Jan2008_MSDN_Slides

Lynn's slides - Jan 2008 Allup » SlideShare

Original slides and session recordings - http://www.msdnevents.com/resources/2008-winter-resources.aspx

-----------------------------------------------------------------------------------------------------------------------------------------

Session Links

Avoid Common Security Vulnerabilities for ASP.NET applications

HelloSecureWorld - http://www.hellosecureworld.com

'How Do I?' Security on MSDN - http://msdn2.microsoft.com/en-us/security/bb896640.aspx

SDL - Security Development Lifecycle on MSDN - http://msdn.microsoft.com/msdnmag/issues/07/11/SecDefects/default.aspx

Design Guidelines for Secure ASP.NET sites - http://msdn2.microsoft.com/en-us/library/aa302420.aspx

MS Anti X Scripting Library - http://www.microsoft.com/downloads/details.aspx?FamilyID=efb9c819-53ff-4f82-bfaf-e11625130c25&DisplayLang=en

Using RegEx - http://msdn2.microsoft.com/en-us/library/ms998267.aspx

Encrypting Web.Config  - http://msdn2.microsoft.com/en-us/library/53tyfkaw.aspx & http://msdn2.microsoft.com/en-us/library/system.configuration.sectioninformation.protectsection.aspx

ViewStateUserKey - http://msdn2.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx

Best Developer security book ever - Writing Secure Code 2 - http://www.microsoft.com/mspress/books/5957.aspx

Security horror stories - XSS attack - http://www.davidairey.co.uk/google-gmail-security-hijack/

What is the advantage of using the Anti XSS libraries vs. simply using Server.HtmlEncode.

The following Is an excerpt from .NET Data-bound Web controls & (anti)XSS - Some Considerations:

“A prime example of how Version 1.5 of Microsoft Anti-Cross Site Scripting Library provides greater protection against XSS is illustrated via the availability of its JavaScriptEncode Encoding Method to protect vulnerable application values that are used directly within existing JavaScript blocks. Such values would still be vulnerable to XSS if they were only subjected to encoding via the classic HtmlEncode/UrlEncode utilities.”

Further information such as the following can be found at Microsoft Anti-Cross Site Scripting Library V1.5 is Released!

Great Article with example attacks.

IIS 7.0 for Developers

General site - http://www.iis.net/default.aspx

Virtual labs - http://virtuallabs.iis.net/

Video - http://www.iis.net/default.aspx?tabid=2&subtabid=26&i=1141

Asli Bilgin whiteboard on IIS 7.0 for developers - http://news.zdnet.com/2422-13569_22-153107.html

How to set up WAS - http://www.devx.com/VistaSpecialReport/Article/33831

About svcutil - http://msdn2.microsoft.com/en-us/library/aa347733.aspx

About appcmd.exe http://www.iis.net/articles/view.aspx/IIS7/Use-IIS7-Administration-Tools/Using-the-Command-Line/Getting-Started-with-AppCmd-exe

WCF hosted in IIS 7.0 - http://www.iis.net/articles/view.aspx/IIS7/Hosting-Web-Applications/Windows-Communication-Foundation--WCF-/Writing-a-Web-Service-hosted-in-IIS7

Intro to ApplicationHost.config - http://www.iis.net/articles/view.aspx/IIS7/Use-IIS7-Administration-Tools/Using-XML-Configuration/Introduction-to-ApplicationHost-config

Deep Dive IIS 7.0 configuration - http://www.iis.net/articles/view.aspx/IIS7/Use-IIS7-Administration-Tools/Using-XML-Configuration/Deep-Dive-into-IIS7-Configuration

Security Changes between IIS 6.0 and IIS 7.0 - http://www.iis.net/articles/view.aspx/IIS7/Managing-IIS7/Configuring-Security/Changes-between-IIS6-and-IIS7-Security

Output caching in IIS 7.0 - http://www.iis.net/articles/view.aspx/IIS7/Managing-IIS7/Optimizing-Performance/Using-Output-Cache/IIS7-Output-Caching

Developer Center on IIS.NET - http://www.iis.net/default.aspx?tabid=7&subtabid=711

ASP.NET integration with IIS 7.0 -  http://www.iis.net/articles/view.aspx/IIS7/Hosting-Web-Applications/ASP-NET/ASP-NET-Integration-with-IIS7

About IIS 7.0 Handlers and Modules (recapped from the link below)

A module, similar to the ISAPI filter in previous IIS versions, participates in the request processing of every request in order to change or add to it in some way.  Examples of some in-the-box modules in IIS7 include authentication modules, which manipulate the authentication status of the request, compression modules that compress the outgoing response, and logging modules that log information about the request to the request logs.

The module is a .NET class that implements the ASP.NET System.Web.IHttpModule interface, and uses the APIs in the System.Web namespace to participate in one or more of ASP.NET’s request processing stages.

A handler, similar to the ISAPI extension in previous IIS versions, is responsible for handling the request and producing the response for specific content types.  The main difference between the module and the handler is that the handler is typically mapped to a particular request path or extension, and supports the processing of a specific server resource to which that path or extension corresponds.   Examples of handlers  provided with IIS7 include ASP, which processes ASP scripts, the static file handler, which serves static files, and ASP.NET’s PageHandler which processes ASPX pages.

The handler is a .NET class that implements the ASP.NET System.Web.IHttpHandler or System.Web.IAsyncHttpHandler interface, and uses the APIs in the System.Web namespace to produce an http response for specific content it supports.

When planning to develop an IIS7 feature, the first question you should ask is whether this feature is responsible for serving requests to a specific url/extension, OR applies to all/some requests based on arbitrary rules.  In the former case, your should be a handler, and in the latter, a module.

Developing Custom Handlers or Modules for IIS 7.0 - http://mvolo.com/blogs/serverside/archive/2007/08/15/Developing-IIS7-web-server-features-with-the-.NET-framework.aspx

IIS 7.0 Managed Modules Starter Kit for Developers - http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1302