.NET Tutorials, Forums, Interview Questions And Answers
Welcome :Guest
Sign In
Win Surprise Gifts!!!

Top 5 Contributors of the Month
david stephan
Gaurav Pal
Post New Web Links

Secure or a Security Hole, hardening your Area

Posted By:      Posted Date: August 21, 2010    Points: 0   Category :ASP.Net

I've consoldated Levi's post on my blog entry Secure or a Security Hole, hardening your Area

View Complete Post

More Related Resource Links

Secure By Design: Your Field Guide To Designing Security Into Networking Protocols


If you were to build a new communications protocol from scratch, how would you address security? Here the authors take a look at that question and generate some valuable insights into secure protocols.

Mark Novak and Andrew Roths

MSDN Magazine September 2006

Secure It: WS-Security and Remoting Channel Sinks Give Message-Level Security to Your SOAP Packets


As more organizations adopt XML-based Web Services, the need for message-level security has become evident. WS-Security, now supported in the Microsoft .NET Framework, addresses this need. Using the WS-Security framework, developers can implement channel sinks to intercept Remoting messages as they pass through the .NET Remoting infrastructure. The sink can read the message, change it, and pass it along. During this process, the message can be signed for added security. This article explains how to implement a Remoting channel sink that will modify the Remoting message by including a UserName token in the header, then sign the body using the token.

Neeraj Srivastava

MSDN Magazine November 2003

WS-Security: New Technologies Help You Make Your Web Services More Secure


Without good security, Web Services will never reach their potential. WS-Security and its associated technologies, the focus of this article, represent the future of security for Web Services. Provided here is an overview of these emerging security standards that explains what they do, how they work, and how they get along together. Topics discussed include integrity and confidentiality and how these are provided by public key cryptography, WS-Security, and more. Some of the key components of WS-Security, such as the wsu namespace, are also covered.

David Chappell

MSDN Magazine April 2003

Security in IIS 6.0: Innovations in Internet Information Services Let You Tightly Guard Secure Data


Security improvements have been a top priority in the evolution of IIS. IIS 6.0, which will be part of Windows .NET Server, has improved security features and a new approach to server configuration. New security-related tools for IIS, including IIS LockDown, make securing your server against attack easier than ever. The author explains how and why you can shut down services with IIS LockDown. He discusses limiting port access with TCP/IP filtering, controlling how files are served with extension mapping, what's new for Secure Sockets Layer, the use of URLScan, and more.

Wayne Berry

MSDN Magazine September 2002

ASP.NET Security: An Introductory Guide to Building and Deploying More Secure Sites with ASP.NET and


Forms authentication is one of the most compelling and useful new features of ASP.NET. It enables developers to declaratively specify which files on their site can be accessed and by whom, and allows identification of a login page. When an unauthenticated user attempts to retrieve a page protected by forms authentication, ASP.NET automatically redirects them to the login page and asks them to identify themselves. Included here is an overview of forms authentication and what you need to know to put it to work. Also included is hard-to-find information on the security of cookie authentication and on combining forms authentication with role-based URL authorizations.

Jeff Prosise

MSDN Magazine May 2002

ASP.NET Security: An Introductory Guide to Building and Deploying More Secure Sites with ASP.NET and


ASP.NET and Microsoft Internet Information Services (IIS) work together to make building secure Web sites a breeze. But to do it right, you have to know how the two interrelate and what options they provide for securing access to a Web site's resources. This article, the first in a two-part series, explains the ABCs of Web security as seen through the eyes of ASP.NET and includes a hands-on tutorial demonstrating Windows authentication and ACL authorizations. A range of security measures and authentication methods are discussed, including basic authentication, digest authentication, and role-based security.

Jeff Prosise

MSDN Magazine April 2002

Web Security: Putting a Secure Front End on Your COM+ Distributed Applications


The Internet requires that developers provide a different security model for clients than is used on a closed network. Because it would be too resource-intensive for both the client and server to prove their identity to each other, you need to look at other ways to ensure secure communications. This article covers the options, from digital certificates to public and private key encryption to Secure Sockets Layer and Web certificates. The discussion covers the installation of certificates in Microsoft Internet Information Services along with other options specific to IIS. This article was adapted from Keith Brown's Programming Windows Security (Addison-Wesley), due out in July 2000.

Keith Brown

MSDN Magazine June 2000

Secure channel cannot be opened because security negotiation with the remote endpoint has failed

Please help me to pinpoint what's wrong with the configurations. CoreClient client = new CoreClient(); client.ClientCredentials.UserName.UserName = "test"; client.ClientCredentials.UserName.Password = "test"; string msg = client.SayHello(); //==== ERROR Happens here Error message: Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint. Configurations: Host: <behaviors> <serviceBehaviors> <behavior name="DefaultBehavior"> <serviceMetadata httpGetEnabled="true"/> <serviceDebug includeExceptionDetailInFaults="false"/> <serviceCredentials> <serviceCertificate findValue="MyServerCert" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/> <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Promotion.Services.UsernameValidator, LibraryIIS" /> </serviceCredentials> </behavior>

Security hole in sessions - How to fix the problem


Hi all,

i need to store some informations in the session like username, userid and such other info (not password). I was reading about a big security hole in the sessions: when a session is created a cookie with the sessionId is created. Now, if i edit the cookie value of another browser on my pc i can use the session of the first original browser. This is really a big security hole, how can i fix this?

Security Update for Win 2003 Server (KB980436) causes access error to secure url via WCF



today in the morning i installed 5-6 security updates including (KB980436) on our production server. During the day we got errors when our application calls a secured web service :

An error occurred while making the HTTP request to https://[MyService]. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.

I had nothing to do because we haven't made any change at our application. Then i remembered the security updates and walked through the update informations. I saw that KB is about :

MS10-049: Vulnerabilities in SChannel could allow remote code execution

I removed this update because its about secure channel, then everything worked fine.

So what should we do ? Who should be informed ?

SharePoint Tutorial - Security

Security in SharePoint is comprised of users, groups and roles.

Users, Groups and Roles

A user account comes from the authentication system. For example, if Active Directory is used to authenticate then the user accounts will come from it.

There are two types of groups SharePoint uses: domain groups and SharePoint groups.

Asp.net web site security database


Hello all, I'm new to asp.net and I'm currently practising some few stuffs. I'm creating a hotel reservation system using ASP.net Web site in visual studio 2008 and I currently don't have an App_Data in my solution explorer unlike visual web developer.

1. I have planned to make users of the website login before making their reservations.

2. I have also planned to develop the website such that I will be able to know all reservations made by each user.

First and formost, I will like to know how I can access/View the security database?

Secondly, how do I link my custom made reservation database and the security database in order to achieve my second plan above.?

Someone help me.

Thank you.



hello i have the following problem

i have upload my content to hosting server but i get the following error

Security Exception

Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[SecurityException: Request for the permission of typ

System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPerm


Good Day all,

Having an issue with an outside user accessing my IIS7 box. I do not have this problem when running the website from my host machine. I found this post: Http://forums.asp.net/t/1371394.aspx. I assure you that this is not a solution because I am not storing any of my files on a network share. 

What do you think my approach should be. 

I already have read rights to IIS user to my BIN folder. 

Thanks for the help. 

XBAP Security


We have a small XBAP file upload app that we are having trouble deploying. We were getting security errors when we were pushing this application that we don't get when running in our development environments on our machines. We gave the XBAP app full permissions and still got errors. Then we created a personal certificate and were able to get this to work. But that means we have to load a client side certificate for each and every machine that wants to run this which is ridiculous. Does anyone have a solution for this?

Intranet Users Challenged When Using Windows Integrated Security


We've setup an intranet site using Windows Integrated Security. Its up and running and users can access it. However, they are being challenged with a login dialog for the server when they initially access the site.

Isn't is possible to configure the server so that the users aren't challenged AND are recognized as being already authenticated by Windows? We're trying to go with a seamless experience, whereby all they have to do is login to their machine like normal and then go from there.

Security Question Answer Retrieval


I know there is a method built in for retrieving the encrypted password, but how do I retrieve the encrypted security answer?

What I want to do is have a member profile update screen that the end user can update their password and security question and answer. However, when they get to this page, I want to already be showing the security question (the easy part) and its answer (the not so easy part).

I have updated web.config with passwordFormat=Encrypted and have added a machineKey with the generator (forgot the link, but located on eggheadcafe somewhere).

I haven't done ANYTHING yet, since I already have a user store with hashed information. I wanted to get some functionality done before publishing, wiping the store and recreating users (only a couple developers).


ASP.NetWindows Application  .NET Framework  C#  VB.Net  ADO.Net  
Sql Server  SharePoint  Silverlight  Others  All   

Hall of Fame    Twitter   Terms of Service    Privacy Policy    Contact Us    Archives   Tell A Friend