I'm in a process of designing a multi-tier ASP.NET web application that is supposed to deal with sensitive information (say financial data).

I would like to identify all potential threats the application will face in real life and plan the countermeasures accordingly.

Some details:

  • The application will be hosted in customer's data center for both internal and external users
  • Target platform is Windows Server 2008 + IIS7 or Windows Server 2003 + IIS6
  • Target DB is MS SQL Server 2008
+4  A: 

Phew! Where to start... Depends on how "secure" you need it to be. i.e. Difference between a personal blog and a large project for a large company/government dept. etc...

In no particular order

  • Secure your configuration files by encrypting them.
  • Ensure that your Database is behind some sort of DMZ and not on a publicly accessible IP
  • Get a security company to give your site an overhaul for potential vulnerabilities (Cross Site Scripting / SQL Injection)
  • Use SSL
  • Lock down everything port-wise on the server except for 80 HTTP & 443 HTTPS unless absolutely necessary
  • Make sure your Remote Desktop/VNC connections to the box are secure
  • If you're storing passwords in the DB, hash & salt them and don't store plain text
  • Publish your code, and don't leave source code on the server
  • Build your code based on known standards, i.e. don't write your own Crypto Algorithms
  • If secure connections between the Site->DB or Site->MSMQ are available, use them

Microsoft have a good article on securing ASP.NET apps that I'll dig out.

Edit

And as Syed just posted in his reply, (+1 a credit to him)

Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication

Eoin Campbell
@Eoin Campbell: +1
Syed Tayyab Ali
You can copy those links into your reply, so the information becomes more consolidated in one post.
Syed Tayyab Ali
Cheers Syed +1 .
Eoin Campbell
A: 

That is a very large (broad) question; there are complete books on security that cannot answer it. Go to Borders and get a few security books and start reading.

KM
down vote all you like, but it is true! I'd like to know everything about XYZ and you can type it all in this little text area, yea right!
KM