptography 141
System.Security.Principal 141
System.Security.Policy 142
System.Security.Permissions 142
Summary 144
Additional Resources 144
Contents xiii



Chapter 7
Building Secure Assemblies 145
In This Chapter 145
Overview 145
How to Use This Chapter 146
Threats and Countermeasures 146

Unauthorized Access or Privilege Elevation, or both 147
Code Injection 147
Information Disclosure 148
Tampering 149
Privileged Code 149
Privileged Resources 150
Privileged Operations 150
Assembly Design Considerations 150
Identify Privileged Code 150
Identify the Trust Level of Your Target Environment 151
Sandbox Highly Privileged Code 152
Design Your Public Interface 153
Class Design Considerations 153
Restrict Class and Member Visibility 153
Seal Non-Base Classes 153
Restrict Which Users Can Call Your Code 154
Expose Fields Using Properties 154
Strong Names 155
Security Benefits of Strong Names 156
Using Strong Names 156
Delay Signing 157
ASP.NET and Strong Names 158
Authenticode vs. Strong Names 159
Authorization 160
Exception Management 161
Use Structured Exception Handling 161
Do Not Log Sensitive Data 162
Do Not Reveal Sensitive System or Application Information 162
Consider Exception Filter Issues 162
Consider an Exception Management Framework 163

File I/O 164
Avoid Untrusted Input for File Names 164
Do Not Trust Environment Variables 164
Validate Input File Names 164
Constrain File I/O Within Your Application’s Context 165
Event Log 165
xiv Improving Web Application Security: Threats and Countermeasures



Registry 166
HKEY_LOCAL_MACHINE 166
HKEY_CURRENT_USER 166
Reading from the Registry 167
Data Access 167
Unmanaged Code 168
Validate Input and Output String Parameters 168
Validate Array Bounds 169
Check File Path Lengths 169
Compile Unmanaged Code With the /GS Switch 169
Inspect Unmanaged Code for Dangerous APIs 169
Delegates 169
Do Not Accept Delegates from Untrusted Sources 169
Serialization 170
Do Not Serialize Sensitive Data 170
Validate Serialized Data Streams 170
Partial Trust Considerations 171
Threading 171
Do Not Cache the Results of Security Checks 171
Consider Impersonation Tokens 172

Synchronize Static Class Constructors 172
Synchronize Dispose Methods 172
Reflection 172
Obfuscation 173
Cryptography 174
Use Platform-provided Cryptographic Services 174
Key Generation 174
Key Storage 176
Key Exchange 178
Key Maintenance 178
Summary 179
Additional Resources 179
Chapter 8
Code Access Security in Practice 181
In This Chapter 181
Overview 181
How to Use This Chapter 182
Code Access Security Explained 182
Code 183
Evidence 183
Permissions 184
Assert, Deny, and PermitOnly Methods 185
Policy 185
Code Groups 186
Contents xv



Code Access Security Explained (continued)
How Does It Work? 186


How Is Policy Evaluated? 187
APTCA 191
Avoid Using APTCA 191
Diagnosing APTCA Issues 192
Privileged Code 193
Privileged Resources 193
Privileged Operations 194
Requesting Permissions 194
RequestMinimum 195
RequestOptional 195
RequestRefused 195
Implications of Using RequestOptional or RequestRefuse 196
Authorizing Code 196
Restrict Which Code Can Call Your Code 197
Restrict Inheritance 198
Consider Protecting Cached Data 199
Protect Custom Resources with Custom Permissions 199
Link Demands 199
Luring Attacks 200
Performance and Link Demands 201
Calling Methods with Link Demands 201
Mixing Class and Method Level Link Demands 201
Interfaces and Link Demands 202
Structures and Link Demands 202
Virtual Methods and Link Demands 203
Assert and RevertAssert 203
Use the Demand / Assert Pattern 204
Reduce the Assert Duration 204
Constraining Code 204

Using Policy Permission Grants 205
Using Stack Walk Modifiers 205
File I/O 205
Constraining File I/O within your Application’s Context 205
Requesting FileIOPermission 207
Event Log 207
Constraining Event Logging Code 208
Requesting EventLogPermission 208
Registry 208
Constraining Registry Access 209
Requesting RegistryPermission 209
Data Access 209
Directory Services 210
Constraining Directory Service Access 210
Requesting DirectoryServicesPermission 211
xvi Improving Web Application Security: Threats and Countermeasures



Environment Variables 211
Constraining Environment Variable Access 211
Requesting EnvironmentPermission 211
Web Services 212
Constraining Web Service Connections 212
Sockets and DNS 213
Constraining Socket Access 213
Requesting SocketPermission and DnsPermission 214
Unmanaged Code 214
Use Naming Conventions to Indicate Risk 214
Request the Unmanaged Code Permission 215

Sandbox Unmanaged API Calls 215
Use SuppressUnmanagedCodeSecurity with Caution 216
Delegates 217
Serialization 218
Restricting Serialization 218
Summary 219
Additional Resources 219
Chapter 9
Using Code Access Security with ASP.NET 221
In This Chapter 221
Overview 221
How to Use This Chapter 223
Resource Access 223
Full Trust and Partial Trust 224
Configuring Code Access Security in ASP.NET 225
Configuring Trust Levels 225
Locking the Trust Level 226
ASP.NET Policy Files 227
ASP.NET Policy 227
Inside an ASP.NET Policy File 228
Permission State and Unrestricted Permissions 229
The ASP.NET Named Permission Set 229
Substitution Parameters 230
Developing Partial Trust Web Applications 231
Why Partial Trust? 231
Problems You Might Encounter 231
Trust Levels 232
Approaches for Partial Trust Web Applications 234
Customize Policy 235
Sandbox Privileged Code 236

A Sandboxing Pattern 236
Contents xvii



Deciding Which Approach to Take 238
Customizing Policy 238
Sandboxing 238
Medium Trust 239
Reduced Attack Surface 239
Application Isolation 239
Medium Trust Restrictions 240
OLE DB 240
Event Log 244
Web Services 248
Registry 250
Summary 252
Additional Resources 252
Chapter 10
Building Secure ASP.NET Pages and Controls 253
In This Chapter 253
Overview 253
How to Use This Chapter 254
Threats and Countermeasures 254
Code Injection 255
Session Hijacking 256
Identity Spoofing 257
Parameter Manipulation 258
Network Eavesdropping 259
Information Disclosure 259

Design Considerations 260
Use Server-Side Input Validation 260
Partition Your Web Site 261
Consider the Identity That Is Used for Resource Access 262
Protect Credentials and Authentication Tickets 262
Fail Securely 262
Consider Authorization Granularity 263
Place Web Controls and User Controls in Separate Assemblies 263
Place Resource Access Code in a Separate Assembly 263
Input Validation 263
Constrain, Then Sanitize 264
Regular Expressions 264
String Fields 265
Date Fields 267
Numeric Fields 267
Sanitizing Input 269
Validating HTML Controls 269
Validating Input Used for Data Access 270
Validating Input Used For File I/O 270
Common Regular Expressions 271
xviii Improving Web Application Security: Threats and Countermeasures



Cross-Site Scripting 272
Validate Input 273
Encode Output 273
Defense in Depth Countermeasures 274
Authentication 277
Forms Authentication 277

Partition Your Web Site 278
Secure Restricted Pages with SSL 279
Use URL Authorization 279
Secure the Authentication Cookie 280
Use Absolute URLs for Navigation 282
Use Secure Credential Management 283
Authorization 284
Use URL Authorization for Page and Directory Access Control 284
Use File Authorization with Windows Authentication 284
Use Principal Demands on Classes and Methods 284
Use Explicit Role Checks for Fine-Grained Authorization 285
Impersonation 286
Using Programmatic Impersonation 286
Sensitive Data 288
Do not Pass Sensitive Data from Page to Page 288
Avoid Plaintext Passwords in Configuration Files 288
Use DPAPI to Avoid Key Management 288
Do Not Cache Sensitive Data 288
Session Management 289
Require Authentication for Sensitive Pages 289
Do Not Rely on Client-Side State Management Options 289
Do Not Mix Session Tokens and Authentication Tokens 290
Use SSL Effectively 290
Secure the Session Data 290
Parameter Manipulation 291
Protect View State with MACs 291
Use Page.ViewStateUserKey to Counter One-Click Attacks 292
Maintain Sensitive Data on the Server 292
Validate Input Parameters 293
Exception Management 293

Return Generic Error Pages to the Client 293
Implement Page-Level or Application-Level Error Handlers 294
Auditing and Logging 295
EventLogPermission 296
Summary 296
Additional Resources 297
Contents xix



Chapter 11
Building Secure Serviced Components 299
In This Chapter 299
Overview 299
How to Use This Chapter 300
Threats and Countermeasures 300
Network Eavesdropping 301
Unauthorized Access 301
Unconstrained Delegation 301
Disclosure of Configuration Data 302
Repudiation 302
Design Considerations 302
Role-Based Authorization 302
Sensitive Data Protection 302
Audit Requirements 303
Application Activation Type 303
Transactions 303
Code Access Security 303
Authentication 304
Use (At Least) Call Level Authentication 304

Authorization 304
Enable Role-Based Security 304
Enable Component Level Access Checks 305
Enforce Component Level Access Checks 305
Configuration Management 305
Use Least Privileged Run-As Accounts 306
Avoid Storing Secrets in Object Constructor Strings 306
Avoid Unconstrained Delegation 306
Sensitive Data 307
Auditing and Logging 308
Audit User Transactions 308
Building a Secure Serviced Component 309
Assembly Implementation 310
Serviced Component Class Implementation 311
Code Access Security Considerations 313
Deployment Considerations 314
Firewall Restrictions 314
Summary 316
Additional Resources 317
Chapter 12
Building Secure Web Services 319
In This Chapter 319
Overview 319
How to Use This Chapter 320
xx Improving Web Application Security: Threats and Countermeasures



Threats and Countermeasures 320
Unauthorized Access 321

Parameter Manipulation 322
Network Eavesdropping 322
Disclosure of Configuration Data 323
Message Replay 323
Design Considerations 325
Authentication Requirements 325
Privacy and Integrity Requirements 325
Resource Access Identities 325
Code Access Security 326
Input Validation 326
Strongly Typed Parameters 326
Loosely Typed Parameters 328
XML Data 328
SQL Injection 331
Cross-Site Scripting 331
Authentication 332
Platform Level Authentication 332
Message Level Authentication 333
Application Level Authentication 335
Authorization 335
Web Service Endpoint Authorization 336
Web Method Authorization 336
Programmatic Authorization 336
Sensitive Data 337
XML Encryption 337
Encrypting Parts of a Message 338
Parameter Manipulation 339
Exception Management 339
Using SoapExceptions 340
Application Level Error Handling in Global.asax 341

Auditing and Logging 341
Proxy Considerations 341
Code Access Security Considerations 342
Deployment Considerations 343
Intranet Deployment 343
Extranet Deployment 343
Internet Deployment 344
Summary 345
Additional Resources 345
Contents xxi



Chapter 13
Building Secure Remoted Components 347
In This Chapter 347
Overview 347
How to Use This Chapter 348
Threats and Countermeasures 349
Unauthorized Access 349
Network Eavesdropping 350
Parameter Manipulation 351
Serialization 351
Design Considerations 352
Do Not Expose Remoted Objects to the Internet 352
Use the HttpChannel to Take Advantage of ASP.NET Security 352
Use the TcpChannel Only in Trusted Server Scenarios 352
Input Validation 354
Serialization Attacks 354
MarshalByRefObject Attacks 354

Authentication 355
ASP.NET Hosting 355
Custom Process Hosting 358
Authorization 359
Use IPSec for Machine Level Access Control 359
Enable File Authorization for User Access Control 359
Authorize Users with Principal-Based Role Checks 360
Consider Limiting Remote Access 360
Sensitive Data 361
Using IPSec 361
Using SSL 361
Using a Custom Encryption Sink 361
Denial of Service 364
Exception Management 364
Using a Custom Channel Sink 365
Auditing and Logging 365
Using a Custom Channel Sink 365
Code Access Security (CAS) Considerations 365
Summary 365
Additional Resources 366
Chapter 14
Building Secure Data Access 367
In this Chapter 367
Overview 367
How to Use This Chapter 368
xxii Improving Web Application Security: Threats and Countermeasures



Threats and Countermeasures 368

SQL Injection 369
Disclosure of Configuration Data 370
Disclosure of Sensitive Application Data 370
Disclosure of Database Schema and Connection Details 371
Unauthorized Access 371
Network Eavesdropping 372
Design Considerations 372
Use Windows Authentication 373
Use Least Privileged Accounts 373
Use Stored Procedures 373
Protect Sensitive Data in Storage 374
Use Separate Data Access Assemblies 375
Input Validation 376
SQL Injection 376
Preventing SQL Injection 376
Constrain Input 376
Use Type Safe SQL Parameters 377
Using Parameter Batching 378
Using Filter Routines 378
Using LIKE Clauses 378
Authentication 379
Use Windows Authentication 379
Protect the Credentials for SQL Authentication 380
Connect Using a Least Privileged Account 380
Authorization 380
Restrict Unauthorized Callers 382
Restrict Unauthorized Code 383
Restrict the Application in the Database 383
Configuration Management 384
Use Window Authentication 384

Secure Your Connection Strings 384
Secure UDL Files with Restricted ACLs 386
Sensitive Data 386
Encrypt Sensitive Data if You Need to Store It 386
Secure Sensitive Data Over the Network 387
Store Password Hashes with Salt 388
Exception Management 389
Trap and Log ADO.NET Exceptions 389
Ensure Database Connections Are Closed 391
Use a Generic Error Page in Your ASP.NET Applications 392
Building a Secure Data Access Component 393
Code Access Security Considerations 396
Contents xxiii



Deployment Considerations 397
Firewall Restrictions 397
Connection String Management 398
Login Account Configuration 398
Logon Auditing 398
Data Privacy and Integrity on the Network 399
Summary 399
Additional Resources 399
Part IV
Securing Your Network, Host, and Application 401
Chapter 15
Securing Your Network 403
In This Chapter 403
Overview 403

How to Use This Chapter 404
Threats and Countermeasures 405
Information Gathering 405
Sniffing 406
Spoofing 406
Session Hijacking 407
Denial of Service 407
Methodology 408
Router 408
Firewall 409
Switch 409
Router Considerations 409
Patches and Updates 409
Protocols 410
Administrative Access 412
Services 412
Auditing and Logging 413
Intrusion Detection 413
Firewall Considerations 413
Patches and Updates 413
Filters 414
Logging and Auditing 415
Perimeter Networks 415
Switch Considerations 416
Patches and Updates 416
VLANs 417
Insecure Defaults 417
Services 417
Encryption 417
xxiv Improving Web Application Security: Threats and Countermeasures




Additional Considerations 417
Snapshot of a Secure Network 418
Summary 419
Additional Resources 420
Chapter 16
Securing Your Web Server 421
In This Chapter 421
Overview 421
How to Use This Chapter 422
Threats and Countermeasures 422
Profiling 423
Denial of Service 424
Unauthorized Access 424
Arbitrary Code Execution 425
Elevation of Privileges 425
Viruses, Worms, and Trojan Horses 426
Methodology for Securing Your Web Server 426
Configuration Categories 427
IIS and .NET Framework Installation Considerations 430
What Does IIS Install? 430
What Does the .NET Framework Install? 431
Installation Recommendations 432
IIS Installation Recommendations 432
.NET Framework Installation Recommendations 432
Including Service Packs with a Base Installation 433
Steps for Securing Your Web Server 433
Step 1. Patches and Updates 434

Detect and Install Patches and Updates 434
Update the .NET Framework 435
Step 2. IISLockdown 435
Install and Run IISLockdown 435
Install and Configure URLScan 437
Step 3. Services 438
Disable Unnecessary Services 439
Disable FTP, SMTP, and NNTP Unless You Require Them 439
Disable the ASP.NET State Service Unless You Require It 440
Step 4. Protocols 440
Disable or Secure WebDAV 440
Harden the TCP/IP Stack 440
Disable NetBIOS and SMB 441
Contents xxv



Step 5. Accounts 442
Delete or Disable Unused Accounts 442
Disable the Guest Account 443
Rename the Administrator Account 443
Disable the IUSR Account 443
Create a Custom Anonymous Web Account 443
Enforce Strong Password Policies 444
Restrict Remote Logons 444
Disable Null Sessions (Anonymous Logons) 445
Step 6. Files and Directories 446
Restrict the Everyone Group 446
Restrict Access to the IIS Anonymous Account 446
Secure or Remove Tools, Utilities and SDKs 447

Remove Sample Files 447
Additional Considerations 447
Step 7. Shares 448
Remove Unnecessary Shares 448
Restrict Access to Required Shares 448
Additional Considerations 448
Step 8. Ports 449
Restrict Internet-Facing Ports to TCP 80 and 443 449
Encrypt or Restrict Intranet Traffic 449
Step 9. Registry 449
Restrict Remote Administration of the Registry 450
Secure the SAM (Stand-alone Servers Only) 450
Step 10. Auditing and Logging 451
Log All Failed Logon Attempts 451
Log All Failed Actions Across the File System 451
Relocate and Secure the IIS Log Files 452
Archive Log Files for Offline Analysis 452
Audit Access to the Metabase.bin File 452
Additional Considerations 453
Step 11. Sites and Virtual Directories 453
Move Your Web site to a Non-System Volume 453
Disable the Parent Paths Setting 453
Remove Potentially Dangerous Virtual Directories 454
Remove or Secure RDS 454
Set Web Permissions 455
Remove or Secure FrontPage Server Extensions 456
Step 12. Script Mappings 456
Map IIS File Extensions 457
Map .NET Framework File Extensions 458
Step 13. ISAPI Filters 459

Remove Unused ISAPI Filters 459