看到园子里好些同学为了一些基础问题(如:如何设置ASPNETDB数据库、如何设置Membership密码规范等)苦苦挣扎,实在是有点遗憾。大家对英文的东西大概都有点排斥,很多问题在MSDN(English)或者达人(Scott Guthrie、Fredrik Normén等)的Weblog上都能很轻松的找到解答。
Channel9上的MS Security Wiki 还专设了ASP.NET 2.0 Security FAQ s ,常见的ASP.NET 2.0问题都可以找到(这里的Security是很宽泛的,不止是通常意义的安全问题)。翻译了现有FAQ的目录,放在这里。准备陆续翻译其中的一部分(篇幅较长、难啃的)。如果您也有兴趣加入,请给我留言。我会把您的链接和您的大名加进来。当然在翻译中您可以加入您自己的感受和经验等。也欢迎指出我翻译中的不妥之处。
请在您翻译的文章标题前面加上[ASP.NET 2.0 Security FAQs] ,我看到后就会把您的文章链进来,谢谢。
Authentication 权限验证
Channel9上的MS Security Wiki 还专设了ASP.NET 2.0 Security FAQ s ,常见的ASP.NET 2.0问题都可以找到(这里的Security是很宽泛的,不止是通常意义的安全问题)。翻译了现有FAQ的目录,放在这里。准备陆续翻译其中的一部分(篇幅较长、难啃的)。如果您也有兴趣加入,请给我留言。我会把您的链接和您的大名加进来。当然在翻译中您可以加入您自己的感受和经验等。也欢迎指出我翻译中的不妥之处。
请在您翻译的文章标题前面加上[ASP.NET 2.0 Security FAQs] ,我看到后就会把您的文章链进来,谢谢。
ASP.NET 2.0 Security FAQ s
Welcome to the ASP.NET 2.0 Security FAQ page. This page provides an index to common questions and answers. The questions act as another index into the security guidance.
Authentication 权限验证
- What's new in ASP.NET 2.0 in terms of Authentication?
ASP.NET 2.0 权限验证新特性 - How do I decide my Authentication strategy in ASP.NET?
如何选择ASP.NET中的验证策略? - How do I use Forms Authentication with SQL Server database?
如何使用基于SQL Server数据库的Form验证? - How do I use Forms Authentication with Active Directory?
如何使用基于活动目录的Form验证? - How do I enable Forms Authentication to work with multiple Active Directory domains?
如何使Form验证在多个活动目录域中有效? - How do I protect Forms Authentication?
如何保护Form验证? - How do I enforce strong passwords using membership feature in ASP.NET 2.0
如何在membership中强制使用安全性高的密码? 中文 - How do I protect passwords in user store?
如何保护存储介质中的密码? - What are the issues with Forms Authentication in Web Farm Scenario?
在网站群中使用Form认证 - How do I implement single sign on using forms authentication?
如何在Form验证中实现一次性登陆? - How do I use my custom user / identity store with forms authentication?
如何自定义Form验证中的用户验证信息存贮介质? - How do I configure account lockout using membership feature in ASP.Net 2.0?
如何使用membership中的帐号锁定? - When and how do I use windows authentication in ASP.NET 2.0?
如何使用Windows验证? - When and how do I use Kerberos authentication in ASP.NET 2.0?
如何使用Kerberos验证?
Authorization 授权
- What's new in ASP.NET 2.0 in terms of Authorization?
ASP.NET 2.0中的授权新特性? - What is the difference between URL authorization, File authorization and Role authorization??
URL授权、文件授权、和Role授权之间的区别? - How do I use URL Authorization in ASP.NET 2.0?
如何使用基于URL的授权? - How do I use File Authorization in ASP.NET 2.0?
如何使用基于文件的授权? - How do I use Role Authorization in ASP.NET 2.0?
如何使用基于Role的授权? - How is the AuthorizationStoreRoleProvider different from Authorization Manager APIs?
AuthorizationStoreRoleProvider和Authorization Manager APIs的区别 - How do I use Windows Groups for role authorization in ASP.NET 2.0?
如何使用Windows用户组作为role? - How do I use my custom role store for roles authorization?
如何使用自定义的role存贮介质? - How do I cache roles in ASP.NET 2.0?
如何缓存role? - How do I protect authorization cookie when using role caching in ASP.NET 2.0?
如何在使用role缓存时保护cookie中的授权信息? - How do I lock authorization settings?
如何锁定授权设定? - How do I use RoleManager in my application?
如何使用RoleManager ?
Auditing and Logging 审核和日志
- What's new in ASP.NET 2.0 in terms of Auditing and Logging?
ASP.NET 2.0中的审核和日志新特性? - How do I use the Health monitoring feature in ASP.NET 2.0?
如何使用Health monitoring? - What all security events do health monitoring feature logs by default?
Health monitoring默认会把所有的安全事件记入日志吗? - How do I instrument my application for security?
提高程序安全的措施 - When writing to a new event source from my ASP.NET application running under the Network service security context, I get registry permission exception. Why is this and how do I correct this
如何解决在Network Service安全环境下写入新日志源时得到的注册表授权异常? - How do I protect audit and log files?
如何保护审核文件和日志文件?
Code Access Security 代码访问安全性
- What's new in ASP.NET 2.0 in terms of Code Access Security?
ASP.NET 2.0中的代码访问安全新特性 - How do I use code access security with ASP.NET?
如何使用CAS? - How do I create a custom trust level for ASP.NET?
如何新建一个自定义的安全级别? - What are the permissions at the various trust levels?
不同信任级别中的许可有什么区别? - How do I write partial trust applications?
如何编写部分信任的程序? - When should I put assemblies in GAC, what are security implications?
何时需要把assembly放入全局assembly缓存?会有什么样的安全问题?
Impersonation / Delegation 模拟和委托
- When do I use impersonation in ASP.NET 2.0?
何时在ASP.NET中使用模拟(impersonation)? - How do I impersonate the original caller?
如何模拟原始访问者? - How do I temporarily impersonate the original caller?
如何临时模拟原始访问者? - How do I impersonate a specific (fixed) identity?
如何模仿一个特殊的认证生分? - When should I use programmatic impersonation?
何时需要使用可编程的模拟? - How do I use programmatic impersonation?
如何使用可编程的模拟? - What is protocol transition and when do I care?
何时已经如何使用protocol transtion? - What is Constrained Delegation?
什么是Constrained Delegation? - How can I retain impersonation in the new thread created from ASP.NET application?
如何在新的线程中保持impersonation? - How do I flow the original user identity to different layers?
如何在不同的层间传递原始用户身份? - Can impersonation be used with Forms authentication?
impersionation可以和Form验证一起使用吗? - What are the requirements for using Kerberos delegation?
使用Kerberos委托的条件
Configuration 配置
- What does a secure web.config look like?
怎样才是安全的web.config文件? - How do I encrypt sensitive data in machine.config or web.config file?
如何加密machine.config和web.config中的敏感数据? - How do I run an ASP.NET application with a particular identity?
如何用一个单独的实例允许ASP.NET程序? - How do I create a service account for running my ASP.NET applications?
如何在服务器上配置运行ASP.NET程序的帐号? - Do I need to create a unique user account for each application pool?
需要为每个应用程序池(IIS)配置独立的帐号吗? - How do I lock configuration settings?
如何锁定配置文件?
Exception Handling 异常处理
- How do I handle exceptions securely?
如何安全的进行异常处理? - How do I prevent detailed errors from returning to the client?
如何防止异常信息被发送到客户端? - How do I use structured exception handling?
如何使用结构话的异常处理(try/catch/finnally)? - How do I setup a global exception handler for my application?
如何设置全局性的异常处理 - How do I enable my ASP.NET application to write to new event source?
如何把ASP.NET程序的事件日志写入自定义的事件源?
Data Access 数据访问
- How do I protect the database connection strings in web.config file?
如何保护Web.config文件中的数据库连接串? - How do I use windows authentication for connecting to SQL server?
如何使用Windows验证连接SQL Server? - How do I use SQL authentication for connecting to SQL server?
如何使用SQL帐号连接SQL Server? - When using Windows authentication, how can I give the default ASP.NET worker process access to a remote database server?
何时使用Windows验证连接SQL Server,如何连接远程数据库?
Input / Data Validation 输入数据验证
- What are the types of input I need to validate in my ASP.NET application?
什么样的输入需要验证? - How do I validate input in server-side controls?
如何验证通过服务器控件输入的数据? - How do I validate input in HTML controls, QueryString, cookies, and HTTP headers?
如何验证通过HTML控件、QueryStirng、cookies和HTTP头输入的数据? - What is SQL injection and how do I protect my application from SQL injection attacks?
什么是SQL注入,如何防止SQL注入攻击? - What is cross-site scripting and how do I protect my ASP.NET application from it?
什么是夸站脚本,如何防止夸站脚本攻击?
Sensitive Data 敏感数据
- How do I protect my web application's ViewState?
如何保护我的ViewState? - What care should I take when securing ViewState in a web farm scenario?
如何在站点群环境下保护ViewState? - How do I protect sensitive data in the database?
如何保护数据库里的敏感数据? - How do I protect sensitive data in configuration files?
如何保护配置文件里的敏感数据? - How do I protect sensitive data in memory?
如何保护内存中的敏感数据? - How do I protect passwords?
如何保护密码? - How do I secure Session State information?
如何保护Session数据?
Strong Naming and Signing 强名称和签名
- How do I strong-name an ASP.NET application assembly?
如何强名称化一个ASP.NET assembly? - How do I delay sign an ASP.NET application assembly?
如何延迟签名一个ASP.NET assembly? - When should I use .pfx files?
何时需要使用.pfx文件? - When should I pre-compile my ASP.NET application?
何时需要预编译我的ASP.NET程序? - How do I pre-compile my ASP.NET application?
如何预编译我的ASP.NET程序? - How do I strong name an ASP.NET application?
如何强名称化一个ASP.NET程序? - How do I Sign .Net assemblies with Authenticode signature?
如何和assembliy加上签名?
Obfuscation 混淆
- How should I prevent someone from disassembling code?
如何防止IL代码被反编译?
Others 其他
- How do I set up a SQL Server or SQL Express database for Membership, Profiles and Role Management?
如何设置SQL Server或SQL Express数据库,试其支持Membership、Profiles和Role? 中文