Developing Secure Web Applications Delivery Guide Course Number: 2300A Part Number: X08-91681 Released: 06/2002 Information in this document, including URL and other Internet Web site references, is subject to change without notice Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred Complying with all applicable copyright laws is the responsibility of the user Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property  2002 Microsoft Corporation All rights reserved Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A and/or other countries The names of actual companies and products mentioned herein may be the trademarks of their respective owners Course Number: 2300A Part Number: X08-91681 Released: 06/2002 Developing Secure Web Applications iii Contents Introduction Course Materials Prerequisites Course Outline Setup Lab Scenario Microsoft Official Curriculum .11 Microsoft Certified Professional Program .12 Facilities .15 Module 1: Introduction to Web Security Overview Lesson: Why Build Secure Web Applications? .2 Lesson: Using the STRIDE Model to Determine Threats 17 Lesson: Implementing Security: An Overview 26 Review 38 Module 2: Planning for Web Application Security Overview Lesson: A Design Process for Building Secure Web Applications Review 22 Module 3: Validating User Input Overview Lesson: User Input Lesson: Types of User Input Attacks .8 Lesson: Performing Validation 23 Lesson: Revealing As Little Information As Possible to Users .38 Review 46 Lab 3: Verifying User Input 48 Module 4: Internet Information Services Authentication Overview Lesson: Introduction to Web Client Authentication Lesson: Configuring Access Permissions for a Web Server 16 Lesson: Selecting a Secure Client Authentication Method 25 Lesson: Running Services As an Authenticated User 45 Review 54 Lab 4: Authentication and Access Control 56 Module 5: Securing Web Pages Overview Lesson: ASP Forms-Based Authentication Lesson: NET Code Access and Role-Based Security .9 Lesson: Overview of ASP.NET Authentication Methods .16 Lesson: Working with Windows-Based Authentication in ASP.NET 30 Lesson: Working with ASP.NET Forms-Based Authentication 37 Review 55 Lab 5: Securing Web Pages 57 iv Developing Secure Web Applications Module 6: Securing File System Data Overview Lesson: Overview of Securing Files Lesson: Windows Access Control Lesson: Creating ACLs Programmatically 19 Lesson: Protecting ASP.NET Web Application Files 27 Review 38 Lab 6: Securing Files with ACLs 39 Module 7: Securing Microsoft SQL Server Overview Lesson: SQL Server Connections and Security Lesson: SQL Server Role-Based Security 15 Lesson: Securing SQL Server Communication 32 Lesson: Preventing SQL Injection Attacks 36 Review 46 Lab 7: Securing Microsoft SQL Server Data 48 Module 8: Protecting Communication Privacy and Data Integrity Overview Lesson: Introduction to Cryptography Lesson: Working with Digital Certificates 15 Lab 8.1: Obtaining a Server Certificate 35 Lesson: Using the Secure Sockets Layer/Transport Layer Security Protocols 39 Lesson: Using Internet Protocol Security 58 Review 63 Lab 8.2: Protecting Communication Privacy and Data Integrity 65 Course Evaluation 76 Module 9: Encrypting, Hashing, and Signing Data Overview Lesson: Encryption and Digital Signing Libraries Lesson: Using CAPICOM Lesson: Using the System.Security.Cryptography Namespace to Hash Data 21 Lab 9: Hashing Data 26 Lesson: Using the System.Security.Cryptography Namespace to Encrypt and Sign Data 42 Review 62 Module 10: Testing Web Applications for Security Overview Lesson: Testing Security in a Web Application Lesson: Creating a Security Test Plan Lesson: Performing Security Testing 17 Review 20 Lab 10: Test Cases for Security Testing 22 Course Evaluation 31 Appendix: Isolated Storage Developing Secure Web Applications v About This Course This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives Description This course teaches developers the knowledge and skills that are required to build Web applications by using secure coding techniques and the security mechanisms that are provided in Microsoft® Windows® 2000, Internet Information Services (IIS), and Microsoft SQL Server™ 2000 Students will learn how to identify Web application security vulnerabilities and choose the appropriate security methods to protect against these vulnerabilities Students will also get hands-on experience in creating secure Web applications by using Active Server Pages (ASP) and Microsoft ASP.NET Audience This course is intended for individuals who are responsible for the design and development of Web applications These individuals typically have three to five years of experience in developing or designing distributed Web applications Actual job roles and titles will vary throughout the technology industry, and may include, but may not be limited to, Web developers and solutions architects Student prerequisites This course requires that students meet the following prerequisites: ! Familiarity with N-tier application architecture ! Experience in developing or designing Web applications ! Experience with one of the following programming languages: ã Microsoft Visual Basicđ ã C# • Microsoft Visual Basic NET ! Experience in writing server-side and client-side scripts by using one or both of the following technologies: • ASP • ASP.NET ! Familiarity with both of the following Microsoft products and technologies is recommended: • SQL Server 2000 • IIS vi Developing Secure Web Applications Course objectives After completing this course, students will be able to: ! Define the basic principals of, and motivations for, Web security ! Perform a threat analysis on Web-accessible assets ! Secure their Web applications by validating user input ! Select the best IIS authentication method for a given set of requirements ! Implement forms-based authentication in both ASP and ASP.NET Web applications ! Protect file system data by using the features that are available in Windows 2000 ! Use the SQL Server security model and Microsoft ADO.NET to protect a Web application against attacks ! Protect the portions of a Web application that require private communications by using Secure Sockets Layer (SSL) security ! Use the CAPICOM cryptographic library and the System.Security.Cryptography namespace to encrypt, hash, and sign data ! Employ a structured approach to testing for Web application security Developing Secure Web Applications Course Timing The following schedule is an estimate of the course timing Your timing may vary Day Start End Module 8:30 9:00 Introduction 9:00 10:15 Module 1: Introduction to Web Security 10:15 10:30 Break 10:30 11:30 Module 2: Planning for Web Application Security 11:30 12:30 Lunch 12:30 2:00 Module 3: Validating User Input 2:00 2:15 Break 2:15 2:45 Lab 3: Verifying User Input 2:45 4:00 Module 4: Internet Information Services Authentication 4:00 4:15 Break 4:15 4:45 Lab 4: Authentication and Access Control Day Start End Module 8:30 8:45 Day review 8:45 10:00 Module 5: Securing Web Pages 10:00 10:30 Lab 5: Securing Web Pages 10:30 10:45 Break 10:45 12:15 Module 6: Securing File System Data 12:15 1:15 Lunch 1:15 1:45 Lab 6: Securing Files with ACLs 1:45 3:00 Module 7: Securing Microsoft SQL Server 3:00 3:15 Break 3:15 3:45 Lab 7: Securing Microsoft SQL Server Data vii viii Developing Secure Web Applications Day Start End Module 8:30 8:45 Day review 8:45 9:45 Module 8: Protecting Communication Privacy and Data Integrity 9:45 10:00 Lab 8.1: Obtaining a Server Certificate 10:00 11:00 Module 8: Protecting Communication Privacy and Data Integrity (continued) 11:00 11:15 Lab 8.2: Protecting Communication Privacy and Data Integrity 11:15 11:30 Break 11:30 12:45 Module 9: Encrypting, Hashing, and Signing Data 12:45 1:45 Lunch 1:45 2:45 Lab 9: Hashing Data 2:45 3:00 Break 3:00 3:45 Module 10: Testing Web Applications for Security 3:45 4:15 Lab 10: Test Cases for Security Testing Developing Secure Web Applications ix Trainer Materials Compact Disc Contents The Trainer Materials compact disc contains the following files and folders: ! Autorun.exe When the compact disc is inserted into the compact disc drive, or when you double-click the Autorun.exe file, this file opens the compact disc and allows you to browse the Student Materials or Trainer Materials compact disc ! Autorun.inf When the compact disc is inserted into the compact disc drive, this file opens Autorun.exe ! Default.htm This file opens the Trainer Materials Web page ! Readme.txt This file explains how to install the software for viewing the Trainer Materials compact disc and its contents and how to open the Trainer Materials Web page ! 2300A_MS.doc This file is the Manual Classroom Setup Guide It contains the steps for manually setting up the classroom computers ! Powerpnt This folder contains the Microsoft PowerPoint® slides that are used in this course ! Pptview This folder contains the Microsoft PowerPoint Viewer 97, which can be used to display the PowerPoint slides if Microsoft PowerPoint 2002 is not available Do not use this version in the classroom ! Setup This folder contains the files that install the course and related software to computers in a classroom setting ! StudentCD This folder contains the Web page that provides students with links to resources pertaining to this course, including additional reading, review and lab answers, lab files, multimedia presentations, and courserelated Web sites ! Tools This folder contains files and utilities used to complete the setup of the instructor computer ! Webfiles This folder contains the files that are required to view the course Web page To open the Web page, open Windows Explorer, and in the root directory of the compact disc, double-click Default.htm or Autorun.exe x Developing Secure Web Applications Student Materials Compact Disc Contents The Student Materials compact disc contains the following files and folders: ! Autorun.exe When the compact disc is inserted into the CD-ROM drive, or when you double-click the Autorun.exe file, this file opens the compact disc and allows you to browse the Student Materials compact disc ! Autorun.inf When the compact disc is inserted into the compact disc drive, this file opens Autorun.exe ! Default.htm This file opens the Student Materials Web page It provides you with resources pertaining to this course, including additional reading, review and lab answers, lab files, multimedia presentations, and courserelated Web sites ! Readme.txt This file explains how to install the software for viewing the Student Materials compact disc and its contents and how to open the Student Materials Web page ! 2300A_MS.doc This file is the Manual Classroom Setup Guide It contains a description of classroom requirements, classroom setup instructions, and the classroom configuration ! Democode This folder contains demonstration code ! Flash This folder contains the installer for the Macromedia Flash 5.0 browser plug-in ! Fonts This folder contains fonts that may be required to view Microsoft Word documents that are included with this course ! Labfiles This folder contains files that are used in the hands-on labs These files may be used to prepare the student computers for the hands-on labs ! Media This folder contains files that are used in multimedia presentations for this course ! Mplayer This folder contains the setup file to install Microsoft Windows Media™ Player ! Practices This folder contains files that are used in the hands-on practices ! Webfiles This folder contains the files that are required to view the course Web page To open the Web page, open Windows Explorer, and in the root directory of the compact disc, double-click Default.htm or Autorun.exe ! Wordview This folder contains the Microsoft Word Viewer that is used to view any Word document (.doc) files that are included on the compact disc Developing Secure Web Applications xi Document Conventions The following conventions are used in course materials to distinguish elements of the text Convention Use Bold Represents commands, command options, and syntax that must be typed exactly as shown It also indicates commands on menus and buttons, dialog box titles and options, and icon and menu names Italic In syntax statements or descriptive text, indicates argument names or placeholders for variable information Italic is also used for introducing new terms, for book titles, and for emphasis in the text Title Capitals Indicate domain names, user names, computer names, directory names, and folder and file names, except when specifically referring to case-sensitive names Unless otherwise indicated, you can use lowercase letters when you type a directory name or file name in a dialog box or at a command prompt ALL CAPITALS Indicate the names of keys, key sequences, and key combinations — for example, ALT+SPACEBAR monospace Represents code samples or examples of screen text [] In syntax statements, enclose optional items For example, [filename] in command syntax indicates that you can choose to type a file name with the command Type only the information within the brackets, not the brackets themselves {} In syntax statements, enclose required items Type only the information within the braces, not the braces themselves | In syntax statements, separates an either/or choice ! Indicates a procedure with sequential steps In syntax statements, specifies that the preceding item may be repeated Represents an omitted portion of a code sample THIS PAGE INTENTIONALLY LEFT BLANK ... 2:45 3:00 Break 3:00 3:45 Module 10: Testing Web Applications for Security 3:45 4:15 Lab 10: Test Cases for Security Testing Developing Secure Web Applications ix Trainer Materials Compact Disc... view the course Web page To open the Web page, open Windows Explorer, and in the root directory of the compact disc, double-click Default.htm or Autorun.exe x Developing Secure Web Applications. .. encrypt, hash, and sign data ! Employ a structured approach to testing for Web application security Developing Secure Web Applications Course Timing The following schedule is an estimate of the