Dec 11

How to Secure Your .Net Applications

  • Use multiple levels of security: Physical Level (data center security), Network Level (firewall), Operating System Level (accounts, trust levels), Web Server Level (use virtual directories), Web Application Level (authentication, authorization), Database Level (different accounts for different types of database operation), Data Level (encrypt sensitive data), and Best Practices (prevent SQL injection and XSS).
  • Host the database on a separate server from the web server. This is generally more secure but not always the better choice; weigh the trade-off between performance and security against your future scalability and application requirements.
  • Take security measures, in terms of accounts and trust levels, over who can access the physical machine, from where, and how.
  • Control the permissions of the account under which the web application runs (OLE DB, registry, file I/O).
  • Configure IIS for anonymous access; use the IIS_machinename system account with limited access.
  • Configure web pages whose content you do not want publicly available to require authentication.
  • Use database-based authentication for internet applications.
  • Use role-level security, and also page-level and control-level security: control access to the feature, to the page, and to the individual controls.
  • For database operations, use separate database accounts according to the user's permission level. When a user has read-only access, use a database user that has only read permission on the database.
  • Use database-based accounts; do not use Windows-based authentication.
  • Never trust user input, avoid dynamic SQL, do not use the admin account to perform database operations, and encrypt the sensitive data stored in the database.
  • Display custom error messages to the user. Do not display system-generated error messages to the user.
  • Encode and quote user input. Do not provide a feature for end users to create dynamic SQL.
  • Always validate data, and check data types as well.
  • Set HTMLEncodeValue = true.
  • Use SSL.
  • Use POST and Session state; avoid using GET and cookies.
  • Encrypt URL parameters using key-based encryption.
  • Do not decrypt stored data in order to validate a submitted value; encrypt the submitted value and compare the results instead.
  • Encrypt all sensitive data.
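The three list items on untrusted input (never trust user input, avoid dynamic SQL, encode what you echo back) are easiest to see side by side in code. The following C# is an added example written for this post, not code from the original article. It assumes a hypothetical SQL Server table Customers(Name, Email) and a read-only login named app_reader, matching the advice above to use a restricted database account for read-only operations.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added example (not from the original post). Table, column and login
// names are hypothetical; the connection string would normally come from
// an encrypted web.config section, not from source.
public static class CustomerLookup
{
    private const string ReadOnlyConnectionString =
        "Server=db01;Database=Shop;User Id=app_reader;Password=<from-config>;";

    // VULNERABLE (kept only for contrast): the user-supplied name becomes part
    // of the SQL text, so a quote character in the input changes the query's
    // meaning. This is the "dynamic SQL" the post tells you to avoid.
    public static string BuildDynamicSql(string name)
    {
        return "SELECT Name, Email FROM Customers WHERE Name = '" + name + "'";
    }

    // HARDENED: the value travels as a typed parameter and is never parsed as
    // SQL. The command runs under the read-only login.
    public static DataTable FindByName(string name)
    {
        // "Always validate data, and check data types": reject anything that
        // is not a plausible name before the database is touched.
        if (string.IsNullOrWhiteSpace(name) || name.Length > 100)
            throw new ArgumentException("Name must be 1-100 characters.", nameof(name));

        var table = new DataTable();
        using (var conn = new SqlConnection(ReadOnlyConnectionString))
        using (var cmd = new SqlCommand(
            "SELECT Name, Email FROM Customers WHERE Name = @name", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            using (var adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(table);   // opens and closes the connection itself
            }
        }
        return table;
    }

    // "Encode user input": anything written back into HTML is HTML-encoded,
    // so a stored value containing markup renders as literal text rather than
    // being interpreted by the browser (the XSS case the post mentions).
    public static string RenderNameCell(string nameFromDb)
    {
        return "<td>" + HttpUtility.HtmlEncode(nameFromDb) + "</td>";
    }
}
```

Two points the code makes that the bullets leave implicit: parameterisation is the defence against SQL injection (escaping quotes by hand is not), and encoding belongs at the output side, where the data meets HTML, regardless of whether it was validated on the way in.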
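The item "do not decrypt stored data in order to validate a submitted value; encrypt the submitted value and compare" is the pattern used for password checks. The following C# is an added example written for this post, not code from the original article. It substitutes a salted, iterated one-way hash (PBKDF2 via Rfc2898DeriveBytes) for the post's "encrypt", because a one-way function gives the same compare-without-reversing property and removes the need to keep a decryption key at all; the constants and class name are illustrative choices.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not from the original post). Salt size, hash size and the
// iteration count are illustrative values chosen for this example.
public static class PasswordStore
{
    private const int SaltSize = 16;        // bytes of random salt per credential
    private const int HashSize = 32;        // bytes of derived key that are stored
    private const int Iterations = 100000;  // PBKDF2 work factor

    // Called once when the credential is set. Returns the bytes to persist
    // (salt || hash). The password itself is never stored.
    public static byte[] CreateStoredValue(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        byte[] hash = Derive(password, salt);

        byte[] stored = new byte[SaltSize + HashSize];
        Buffer.BlockCopy(salt, 0, stored, 0, SaltSize);
        Buffer.BlockCopy(hash, 0, stored, SaltSize, HashSize);
        return stored;
    }

    // Called at login. Nothing is decrypted: the submitted password is run
    // through the same derivation with the stored salt, and only the
    // results are compared.
    public static bool Verify(string submittedPassword, byte[] stored)
    {
        if (submittedPassword == null || stored == null || stored.Length != SaltSize + HashSize)
            return false;

        byte[] salt = new byte[SaltSize];
        byte[] expected = new byte[HashSize];
        Buffer.BlockCopy(stored, 0, salt, 0, SaltSize);
        Buffer.BlockCopy(stored, SaltSize, expected, 0, HashSize);

        byte[] actual = Derive(submittedPassword, salt);
        return FixedTimeEquals(actual, expected);
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        // PBKDF2-HMAC-SHA1 via the classic constructor, available on all
        // .NET Framework and .NET versions.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            return kdf.GetBytes(HashSize);
        }
    }

    // Compares every byte regardless of where the first difference is, so the
    // time taken does not reveal how much of the hash matched. A plain
    // SequenceEqual would stop at the first mismatch.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Usage is the two calls in order: persist the result of PasswordStore.CreateStoredValue(password) when the account is created, and at login accept the attempt only if PasswordStore.Verify(attempt, storedBytes) returns true. Because the stored value cannot be reversed, a copy of the database does not yield the passwords, which is the reason the post's rule prefers compare-after-transform over decrypt-then-compare.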
