You’ve just discovered a single source for the techniques you need to secure any ASP.NET web application. Building Secure Microsoft ASP.NET Applications covers authentication, authorization, and secure communications in every tier, addressing nearly every scenario you’re likely to encounter.
Microsoft’s security specialists begin with fundamental application security principles. Some you already know well (use defense in depth). Others may require you to rethink your approach: “reduce surface area” (avoid exposing information and services that users don’t need) and “check at the gate” (authenticate and authorize users at the point where they enter the application, rather than flowing each user’s security context through to the back end for authorization).
After reviewing ASP.NET’s new security model, the authors offer practical guidance for designing effective authentication and authorization systems. Should you use Active Directory for authentication, or a custom data store? How do you handle non-Windows clients and servers? When should you depend on trusted subsystems, and when not?
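As an added illustration of the “check at the gate” and trusted-subsystem ideas the reviewer mentions (example code written for this page, not taken from the book), here is the shape of an ASP.NET (.NET Framework) page that authorizes the caller once at the web tier and then reaches SQL Server under a single fixed service identity. The server name, database, role name, stored procedure and parameter are assumptions for illustration.

```csharp
// Added example, not from the book: "check at the gate" plus the trusted-subsystem model.
// The web tier authenticates and authorizes the caller at the entry point; the data tier
// trusts the web application's own process identity instead of each caller's token.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public class OrdersPage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // Gate check: the principal ASP.NET attached to the request (Windows or Forms
        // authentication) is authorized here, before any downstream resource is touched.
        IPrincipal user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole("Orders.Reader"))
        {
            Response.StatusCode = 403;   // authorized callers only; nothing else is revealed
            Response.End();
            return;
        }

        // Trusted subsystem: the query below runs under the application's fixed service
        // account, not under an impersonated caller. The caller's name travels as *data*
        // so the stored procedure can still scope rows to that user.
        DataTable orders = OrdersDal.GetOrdersFor(user.Identity.Name);
        // ... bind `orders` to a grid ...
    }
}

static class OrdersDal
{
    // Assumed: "sql01" and the "Orders" database are illustrative. Integrated security means
    // the process identity (not a password in web.config) authenticates to SQL Server, and
    // that account should be granted EXECUTE on dbo.GetOrders and nothing more.
    // (The alternative the book contrasts, <identity impersonate="true"/> with delegation,
    // would instead open this connection as the end user.)
    const string ConnString = "Server=sql01;Database=Orders;Integrated Security=SSPI;";

    public static DataTable GetOrdersFor(string userName)
    {
        using (SqlConnection conn = new SqlConnection(ConnString))
        using (SqlCommand cmd = new SqlCommand("dbo.GetOrders", conn))
        {
            // Parameterized stored-procedure call: the user name is never concatenated into SQL.
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;

            DataTable table = new DataTable();
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }
}
```

The point of the pattern is where the authorization decision lives: once the gate check passes, the database only ever sees one well-known identity with a narrow grant, which is simpler to audit than per-user delegation and does not require Kerberos delegation to be configured between the tiers.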
Next, you’ll learn how to use SSL, IPSec, and RPC encryption to secure sensitive data across networks and the Internet, and how to protect both intranet and extranet applications against outside attackers and rogue insiders.
You’ll find detailed coverage of securing XML-based web services; systems built with .NET Remoting; and data access connections to SQL Server 2000. There’s also a full chapter on protecting .NET “Enterprise Services”: distributed transactions, object pooling, concurrency management, and other middleware functions.
The book closes with security troubleshooting and several invaluable “How-to” chapters. Among these: using Forms authentication with a SQL Server 2000 credential store; securing database communications; calling web services via SSL; and using the Win32 Data Protection API.

Bill Camarda
Bill Camarda is a consultant, writer, and web/multimedia content developer. His 15 books include Special Edition Using Word 2000 and Upgrading & Fixing Networks for Dummies, Second Edition.