Jan 2008 Allup


Deck from my Jan 2008 MSDN presentations - download presentations at http://www.msdnevents.com/resources/2008-winter-resources.aspx

1. MSDN Events – January 2008
   - Lynn Langit, SoCal MSDN dev evangelist
   - blogs.msdn.com/SoCalDevGal
   - blogs.msdn.com/geekSpeak

2. Today’s Topics
   - IIS 7.0 for developers
   - Security Sidebars – fixing common vulnerabilities
   - ASP.NET Membership Provider customization

3. Today’s Schedule – Irvine, CA (am)
   - 12 pm to 1:45 pm – IIS 7.0
   - 2:00 pm to 3:45 pm – Security Sidebars
   - 4:00 pm to 5:00 pm – ASP.NET Membership Provider

4. Some Housekeeping…
   - Please set all cell phones to silent
   - Evaluations are important!!
     - 9 = A
     - 8 = B
     - 7 = C
     - If < 7 please include comments
   - Resource DVD – our way of saying “Thanks!”
   - Giveaways!!

5. MSDN Events audiences: Business and Technical Executives / Small Business / IT Professionals / IT Developers / Partners
   - Business and technical executives: events designed to show how to streamline operations and increase efficiency through technology
   - Small business: information for small business decision makers who want to improve productivity, efficiency, and security in their workplace
   - IT professionals: “How-To” sessions delivering highly technical content, direct from a Microsoft technology specialist with real-world experience
   - IT developers: sessions designed for developers to get the latest tools and tips, chat with fellow developers and learn how to create rich new applications
   - Partners: designed for technology providers who are seeking to enhance technical knowledge, to improve selling skills and to learn about various programs and offers for partners

6. What’s on in West Region
   - SoCal code camp Fullerton – Jan 26/27
   - Sleepless SharePoint Dev Event SoCal – Jan 26/27
   - Office Dev Conf (San Jose) – Feb 11-13
   - Launch LA – Feb 27
   - BarCampLA – Mar 1-2
   - SharePoint Dev Conf (Redmond) – March 3-6
   - Mix08 (Las Vegas) – March 5-7
   - CodeTrip (SoCal) – March 26-31

7. HP Compaq dc7800 desktop PC with Intel® Core™2 Processor with vPro™ Technology
   - Special Offer: HP Compaq dc7800 Smart Buy*: Price: $1,059.00, Save $340! www.hp.com/go/smartbuy
   - Intel® Core™2 Duo processor E6550, 2.33 GHz, 4 MB L2 cache, 1333 MHz front side bus
   - Intel Q35 Express Chipset
   - 2 GB 667 MHz DDR2 SDRAM
   - 160 GB 7200 rpm SATA
   - 3 year warranty
   - P/N: RU026UT
   - *HP Smart Buys are the easiest way to get the most popular, expertly pre-configured, ready-to-ship business solutions at discounted prices.

8. Promotional Offer
   - Visit the New Horizons CLC/Microsoft Learning table today and ask for your 40% discount exam voucher. Please visit us at: www.NewHorizons.com
   - or www.microsoft.com/learning

9. What’s new for developers in IIS7

10. What Will We cover?
    - The new processing pipeline in IIS7
    - Using technologies such as PHP with IIS7
    - Customizing IIS7 with managed code

11. Agenda
    - Introducing IIS7 Architecture
    - Securing IIS7
    - Extending IIS7

12. Architecture Overview (request pipeline diagram; stage labels recovered from the slide: HTTP Request; Authentication – Basic, NTLM, Anonymous, Windows, Forms; Authorization; ResolveCache; Determine/Map Handler; Execute Handler – CGI, Static File, ISAPI, aspnet_isapi.dll with ASPX, Trace, …; UpdateCache; Send Response; Compression; Log; HTTP Response)

13. Windows Activation Service
    - Independent from IIS
    - Application pools
      - Identity
      - Isolates corruption
    - Message based activation
      - HTTP requests
      - Non-HTTP requests

14. Hosting a WCF Service in WAS (Demo)

15. Configuration Files
    - IIS/WAS global settings
      - applicationHost.config
    - Application specific settings
      - web.config
    - No metabase
    - Remote configuration

16. Configuring IIS (Demo)

17. Agenda
    - Introducing IIS7 Architecture
    - Securing IIS7
    - Extending IIS7

18. Secure by Default
    - Less surface area
    - Request filtering
    - Handler permissions
    - Hardened listeners

19. Authentication Modules

    Method                     | Security Level | How Passwords are Sent    | Crosses Proxy Servers and Firewalls | Client Requirements
    Anonymous authentication   | None           | N/A                       | Yes                                 | Any browser
    ASP.NET Impersonation      | Medium         | Obscured                  | Yes                                 | .NET
    Basic authentication       | Low            | Base64 encoded clear text | Yes                                 | Most browsers
    Digest authentication      | Medium         | Hashed                    | Yes                                 | IE 5.0 or later
    FORMS authentication       | None           | Plain text                | Yes                                 |
    Windows authentication     | High           | Hashed or Kerberos ticket | No, unless over VPN                 | IE 2.0 for NTLM/W2K and IE 5.0 for Kerberos
    Certificate authentication | High           | N/A                       | Yes, using a SSL connection         | IE and Netscape

20. Managing modules (Demo)

21. Agenda
    - Introducing IIS7 Architecture
    - Securing IIS7
    - Extending IIS7

22. Type of Extensibility
    - Modules and Handlers
    - Extending configuration
    - Extending IIS Manager
    - Extending Diagnostics

23. Modules and Handlers
    - Modules
      - Similar to ISAPI filters
      - Broader scope
    - Handlers
      - Similar to ISAPI extension
      - Narrower scope

24. Extending IIS with managed code (Demo)
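Added example, not from the deck's demo: a managed IIS7 module that rejects over-long URLs and query strings at BeginRequest, which is the kind of request-filtering check slide 18 refers to. The class and assembly names and the limits are invented for this example; IIS7's built-in request filtering can enforce the same limits from configuration, so the point here is the module mechanics.

```csharp
using System;
using System.Web;

// Managed module for the IIS7 integrated pipeline. Because the pipeline is
// integrated, the module runs for every request IIS serves (static files
// included), not only for requests mapped to ASP.NET.
public class RequestLimitsModule : IHttpModule
{
    // Limits chosen for this example; IIS7's built-in request filtering can
    // enforce the same limits from configuration.
    private const int MaxUrlLength = 1024;
    private const int MaxQueryStringLength = 2048;

    public void Init(HttpApplication app)
    {
        // BeginRequest fires before authentication and handler mapping, so an
        // over-long request is rejected before any handler sees it.
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        if (IsOverLimit(request.RawUrl, request.QueryString.ToString()))
        {
            app.Context.Response.StatusCode = 414;
            app.Context.Response.StatusDescription = "Request-URI Too Long";
            app.CompleteRequest();  // skip the remaining pipeline stages
        }
    }

    // The decision itself is a pure function so it can be tested without IIS.
    public static bool IsOverLimit(string rawUrl, string queryString)
    {
        return rawUrl.Length > MaxUrlLength
            || queryString.Length > MaxQueryStringLength;
    }

    public void Dispose() { }
}

/* Registration in web.config for the integrated pipeline, assuming the class
   above is compiled into an assembly named RequestLimits (hypothetical name):

   <system.webServer>
     <modules>
       <add name="RequestLimitsModule" type="RequestLimitsModule, RequestLimits" />
     </modules>
   </system.webServer>
*/
```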
25. Session Summary
    - IIS7 has a granular design
    - IIS7 has an integrated pipeline for handling requests
    - IIS7 is easily extensible with managed code
    - Links on Lynn’s blog – http://blogs.msdn.com/SoCalDevGal

26. Web Security Sidebars – MSDN Events

27. What Will We cover?
    - Creating Secure Web Applications
    - Common Threats Faced
      - How Does It Work?
      - What are the risks?
      - Real World Examples
      - How do I protect my web site?

28. Agenda
    - Growing importance of security
    - 5 Most Common Threats
    - Cross Site Scripting
    - SQL Injection
    - Integer Overflow
    - One-Click Attack / Cross Site Request Forgery
    - Insecure Direct Object Reference & Securing Sensitive Information

29. www.HelloSecureWorld.com
    - Security is an increasingly important factor for web applications.
      - People place an increasing dependence on technology
      - Potential threats are also increasing
    - ASP.NET integrates a number of built-in defensive barriers which make it easier to create secure web sites.

30. How To Build Secure Web Apps

31. Facets Of Web Security (diagram; only the label “Web Security” survives)

32. 5 Most Common Security Risks

33. Cross Site Scripting
    - What is Cross Site Scripting?
    - Allows hackers to run malicious script in a client’s Web browser
    - Any Web page that renders dynamic HTML based on content that users submit is vulnerable

34. Cross Site Scripting
    - Potential Risks
    - Hackers can embed <script>, <object>, <applet>, and <embed> tags
    - Hackers can steal Web session information, modify the user’s screen

35. Cross Site Scripting
    - How To Mitigate
    - Validate and constrain input
    - Properly encode output
    - Microsoft Anti-Cross Site Scripting Library
    - What about Server.HTMLEncode?
      - Uses a blacklist for exclusion
      - Less secure
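Added example, not from the deck: the two mitigations on slide 35 applied to a user comment, in C#. Input is constrained with a whitelist pattern, then output is encoded with the Anti-Cross Site Scripting Library for the specific context it lands in (HTML body, HTML attribute, JavaScript literal), with the HttpUtility/Server.HtmlEncode call shown only for contrast. The `CommentRenderer` class and the display-name rule are invented; the `AntiXss` static methods are assumed to be those of the Anti-XSS Library v1.5/3.0.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using Microsoft.Security.Application;   // Anti-Cross Site Scripting Library

public static class CommentRenderer
{
    // Constrain input first: a display name is letters, digits, space, dot
    // and dash only (rule invented for this example).
    private static readonly Regex DisplayName = new Regex(@"^[A-Za-z0-9 .\-]{1,40}$");

    public static bool IsValidDisplayName(string name)
    {
        return name != null && DisplayName.IsMatch(name);
    }

    // Encode output for the context it lands in: HTML body, HTML attribute and
    // a JavaScript string literal each have a different set of dangerous characters.
    public static string Render(string displayName, string comment)
    {
        if (!IsValidDisplayName(displayName))
            throw new ArgumentException("display name rejected by input validation");

        string nameForBody = AntiXss.HtmlEncode(displayName);
        string nameForAttr = AntiXss.HtmlAttributeEncode(displayName);
        string bodyText    = AntiXss.HtmlEncode(comment);
        string jsText      = AntiXss.JavaScriptEncode(comment); // result is already quoted

        return "<div class=\"comment\" title=\"" + nameForAttr + "\">"
             + "<b>" + nameForBody + "</b>: " + bodyText + "</div>"
             + "<script>logComment(" + jsText + ");</script>";
    }

    // For contrast only: HttpUtility.HtmlEncode (what Server.HtmlEncode calls)
    // replaces a fixed set of characters (< > & ") and, in .NET 2.0/3.5, leaves
    // the apostrophe alone, which is why it is weaker in attribute contexts.
    public static string LegacyEncode(string text)
    {
        return HttpUtility.HtmlEncode(text);
    }
}
```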
36. Cross Site Scripting
    - Real World Example
    - Attackers redirected PayPal visitors to a page warning users their accounts had been compromised.
    - Victims were then redirected to a phishing site and prompted to enter sensitive financial data. Source: http://www.acunetix.com/news/paypal.htm

37. Cross Site Scripting

38. SQL Injection
    - What is SQL Injection?
    - Affects dynamic SQL queries which use user input as part of the query
    - Attacker submits data containing a command that SQL Server executes
    - Attack Vectors
      - Query strings
      - Forms
      - Web Services

39. SQL Injection
    - Potential Risks
    - Probe databases
    - Bypass authorization
    - Execute multiple SQL statements
    - Call built-in stored procedures (e.g. xp_cmdshell)

40. SQL Injection
    - How to Mitigate
    - Constrain and sanitize input data
    - Use type-safe SQL parameters
    - Restrict permissions for the account used to access the database
    - Do not disclose error information
    - Use LINQ to SQL to access and interact with data
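Added example, not from the deck: the concatenated query that slide 38 describes beside the parameterized form from slide 40, in C# with ADO.NET. The `ProductLookup` class, the `Products` table and the product-code rule are invented for this example; the connection string is a placeholder.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class ProductLookup
{
    // Placeholder; the real value belongs in an encrypted <connectionStrings>
    // section of web.config, under an account with SELECT on Products only.
    private const string ConnectionString = "<connection string placeholder>";

    // VULNERABLE (shown for contrast): the input is spliced into the SQL text,
    // so a quote, semicolon or comment sequence in it is parsed as SQL.
    public static string BuildUnsafeQuery(string productCode)
    {
        return "SELECT Name, Price FROM Products WHERE Code = '" + productCode + "'";
    }

    // Step 1: constrain input. Product codes are assumed to be 3 to 12
    // upper-case alphanumerics (rule invented for this example).
    private static readonly Regex CodePattern = new Regex(@"^[A-Z0-9]{3,12}$");

    public static bool IsValidProductCode(string productCode)
    {
        return productCode != null && CodePattern.IsMatch(productCode);
    }

    // Step 2: type-safe parameter. The value travels separately from the SQL
    // text, so SQL Server never parses it as part of the statement.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string productCode)
    {
        if (!IsValidProductCode(productCode))
            throw new ArgumentException("product code rejected by input validation");

        SqlCommand cmd = new SqlCommand(
            "SELECT Name, Price FROM Products WHERE Code = @code", conn);
        cmd.Parameters.Add("@code", SqlDbType.VarChar, 12).Value = productCode;
        return cmd;
    }

    public static DataTable Lookup(string productCode)
    {
        DataTable result = new DataTable();
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = BuildSafeCommand(conn, productCode))
        {
            try
            {
                conn.Open();
                new SqlDataAdapter(cmd).Fill(result);
            }
            catch (SqlException)
            {
                // Step 3: never return provider error text to the client; log it
                // server-side (omitted here) and fail with a generic message.
                throw new ApplicationException("Lookup failed");
            }
        }
        return result;
    }
}
```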
41. SQL Injection
    - Real World Example
    - The official government website for the state of Rhode Island (www.ri.gov) was the victim of a SQL Injection attack in January of last year.
    - Hackers allegedly stole credit card data from individuals who have done business online with state agencies.
    - The hackers claimed to have stolen as many as 53,000 credit card numbers
      - Source: http://www.webappsec.org/projects/whid/list_id_2006-3.shtml

42. SQL Injection

43. Integer Overflow
    - What is Integer Overflow?
    - Occurs when a calculation causes an integer to exceed the max or min value allowed by its data type

44. Integer Overflow
    - Potential Risks
    - Data corruption
    - Application crashes, instability
    - Execution of arbitrary code

45. Preventing Integer Overflow
    - How To Mitigate
    - Validate user input
      - Check for min and max values
    - Use the correct data type
    - Execute your code in a checked context
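Added example, not from the deck: the three mitigations on slide 45 applied to a request-supplied allocation size, in C#. Bounds checking, the `checked` keyword (which turns a wrap-around into an OverflowException) and a wider result type are each shown on their own and then combined; the `BufferSizing` class and its limits are invented for this example.

```csharp
using System;

public static class BufferSizing
{
    // Application limits assumed for this example.
    private const int MaxItems = 10000;
    private const int MaxItemSize = 65536;

    // Step 1: validate user-supplied values against explicit min and max bounds.
    public static bool InRange(int count, int itemSize)
    {
        return count > 0 && count <= MaxItems
            && itemSize > 0 && itemSize <= MaxItemSize;
    }

    // Step 2: checked context. If the product does not fit in an int, the
    // runtime throws OverflowException instead of silently wrapping to a
    // small or negative value that a later allocation or length check accepts.
    public static int CheckedProduct(int a, int b)
    {
        checked
        {
            return a * b;
        }
    }

    // Default C# behaviour for contrast: the same product wraps silently.
    public static int UncheckedProduct(int a, int b)
    {
        unchecked
        {
            return a * b;
        }
    }

    // Step 3: use a type wide enough for the result. A long holds any product
    // of two ints, so this cannot overflow at all.
    public static long WideProduct(int a, int b)
    {
        return (long)a * b;
    }

    // All three defences together for a request-supplied allocation size.
    public static int TotalBytes(int count, int itemSize)
    {
        if (!InRange(count, itemSize))
            throw new ArgumentOutOfRangeException("count or itemSize out of range");
        return CheckedProduct(count, itemSize);
    }

    public static void Main()
    {
        // 65536 * 65536 is 2^32, which does not fit in a 32-bit int.
        Console.WriteLine(UncheckedProduct(65536, 65536)); // wraps silently
        Console.WriteLine(WideProduct(65536, 65536));      // exact in a long
        try { CheckedProduct(65536, 65536); }
        catch (OverflowException) { Console.WriteLine("overflow detected"); }
    }
}
```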
46. Integer Overflow
    - Real World Example
    - Apple’s OS X operating system contained a vulnerability which could be exploited remotely by an attacker to compromise a user's system.
    - The ffs_mountfs() method was vulnerable to an integer overflow which could potentially allow arbitrary code to be executed. Source: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1238554,00.html

47. Integer Overflow

48. Cross Site Request Forgery
    - What is Cross Site Request Forgery?
    - Forces a logged-on victim’s browser to send a request to a vulnerable web application
    - Request is sent by the victim, not the attacker
    - Can be difficult to detect
    - Also known as “One-Click” vulnerability

49. Cross Site Request Forgery
    - Potential Risks
    - Exposes the victim’s private information to the attacker
    - Attacker can alter data, make purchases, retrieve account info.
    - Victim is usually unaware any changes have taken place

50. Cross Site Request Forgery
    - How to Mitigate
    - Include a unique token which the server validates when a request is received
      - ASP.NET: ViewStateUserKey
        - Ties view state content to a specific user
        - Must use a unique value for each user
        - Recommended: ViewStateUserKey = Session.ID
    - Require user confirmation with a shared secret
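Added example, not from the deck: slide 50's recommendation in C#, using the actual ASP.NET property name `Session.SessionID`, plus a server-validated token for requests that do not carry view state (the "shared secret" bullet). The `SecurePage` and `RequestToken` classes are invented for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.SessionState;
using System.Web.UI;

// Base page for the application: every page derived from it has its view
// state tied to the current session, as the deck recommends.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Must be assigned before view state is loaded, i.e. in Init, not Load.
        // A request forged from another site cannot carry view state that was
        // generated under this user's key, so the view state MAC check fails.
        // Caveat: ASP.NET issues a fresh SessionID on every request until
        // something is stored in Session; RequestToken below stores a value,
        // which keeps the id (and therefore the key) stable.
        ViewStateUserKey = Session.SessionID;
    }
}

// For state-changing requests that do not go through view state, a secret
// token stored in the session and echoed back by the form does the same job.
public static class RequestToken
{
    private const string SessionKey = "csrf-token";

    // Emit this value in a hidden form field when rendering the form.
    public static string GetOrCreate(HttpSessionState session)
    {
        string token = session[SessionKey] as string;
        if (token == null)
        {
            byte[] bytes = new byte[32];
            new RNGCryptoServiceProvider().GetBytes(bytes);
            token = Convert.ToBase64String(bytes);
            session[SessionKey] = token;
        }
        return token;
    }

    // Call this before acting on the request; reject when it returns false.
    public static bool IsValid(HttpSessionState session, string submittedToken)
    {
        string expected = session[SessionKey] as string;
        return expected != null && submittedToken != null
            && FixedTimeEquals(expected, submittedToken);
    }

    // Compare without short-circuiting so timing does not leak the token.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```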
51. Cross Site Request Forgery
    - Real World Example
    - A security flaw at FTD.com made it possible to access customer data simply by copying a cookie from one computer to another.
    - In addition, sequential values were used as identifiers, making it easier to guess the numbers of other valid cookies. Source: http://www.news.com/2100-1017-984585.html

52. Cross Site Request Forgery

53. Insecure Direct Object Reference
    - What is Insecure Direct Object Reference?
    - Occurs when a direct reference to a file, directory, database record, etc. is exposed to users
    - Typically exposed in the URL as a querystring or form parameter
    - Hacker can manipulate the reference to access other objects

54. Insecure Direct Object Reference
    - Potential Risks
    - Attacker can access other files or resources on the server
      - Web.Config – contains database connection and user account info
      - SAM file – holds the user names and password hashes for every account on the local machine
      - This data can be used to create additional attacks

55. Insecure Direct Object Reference
    - Steps To Mitigate
    - Avoid directly referencing objects wherever possible
    - Use an index to assign a unique id, then reference the id
    - If a direct reference must be used, employ methods to ensure only authorized objects are shown
    - Encrypt sensitive sections in web.config
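Added example, not from the deck: the indirect-reference index from slide 55 in C#. Each session gets a map from random handles to the server-side paths the user is authorized to see, so the URL carries a handle rather than a path or record id, and a guessed or altered handle resolves to nothing. The `DocumentReferenceMap` and `DocumentAccess` classes are invented; the trailing comment shows the ASP.NET 2.0 tool for the last bullet with a placeholder application path.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.SessionState;

// Indirect object references: the browser only ever sees a random per-session
// handle; the real server path (or record id) never leaves the server.
public class DocumentReferenceMap
{
    private readonly Dictionary<string, string> handleToPath = new Dictionary<string, string>();
    private readonly Dictionary<string, string> pathToHandle = new Dictionary<string, string>();

    // Register a document the current user is authorized to see and return
    // the handle to put in the URL. Only authorized documents are registered,
    // so the map doubles as the authorization list.
    public string Register(string serverPath)
    {
        string handle;
        if (pathToHandle.TryGetValue(serverPath, out handle))
            return handle;
        byte[] bytes = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(bytes); // unguessable, unlike a counter
        handle = BitConverter.ToString(bytes).Replace("-", "");
        handleToPath[handle] = serverPath;
        pathToHandle[serverPath] = handle;
        return handle;
    }

    // Resolve the handle from the query string. A guessed or tampered handle,
    // or one issued to a different user's session, resolves to nothing.
    public bool TryResolve(string handle, out string serverPath)
    {
        serverPath = null;
        return handle != null && handleToPath.TryGetValue(handle, out serverPath);
    }
}

public static class DocumentAccess
{
    private const string MapKey = "doc-map";

    // One map per session (assumes InProc session state; the map is not serializable).
    public static DocumentReferenceMap ForSession(HttpSessionState session)
    {
        DocumentReferenceMap map = session[MapKey] as DocumentReferenceMap;
        if (map == null)
        {
            map = new DocumentReferenceMap();
            session[MapKey] = map;
        }
        return map;
    }
}

/* The connection string the handler eventually uses should not sit in clear
   text either. ASP.NET 2.0 ships a tool for the deck's last bullet:
     aspnet_regiis -pe "connectionStrings" -app "/MyApp"
   ("/MyApp" is a placeholder virtual path.)
*/
```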
56. Insecure Direct Object Reference
    - Real World Example
    - Cahoot (www.cahoot.com), a UK based online bank, allowed customers to access other people's accounts simply by changing the username in the URL
    - The website was closed down for 10 hours to repair the vulnerability
    - Source: http://news.bbc.co.uk/2/hi/business/3984845.stm

57. Insecure Direct Object Reference

58. Session Summary
    - Validate Input / Encode Output (Anti-XSS library)
    - Parameterize SQL Queries
    - Least privilege Account
    - Execute in a checked context
    - ViewStateUserKey = Session.ID
    - Reference objects Indirectly
    - Encrypt Web.Config

59. For More Information
    - Anti XSS Library
      - http://www.microsoft.com/downloads/details.aspx?familyid=9a2b9c92-7ad9-496c-9a89-af08de2e5982&displaylang=en
    - Built-in ASP.NET security features
      - http://msdn2.microsoft.com/en-us/library/ms972969.aspx
      - HelloSecureWorld.com
        - http://www.hellosecureworld.com

60. Extending ASP.NET Application Services – MSDN Events Winter, 2007

61. What Will We cover?
    - ASP.NET Provider Model
    - Application Services
    - Rich Clients in .NET 3.5

62. Helpful Experience
    - ASP.NET 2.0 Login Controls
    - Microsoft Ajax Library
    - Silverlight
    - Building a WinForms application
    Level 200

63. Agenda
    - Understanding ASP.NET providers and the Provider Model
    - Using Built-in Providers and Application Services
    - Using Application Services in .NET 3.5

64. The Provider Model
    - Provider Design Pattern (class diagram recovered from the slide: ProviderBase, with methods and properties; MembershipProvider : ProviderBase, with methods and properties; MySQLMembershipProvider : MembershipProvider, with overridden methods and properties)
    - Built-in Providers
    - Custom Providers

65. Working with Providers
    - Integration with ASP.NET 2.0 controls
      - Login Controls
      - Other Controls
    - Provider Configuration
      - ASP.NET Server Setup
      - ASP.NET Configuration Tool

66. Introducing Providers

67. Agenda
    - Understanding ASP.NET providers and the Provider Model
    - Using Built-in Providers and Application Services
    - Using Application Services in .NET 3.5

68. Application Service Flexibility (diagram; labels recovered from the slide: Application Services; ASP.NET; Ajax; Silverlight; Web Services; SOAP Clients)

69. Application Services with Ajax
    - Ajax
      - ASP.NET 2.0 – 3.5
      - Silverlight 1.0
    - Web Services
      - Silverlight 2.0
      - Other SOAP Clients

70. Sharing Providers with Ajax and Silverlight

71. Agenda
    - Understanding ASP.NET providers and the Provider Model
    - Using Built-in Providers and Application Services
    - Using Application Services in .NET 3.5

72. Services in Visual Studio 2008
    - Application Services Integration
    - Services Page
    - New Libraries
      - System.Web.ClientServices
    - Offline Support
      - SQL/CE
      - Customized

73. Using Application Services from a Rich Client

74. Session Summary
    - Simplified storage solutions with the Provider Model
    - Using Application Services to increase productivity
    - Harness Application Services from different clients
    - http://www.msdnevents.com/resources

75. Thanks for attending! Lynn Langit, MSDN Developer Evangelist – Southern California, http://blogs.msdn.com/SoCalDevGal