Showing posts with label Security. Show all posts

Thursday, December 21, 2006

Features or improvements that ASP.NET 3.0 should have!

1. Wherever a control's text can create an XSS vulnerability, the control should have a property, like the Literal control's Mode property, that guards against it.

Security Alerts:

  1. By default, populating the TableCell control with data from untrusted sources can create XSS vulnerabilities.
  2. By default, populating the Literal control with data from untrusted sources can create Cross Site Scripting (XSS) vulnerabilities. Set the Mode property to Encode to provide HTML encoding of untrusted data that will be placed into the Text property.
  3. Populating the Label control with data from an untrusted source can create Cross Site Scripting (XSS) vulnerabilities.
  4. Populating the CheckBox control’s Text property with data from an untrusted source can create Cross Site Scripting (XSS) vulnerabilities.
  5. Populating the RadioButton control’s Text property with data from an untrusted source can create Cross Site Scripting (XSS) vulnerabilities.

Be sure to HTML encode all data using either the Server.HtmlEncode or the HttpUtility.HtmlEncode method.
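The alerts above all describe the same defect: untrusted text assigned to a control's Text property is written into the page markup unchanged. The following is an added example, not code from the original post, showing the vulnerable pattern beside the two fixes the post names, `Literal.Mode = LiteralMode.Encode` and `HttpUtility.HtmlEncode`. It targets ASP.NET 2.0 or later (`System.Web`); the untrusted string is constructed here to stand in for a request parameter.

```csharp
// Added example (not from the original post). Demonstrates the XSS pattern the
// security alerts describe and the two fixes they recommend.
using System;
using System.Web;
using System.Web.UI.WebControls;

public static class XssEncodingDemo
{
    // Constructed untrusted input, standing in for e.g. Request.QueryString["name"].
    public const string Untrusted = "<script>alert(1)</script>";

    // VULNERABLE: raw untrusted text is emitted into the page markup as-is,
    // so the browser executes whatever markup the caller supplied.
    public static TableCell UnsafeCell(string input)
    {
        TableCell cell = new TableCell();
        cell.Text = input;
        return cell;
    }

    // SAFE: encode before assigning to any control's Text property
    // (TableCell, Label, CheckBox, RadioButton all render Text verbatim).
    public static TableCell SafeCell(string input)
    {
        TableCell cell = new TableCell();
        cell.Text = HttpUtility.HtmlEncode(input);
        return cell;
    }

    // SAFE: Literal has a built-in switch; Mode = Encode makes it
    // HTML-encode Text when the control renders, so Text can hold the raw value.
    public static Literal SafeLiteral(string input)
    {
        Literal lit = new Literal();
        lit.Mode = LiteralMode.Encode;
        lit.Text = input;
        return lit;
    }

    public static void Main()
    {
        Console.WriteLine(UnsafeCell(Untrusted).Text);
        Console.WriteLine(SafeCell(Untrusted).Text);
        // HtmlEncode also handles & and ", which matter inside attribute values.
        Console.WriteLine(HttpUtility.HtmlEncode("Tom & \"Jerry\""));
    }
}
```

`Server.HtmlEncode` is a thin wrapper over `HttpUtility.HtmlEncode`, so either call is fine; what matters is that the encoding happens at the point where data leaves the application and enters markup.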

Monday, October 30, 2006

ASP.NET and IIS security

d Windows authentication is used together with IIS authentication. When IIS authentication is complete, ASP.NET uses the authenticated identity to authorize access.

d In a Windows-based authentication model, requests go directly to IIS, which performs the authentication. IIS first takes the user's credentials from the domain login. If this fails, IIS displays a pop-up dialog box so the user can enter his login information.

d Windows authentication is quite useful in an intranet environment where you can let the server deal completely with the authentication process, especially in environments where users are already logged onto a network.
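The hand-off the post describes (IIS authenticates, ASP.NET authorizes with the resulting identity) looks like this in code. This is an added example, not code from the original post; it assumes `<authentication mode="Windows"/>` in web.config with anonymous access disabled in IIS, and the group name is a placeholder.

```csharp
// Added example (not from the original post). With IIS Windows authentication
// in place, ASP.NET exposes the IIS-authenticated caller as HttpContext.User;
// the application never sees a password and only performs authorization.
//
// Assumed web.config:
//   <system.web>
//     <authentication mode="Windows" />
//     <authorization><deny users="?" /></authorization>  <!-- reject anonymous -->
//   </system.web>
using System.Security.Principal;
using System.Web;

public static class WindowsAuthDemo
{
    // Placeholder group; replace with the domain group that should have access.
    public const string RequiredGroup = @"BUILTIN\Users";

    // Returns the account name IIS authenticated, or null when the request
    // carries no authenticated Windows identity.
    public static string AuthenticatedUser(HttpContext ctx)
    {
        WindowsIdentity id = ctx.User == null ? null : ctx.User.Identity as WindowsIdentity;
        if (id == null || !id.IsAuthenticated || id.IsAnonymous)
            return null;
        return id.Name;   // DOMAIN\user form
    }

    // Authorization step: ASP.NET reuses the IIS-authenticated identity, so a
    // group check is a plain Windows role check against the token IIS produced.
    public static bool IsAuthorized(HttpContext ctx)
    {
        if (AuthenticatedUser(ctx) == null)
            return false;
        WindowsPrincipal principal = new WindowsPrincipal((WindowsIdentity)ctx.User.Identity);
        return principal.IsInRole(RequiredGroup);
    }
}
```

The `<deny users="?"/>` rule in web.config does the same anonymous check declaratively; the code path is useful when the decision depends on group membership that cannot be expressed as a static `<allow roles="..."/>` entry.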

Saturday, October 21, 2006

Code Access Security

CAS

@ When you run an unmanaged application in Windows 2003, XP or earlier, that code gets all the privileges your user account has. The application can do anything your user account has permission to do, so you are forced to log on with minimal privileges to restrict application permissions.

@ Code Access Security (CAS), a concept that the .NET Framework introduced into Windows, enables users to restrict on a very granular level what a managed application can do.

@ CAS allows administrators and developers to control application authorization similar to the way they have always been able to authorize users.

@ Unfortunately, CAS can be applied only to managed applications that use the .NET Framework runtime. Unmanaged applications run without any CAS restrictions and are limited only by the operating system's role-based security (RBS).

^ In ASP.NET, Membership and Role Management manage permissions for "people" (users): authentication and authorization. CAS, by contrast, manages permissions for "programs" (application code).

Evidence

@ Generally, a security system uses the username, password and access control lists to identify users and determine what a user can and can't do. However, CAS identifies and assigns permissions to applications rather than to people; thus, it identifies assemblies using evidence.
@ In CAS, evidence is used just like a person's passport, password, and PIN - information that proves identity and describes an individual as deserving a certain level of trust.

@ Each piece of evidence is a way that an assembly can be identified, such as the location (folder or website) where the assembly is stored and running, a hash of the assembly's code, or the assembly's digital signature.

@ There are 2 types of evidence: host evidence and assembly evidence:

  1. Host evidence describes the assembly's origin, such as the application directory, URL, or site; and also describes the assembly's identity, such as the hash, publisher, or strong name.
  2. Assembly evidence is custom evidence supplied by the developer or user.

^ I think evidence is the Authentication part of the security process for application or code, just like username and password are the Authentication for people or users.

Permission

@ A permission is a CAS access control entry.

^ A permission set is a CAS ACL (Access Control List).
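The two halves of this post, evidence as the assembly's "passport" and a permission set as a CAS ACL, can be seen directly through the .NET Framework 2.0/3.x CAS APIs. The following is an added example, not code from the original post: part 1 enumerates the host evidence attached to the running assembly, part 2 builds a one-entry permission set and demands it so that code running under a restricted grant fails with `SecurityException` before touching the file system. The directory path is a placeholder.

```csharp
// Added example (not from the original post), .NET Framework 2.0/3.x CAS APIs.
using System;
using System.Collections;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

public static class CasDemo
{
    // Part 1: host evidence describes where the assembly came from (Zone, Url,
    // Site, ApplicationDirectory) and who it is (Hash, StrongName, Publisher).
    public static void PrintHostEvidence()
    {
        Evidence ev = Assembly.GetExecutingAssembly().Evidence;
        IEnumerator hosts = ev.GetHostEnumerator();
        while (hosts.MoveNext())
        {
            Console.WriteLine(hosts.Current.GetType().Name + ": " + hosts.Current);
        }
    }

    // Part 2: a permission set is to CAS what an ACL is to a file; each permission
    // object inside it is one access-control entry. Demand() walks the call stack
    // and throws if any caller's grant set lacks the requested access.
    public static bool CanReadDirectory(string directory)
    {
        PermissionSet needed = new PermissionSet(PermissionState.None);
        needed.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, directory));
        try
        {
            needed.Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;   // running under a restricted CAS grant
        }
    }

    // Declarative form: the runtime performs the same demand whenever the method
    // is invoked, so the check cannot be forgotten by a caller.
    [FileIOPermission(SecurityAction.Demand, Read = @"C:\placeholder\data")]
    public static string[] ListData()
    {
        return Directory.GetFiles(@"C:\placeholder\data");
    }

    public static void Main()
    {
        PrintHostEvidence();
        Console.WriteLine("Read granted: " + CanReadDirectory(@"C:\placeholder\data"));
    }
}
```

Run from the local disk the Zone evidence is MyComputer and the demand succeeds; run from a network share or an intranet URL the zone changes and, under default 2.0-era policy, the same demand fails, which is exactly the location-based restriction the post describes.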

Sunday, October 15, 2006

Authentication in an ASP.NET application

@ The Membership service covers all the details of authentication for an application, whereas the Role Management service covers authorization.

@ To allow forms authentication in your web application, the first step is to turn on this Membership service in the web.config file.
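Once Membership is enabled in web.config, the login page only has to call the service; it never compares passwords itself. The following is an added example, not code from the original post. It assumes `<authentication mode="Forms"/>` plus configured `membership` and `roleManager` providers, as the post's first step describes; the role name is a placeholder.

```csharp
// Added example (not from the original post). Assumed web.config:
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="Login.aspx" />
//     </authentication>
//     <authorization><deny users="?" /></authorization>
//     <membership defaultProvider="..." > ... </membership>
//     <roleManager enabled="true" />
//   </system.web>
using System.Web.Security;

public static class FormsAuthDemo
{
    public const string RequiredRole = "Editor";   // placeholder role name

    // Authentication (Membership): the provider validates the credentials against
    // its store, honouring lockout and approval state. On success,
    // FormsAuthentication issues the ticket cookie and redirects to the page
    // the user originally requested.
    public static bool TryLogin(string userName, string password, bool rememberMe)
    {
        if (!Membership.ValidateUser(userName, password))
            return false;    // wrong credentials, locked out, or not approved
        FormsAuthentication.RedirectFromLoginPage(userName, rememberMe);
        return true;
    }

    // Authorization (Role Management): a separate service and store answer
    // whether the already-authenticated user holds the required role.
    public static bool MayEdit(string userName)
    {
        return Roles.Enabled && Roles.IsUserInRole(userName, RequiredRole);
    }
}
```

Keeping the two calls in separate methods mirrors the post's split: `Membership` answers "who is this?", `Roles` answers "what may they do?", and neither requires the application to handle password hashes or ticket formats directly.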