Professional ASP.NET 2.0 Security, Membership, and Role Management
October 30, 2009
PRObooks
There are disappointingly few books available that discuss ASP.NET security in a holistic way. Many books cover membership and role management, and maybe a bit about authentication and authorization, but aren't really about securing a Web site. As a result, I think a lot of ASP.NET developers implement membership management and leave it at that, leaving their sites vulnerable to a vast array of threats.
So I was quite excited to get a copy of Stefan Schackow's book, Professional ASP.NET 2.0 Security, Membership, and Role Management. Stefan is a program manager on Microsoft's ASP.NET product team and is now working on some of the newer security technologies emerging from Microsoft, such as the Windows Communication Foundation. He's probably in the perfect position to write an ASP.NET security book.
In its 594 pages, the book covers all of the important security topics that a developer needs to know about, without losing its focus and deteriorating into a discussion of Web security in general. There are plenty of books that go there, and it was definitely better to keep this book tightly focused on ASP.NET topics. The author covers both the hip new authentication and authorization management features like membership and role management, as well as things like partially trusted applications and ViewState protection. Each of these sets of topics protects against very different threats.
The book starts out with a look at the anatomy of a Web request through IIS and the security implications. This discussion could easily have evolved into a discourse on IIS security, but that's not what the book is about. Schackow covers what you need to know about Web requests so that you can understand how IIS and ASP.NET work together, and how you can keep those requests secure.
There are chapters about the different authentication methods in ASP.NET, securing session state, and using and configuring providers, as well as the membership and role management features. There's a whole chapter on successfully using Active Directory as a membership provider. An interesting chapter covers integrating ASP.NET security with classic ASP, sometimes called "ASP.moldy". You have to jump through some hoops to make the two technologies play nicely together, but at least it is possible as a transition strategy.
My favorite chapter in the book is Chapter 3, cleverly titled "A Matter of Trust". One of the evils of ASP.NET development is that it defaults to full trust, which essentially turns off code access security (CAS): every permission demand succeeds, so the CLR does not enforce any code security, making it far easier for an attacker to take advantage of the Web application to attack the server. With a little extra work (surprisingly little) you can create a partially trusted application that has exactly the permissions it needs, but no more. You can use any of the pre-defined trust levels, such as Medium, but the correct way to do it is to define a custom trust level. Chapter 3 talks about all these issues and how to implement a custom trust level, as well as how to work with the AllowPartiallyTrustedCallersAttribute (APTCA), the assembly-level attribute that controls whether partially trusted code is allowed to call into a strong-named assembly's public types and methods. This chapter should be required reading for all ASP.NET developers.
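To make the trust-level discussion concrete, here is an added example (not code from the book or from the reviewer) of an ASP.NET 2.0 web.config that shows the weak full-trust default beside a registered custom trust level. The trust level name "CustomTrust", the policy file name "web_customtrust.config" and the originUrl host are hypothetical, and the assumption that a relative policyFile declared in an application-level web.config is resolved against that web.config's directory should be checked against your own deployment. The mechanism is specific to the .NET Framework; it does not exist on .NET Core or later.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the book or the review. Application-level
     web.config for an ASP.NET 2.0 site. Names such as "CustomTrust",
     "web_customtrust.config" and partner.example.com are hypothetical. -->
<configuration>
  <system.web>

    <!-- WEAK: the default inherited from the root web.config. Every CAS
         demand succeeds, so a compromised page or a hostile third-party
         component can reach the file system, registry, network and
         unmanaged code with the worker process's Windows identity.
         Shown only to make the contrast visible; leave it out of a real
         file.
    <trust level="Full" originUrl="" />
    -->

    <!-- STEP 1: register a custom trust level. The policy file is a copy of
         %windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\web_mediumtrust.config
         with permissions the application does not need removed, for example
         dropping SqlClientPermission for a site with no database, or
         narrowing FileIOPermission to $AppDir$ read-only.
         Assumption: a relative policyFile declared here is resolved against
         this web.config's directory. -->
    <securityPolicy>
      <trustLevel name="CustomTrust" policyFile="web_customtrust.config" />
    </securityPolicy>

    <!-- STEP 2: run the application at that level. originUrl is substituted
         for the $OriginHost$ placeholder in the policy file's WebPermission,
         so outbound HTTP from the application is limited to that host. -->
    <trust level="CustomTrust" originUrl="https://partner.example.com/" />

  </system.web>
</configuration>

<!-- In the ROOT web.config (the one under the CONFIG directory), the
     hosting administrator can stop any application from quietly raising
     its own trust back to Full by setting allowOverride="false" on the
     location element that wraps the trust setting:

<location allowOverride="false">
  <system.web>
    <trust level="Medium" originUrl="" />
  </system.web>
</location>
-->
```

Once CAS is enforced, any strong-named library the site calls must carry `[assembly: AllowPartiallyTrustedCallers]` or the call fails with a SecurityException at link time; libraries in the application's bin directory that are not strong-named are unaffected. Test the site at the new trust level before deploying, since the failures show up at run time, not at compile time.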
The book has a nice selection of topics, written by someone with access to the internal workings of ASP.NET. As a result, it is useful to read it from cover to cover (perhaps skipping topics not of immediate interest), then keeping it handy at your development machine for reference throughout a project.
If I have any complaint about the book at all, it is that it doesn't discuss how to determine which of the many features covered should be used in a given Web application. In other words, in response to the threats you've identified for the application, which features should you implement, and how? But this is a minor quibble; the author simply assumes that you know the threats and can relate the security features to those threats. The book's focus is tight, which is not a bad thing.
I highly recommend this title for ASP.NET developers. If you're interested in other books with a wider range of security topics, see my asp.netNOW column "Tome Time: The Best Security Books for Windows and .NET Development".
Don Kiely
Title: Professional ASP.NET 2.0 Security, Membership, and Role Management
Author: Stefan Schackow
Publisher: Wrox Press
ISBN: 0-7645-9698-5
Web Site: http://www.wrox.com/WileyCDA/WroxTitle/productCd-0764596985.html
Price: US$39.99
Page Count: 594