INFO: Improving Web Application Security Guide (823195)


The information in this article applies to:

  • Microsoft ASP.NET (included with the .NET Framework 1.1)
  • Microsoft ASP.NET (included with the .NET Framework) 1.0

SUMMARY

As part of the Microsoft commitment to trustworthy computing, the Microsoft Patterns and Practices group created a guide to provide developers with a solid foundation to design, to build, and then to configure more secure features and more hack-resilient ASP.NET Web applications. The guide is titled Improving Web Application Security. It describes how to implement fundamental security principles on your Web applications to make your applications safer. The architectural and design guide focuses on the following three topics:
  • Increasing Security on the Network
  • Increasing Security on the Host
  • Increasing Security of the Application

The guide is divided in the following five parts:
  • Introduction to Threats and Countermeasures
  • Designing Secure Web Applications
  • Building Secure Web Applications
  • Securing Your Network, Host, and Application
  • Assessing Your Security

The "References" section of the guide contains tips, How Tos, and checklists to complement the content that is in the chapters. The guide also includes step-by-step descriptions of how to perform common tasks. The guide contains more than 900 pages of task-based, modular content about Web application security fundamentals, threats and countermeasures, threat modeling, authentication, authorization, cryptography, code access security, secure data access, code review, deployment review, and related content. The following How Tos are included:
  • How To: Implement Patch Management
  • How To: Harden the TCP/IP Stack
  • How To: Secure Your Developer Workstation
  • How To: Use IPSec for Filtering Ports and Authentication
  • How To: Use the Microsoft Baseline Security Analyzer
  • How To: Use IISLockdown.exe
  • How To: Use URLScan
  • How To: Create a Custom Encryption Permission
  • How To: Use Code Access Security Policy to Constrain an Assembly

The Improving Web Application Security guide also provides a series of checklists that help you turn the information and the details that you learn in the individual chapters into action. The following checklists are included:

Designing Checklist

  • Checklist: Architecture and Design Review

Building Checklists

  • Checklist: Securing ASP.NET
  • Checklist: Securing Enterprise Services
  • Checklist: Securing Web Services
  • Checklist: Securing Remoting
  • Checklist: Securing Data Access

Networking Checklist

  • Checklist: Securing Your Network

Securing Checklists

  • Checklist: Securing Your Web Server
  • Checklist: Securing Your Database Server

Assessing Checklist

  • Checklist: Security Review for Managed Code

REFERENCES

For more information about this guide, visit the following Microsoft Web site:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

Modification Type:MinorLast Reviewed:7/8/2005
Keywords:kbPAG kbWebServer kbWebServices kbArchitecture kbDeployment kbSecurity kbinfo KB823195 kbAudDeveloper
©2004 Microsoft Corporation. All rights reserved.