ASP.Net Web Developer Guide
Monday, February 06, 2006

Taking Security Precautions(Chapter 1)

As with all new technologies or software systems, ASP.NET will require a bedding-in period before we can fully call it a stable technology. While Beta 2 is widely considered to be the full final release, it may still have bugs and security holes waiting to be discovered. The buzz surrounding the .NET technologies will attract the unethical as well as, or perhaps more than, the ethical, and some are sure to try to exploit everything they can to their own ends.
It is well worth developing your applications with .NET: there are already ISPs who will host and support .NET-based sites, and Microsoft has a program under which you can already launch your site on Beta 2.
Having said this, you would be well advised to be cautious. As with all Beta software, Microsoft's programmers will be constantly developing and bug-fixing right up until launch. This makes the .NET Framework a bit of a moving target from a security point of view.
If you do intend to host a .NET site in a live environment, make sure you have not inadvertently included any of the example sites or sample code in your upload. Besides being an unnecessary addition to the upload, the sample code may have vulnerabilities that could be exploited, and by now that code will have been thoroughly researched.

Secondly, the .NET Framework installation includes a slimmed-down developer's version of Microsoft SQL Server called Microsoft Data Engine (MSDE), a desktop edition of SQL Server scaled down to five concurrent users. It acts as a working SQL Server installation, including support for stored procedures. Unfortunately, an administrative user named "SA" is installed by default without a password. This means that a remote user can log into a .NET-equipped host using the SQL Query Analyzer as SA and, using built-in stored procedures, gain access to your system's command line—nasty!

Another area the developer should be aware of is the debug tracing that the server can now perform. In the past, programmers would add parameters to application memory as a convenient place to store things like database connection strings, usernames, and passwords. This is no longer practical, because a page fault, or a developer manually switching tracing on, would cause these values to be output to the screen. The alternative is to put these parameters in the application's configuration files instead, where they are just as easily accessible to your code.
To be forewarned about these security problems, to avoid them, and to keep up to date in general, it would be a good idea to subscribe to one or more of the many e-mail discussion lists and newsletters covering ASP.NET.
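As an added illustration, not part of the original post, the following web.config fragment shows the tracing setting the text warns about beside its hardened form, and a connection string kept in the configuration file rather than in application memory. It assumes the ASP.NET 1.x web.config schema (element and attribute names in the Beta 2 build may differ), and the server name, database, user and password are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <!-- Connection settings live in the configuration file, not in
       application memory, so they never appear in a trace dump.
       All values are placeholders. Page code reads the value with
       ConfigurationSettings.AppSettings["ConnectionString"]. -->
  <appSettings>
    <add key="ConnectionString"
         value="Server=DBSERVER;Database=MYDB;User ID=webapp;Password=PLACEHOLDER" />
  </appSettings>

  <system.web>

    <!-- WEAK (shown commented out): tracing is on, the trace report is
         appended to every page, and it is served to remote clients.
         That report lists request details, form fields, cookies,
         headers and server variables for anyone who asks. -->
    <!--
    <trace enabled="true" pageOutput="true" localOnly="false" />
    <customErrors mode="Off" />
    -->

    <!-- HARDENED: tracing is off for production. If it must be enabled
         for diagnosis, keep localOnly="true" so only a browser on the
         server itself can request trace.axd, and pageOutput="false"
         so trace data is not appended to the pages served. -->
    <trace enabled="false" pageOutput="false" localOnly="true" />

    <!-- Detailed error pages (stack traces, source lines) are shown only
         to a browser on the server; remote users get a generic page. -->
    <customErrors mode="RemoteOnly" />

  </system.web>
</configuration>
```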
