Posted by: dcding   Posted: 2005-08-21 16:51   Replies: 0

New ASP.NET Security Practices Paper Released

Source: TheServerSide.net.

This paper is indeed very good.

Microsoft's Patterns & Practices Group has released a whitepaper outlining the Security features available in ASP.NET 2.0 and how to use them. Topics include how to cache roles in ASP.NET, how to use constrained delegation, and how to protect ViewState.

The .NET Framework version 2.0 and ASP.NET version 2.0 introduce many new security features. The most notable enhancements for ASP.NET Web applications are:
  • Forms authentication and membership. You can now use forms authentication with the new membership feature and membership API. The membership feature supports a provider model, with the SqlMembershipProvider for SQL Server databases and ActiveDirectoryMembershipProvider for Active Directory and Active Directory Application Mode (ADAM) stores provided as built-in providers. You can also create custom providers for your custom user stores. You no longer have to create your own custom databases and write your own custom authentication code.
  • Role manager. The new role management feature provides secure role storage and an API for managing and checking role membership. The role manager supports a provider model. The supplied providers are:
    • The SqlRoleProvider for SQL Server role stores.
    • The WindowsTokenRoleProvider used with Windows authentication, which uses Windows groups as roles.
    • The AuthorizationStoreRoleProvider, which uses Windows Server 2003 Authorization Manager for managing roles in Active Directory or ADAM.
  • DPAPI managed wrapper. The .NET Framework version 2.0 provides a set of managed classes to access the Win32 Data Protection API (DPAPI). Code requires the DpapiPermission to be able to use DPAPI.
  • Configuration file changes. Machine-wide configuration settings for all Web applications on a server are now maintained in a machine-level Web.config file instead of Machine.config. The machine-level Web.config file is located in the \Windows\Microsoft.NET\Framework\{version}\CONFIG directory.
  • Configuration file encryption. ASP.NET version 2.0 introduces a Protected Configuration feature to enable you to encrypt sections of your Machine.config and Web.config files by using either DPAPI or RSA encryption. This is particularly useful for encrypting connection strings and account credentials.
  • Health monitoring. ASP.NET version 2.0 introduces a health monitoring system. It supports many standard events that you can use to monitor the health of your application. Examples of security-related events that are automatically generated include logon failures and successes when using the ASP.NET membership system, attempts to tamper with or reuse forms authentication tickets, and infrastructure events such as disk access failures. You can also create custom events to instrument your application for other security and non-security related notable events.
  • Code access security. The SQL Server managed data provider no longer demands Full trust. This means that Medium trust Web applications can now access SQL Server databases by using this provider. Also, in version 2.0, SmtpPermission is available at Full, High, and Medium trust levels. This allows partial trust Web applications to send e-mail.
  • Machine key enhancements. The <machineKey> now supports a decryption attribute that specifies the symmetric encryption algorithm used to encrypt and decrypt forms authentication tickets. ASP.NET version 2.0 provides support for AES symmetric encryption, which is used by default, in addition to DES and 3DES.


The paper is written as answers to numerous "How To" questions categorized into the following categories:

  • Auditing and Logging
  • Authentication
  • Authorization
  • Code Access Security
  • Configuration
  • Data Access
  • Impersonation and Delegation
  • Input and Data Validation
  • Secure Communication
  • Sensitive Data


Read Security Practices: ASP.NET 2.0 Security Practices at a Glance
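The features listed above, wired together in one Web.config, as an added example that is not part of the original post or of the paper itself; the application path, key values and the connection string are placeholders I assumed:

```xml
<!-- Added example, not from the paper: a Web.config that enables the ASP.NET 2.0
     features listed above. Key values, paths and the connection string are placeholders. -->
<configuration>
  <connectionStrings>
    <!-- Encrypt this section in place after deployment so plaintext credentials never sit on disk:
         aspnet_regiis -pe "connectionStrings" -app "/MyApp" -prov "DataProtectionConfigurationProvider"
         (DPAPI, per machine; use RsaProtectedConfigurationProvider to share one key across a web farm) -->
    <add name="MembershipDb"
         connectionString="Server=(local);Database=AppDb;Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- Forms authentication: encrypted and signed ticket, cookie only, sent over HTTPS only -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" protection="All" requireSSL="true"
             slidingExpiration="false" timeout="20" cookieless="UseCookies" />
    </authentication>
    <!-- Membership: built-in SQL provider with hashed passwords and lockout, no custom credential code -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb" passwordFormat="Hashed"
             requiresUniqueEmail="true" maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" minRequiredPasswordLength="8" />
      </providers>
    </membership>
    <!-- Role manager: roles cached in an encrypted and signed cookie instead of a lookup per request -->
    <roleManager enabled="true" defaultProvider="SqlRoles" cacheRolesInCookie="true"
                 cookieProtection="All" cookieRequireSSL="true">
      <providers>
        <clear />
        <add name="SqlRoles" type="System.Web.Security.SqlRoleProvider"
             connectionStringName="MembershipDb" />
      </providers>
    </roleManager>
    <!-- Machine key: AES (the 2.0 default) for ticket and ViewState encryption rather than DES/3DES;
         explicit keys matter on a web farm, so replace these placeholders with random hex values -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS" decryptionKey="REPLACE_WITH_64_HEX_CHARS"
                validation="SHA1" decryption="AES" />
    <!-- ViewState: MAC check plus encryption of the whole ViewState -->
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <!-- Health monitoring: failure audits (failed logons, tampered or replayed tickets) go to the event log -->
    <healthMonitoring enabled="true">
      <rules>
        <add name="Failure Audits to Event Log" eventName="Failure Audits"
             provider="EventLogProvider" profile="Default" />
      </rules>
    </healthMonitoring>
  </system.web>
</configuration>
```

The "Failure Audits" event mapping and the EventLogProvider are defined in the machine-level Web.config the paper mentions, so the rule only has to reference them by name.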