Slide 1: ASP.NET / IIS 6.0 : Security

5 Nov 2013 (3 years and 9 months ago)


TechEd 2005



© 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Slide 2: ASP.NET / IIS 6.0 :

Slide 3: ASP.NET 2.0
IIS 6.0
ASP
allow users, allow roles
deny users, deny roles
Slide 4:

<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
    <authentication mode="Forms" loginUrl="Login.aspx" />
  </system.web>
</configuration>


ASP.NET

Slide 5:
<roleManager enabled="true" />
ISAPI
ASP
aspnet_isapi.dll
Slide 6: IIS 6.0 Wildcard Mapping
Slide 8: Health Monitoring
Slide 9: WebBaseErrorEvent

WebBaseErrorEvent
  WebErrorEvent
  WebRequestErrorEvent
WebEventCodes: WebErrorCompilationError, WebErrorConfigurationError, WebErrorParserError, WebErrorOtherError, RuntimeErrorViewStateFailure, RuntimeErrorPostTooLarge, RuntimeErrorValidationFailure

WebFailureAuditEvent
  WebAuthenticationFailureAuditEvent
  WebViewStateFailureAuditEvent
WebEventCodes: AuditFormsAuthenticationFailure, AuditMembershipAuthenticationFailure, AuditInvalidViewStateFailure, AuditUrlAuthorizationFailure, AuditUnhandledSecurityException, AuditUnhandledAccessException, AuditFileAuthorizationFailure
Slide 10: ASP.NET

<authorization>
  <deny users="?" />
</authorization>
Slide 11: Provider
Slide 13: ASP.NET
Slide 14:

Minimal
Medium
  1. SQL Server
  2. CodeAccessPermission, Assert
Low
High
Medium
  1. Windows
  2. Service (COM+)
  3. Event Log
  4. Microsoft Message Queue
  5. OLE DB
High
  ASP.NET Web
Full

web_mediumtrust.config:
<configuration>
  ….
  <NamedPermissionSets>
    <PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
      <IPermission class="FileIOPermission" version="1"
                   Read="$AppDir$" Write="$AppDir$" Append="$AppDir$"
                   PathDiscovery="$AppDir$" />
    </PermissionSet>
  </NamedPermissionSets>
</configuration>
Slide 15: Medium Trust App

  1. Event Log
  2.
  3. OLE DB
  4. XML Web Service
  5. Windows (Registry)
  6. AllowPartiallyTrustedCallersAttribute (APTCA), Strong-named
Slide 16: Security Policy
Slide 17: APTCA Attribute
GAC
Visual Studio
sn.exe
Strong name Assembly
Slide 19:
SQL Injection
Cross-Site Scripting
DevInspect
Slide 21: Security Log
Slide 22: ASP.NET 2.0
(Provider Encryption)
ProtectSection
UnprotectSection
ASPNET_RegIIS
Slide 24: SectionInformation
appSettings
connectionStrings
Slide 27: aspnet_setreg.exe

1. aspnet_setreg -k:software\ASP.NET Web[…]\Identity -u:<username> -p:<password>

2. Web.config, <identity>:
<identity impersonate="true"
  userName="registry:HKLM\software\WebApplication1\Identity\ASPNET_SETREG,userName"
  password="registry:HKLM\software\WebApplication1\Identity\ASPNET_SETREG,password" />

3. Windows (aspnet_setreg)

aspnet_setreg.exe