Securing ADO.NET Applications

Writing a secure ADO.NET application involves more than avoiding common coding pitfalls such as not validating user input. An application that accesses data has many potential points of failure that an attacker can exploit to retrieve, manipulate, or destroy sensitive data. It is therefore important to understand all aspects of security, from the process of threat modeling during the design phase of your application, to its eventual deployment and ongoing maintenance.

The .NET Framework provides many useful classes, services, and tools for securing and administering database applications. The common language runtime (CLR) provides a type-safe environment for code to run in, with code access security (CAS) to further restrict the permissions of managed code. Following secure data access coding practices limits the damage that can be inflicted by a potential attacker.

Writing secure code does not guard against self-inflicted security holes when working with unmanaged resources such as databases. Most server databases, such as SQL Server, have their own security systems, which enhance security when implemented correctly. However, even a data source with a robust security system can be victimized in an attack if it is not configured appropriately.

In This Section

Security Overview
Provides recommendations for designing secure ADO.NET applications.

Secure Data Access
Describes how to work with data from a secured data source.

Secure Client Applications
Describes security considerations for client applications.

Code Access Security and ADO.NET
Describes how CAS can help protect ADO.NET code. Also discusses how to work with partial trust.

Privacy and Data Security
Describes encryption options for ADO.NET applications.

SQL Server Security
Describes SQL Server security features from a developer's perspective.

Security Considerations
Describes security for Entity Framework applications.

Security
Contains links to topics describing all aspects of security in .NET.

Security Tools
.NET Framework tools for securing and administering security policy.

Resources for Creating Secure Applications
Provides links to topics for creating secure applications.

Security Bibliography
Provides links to external resources available online and in print.
