patterns & practices Security Guidance Roundup
This is a comprehensive roundup of our patterns & practices security guidance for the Microsoft platform. I put it together because customers were looking for our security guidance but having a hard time finding it. While you might come across a guide here or a How To there, it can be difficult to see the full map, including the breadth and depth of our security guidance. This is a simple map, organized by “guidance type” (i.e. Guides, App Scenarios, Checklists, Guidelines, How Tos, … etc.)
Books / Guides (“Blue Books”)
If you’re familiar with IBM Redbooks, then you can think of our guides as Microsoft “Blue Books.” Our patterns & practices Security Guides provide prescriptive guidance and proven practices for security. Each guide is a comprehensive collection of principles, patterns, and practices for security. These are also the same guides used to compete in competitive platform studies. Here are our patterns & practices Security Guides:
- Building Secure ASP.NET Applications
- Improving Web Application Security - Threats and Countermeasures
- Improving Web Services Security: Scenarios and Implementation Guidance for WCF
- patterns & practices Security Engineering Explained
The HTML and PDF versions of the guides are available for free on MSDN. The print versions are available for sale on Amazon.
For more on the impact of Blue Books for platform success, see The Power of Blue Books for Platform Impact.
Key Features of the Guides
Key Features of the guides include:
- Prescriptive guidance. Prescriptive guidance “prescribes” solutions based on proven practices rather than simply “describing” the problem or solution. This is possible because rather than just writing content, we are a full engineering team (including PM, architect, dev, test, UE, and subject matter experts) that works through the problem space, creating reproductions of the problems and reproductions of the solutions. Additionally, we partner with internal and external experts in the security space to find and share proven practices. We partner with SWI/SDL, ACE, MCS, CSS, and product teams, as well as industry experts, Security MVPs, community members, and customers (including Solution Integrators and Enterprises, as well as small/medium businesses).
- Scenario-Based. You can’t evaluate design or implementation decisions in a vacuum. Customer-scenarios provide the backdrop against which we perform our inspections, assessments, and analysis, as well as engineer our prescriptive guidance. The scenarios provide the context so that we can effectively evaluate and measure effectiveness. While we have to generalize the guidance to make it more applicable beyond a particular scenario, we try to keep it as specific as possible by focusing on the technical constraints, deployment scenarios, and real-world customer problems to keep it relevant and actionable.
- Framework approach. Rather than a random collection of guidance, each guide provides a framework that chunks up security into logical units to help you integrate security throughout your application life cycle. One part of the framework is the structure of the prescriptive guidance (checklists, guidelines, how tos, … etc.) and the other part of the framework is the actual security domain, where we chunk up security by actionable hot spots (authentication, authorization, input/data validation, … etc.)
- Frames. The guide uses frames as a “lens” to organize security into a handful of prioritized categories, where your choices heavily affect security success. The frames are based on reviewing hundreds of applications.
- Principles, patterns, and practices. These serve as the foundation for the guide and provide a stable basis for recommendations. They also reflect successful approaches used in the field.
- Modular. Chapters within the guides are designed to be read independently. You do not need to read the guide from beginning to end to get the benefits. Use the parts you need.
- Holistic. Each guide is designed with the end in mind. If you do read a guide from beginning to end, it is organized to fit together. The guide, in its entirety, is better than the sum of its parts.
- Job aids. Each guide provides an architecture and design review to help you evaluate the security implications of your architecture and design choices early in the life cycle. A code review helps you spot implementation issues. Checklists that capture the key review elements are provided.
- How Tos. Each guide provides a set of step-by-step procedures to help you implement key solutions from the guide.
- Subject matter expertise. Each guide exposes insight from various experts throughout Microsoft and from customers in the field.
- Validation. The guidance is validated internally through testing. Also, extensive reviews have been performed by product, field, and product support teams. Externally, the guidance is validated through community participation and extensive customer feedback cycles.
- What to do, why, how. Each section in the guide presents a set of recommendations. At the start of each section, the guidelines are summarized using bold, bulleted lists. This gives you a snapshot view of the recommendations. Then, each recommendation is expanded upon telling you what to do, why, and how. “What to do” gives you the recommendation. “Why” gives you the rationale for the recommendation, helps you understand the issues, and explains any trade-offs you may need to consider. “How” gives you the implementation details to make the recommendation actionable.
Security Engineering
To meet your security objectives, security engineering activities must be an integral part of your software development practices. Our patterns & practices Security Engineering builds on, refines, and extends core life cycle practices to create security-specific practices. You can adopt these activities incrementally as you see fit. These security activities are integrated in MSF Agile, available with Visual Studio Team System. This provides tools, guidance, and workflow to help make security a seamless part of your development experience.
- Security Engineering Explained (PDF)
- Security Design Inspection
- Security Code Inspection
- Security Deployment Inspection
- Threat Modeling Web Applications
- .NET Framework 2.0 Code Inspection Questions
- ASP.NET 2.0 Code Inspection Questions
Application Scenarios and Solutions
ASP.NET Application Scenarios
- ASP.NET Intranet Scenarios and Solutions
- ASP.NET Extranet Scenarios and Solutions
- ASP.NET Internet Scenarios and Solutions
WCF (Intranet Application Scenarios)
- Web to Remote WCF Using Transport Security (Original Caller, TCP)
- Web to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
- Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
- Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)
WCF (Internet Application Scenarios)
- WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
- Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
- Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)
Cheat Sheets
A Cheat Sheet presents reference information as a quick view. Cheat Sheets are easy to print out and put up on the wall as a quick reference or reminder of key information. Here are our security Cheat Sheets:
Checklists
A Checklist presents a set of verifications to perform (“what to check for”, “how to check”, and “how to fix”). Checklists work hand-in-hand with Guidelines. Whereas Guidelines are the “what to do”, “why”, and “how”, the Checklist is a distilled set of checks to perform. Here are our security Checklists:
- .NET Framework 2.0 Security Checklist
- ADO.NET 2.0 Security Checklist
- ASP.NET 2.0 Security Checklist
- WCF Security Checklist
Guidelines
Our Guidelines present the “what to do”, “why”, and “how”. Here are our security Guidelines:
- .NET Framework 2.0 Security Guidelines
- ADO.NET 2.0 Security Guidelines
- ASP.NET 2.0 Security Guidelines
- WCF Security Guidelines
Practices at a Glance
Our Practices at a Glance are brief problem and solution pairs that summarize solutions and link to more information.
- .NET Framework 2.0 Security Practices at a Glance
- ASP.NET 2.0 Security Practices at a Glance
- WCF Security Practices at a Glance
Explained
An Explained article exposes the what and how mechanics (e.g. how things work, basic architecture, design intentions, usage scenarios). Here are our security Explained articles:
FAQs
A FAQ article is a collection of frequently asked questions related to a technology, product, or technique. They aren’t restricted to high-level questions. In fact, many of the questions actually cut pretty deep. Here are our security FAQs:
How Tos
A How To article provides the steps to execute an end-to-end task. How Tos complement the Guidelines and Checklists. While a Guideline will simply provide a high-level view of the “what to do” and a Checklist will simply identify a check to perform, our How Tos actually elaborate on and walk through the steps to perform it. Here are our security How Tos:
Security Engineering How Tos
- How To: Perform a Security Code Review for Managed Code (Baseline Activity)
- How To: Perform a Security Deployment Review for ASP.NET 2.0
- How To: Create a Threat Model for a Web Application at Design Time
ASP.NET How Tos
- How To: Configure MachineKey in ASP.NET 2.0
- How To: Connect to SQL Server Using SQL Authentication in ASP.NET 2.0
- How To: Create a Service Account for an ASP.NET 2.0 Application
- How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0
- How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
- How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
- How To: Improve Security When Hosting Multiple Applications in ASP.NET 2.0
- How To: Instrument ASP.NET 2.0 Applications for Security
- How To: Prevent Cross-Site Scripting in ASP.NET
- How To: Protect Forms Authentication in ASP.NET 2.0
- How To: Protect From Injection Attacks in ASP.NET
- How To: Protect From SQL Injection in ASP.NET
- How To: Use ADAM for Roles in ASP.NET 2.0
- How To: Use Authorization Manager (AzMan) with ASP.NET 2.0
- How To: Use Code Access Security in ASP.NET 2.0
- How To: Use Forms Authentication with Active Directory in ASP.NET 2.0
- How To: Use Forms Authentication with Active Directory in Multiple Domains in ASP.NET 2.0
- How To: Use Forms Authentication with SQL Server in ASP.NET 2.0
- How To: Use Health Monitoring in ASP.NET 2.0
- How To: Use Impersonation and Delegation in ASP.NET 2.0
- How To: Use Medium Trust in ASP.NET 2.0
- How To: Use Membership in ASP.NET 2.0
- How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0
- How To: Use Regular Expressions to Constrain Input in ASP.NET
- How To: Use Role Manager in ASP.NET 2.0
- How To: Use the Network Service Account to Access Resources in ASP.NET
- How To: Use Windows Authentication in ASP.NET 2.0
WCF How Tos
- How to: Audit and Log Security Events in WCF Calling from Windows Forms
- How to: Create and Install Temporary Certificates in WCF for Message Security During Development
- How to: Create and Install Temporary Certificates in WCF for Transport Security During Development
- How to: Create and Install Temporary Client Certificates in WCF During Development
- How to: Host WCF in a Windows Service Using TCP
- How to: Impersonate the Original Caller in WCF Calling from a Web Application
- How to: Impersonate the Original Caller in WCF Calling from Windows Forms
- How to: Perform Input Validation in WCF
- How to: Perform Message Validation with Schema Validation in WCF
- How to: Use basicHttpBinding with Windows Authentication and TransportCredentialOnly in WCF from Windows Forms
- How to: Use Certificate Authentication and Message Security in WCF Calling from Windows Forms
- How to: Use Certificate Authentication and Transport Security in WCF Calling from Windows Forms
- How to: Use Delegation for Flowing the Original Caller Credentials to the Back End in WCF Calling from Windows Forms
- How to: Use Health Monitoring to Instrument a WCF Service for Security
- How to: Use netTcpBinding with Windows Authentication and Message Security in WCF Calling from Windows Forms
- How to: Use netTcpBinding with Windows Authentication and Transport Security in WCF Calling from Windows Forms
- How to: Use Protocol Transition for Impersonating and Delegating the Original Caller in WCF
- How to: Use the SQL Server Role Provider with Username Authentication in WCF Calling from Windows Forms
- How to: Use the SQL Server Role Provider with Windows Authentication in WCF Calling from Windows Forms
- How to: Use Username Authentication with the SQL Server Membership Provider and Message Security in WCF from Windows Forms
- How to: Use Username Authentication with Transport Security in WCF Calling from Windows Forms
- How to: Use wsHttpBinding with Username Authentication and TransportWithMessageCredentials in WCF Calling from Windows Forms
- How to: Use wsHttpBinding with Windows Authentication and Message Security in WCF Calling from Windows Forms
- How to: Use wsHttpBinding with Windows Authentication and Transport Security in WCF Calling from Windows Forms
Most Recent patterns & practices Security Guidance Work
Most recent patterns & practices security guidance efforts include the following:
- A Guide to Claims–based Identity and Access Control
- Improving Web Services Security: Scenarios and Implementation Guidance for WCF
- Azure Security Guidance (project start is slated for FY11 – current efforts are focused on figuring out the most relevant app scenarios)
My Related Posts
- Security Principles at a Glance
- The Power of Blue Books for Platform Impact
- patterns & practices Security Engineering Cheat Sheet
Comments
Anonymous
May 28, 2010
Can you provide some reference material on how the per call negotiation works in WCF? I am unable to find a detailed content on how the service credential negotiation works in WCF.
Anonymous
May 28, 2010
@ Sam -- I haven't seen anything. A sequence diagram and a simple write up of the flow would be nice. You might try posting to the WCF forum (social.msdn.microsoft.com/.../) to see if somebody's tackled this.