Vista Point
Looking Forward to 2.0
October 30, 2009
Secure ASP.NET
LANGUAGES: ALL
ASP.NET VERSIONS: 2.0
By Don Kiely
It's September 8, 2005, some 60 days and counting to the final release of Visual Studio 2005, SQL Server 2005, and version 2.0 of the .NET Framework and ASP.NET, all scheduled for release the week of November 7. Up to now in this column I've stuck to writing about security issues in production versions of ASP.NET, meaning versions 1.0 and 1.1, so that we can all get real work done without being too distracted by the future. But since Microsoft has issued Go Live licenses for testing and partial deployment of Web sites using the new technologies, and since the final feature set has settled down, I think it is time to start looking forward to ASP.NET 2.0 and how we'll handle the new world of security therein. And it is a very different world, as Microsoft has finally taken security very seriously and is providing the tools we need to build secure sites that can withstand the latest attacks.
That last statement requires comment. Security is a moving target, and with the current state of our understanding of what security means on the Web, the best we can do is protect against the attacks we see today and the attacks we can envision might appear tomorrow. After all, Microsoft is powered by mere humans (comparisons to the Borg notwithstanding) and, although many of those humans are incredibly smart, they are using the same clouded crystal ball as the rest of us. So while the security enhancements in all the new 2005 and 2.0 tools are impressive, the best we can hope for is that they will repel today's attacks and provide some level of resilience to the next round of attacks that clever hackers will dream up. The moral of the story: Security is a moving target and you can't let your guard down, even for a moment. And patch, patch, patch!
On to ASP.NET 2.0 security enhancements, starting with the usual caveat: Until the final release of ASP.NET 2.0 and the other tools, things can change. I think that they are settling down into what they'll actually look like at release, but things could still change. I'll start covering the release version once it's out, of course, but for the next couple of months what I think and say is based on the latest beta, CTP, or RC versions.
I see the enhancements as falling into two broad categories: what I call application infrastructure and core security. The application infrastructure features are those that ASP.NET provides out of the box; what we used to have to implement for each application, common services such as membership management, role management, and forms authentication. For example, many sites need to control access to all or parts of the site based on a user's identity and assigned role, with supporting information typically stored in some kind of a data store such as SQL Server. ASP.NET 2.0 provides all the infrastructure you need to use and extend such membership management to secure your site against unauthorized users.
The other category of features forms core security. These are the lower-level enhancements that provide the security plumbing for all Web applications and keep them safe from clever attacks that try to overrun buffers, con highly privileged code into doing bad things, and get access to sensitive information. I include ASP.NET 2.0's health monitoring features as part of core security, because they really aren't part of the application that the user cares about but protect the site by alerting you to problems as quickly as possible. I personally find the core security features more interesting, but core security and application infrastructure are deeply integrated and both are necessary for secure applications.
In the months to come, I'll talk about many features of both application infrastructure and core security. In this column, however, I'd like to revisit a topic that I wrote a series of columns about in late 2004: partially trusted Web applications (see Security Alert, Play It Safe, Permission to Trust, and Comparable Consent). In those columns I argued three things:
Never develop or deploy a fully trusted ASP.NET application;
never use one of the pre-defined ASP.NET trust levels; and, most importantly,
develop a custom trust level for each application you develop and deploy.
The Medium Trust Level was, is, and will be a reasonable starting place for developing your own custom trust level. Comparing the default web_mediumtrust.config file in .NET 1.1 and 2.0 shows that the medium trust level in 2.0 has a slightly different set of permissions that Code Access Security (CAS) in the Common Language Runtime (CLR) assigns to a medium trust application:
An application now gets the SqlNotificationPermission, presumably because ASP.NET 2.0 features like caching now rely on SQL Server's Notification Services to know when to update the cache. It is an unrestricted permission.
An application now gets the SmtpPermission. I guess Microsoft expects that most applications need to send e-mails. It is a restricted permission, granted Connect permission, which allows connection to an SMTP host on the default port.
These are pretty minor tweaks, mostly to acknowledge the realities of the environment of most ASP.NET applications. But it is still an inappropriate trust level for any particular ASP.NET application. Why? Because it grants permissions that are unnecessary for most applications, and most non-trivial applications will need an additional permission or two. For example, I haven't seen many applications that need the PrintingPermission, which controls access to printers. It is a restricted permission, set to the DefaultPrinting level, which allows the application to print to the default printer only and safe printing through a semi-restricted dialog box.
The good news is that creating a custom trust level in ASP.NET 2.0 is pretty much the same process as in ASP.NET 1.1. The bad news is that it is still going to require that you carefully think through the permissions your application requires and grant exactly those permissions, no more and no less.
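Working out "exactly those permissions" starts with an inventory of what the base policy grants. The following added example (not from the column or from Microsoft) reads the ASP.Net named permission set from a trust policy file and compares it with an application's needs. The embedded excerpt is constructed and abbreviated to the permissions named above, and the REQUIRED set and function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, abbreviated excerpt in the layout of an ASP.NET trust policy
# file; it carries only permissions named in the column, not the full file.
MEDIUM_TRUST_EXCERPT = """
<configuration><mscorlib><security><policy><PolicyLevel version="1">
  <NamedPermissionSets>
    <PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
      <IPermission class="AspNetHostingPermission" version="1" Level="Medium"/>
      <IPermission class="PrintingPermission" version="1" Level="DefaultPrinting"/>
      <IPermission class="SmtpPermission" version="1" Access="Connect"/>
      <IPermission class="SqlNotificationPermission" version="1" Unrestricted="true"/>
    </PermissionSet>
  </NamedPermissionSets>
</PolicyLevel></policy></security></mscorlib></configuration>
"""

def granted_permissions(policy_xml, set_name="ASP.Net"):
    """Map permission class -> its settings for the named permission set."""
    root = ET.fromstring(policy_xml)
    for pset in root.iter("PermissionSet"):
        if pset.get("Name") == set_name:
            return {
                p.get("class"): {k: v for k, v in p.attrib.items()
                                 if k not in ("class", "version")}
                for p in pset.findall("IPermission")
            }
    raise ValueError("no permission set named %r" % set_name)

def audit(policy_xml, required):
    """Compare what the policy grants with what the application needs."""
    granted = granted_permissions(policy_xml)
    return {
        "excess": sorted(set(granted) - set(required)),
        "missing": sorted(set(required) - set(granted)),
        "unrestricted": sorted(c for c, a in granted.items()
                               if a.get("Unrestricted") == "true"),
    }

# Hypothetical application: sends mail and queries an OLE DB data source.
REQUIRED = {"AspNetHostingPermission", "SmtpPermission", "OleDbPermission"}

if __name__ == "__main__":
    report = audit(MEDIUM_TRUST_EXCERPT, REQUIRED)
    for key, classes in report.items():
        print("%-13s %s" % (key + ":", ", ".join(classes) or "(none)"))
```

Entries under "excess" are candidates to drop from the custom policy file, entries under "missing" have to be added to it, and "unrestricted" grants are the ones to narrow first.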
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.