BLACK JACK

Get busy living, or get busy dying.

导航

ASP.NET 2.0 Security FAQs

Posted on 2005-12-02 14:34  J. Lin  阅读(5753)  评论(7编辑  收藏  举报
看到园子里好些同学为了一些基础问题(如:如何设置ASPNETDB数据库、如何设置Membership密码规范等)苦苦挣扎,实在是有点遗憾。大家对英文的东西大概都有点排斥,很多问题在MSDN(English)或者达人(Scott GuthrieFredrik Normén等)的Weblog上都能很轻松的找到解答。

Channel9上的MS Security Wiki 还专设了ASP.NET 2.0 Security FAQ s ,常见的ASP.NET 2.0问题都可以找到(这里的Security是很宽泛的,不止是通常意义的安全问题)。翻译了现有FAQ的目录,放在这里。准备陆续翻译其中的一部分(篇幅较长、难啃的)。如果您也有兴趣加入,请给我留言。我会把您的链接和您的大名加进来。当然在翻译中您可以加入您自己的感受和经验等。也欢迎指出我翻译中的不妥之处。

请在您翻译的文章标题前面加上[ASP.NET 2.0 Security FAQs] ,我看到后就会把您的文章链进来,谢谢。


ASP.NET 2.0 Security FAQ s

Welcome to the ASP.NET 2.0 Security FAQ page. This page provides an index to common questions and answers. The questions act as another index into the security guidance.

Authentication 权限验证

  1. What's new in ASP.NET 2.0 in terms of Authentication?
    ASP.NET 2.0 权限验证新特性
  2. How do I decide my Authentication strategy in ASP.NET?
    如何选择ASP.NET中的验证策略?
  3. How do I use Forms Authentication with SQL Server database?
    如何使用基于SQL Server数据库的Form验证?
  4. How do I use Forms Authentication with Active Directory?
    如何使用基于活动目录的Form验证?
  5. How do I enable Forms Authentication to work with multiple Active Directory domains?
    如何使Form验证在多个活动目录域中有效?
  6. How do I protect Forms Authentication?
    如何保护Form验证?
  7. How do I enforce strong passwords using membership feature in ASP.NET 2.0
    如何在membership中强制使用安全性高的密码? 中文
  8. How do I protect passwords in user store?
    如何保护存储介质中的密码?
  9. What are the issues with Forms Authentication in Web Farm Scenario?
    在网站群中使用Form认证
  10. How do I implement single sign on using forms authentication?
    如何在Form验证中实现一次性登陆?
  11. How do I use my custom user / identity store with forms authentication?
    如何自定义Form验证中的用户验证信息存贮介质?
  12. How do I configure account lockout using membership feature in ASP.Net 2.0?
    如何使用membership中的帐号锁定?
  13. When and how do I use windows authentication in ASP.NET 2.0?
    如何使用Windows验证?
  14. When and how do I use Kerberos authentication in ASP.NET 2.0?
    如何使用Kerberos验证?

Authorization 授权

  1. What's new in ASP.NET 2.0 in terms of Authorization?
    ASP.NET 2.0中的授权新特性?
  2. What is the difference between URL authorization, File authorization and Role authorization??
    URL授权、文件授权、和Role授权之间的区别?
  3. How do I use URL Authorization in ASP.NET 2.0?
    如何使用基于URL的授权?
  4. How do I use File Authorization in ASP.NET 2.0?
    如何使用基于文件的授权?
  5. How do I use Role Authorization in ASP.NET 2.0?
    如何使用基于Role的授权?
  6. How is the AuthorizationStoreRoleProvider different from Authorization Manager APIs?
    AuthorizationStoreRoleProvider和Authorization Manager APIs的区别
  7. How do I use Windows Groups for role authorization in ASP.NET 2.0?
    如何使用Windows用户组作为role?
  8. How do I use my custom role store for roles authorization?
    如何使用自定义的role存贮介质?
  9. How do I cache roles in ASP.NET 2.0?
    如何缓存role?
  10. How do I protect authorization cookie when using role caching in ASP.NET 2.0?
    如何在使用role缓存时保护cookie中的授权信息?
  11. How do I lock authorization settings?
    如何锁定授权设定?
  12. How do I use RoleManager in my application?
    如何使用RoleManager ?

Auditing and Logging 审核和日志

  1. What's new in ASP.NET 2.0 in terms of Auditing and Logging?
    ASP.NET 2.0中的审核和日志新特性?
  2. How do I use the Health monitoring feature in ASP.NET 2.0?
    如何使用Health monitoring?
  3. What all security events do health monitoring feature logs by default?
    Health monitoring默认会把所有的安全事件记入日志吗?
  4. How do I instrument my application for security?
    提高程序安全的措施
  5. When writing to a new event source from my ASP.NET application running under the Network service security context, I get registry permission exception. Why is this and how do I correct this
    如何解决在Network Service安全环境下写入新日志源时得到的注册表授权异常?
  6. How do I protect audit and log files?
    如何保护审核文件和日志文件?

Code Access Security 代码访问安全性

  1. What's new in ASP.NET 2.0 in terms of Code Access Security?
    ASP.NET 2.0中的代码访问安全新特性
  2. How do I use code access security with ASP.NET?
    如何使用CAS?
  3. How do I create a custom trust level for ASP.NET?
    如何新建一个自定义的安全级别?
  4. What are the permissions at the various trust levels?
    不同信任级别中的许可有什么区别?
  5. How do I write partial trust applications?
    如何编写部分信任的程序?
  6. When should I put assemblies in GAC, what are security implications?
    何时需要把assembly放入全局assembly缓存?会有什么样的安全问题?

Impersonation / Delegation 模拟和委托

  1. When do I use impersonation in ASP.NET 2.0?
    何时在ASP.NET中使用模拟(impersonation)?
  2. How do I impersonate the original caller?
    如何模拟原始访问者?
  3. How do I temporarily impersonate the original caller?
    如何临时模拟原始访问者?
  4. How do I impersonate a specific (fixed) identity?
    如何模仿一个特殊的认证生分?
  5. When should I use programmatic impersonation?
    何时需要使用可编程的模拟?
  6. How do I use programmatic impersonation?
    如何使用可编程的模拟?
  7. What is protocol transition and when do I care?
    何时已经如何使用protocol transtion?
  8. What is Constrained Delegation?
    什么是Constrained Delegation?
  9. How can I retain impersonation in the new thread created from ASP.NET application?
    如何在新的线程中保持impersonation?
  10. How do I flow the original user identity to different layers?
    如何在不同的层间传递原始用户身份?
  11. Can impersonation be used with Forms authentication?
    impersionation可以和Form验证一起使用吗?
  12. What are the requirements for using Kerberos delegation?
    使用Kerberos委托的条件

Configuration 配置

  1. What does a secure web.config look like?
    怎样才是安全的web.config文件?
  2. How do I encrypt sensitive data in machine.config or web.config file?
    如何加密machine.config和web.config中的敏感数据?
  3. How do I run an ASP.NET application with a particular identity?
    如何用一个单独的实例允许ASP.NET程序?
  4. How do I create a service account for running my ASP.NET applications?
    如何在服务器上配置运行ASP.NET程序的帐号?
  5. Do I need to create a unique user account for each application pool?
    需要为每个应用程序池(IIS)配置独立的帐号吗?
  6. How do I lock configuration settings?
    如何锁定配置文件?

Exception Handling 异常处理

  1. How do I handle exceptions securely?
    如何安全的进行异常处理?
  2. How do I prevent detailed errors from returning to the client?
    如何防止异常信息被发送到客户端?
  3. How do I use structured exception handling?
    如何使用结构话的异常处理(try/catch/finnally)?
  4. How do I setup a global exception handler for my application?
    如何设置全局性的异常处理
  5. How do I enable my ASP.NET application to write to new event source?
    如何把ASP.NET程序的事件日志写入自定义的事件源?

Data Access 数据访问

  1. How do I protect the database connection strings in web.config file?
    如何保护Web.config文件中的数据库连接串?
  2. How do I use windows authentication for connecting to SQL server?
    如何使用Windows验证连接SQL Server?
  3. How do I use SQL authentication for connecting to SQL server?
    如何使用SQL帐号连接SQL Server?
  4. When using Windows authentication, how can I give the default ASP.NET worker process access to a remote database server?
    何时使用Windows验证连接SQL Server,如何连接远程数据库?

Input / Data Validation 输入数据验证

  1. What are the types of input I need to validate in my ASP.NET application?
    什么样的输入需要验证?
  2. How do I validate input in server-side controls?
    如何验证通过服务器控件输入的数据?
  3. How do I validate input in HTML controls, QueryString, cookies, and HTTP headers?
    如何验证通过HTML控件、QueryStirng、cookies和HTTP头输入的数据?
  4. What is SQL injection and how do I protect my application from SQL injection attacks?
    什么是SQL注入,如何防止SQL注入攻击?
  5. What is cross-site scripting and how do I protect my ASP.NET application from it?
    什么是夸站脚本,如何防止夸站脚本攻击?

Sensitive Data 敏感数据

  1. How do I protect my web application's ViewState?
    如何保护我的ViewState?
  2. What care should I take when securing ViewState in a web farm scenario?
    如何在站点群环境下保护ViewState?
  3. How do I protect sensitive data in the database?
    如何保护数据库里的敏感数据?
  4. How do I protect sensitive data in configuration files?
    如何保护配置文件里的敏感数据?
  5. How do I protect sensitive data in memory?
    如何保护内存中的敏感数据?
  6. How do I protect passwords?
    如何保护密码?
  7. How do I secure Session State information?
    如何保护Session数据?

Strong Naming and Signing 强名称和签名

  1. How do I strong-name an ASP.NET application assembly?
    如何强名称化一个ASP.NET assembly?
  2. How do I delay sign an ASP.NET application assembly?
    如何延迟签名一个ASP.NET assembly?
  3. When should I use .pfx files?
    何时需要使用.pfx文件?
  4. When should I pre-compile my ASP.NET application?
    何时需要预编译我的ASP.NET程序?
  5. How do I pre-compile my ASP.NET application?
    如何预编译我的ASP.NET程序?
  6. How do I strong name an ASP.NET application?
    如何强名称化一个ASP.NET程序?
  7. How do I Sign .Net assemblies with Authenticode signature?
    如何和assembliy加上签名?

Obfuscation 混淆

  1. How should I prevent someone from disassembling code?
    如何防止IL代码被反编译?

Others 其他

  1. How do I set up a SQL Server or SQL Express database for Membership, Profiles and Role Management?
    如何设置SQL Server或SQL Express数据库,试其支持Membership、Profiles和Role? 中文