Implementing Application Security - App & DB Level (SQL Server 08)
Feb 19, 2010
I am about to deploy an ASP .NET application (developed with LINQ-to-SQL). I have taken the following precautions:
- Database access via a user with limited access; however, since the application has to access the sensitive data, I can't deprive this limited-access user of it
- Database server is not exposed to the external network - it is hiding behind a DMZ and all external ports are blocked
- I have done thorough security testing of the web application: SQL injection, rights management, illegal data access (via POST/GET data tampering)
- Application is operating on SSL
1 - I am using the ASP .NET authorization API; any recommendation for avoiding session hijacking (in case someone somehow gets to know the session key)? Is there a way to make the authentication cookie less prone to threats? Say, like changing it after every request? (I know I am getting very conscious about this particular item.)
2 - Data in the database is not encrypted. To make things ultra-secure, I am thinking about implementing transparent data encryption. Can someone share his/her experience or a link about implementing data-level encryption with SQL Server 2008, along with the pros and cons?
3 - Recommendation for storing the connection string in web.config. Is using integrated security better than using an encrypted database connection string?
View 3 Replies
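On item 3: with integrated security there is no password in the connection string at all, so encrypting the section only matters when SQL authentication cannot be avoided. The following is an added example, not code from the question or its replies. It encrypts the connectionStrings section of web.config in place with the DPAPI-backed provider, which is what `aspnet_regiis -pe "connectionStrings" -app "/MyApp"` does from the command line; the virtual path "/MyApp" and the section names are assumptions.

```csharp
// Added example (not code from the original post). Encrypts a web.config
// section in place using the Windows DPAPI-backed configuration provider,
// so the SQL password is never stored in clear text on the web server.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtector
{
    // DataProtectionConfigurationProvider ties the ciphertext to this
    // machine's DPAPI key, so the file cannot simply be copied to another
    // host. RsaProtectedConfigurationProvider is the choice for web farms.
    private const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts the named section of the application at virtualPath (for
    // example "/MyApp", or "~" when called from inside the application).
    // Returns true if the section was encrypted by this call, false if it
    // was already protected. The caller needs write access to web.config,
    // which is why this is a one-off deployment step rather than something
    // the running site does for itself.
    public static bool ProtectSection(string virtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No such section: " + sectionName);

        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;   // write the element even if unchanged
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reverse operation, needed before moving the file to another machine,
    // because the DPAPI key does not travel with the file.
    public static bool UnprotectSection(string virtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }
}

// Deployment-time usage (assumed virtual path); reading the value afterwards
// is unchanged because the runtime decrypts the section transparently:
//   ConfigProtector.ProtectSection("/MyApp", "connectionStrings");
//   ConfigProtector.ProtectSection("/MyApp", "appSettings");   // API keys live here
//   string cs = ConfigurationManager.ConnectionStrings["MyDb"].ConnectionString;
```

The protected section is still readable by any code running in the application pool, since the runtime decrypts it for the application; this protects the file at rest and in backups, not against a compromised application. The same call applied to appSettings is worthwhile whenever third-party API keys or OAuth secrets are kept there.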
Similar Messages:
Oct 14, 2010
There seems to be an issue with the "Trust" level when executing within a "Cloud" environment. In order for the following app to work it needs a trust level of at least "Medium". This web app is developed using VB.NET 3.5 and Visual Studio 2008. The app works perfectly on my local server, but when deployed/published to the "Cloud" it returns the error: 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. I have added all 4 required values, ConsumerKey, ConsumerSecret, OAuthToken, and OAuthTokenSecret, to the web.config file in the "appSettings" section of the "configuration"
[Code]....
I found that by going to [URL] and signing into the account that is using the application, then going to the "Settings" page, going to the bottom of the page and clicking on the "API" menu option. Once the API page appears you will click on button "2", Register An App. On the right side of the new page, you will see a button "View Your Applications." If you have previously registered your app, click this button; if not, fill out the application for a new app. Now at the View Your Applications page, select the app you want to get the authorization keys for where it says "Edit Details". Now click on the button to the right that says "Application Detail." Here you will find your Consumer Key and your Consumer Secret Key. On the right side of this page you will see the menu option "My Access Token"; click it and you will find your oauth_token and your oauth_token_secret keys! Now that you have all the keys, put them in the "appSettings" section of the web.config file. Add "Dim twConn As New TwitterVB2.TwitterAPI" at the top of the page.
I then created a subroutine where I pass in the Tweet:
[Code]....
This code works great in an environment that allows at least a "Medium" trust level. However, it appears that many of the "new" hosting environments such as "Cloud Hosting" and others do not allow this trust level automatically! If the trust level is less than "Medium" on your host you will likely receive the error message: "Twitter Returned: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed." If anyone has found a fix for this "Trust Level"
View 9 Replies
Feb 8, 2011
I am developing a web application using asp.net 4.0, vb.net 4.0 and Sql-Server 2005 as backend. I want to implement read-only or read/write permissions for a particular logged-in user. Ex: I have a Purchase Order page; now I want to assign only view permissions to a particular user and read/write permissions to another user. What would be the best way to do it? Use the authentication and authorization provided by .Net or implement custom authentication and authorization?
View 2 Replies
Feb 28, 2011
I'm looking for a way to add a 3-level product catalog to a cart based on the MVC MusicStore sample:
root product categories
sub categories
products
Clicking a catalog item should show its sub-items with pictures.
The control is placed in Site.Master. It can be a treeview on the left side of the cart or a horizontal menu in the upper part of the screen.
Data is read from the database by the controller.
How do I implement this? Which free control is best for this, or is there sample code for it?
View 23 Replies
Mar 9, 2010
How to implement page-level and control-level security in MVC applications? Also I would like to know the definition of Page Level and Control Level Security in MVC. Please refer me to any third-party tools available to implement security in MVC.
View 1 Replies
May 15, 2010
Error Description while browsing the website under IIS: "The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file." Initially I deleted the virtual directory, created it again, set the permission to anonymous, set the browse and execute permissions; no solution. Then after doing many trials, I found out the basic problem by reading the error "not allowed by the security policy". In the web configuration file, if we set the security policy to Fully Trusted, then the problem is solved and the application is working fine. Or set the trust level in the main configuration file at "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config"
View 1 Replies
Oct 28, 2010
I have a hierarchy in my website project as below:
[CustomControl1 - folder]
- CustomControl1.ascx
- CustomControl1.css
- CustomControl1.js
I load css and js files dynamically based on which controls are used on a particular page. I am doing it by using the following code:
[code]....
where the AddLinks method adds HtmlLink controls to Page.Header with the href attribute set to the corresponding css and/or js file.
I would like to add an Interface that would force new controls to have an AddLinks method, but it is impossible since it is a static method. Because my custom controls inherit from the Control class I cannot use an abstract class and/or virtual methods either. How can I achieve my goal?
View 1 Replies
Jan 31, 2011
I have to handle errors related to a web application. I am not sure how it works. I am thinking that I will add an error page (error.aspx) and in global.asax, application_onError, I will redirect the user to the error page, and that should be enough! I mean it will handle errors automatically.
View 4 Replies
Sep 28, 2010
When setting up asp.net error handlers for things like 404 errors, is it more 'efficient' to do this in IIS, or to handle it in the Global.asax Application_Error event? I know the latter will be called, and I want to log this information in a database, but should I then just return without any redirect and let IIS do the redirect, or would it be better to do a response.redirect inside application_error once we've logged it?
View 1 Replies
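For both of the error-handling questions above, here is an added example (not code from either post) of the Application_Error pattern: log the real exception server-side, including the stack trace, then clear the error and serve a generic page so that stack traces, physical paths and SQL fragments never reach the client. The ErrorLog table, its columns and the "LogDb" connection-string name are assumptions.

```csharp
// Added example (not code from either post). Application_Error in Global.asax:
// record the real exception server-side, then serve a generic page so that
// stack traces, physical paths and SQL fragments never reach the browser.
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;

public partial class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null)
            return;

        // ASP.NET wraps the original exception in HttpUnhandledException;
        // the base exception is the one worth logging.
        Exception root = ex.GetBaseException();
        HttpException httpEx = root as HttpException;
        int status = (httpEx != null) ? httpEx.GetHttpCode() : 500;

        try
        {
            ErrorLog.Write(status, Request.RawUrl, Request.UserHostAddress, root);
        }
        catch
        {
            // Logging must never turn one handled error into a second unhandled one.
        }

        // Clear the error so the default, detail-revealing error page is not rendered.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = status;
        Response.TrySkipIisCustomErrors = true;   // keep our page under IIS 7 integrated mode

        // Transfer keeps the status code and the original URL; a Redirect would
        // turn every failure into a 302 followed by a 200 for the error page.
        Server.Transfer(status == 404 ? "~/NotFound.aspx" : "~/Error.aspx", false);
    }
}

public static class ErrorLog
{
    // Assumed table: ErrorLog(LoggedAt datetime, StatusCode int, Url nvarchar(2000),
    // ClientIp varchar(45), ExceptionType nvarchar(200), Message nvarchar(max), Detail nvarchar(max))
    public static void Write(int status, string url, string clientIp, Exception ex)
    {
        string cs = ConfigurationManager.ConnectionStrings["LogDb"].ConnectionString;  // assumed name

        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            // Parameterised: the URL and the message are attacker-influenced text.
            cmd.CommandText =
                "INSERT INTO ErrorLog (LoggedAt, StatusCode, Url, ClientIp, ExceptionType, Message, Detail) " +
                "VALUES (GETUTCDATE(), @status, @url, @ip, @type, @msg, @detail)";
            cmd.Parameters.AddWithValue("@status", status);
            cmd.Parameters.AddWithValue("@url", url ?? "");
            cmd.Parameters.AddWithValue("@ip", clientIp ?? "");
            cmd.Parameters.AddWithValue("@type", ex.GetType().FullName);
            cmd.Parameters.AddWithValue("@msg", ex.Message);
            cmd.Parameters.AddWithValue("@detail", ex.ToString());   // stack trace and inner exceptions
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

Keep `<customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />` in web.config as well: it covers exceptions raised before Application_Error can run, or if the error page itself fails. Requests for static files that never enter the ASP.NET pipeline (classic mode) are handled by IIS's own error pages, so 404 handling there has to be configured in IIS regardless.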
Feb 3, 2010
How to remove the unused references at form level in a vb.net application and a web application?
How can I use FxCop to identify undisposed objects like DataSet, DataView, connection, stream...? Does anyone have custom rules for the same?
View 1 Replies
May 5, 2010
I am implementing an eCommerce application using ASP.Net. I would like to know if custom Google search is sufficient, or, if we plan to implement our own search functionality, how do we go about doing it?
View 3 Replies
Sep 8, 2010
I have a site. We have different pages under one folder. We have stored these pages' information in a database table with a pageid. Then we have a user access table where we store userid and pageid, i.e. which pages a user has access to. Now I need to provide access to those pages only.
View 8 Replies
Apr 12, 2010
I'm working on a project that involves exporting HTML to PDF. I was told that this can be accomplished with a free library called ITextSharp: http://itextsharp.sourceforge.net/ This looks like it's actually a Java-based interface. Does anyone know how to actually install this and reference these dlls in your ASP.Net project? Maybe there's a different version of ITextSharp for .Net that I missed...
View 3 Replies
Apr 5, 2010
When debugging my application, I'm getting an application-level error in the global.asax file. The Server.GetLastError() reads "File does not exist." but that's it. No more details on the filename or the location where the code is trying to find a file. I commented out the application_error method, with the hope that the exception would be thrown when I debug the application, but no errors were thrown. How do I find the source of the error, because I want to resolve this issue by either putting in the file that the application is looking for or by completely removing the code that is referencing the file.
View 7 Replies
Jan 16, 2011
I am new to asp.net and developing an application where there will be some roles like (admin, entry user, maker, checker); one user can have all or some of the roles based on the provided roles, and the page should restrict functionality based on the user's role.
What is the best way of implementing it without Membership in asp.net?
View 1 Replies
May 5, 2010
I am doing web-based projects in dotnet. Currently I am implementing security using session variables. I keep the current user id and user type in session and authenticate the user from these session variables (say Session["UserId"], Session["UserName"] and Session["UserType"]).
I've heard that such security can be broken and applications can be hacked very easily, like it is possible to get the session id and directly connect to that session id, etc.
View 1 Replies
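The attack this post and question 1 of the first post worry about is the same one: whoever holds the session or authentication cookie is the user. Storing the user id in Session is fine in itself; what matters is that the cookie cannot be read by script, never travels over plain HTTP, and is replaced the moment the user logs in so that an id fixed or sniffed before authentication is worthless afterwards. The following is an added example, not code from either post: an HttpModule that forces HttpOnly and Secure on every cookie the application emits, plus a helper that issues a fresh session id at login. The module name in the registration comment is an assumption.

```csharp
// Added example (not code from either post). Forces the HttpOnly and Secure
// flags on every outgoing cookie and provides a session-id regeneration helper
// to call at login, closing session fixation.
using System;
using System.Web;
using System.Web.SessionState;

public class SessionHardeningModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // EndRequest runs after SessionStateModule and FormsAuthenticationModule
        // have added their cookies, so both get the flags.
        app.EndRequest += OnEndRequest;
    }

    public void Dispose() { }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpResponse response = ((HttpApplication)sender).Response;
        foreach (string name in response.Cookies.AllKeys)
        {
            HttpCookie cookie = response.Cookies[name];
            cookie.HttpOnly = true;   // script cannot read it, so an XSS bug cannot exfiltrate it
            cookie.Secure = true;     // never sent over plain HTTP
        }
    }

    // Call immediately after credentials have been verified and BEFORE storing
    // anything in Session. State under the old id is abandoned, and the new id
    // only becomes active on the next request, so finish the login with a
    // redirect and populate Session on the landing page.
    public static string RegenerateSessionId(HttpContext context)
    {
        if (context.Session != null)
            context.Session.Abandon();

        SessionIDManager manager = new SessionIDManager();
        string newId = manager.CreateSessionID(context);

        bool redirected, cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);
        return newId;
    }
}

// Registration (web.config, IIS 7 integrated pipeline; module name assumed):
//   <system.webServer><modules>
//     <add name="SessionHardening" type="SessionHardeningModule" />
//   </modules></system.webServer>
//
// Login page, after the credential check succeeds:
//   SessionHardeningModule.RegenerateSessionId(Context);
//   FormsAuthentication.RedirectFromLoginPage(userName, false);
```

The declarative equivalents, `<httpCookies httpOnlyCookies="true" requireSSL="true" />` and `<forms requireSSL="true" slidingExpiration="false" timeout="20" />`, should be set as well; the module is there for cookies written by third-party controls that ignore them. Rotating the authentication cookie on every request, as the first post considers, buys little: a stolen cookie is replayed within seconds anyway, and the rotation races with concurrent requests (AJAX calls, parallel tabs) and logs users out spuriously. A short absolute lifetime, HttpOnly, Secure and regeneration at login are what limit the damage.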
Jun 21, 2010
I need an example of how to implement AES encryption/decryption in .NET. I've been googling but haven't yet found any good examples. I've for example found an AES example which after some research wasn't 100% AES. I have to make sure my AES encryption/decryption is 100% AES, as I have to send an email to the authorities explaining how I use AES (with secret key and all), so they can hire some encryption expert who will verify that we encrypt/decrypt it correctly. So he can verify that what I implemented in AES is actually 100%. I'm reading the AES standard and how it's to be implemented in .NET. Here is some code I'm having trouble with:
[Code]....
Which throws an CryptographicException: Specified key is not a valid size for this algorithm.
View 1 Replies
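The exception in the post is the AES key-size check: AES permits only 128-, 192- or 256-bit keys and always uses a 128-bit block. The usual reason a .NET sample "wasn't 100% AES" is RijndaelManaged configured with a 256-bit BlockSize, which is Rijndael but not AES. The following is an added example, not the poster's code: AES-256-CBC via AesCryptoServiceProvider (the CAPI implementation), PBKDF2 key derivation, a fresh random IV per message and an HMAC-SHA256 tag checked before decryption, so modified ciphertext is rejected rather than decrypted to garbage. Salt handling and the iteration count are assumptions.

```csharp
// Added example (not the poster's code). AES-256 in CBC mode with PKCS7
// padding, a random IV per message, PBKDF2 key derivation and an
// encrypt-then-MAC HMAC-SHA256 tag. Output: IV || ciphertext || tag.
using System;
using System.Security.Cryptography;

public static class AesCbcHmac
{
    private const int BlockBytes = 16;          // AES block size is always 128 bits
    private const int TagBytes = 32;            // HMAC-SHA256 output length
    private const int Pbkdf2Iterations = 10000; // assumed; raise as hardware allows

    // Derives separate encryption and MAC keys from a passphrase and a random
    // salt (16 bytes from RNGCryptoServiceProvider, stored beside the data).
    public static void DeriveKeys(string passphrase, byte[] salt, out byte[] encKey, out byte[] macKey)
    {
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(passphrase, salt, Pbkdf2Iterations);
        encKey = kdf.GetBytes(32);  // 256-bit AES key
        macKey = kdf.GetBytes(32);  // independent bytes from the same PBKDF2 stream
    }

    public static byte[] Encrypt(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        CheckKey(encKey);
        using (Aes aes = NewAes(encKey))
        {
            aes.GenerateIV();   // never reuse an IV under the same key
            byte[] cipher;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            byte[] body = Concat(aes.IV, cipher);
            using (HMACSHA256 hmac = new HMACSHA256(macKey))
                return Concat(body, hmac.ComputeHash(body));
        }
    }

    public static byte[] Decrypt(byte[] blob, byte[] encKey, byte[] macKey)
    {
        CheckKey(encKey);
        if (blob == null || blob.Length < BlockBytes + TagBytes)
            throw new CryptographicException("Ciphertext too short.");

        int bodyLength = blob.Length - TagBytes;
        byte[] expected;
        using (HMACSHA256 hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(blob, 0, bodyLength);
        if (!FixedTimeEquals(expected, blob, bodyLength))
            throw new CryptographicException("Authentication failed.");   // do not decrypt

        byte[] iv = new byte[BlockBytes];
        Buffer.BlockCopy(blob, 0, iv, 0, BlockBytes);
        using (Aes aes = NewAes(encKey))
        {
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, BlockBytes, bodyLength - BlockBytes);
        }
    }

    // AesCryptoServiceProvider only accepts AES parameters: BlockSize 128 and
    // a 128/192/256-bit key. Assigning any other key length throws
    // "Specified key is not a valid size for this algorithm".
    private static Aes NewAes(byte[] key)
    {
        Aes aes = new AesCryptoServiceProvider();
        aes.KeySize = key.Length * 8;
        aes.BlockSize = 128;
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = key;
        return aes;
    }

    private static void CheckKey(byte[] key)
    {
        if (key == null || (key.Length != 16 && key.Length != 24 && key.Length != 32))
            throw new ArgumentException("AES key must be 16, 24 or 32 bytes; got "
                                        + (key == null ? 0 : key.Length));
    }

    // Compares every byte so a wrong tag costs the same time however many bytes match.
    private static bool FixedTimeEquals(byte[] a, byte[] b, int bOffset)
    {
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[bOffset + i];
        return diff == 0;
    }

    private static byte[] Concat(byte[] x, byte[] y)
    {
        byte[] r = new byte[x.Length + y.Length];
        Buffer.BlockCopy(x, 0, r, 0, x.Length);
        Buffer.BlockCopy(y, 0, r, x.Length, y.Length);
        return r;
    }
}
```

A round trip is `Decrypt(Encrypt(data, encKey, macKey), encKey, macKey)`, which returns the original bytes; flipping any byte of the blob makes Decrypt throw "Authentication failed" before the cipher runs. For a reviewer who wants to confirm "100% AES", AesCryptoServiceProvider is the FIPS 140 validated CAPI implementation, and the NIST AES known-answer vectors (a fixed key, a fixed 16-byte block, ECB mode, no padding) can be run through the same class to show it produces the published ciphertext.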
Apr 28, 2010
I want to implement a sign-in-using-Google feature so that users do not have to remember multiple passwords.
Are there any ready to use controls for this? Links to tutorials will also be helpful.
View 2 Replies
Feb 16, 2011
In my asp.net application, users are created by the administrators, and those users need to log in to the system using their own email/password or OpenID. So what is the best option to implement in this scenario?
I mean, as users can't register themselves, does the administrator need to associate each OpenID with the users, and what kind of table structure do I need?
And do I also need a log-in interface like that of [URL], showing multiple types of authentication (default and OpenID from various providers)?
View 1 Replies
Jan 25, 2010
I want to make sure I am not assuming something foolish here: when implementing the singleton pattern in an ASP .Net web application, the static variable scope is only for the current user session, right? If a second user is accessing the site it is a different memory scope...?
View 4 Replies
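A static field in ASP.NET is created once per AppDomain and shared by every request from every user; it is not per session, and treating it as such leaks one user's data to another under concurrent load. The following is an added example, not code from the post, showing the mistake next to the two correct shapes: a thread-safe singleton for genuinely shared, read-only data, and Session for anything that belongs to one user. The tax-rate data is constructed.

```csharp
// Added example (not code from the original post). Statics are per AppDomain,
// shared across all users; Session is per user.
using System;
using System.Collections.Generic;
using System.Web;

public static class WrongPerUserCache
{
    // BUG: every concurrent request reads and writes this one field, so user B
    // can be shown the account number user A loaded a millisecond earlier.
    public static string CurrentAccountNumber;
}

public sealed class TaxRateTable
{
    // Correct use of a static: one immutable table for the whole application.
    private static volatile TaxRateTable instance;
    private static readonly object initLock = new object();

    public static TaxRateTable Instance
    {
        get
        {
            if (instance == null)
            {
                lock (initLock)   // two simultaneous first requests must not both build it
                {
                    if (instance == null)
                        instance = new TaxRateTable(LoadRates());
                }
            }
            return instance;
        }
    }

    private readonly Dictionary<string, decimal> rates;

    private TaxRateTable(Dictionary<string, decimal> loaded) { rates = loaded; }

    public decimal RateFor(string region) { return rates[region]; }

    // Constructed sample data standing in for a database load done once.
    private static Dictionary<string, decimal> LoadRates()
    {
        Dictionary<string, decimal> d = new Dictionary<string, decimal>();
        d["EU"] = 0.20m;
        d["US"] = 0.07m;
        return d;
    }
}

public static class PerUserState
{
    // Correct place for per-user data: Session is one store per session cookie,
    // so two users never see each other's value.
    public static void SetAccount(HttpContext ctx, string accountNumber)
    {
        ctx.Session["AccountNumber"] = accountNumber;
    }

    public static string GetAccount(HttpContext ctx)
    {
        return ctx.Session["AccountNumber"] as string;
    }
}
```

Anything mutable that is kept static must be guarded by a lock (or be a thread-safe collection) and must never hold per-user values; the singleton above is safe precisely because its dictionary is built once and then only read.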
Jan 5, 2011
We have a web application that makes a call to a remotely hosted ASMX service that worked in Server 2003 under IIS6. We are now migrating it to a Server 2008/IIS 7 setup and it doesn't appear that the application makes the call to the remote web service anymore. We ran Wireshark and don't see any traffic to the service URL. It seems to throw a 404 error without trying to connect.
Is there some security policy or restriction in Server 2008 or IIS 7 we need to set to allow an ASP.NET application to make a call to a remote web service? We are using Network Service as our application pool user, but also tried using Local System as a troubleshooting step. In addition, the same code works if run from a console application on the server instead of the web application.
Is there some setting under IIS7 or server 2008 that would be causing this?
View 3 Replies
Jun 26, 2010
I am working in asp.net and C#. We have 10 users, but certain users only need to do data entry. How do I enable and disable access to certain forms based on the user, like add, modify and view options?
View 1 Replies
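The four posts above about per-user view/edit rights (the Purchase Order page, the page-id access table, the admin/entry/maker/checker roles, and enabling forms per user) all come down to the same thing: attach the user's roles to the request once it is authenticated, then check them on every page and again in every postback handler. The following is an added example, not code from any of the posts. It does this without the Membership or Role providers, using a GenericPrincipal built from your own table; the role names, page keys and sample rows are constructed.

```csharp
// Added example (not code from any of the posts above). Role-based page access
// without the Membership/Role providers: roles are loaded from your own table
// after forms authentication validates the ticket, and each page declares
// which roles may read it and which may write.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Global.asax.cs
public partial class Global : HttpApplication
{
    // Fires after FormsAuthenticationModule has set Context.User from the cookie.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        FormsIdentity identity = (Context.User == null) ? null : Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return;   // anonymous request: nothing to attach

        string[] roles = RoleStore.RolesFor(identity.Name);
        Context.User = new GenericPrincipal(identity, roles);   // User.IsInRole() now works everywhere
    }
}

public static class RoleStore
{
    // Constructed sample rows standing in for
    // "SELECT RoleName FROM UserRoles WHERE UserName = @u" (cache per user with a short expiry).
    private static readonly Dictionary<string, string[]> SampleUserRoles = new Dictionary<string, string[]>
    {
        { "alice", new[] { "Admin", "Maker", "Checker" } },
        { "bob",   new[] { "Maker" } },
        { "carol", new[] { "Viewer" } },
    };

    public static string[] RolesFor(string userName)
    {
        string[] roles;
        return SampleUserRoles.TryGetValue(userName, out roles) ? roles : new string[0];
    }
}

public static class PageAccess
{
    private sealed class Rule
    {
        public string[] Read;
        public string[] Write;
    }

    // Which roles may read and which may write each page. Load this from a
    // PagePermissions table if the matrix must change without a deployment.
    private static readonly Dictionary<string, Rule> Rules = new Dictionary<string, Rule>
    {
        { "PurchaseOrder", new Rule { Read = new[] { "Viewer", "Maker", "Checker" }, Write = new[] { "Maker" } } },
        { "Approval",      new Rule { Read = new[] { "Checker", "Admin" },           Write = new[] { "Checker" } } },
    };

    public static bool CanRead(IPrincipal user, string pageKey)  { return Allowed(user, pageKey, true); }
    public static bool CanWrite(IPrincipal user, string pageKey) { return Allowed(user, pageKey, false); }

    private static bool Allowed(IPrincipal user, string pageKey, bool read)
    {
        Rule rule;
        if (user == null || !user.Identity.IsAuthenticated || !Rules.TryGetValue(pageKey, out rule))
            return false;   // unknown page or anonymous user: deny by default
        foreach (string role in (read ? rule.Read : rule.Write))
            if (user.IsInRole(role))
                return true;
        return false;
    }
}

// PurchaseOrder.aspx.cs
//   protected void Page_Load(object sender, EventArgs e)
//   {
//       if (!PageAccess.CanRead(User, "PurchaseOrder")) { Response.StatusCode = 403; Response.End(); }
//       btnSave.Enabled = PageAccess.CanWrite(User, "PurchaseOrder");   // UI hint only
//   }
//   protected void btnSave_Click(object sender, EventArgs e)
//   {
//       // Re-check here: a disabled button is trivially re-enabled in the browser.
//       if (!PageAccess.CanWrite(User, "PurchaseOrder")) { Response.StatusCode = 403; Response.End(); }
//       // ...save...
//   }
```

Because the principal is attached in PostAuthenticateRequest, web.config `<location>` rules such as `<allow roles="Admin"/><deny users="*"/>` on an Admin folder also work against the same roles, since UrlAuthorizationModule runs afterwards and calls IsInRole. Hiding a button or a menu entry is never the control; the server-side check in the click handler is.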
Apr 11, 2010
My ISP has recently migrated my app to a new platform. The app now has to be parked in a root subfolder, say site1, rather than at the root.
The main page can still be accessed via [URL] and is now located at /site1/default.aspx. Subfolder pages however cannot be accessed correctly anymore since the url now includes the subfolder name "site1", i.e.
[URL]
instead of
[URL]
This of course breaks page referencing.
Despite multiple requests, I have not yet obtained an answer so far. Question: Is there a simple way to strip the string "site1" from the url, preferably at the web.config level? I know this can be done programmatically at the page level, to clean up page references (>30 pages). In addition, this could entail further compatibility problems between the deployment version and the local development site.
View 3 Replies
Nov 9, 2010
My web application is composed of several Visual Studio projects. It currently runs fine under high trust level (<trust level = "High" />). When I try to run it under medium trust level, I get this error:
Security Exception
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.
Exception Details: System.Security.SecurityException: Request failed.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[SecurityException: Request failed.]
System.RuntimeTypeHandle._GetTypeByName(String name, Boolean throwOnError, Boolean ignoreCase, Boolean reflectionOnly, StackCrawlMark stackMark, Boolean loadTypeFromPartialName) +0
System.RuntimeTypeHandle.GetTypeByName(String name, Boolean throwOnError, Boolean ignoreCase, Boolean reflectionOnly, StackCrawlMark stackMark) +64
System.RuntimeType.PrivateGetType(String typeName, Boolean throwOnError, Boolean ignoreCase, Boolean reflectionOnly, StackCrawlMark stackMark) +58
System.Type.GetType(String typeName, Boolean throwOnError, Boolean ignoreCase) +65
System.Web.Compilation.BuildManager.GetType(String typeName, Boolean throwOnError, Boolean ignoreCase) +342
System.Web.Configuration.ConfigUtil.GetType(String typeName, String propertyName, ConfigurationElement configElement, XmlNode node, Boolean checkAptcaBit, Boolean ignoreCase) +52
Version Information: Microsoft .NET Framework Version:2.0.50727.4952; ASP.NET Version:2.0.50727.4955
What is the best way to identify the problem and convert the application to run properly under medium trust?
View 1 Replies
Oct 18, 2010
I used the Microsoft ReportViewer in my project; the reports are available in the project folder. When I run the web site on the server (not the VS development server) it gives this type of error. Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately. Parser Error Message: The element 'buildProviders' cannot be defined below the application level.
<add assembly="Infragistics2.WebUI.WebSpellChecker.v7.3, Version=7.3.20073.1043, Culture=neutral, PublicKeyToken=7DD5C3163F2CD0CB"/>
</assemblies>
<buildProviders>
<add extension=".rdlc" type="Microsoft.Reporting.RdlBuildProvider, Microsoft.ReportViewer.Common, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
[code]...
View 1 Replies