HOW TO: áÍ»¾ÅÔपѹ·Õè¨ÐÊÃéÒ§º¹.NET Framework ¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑÂ

º·¤ÇÒÁ·ÕèÁÕ¡Ò÷ÕÅТÑ鹵͹¹Õé͸ԺÒ¶֧¢éͤÇþԨÒóҷÕèÊӤѭÊÓËÃѺ¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑÂâ»Ãá¡ÃÁ»ÃÐÂØ¡µì·ÕèÊÃéÒ§º¹.NET Framework º·¤ÇÒÁ¹Õé¤×ͪش¢Í§º·¤ÇÒÁ·ÕèÁÕ¢éÍÁÙÅÃÒÂÅÐàÍÕ´ÊÓËÃѺâ»Ãá¡ÃÁ»ÃÐÂØ¡µì·ÕèÊÃéÒ§º¹.NET Framework ÍÂèÒ§ã´ÍÂèҧ˹Öè§

º·¤ÇÒÁ㹪ش¹ÕéÃÇÁµèÍ仹Õé:

¡ÒûÃѺ»Ãا¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑ Framework .NET ã¹à¡³±ìࢵ¾×é¹·Õè´éÇÂࢵ

.NET Framework ¡Ó˹´ÃдѺ¢Í§¤ÇÒÁ¹èÒàª×èͶ×ÍãËéáÍÊà«ÁºÅÕ·Õèä´éÃѺ¡ÒèѴ¡Òà ¡Ó˹´àËÅèÒ¹Õé¢Öé¹ ã¹Êèǹ ࢵ¾×é¹·Õè·Õè·Ó§Ò¹¢Í§áÍÊà«ÁºÅÕ¹Ñé¹ â«¹·ÕèÁҵðҹ¤×Í ¤ÍÁ¾ÔÇàµÍÃì¢Í§©Ñ¹ ÍÔ¹·ÃÒà¹çµÀÒÂã¹ ÍÔ¹à·ÍÃìà¹çµ 䫵ì·Õèàª×èͶ×Íä´é áÅР䫵ì·ÕèäÁè¹èÒàª×èͶ×Í ¤Ø³ÍÒ¨µéͧà¾ÔèÁ ËÃ×ÍÅ´ÃдѺ¢Í§¤ÇÒÁ¹èÒàª×èͶ×Í·Õèà¡ÕèÂÇ¢éͧ¡Ñºà¢µ¾×é¹·ÕèàËÅèÒ¹ÕéÍÂèÒ§ã´ÍÂèҧ˹Öè§ .NET Framework ÃÇÁ¶Ö§à¤Ã×èͧÁ×ÍÊÓËÃѺ¡ÒûÃѺ¡ÒõÑ駤èÒàËÅèÒ¹Õé

ÊÓËÃѺ¢éÍÁÙÅà¾ÔèÁàµÔÁà¡ÕèÂǡѺ¡ÒûÃѺ»Ãا¤ÇÒÁ¹èÒàª×èͶ×Í¡Ó˹´ãËé¡Ñºâ«¹ ¤ÅÔ¡ËÁÒÂàÅ¢º·¤ÇÒÁµèÍ仹Õéà¾×èÍ´Ùº·¤ÇÒÁã¹°Ò¹¤ÇÒÁÃÙé¢Í§ Microsoft:

»ÃѺÃдѺ¢Í§¤ÇÒÁ¹èÒàª×èͶ×Í·Õè¤Ø³¡Ó˹´ä»ÂѧáÍÊà«ÁºÅբͧ¡Ãͺ§Ò¹.NET

.NET Framework ÁÕËÅÒÂÇÔ¸Õà¾×èÍ¡Ó˹´ÃдѺ¢Í§¤ÇÒÁ¹èÒàª×èͶ×Í·Õè¤Ø³¤ÇÃãËé¡ÑºáÍÊà«ÁºÅÕ ÍÂèÒ§äáçµÒÁ ¤Ø³ÊÒÁÒöÊÃéÒ§¡®¡ÒÃà»Ô´ãªé§Ò¹áÍÊà«ÁºÅÕ·ÕèÃкØä»ÂѧÃдѺ·ÕèÊÙ§¡ÇèҢͧºÃÔÉÑ·¡ÇèÒ¹Ñ鹨ÐÁÑ¡¨ÐÃѺ¢Öé¹ÍÂÙè¡ÑºËÅÑ¡°Ò¹·ÕèãËéÁÒà¾×èÍÃѹä·ÁìÀÒÉÒ·ÑèÇä»ä´éÃѺ¢éÍ¡àÇé¹ .NET Framework áÊ´§à¤Ã×èͧÁ×͵ÑǪèÇÂÊÃéÒ§à»ç¹¾ÔàÈÉÊÓËÃѺÇѵ¶Ø»ÃÐʧ¤ì¹Õé

ÊÓËÃѺ¢éÍÁÙÅà¾ÔèÁàµÔÁà¡ÕèÂǡѺÇÔ¸Õ¡ÒûÃѺÃдѺ¤ÇÒÁ¹èÒàª×èͶ×ÍÊÓËÃѺáÍÊà«ÁºÅÕ ¤ÅÔ¡ËÁÒÂàÅ¢º·¤ÇÒÁµèÍ仹Õéà¾×èÍ´Ùº·¤ÇÒÁã¹°Ò¹¤ÇÒÁÃÙé¢Í§ Microsoft:

¡Òä׹¤èÒÃдѺ¢Í§¹âºÒ·ÕèàÅ×Í¡¡Ó˹´ä´éáÅéÇ

°Ò¹Ð¼Ùé´ÙáÅ ¤Ø³ÊÒÁÒö¤Çº¤ØÁ¼èÒ¹¡ÒÃà¢éÒ¶Ö§·Õè¤Ø³ãËé¡ÑºáÍÊà«ÁºÅÕ·Õè·Ó§Ò¹ã¹ÃдѺ¢Í§¤ÇÒÁ¹èÒàª×èͶ×͵èÒ§ æ ¶éҤس¡Ó˹´ÃдѺ¢Í§¤ÇÒÁ¹èÒàª×èͶ×Í ¤Ø³ÍÒ¨¾º»Ñ­ËÒàÁ×èͤسàÃÕ¡ãªéâ»Ãá¡ÃÁ»ÃÐÂØ¡µì·Õèâ´Â»¡µÔ·Ó§Ò¹ÀÒÂãµéÃдѺ¤ÇÒÁ¹èÒàª×èͶ×ÍÁҵðҹ ÍÂèÒ§äáçµÒÁ ¤Ø³ÊÒÁÒöàÃÕ¡ä´éÍÂèÒ§ÃÇ´àÃçǤ׹ÃдѺ¢Í§¹âºÒ¡ÒõÑ駤èÒàÃÔèÁµé¹

ÊÓËÃѺ¢éÍÁÙÅà¾ÔèÁàµÔÁà¡ÕèÂǡѺÇÔ¸Õ¡Òä׹¤èÒÃдѺ¢Í§¹âºÒ¡ÒõÑ駤èÒàÃÔèÁµé¹ ¤ÅÔ¡ËÁÒÂàÅ¢º·¤ÇÒÁµèÍ仹Õéà¾×èÍ´Ùº·¤ÇÒÁã¹°Ò¹¤ÇÒÁÃÙé¢Í§ Microsoft:

ÊÔ·¸Ôì·Õè¨Ð͹حҵãËéáÍÊà«ÁºÅÕ·Õè»ÃÐàÁÔ¹

When you have enterprise, machine, and user security configuration policies, and customizable trust levels, it can be difficult to assess the permissions that have been granted to a managed assembly. The .NET Framework Configuration tool includes a simple method to evaluate these permissions.

For additional information about how to evaluate permissions that have been granted to an assembly, click the following article number to view the article in the Microsoft Knowledge Base:

Audit the Security of .NET-Connected Applications

During upgrades, testing, and troubleshooting, the configuration of production systems may to change in unintentional ways. For example, an administrator might grant administrative credentials to a user while determining whether an error is related to access rights. If that administrator forgets to revoke those elevated credentials after completing the troubleshooting process, the integrity of the system is compromised.

Because system security can be degraded over time by this type of action, it is a good idea to perform regular audits. To do this, document key aspects of a pristine system to create a baseline measure. Compare these settings against the baseline over time to determine if any problems have developed that might significantly reduce the level of vulnerability.

For additional information about specific configuration items that you should audit for .NET-connected applications, or specifically for ASP.NET applications, click the following article numbers to view the articles in the Microsoft Knowledge Base:

Configure a .NET-Connected Application and Microsoft SQL Server to Use an Alternate Port Number for Network Communications

Many automated tools identify available services and vulnerabilities by querying well known port numbers. These tools include both legitimate security assessment tools and tools that malicious users might use.

One way to reduce the exposure to these types of tools is to change the port number that the applications use. You can apply this method to .NET-connected applications that rely on a back-end Microsoft SQL Server database. This method works if both the server and the client are correctly configured.

For additional information about how to change the port number a .NET-connected application uses to communicate with a computer running SQL Server, click the following article number to view the article in the Microsoft Knowledge Base:

Lock Down an ASP.NET Web Application or Web Service

ÁÕËÅÒÂÇÔ¸Õ㹡ÒÃà¾ÔèÁ¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑ¢ͧáÍ»¾ÅÔपѹàÇçº ASP.NET áÅÐàÇçºà«ÍÃìÇÔÊ µÑÇÍÂèÒ§àªè¹ ¤Ø³ÊÒÁÒöãªé¡ÒáÃͧᾤà¡çµ ä¿ÃìÇÍÅÅì ÊÔ·¸Ôì¢Í§á¿éÁ·Õè¨Ó¡Ñ´ ¡Ãͧ URL ISAPI ¡ÒÃÊ᡹ áÅФǺ¤ØÁÍÂèÒ§ÃÐÁÑ´ÃÐÇѧÊÔ·¸Ô¢Í§ SQL Server ¤ÇõÃǨÊͺÇÔ¸Õ¡ÒõèÒ§ æ àËÅèÒ¹Õéà¾×èÍãËéÁÕ¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑÂã¹ÅÖ¡ÊÓËÃѺâ»Ãá¡ÃÁ»ÃÐÂØ¡µì ASP.NET ä´é

For additional information about how to increase ASP.NET-application security at multiple layers, click the following article number to view the article in the Microsoft Knowledge Base:

¡ÒáÓ˹´¤èÒá¿éÁÃкºä¿Åì NTFS ÊÔ·¸Ôìã¹à¾×èÍà¾ÔèÁ¤ÇÒÁ»ÅÍ´ÀÑ¢ͧâ»Ãá¡ÃÁ»ÃÐÂØ¡µì ASP.NET

NTFS file permissions continue to be an important layer of security for Web applications. ASP.NET applications include many more file types than previous Web application environments. The files that anonymous user accounts must have access to is not obvious.

For additional information about the minimum file permissions that common ASP.NET file types must have, click the following article number to view the article in the Microsoft Knowledge Base:

¡ÒõÑ駤èҤ͹¿Ô¡ SQL Server ¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑÂÊÓËÃѺâ»Ãá¡ÃÁ»ÃÐÂØ¡µì·Õè¡ÓÅѧÊÃéÒ§º¹.NET Framework

By default, SQL Server does not grant users the ability to query or update databases. This rule also applies to ASP.NET applications and the ASPNET user account. To enable ASP.NET applications to gain access to data that is stored in a SQL Server database, the database administrator must grant rights to the ASPNET account.

For additional information about how to configure SQL Server to allow queries and updates from ASP.NET applications, click the following article number to view the article in the Microsoft Knowledge Base:

¡ÒõÑ駤èҤ͹¿Ô¡ URLScan à¾×èÍà¾ÔèÁ¡Òûéͧ¡Ñ¹¢Í§áÍ»¾ÅÔपѹàÇçº ASP.NET

When you install URLScan on an Internet Information Services 5.0 (IIS 5.0) server, it is configured to allow ASP 3.0 applications to run. However, when you install the .NET Framework, the URLScan configuration is not updated to include the new ASP.NET file types. If you want the added security of the URLScan ISAPI filter for your ASP.NET applications, adjust the URLScan configuration.

For additional information about how to modify the URLScan configuration to increase security for ASP.NET applications, click the following article number to view the article in the Microsoft Knowledge Base:

Require Authentication for ASP.NET Web Applications

Many ASP.NET applications do not allow anonymous access. An ASP.NET application that requires authentication can use one of the following three methods: Forms authentication, Microsoft .NET Passport authentication, and Windows authentication. Each authentication method requires a different configuration technique.

¨Ó¡Ñ´à©¾ÒмÙéãªé¨Ò¡¡ÒÃ͹حҵ¡ÒÃà¢éÒ¶Ö§ä»Âѧ·ÃѾÂҡâͧàÇ纷ÕèÃкØ

ASP.NET includes Forms authentication. This is a unique way to authenticate users without creating Windows accounts. ASP.NET also includes the ability to grant or deny these users access to different Web resources.

For additional information about how to control access to Web resources on a per-user basis, click the following article number to view the article in the Microsoft Knowledge Base:

¨Ó¡Ñ´¡ÒúÃÔ¡ÒÃàÇçºâ»ÃⵤÍÅ«Öè§Í¹Ø­ÒµãËéà«ÔÃì¿àÇÍÃì

By default, ASP.NET supports three ways for Web services clients to issue requests to Web services: SOAP, HTTP GET, and HTTP PUT. However, most applications require only one of these three methods. It is a good idea to reduce the attack surface by disabling any unused protocols.

For additional information about how to disable unused Web services protocols, click the following article number to view the article in the Microsoft Knowledge Base:

äÁè͹حҵ¡ÒÃàºÃÒÇìà«ÍÃì¡ÒÃà¢éÒ¶Ö§¡ÒÃàª×èÍÁµèÍ.NET àÇçºà«ÍÃìÇÔÊ

ASP.NET Web services provide a browser-friendly interface to make it easier for developers to create Web services clients. This friendly interface permits anyone who can reach the Web service to view the complete details of the methods that are available and any required parameters. This access is useful for public Web services that include only publicly available methods. However, it may decrease the security of private Web services.

For additional information about how to control access to Web resources on a per-user basis, click the following article number to view the article in the Microsoft Knowledge Base:

Use ASP.NET to Protect File Types

The structure of ASP.NET applications causes many private files to be stored with files that end-users request. ASP.NET protects these files by intercepting requests for the files and returning an error. You can extend this type of protection to any file type by using configuration settings. If your application includes unusual file types that should remain private, you can use ASP.NET file protection to protect those files.

For additional information about how to configure ASP.NET to protect nonstandard file types, click the following article number to view the article in the Microsoft Knowledge Base:

For more information about how to secure applications that are built on the .NET Framework, visit the following Microsoft Web sites: