Security overview

Securing an application is an ongoing process. There will never be a point where a developer can guarantee that an application is safe from all attacks, because it is impossible to predict what kinds of future attacks new technologies will bring about. Conversely, just because nobody has yet discovered (or published) security flaws in a system does not mean that none exist or could exist. You need to plan for security during the design phase of the project, and also plan how security will be maintained over the lifetime of the application.

Design for Security

One of the biggest problems in developing secure applications is that security is often an afterthought, something to implement after a project is code-complete. Not building security into an application at the outset leads to insecure applications, because little thought has been given to what makes an application secure.

Last-minute security implementation leads to more bugs, as software breaks under the new restrictions or has to be rewritten to accommodate unanticipated functionality. Every line of revised code carries the possibility of introducing a new bug. For this reason, you should consider security early in the development process so that it can proceed in tandem with the development of new features.

Threat Modeling

You cannot protect a system against attack unless you understand all the potential attacks that it is exposed to. The process of evaluating security threats, called threat modeling, is necessary to determine the likelihood and ramifications of security breaches in your ADO.NET application.

Threat modeling is composed of three high-level steps: understanding the adversary's view, characterizing the security of the system, and determining threats.

Threat modeling is an iterative approach to assessing vulnerabilities in your application, to find those that are the most dangerous because they expose the most sensitive data. Once you identify the vulnerabilities, you rank them in order of severity and create a prioritized set of countermeasures to counter the threats.

For more information, see the following resources:

Resource: The Threat Modeling site on the Security Engineering Portal
Description: The resources on this page will help you understand the threat modeling process and build threat models that you can use to secure your own applications.

The Principle of Least Privilege

When you design, build, and deploy your application, you must assume that your application will be attacked. Often these attacks come from malicious code that executes with the permissions of the user running the code. Others can originate with well-intentioned code that has been exploited by an attacker. When planning security, always assume the worst-case scenario will occur.

One countermeasure you can employ is to erect as many walls around your code as possible by running with least privilege. The principle of least privilege says that any given privilege should be granted to the least amount of code necessary, for the shortest duration of time that is required to get the job done.

The best practice for creating secure applications is to start with no permissions at all and then add the narrowest permissions for the particular task being performed. By contrast, starting with all permissions and then denying individual ones leads to insecure applications that are difficult to test and maintain, because security holes may exist from unintentionally granting more permissions than required.

For more information on securing your applications, see the following resources:

Resource: Securing Applications
Description: Contains links to general security topics. Also contains links to topics for securing distributed applications, Web applications, mobile applications, and desktop applications.

Code Access Security (CAS)

Code access security (CAS) is a mechanism that helps limit the access that code has to protected resources and operations. In the .NET Framework, CAS performs the following functions:

  • Defines permissions and permission sets that represent the right to access various system resources.

  • Enables administrators to configure security policy by associating sets of permissions with groups of code (code groups).

  • Enables code to request the permissions it requires in order to run, as well as the permissions that would be useful to have, and to specify which permissions the code must never have.

  • Grants permissions to each assembly that is loaded, based on the permissions requested by the code and on the operations permitted by security policy.

  • Enables code to demand that its callers have specific permissions.

  • Enables code to demand that its callers possess a digital signature, thus allowing only callers from a particular organization or site to call the protected code.

  • Enforces restrictions on code at run time by comparing the granted permissions of every caller on the call stack to the permissions that callers must have.

To minimize the amount of damage that can occur if an attack succeeds, choose a security context for your code that grants access only to the resources it needs to get its work done, and no more.
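The following C# is an added example, not code from the original article, illustrating both the least-privilege guidance above ("start with no permissions and add the narrowest ones") and the CAS stack-walk demand described in the list. It builds an empty PermissionSet, adds read access to a single file, applies it with PermitOnly for only as long as the task runs, and shows that a Demand for a wider permission is refused by the runtime. The class name, method names and the log path are assumptions for illustration. It applies to the .NET Framework; CAS is not enforced on .NET Core or .NET 5 and later.

```csharp
// Added example (not from the original article): least privilege with .NET Framework CAS.
// Begin with no permissions, add only what the task needs, keep it for the shortest time.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

public static class LeastPrivilegeDemo
{
    // Assumed log path for illustration; a real application reads this from configuration.
    private const string LogPath = @"C:\app\logs\audit.log";

    // Builds the narrowest grant for this task: read access to one file and nothing else.
    private static PermissionSet ReadOnlyGrantForLog()
    {
        // Start from an empty permission set (PermissionState.None), not Unrestricted.
        var allowed = new PermissionSet(PermissionState.None);
        // Add exactly one permission: Read on this one path.
        allowed.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, LogPath));
        return allowed;
    }

    // Reads the audit log while restricted to the read-only grant.
    public static string ReadAuditLog()
    {
        // PermitOnly limits this frame (and everything it calls) to the permissions in the set.
        ReadOnlyGrantForLog().PermitOnly();
        try
        {
            // Succeeds: the stack walk finds Read on LogPath is permitted.
            return File.Exists(LogPath) ? File.ReadAllText(LogPath) : string.Empty;
        }
        finally
        {
            // Revert as soon as the task is done so the restriction does not outlive it.
            CodeAccessPermission.RevertPermitOnly();
        }
    }

    // Shows that code running under the narrow grant cannot widen it to Write.
    public static bool TryWriteUnderReadOnlyGrant()
    {
        ReadOnlyGrantForLog().PermitOnly();
        try
        {
            // Demand triggers the CAS stack walk. Write on LogPath is outside the permitted
            // set, so the runtime throws SecurityException before any file is touched.
            new FileIOPermission(FileIOPermissionAccess.Write, LogPath).Demand();
            return true;  // would mean Write was granted
        }
        catch (SecurityException)
        {
            return false; // the narrow grant held
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();
        }
    }

    public static void Main()
    {
        Console.WriteLine("Write allowed under read-only grant: " + TryWriteUnderReadOnlyGrant());
    }
}
```

The point of building the set from PermissionState.None rather than trimming an unrestricted set is the one the text makes: a permission that is never added cannot be forgotten when the code is later revised, whereas a deny-list has to be maintained against every new resource the code touches.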

For more information, see the following resources:

Resource: Code Access Security and ADO.NET
Description: Describes the interactions between code access security, role-based security, and partially trusted environments from the perspective of an ADO.NET application.

Resource: Code Access Security
Description: Contains links to additional topics describing CAS in the .NET Framework.

Database Security

The principle of least privilege also applies to your data source. Some general guidelines for database security include:

  • Create accounts with the lowest possible privileges.

  • Do not give users access to administrative accounts just to get code working.

  • Do not return server-side error messages to client applications.

  • Validate all input at both the client and the server.

  • Use parameterized commands and avoid dynamic SQL statements.

  • Enable security auditing and logging for the database you are using, so that you are alerted to any security breaches.
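The following C# is an added example, not code from the original article, that puts four of the guidelines above into one ADO.NET lookup: a low-privilege database login, server-side input validation, a parameterized SqlCommand in place of dynamic SQL, and a generic error returned to the client while the server-side detail goes to the operator log. The connection string, the Customers table and its columns, and the class and method names are assumptions for illustration; the dynamic-SQL method is included only to show what the guideline tells you to avoid.

```csharp
// Added example (not from the original article): database guidelines applied to one query.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class CustomerLookup
{
    // Assumed connection string. The login is a dedicated, read-only account for this
    // application, not an administrative account such as sa (lowest possible privileges).
    private const string ConnectionString =
        "Server=(local);Database=Shop;User Id=shop_reader;Password=<placeholder>;Encrypt=True;";

    // AVOID: dynamic SQL. The user-supplied value becomes part of the SQL text, so a name
    // that contains an apostrophe (O'Brien) breaks the statement, and crafted input can
    // change the statement's meaning. Shown only as the 'before' case.
    public static string BuildDynamicSql(string customerName)
    {
        return "SELECT Id, Name, Email FROM Customers WHERE Name = '" + customerName + "'";
    }

    // Server-side validation: bounded length and an explicit allow-list of characters.
    // Client-side validation can give early feedback, but the server must check again.
    public static bool IsValidCustomerName(string customerName)
    {
        return customerName != null
            && customerName.Length <= 50
            && Regex.IsMatch(customerName, @"^[\p{L}\p{M} .'-]+$");
    }

    // RECOMMENDED: parameterized command. The value is sent as a typed parameter and is
    // never interpreted as SQL, whatever characters it contains (the apostrophe included).
    public static DataTable FindCustomer(string customerName)
    {
        if (!IsValidCustomerName(customerName))
            throw new ArgumentException("Invalid customer name.", nameof(customerName));

        var result = new DataTable();
        try
        {
            using (var conn = new SqlConnection(ConnectionString))
            using (var cmd = new SqlCommand(
                "SELECT Id, Name, Email FROM Customers WHERE Name = @name", conn))
            {
                // Declare the parameter with a type and size that match the column.
                cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = customerName;
                conn.Open();
                using (var reader = cmd.ExecuteReader())
                {
                    result.Load(reader);
                }
            }
        }
        catch (SqlException ex)
        {
            // Record the server-side detail where operators can see it...
            Console.Error.WriteLine("Customer lookup failed: {0} (error {1})", ex.Message, ex.Number);
            // ...but hand the client application only a generic message.
            throw new ApplicationException("The request could not be completed.");
        }
        return result;
    }
}
```

The two methods take the same input; the difference is only where the value ends up. In BuildDynamicSql it is part of the SQL text the server parses, in FindCustomer it is data bound to @name after the statement has already been parsed, which is why the parameterized form does not depend on escaping at all.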

For more information, see the following resources:

Resource: SQL Server Security
Description: Provides an overview of SQL Server security, with application scenarios that give guidance for creating secure ADO.NET applications that target SQL Server.

Resource: Recommendations for Data Access Strategies
Description: Provides recommendations for accessing data and performing database operations.

Security Policy and Administration

Improperly administering code access security (CAS) policy can create security weaknesses. Once an application is deployed, techniques for monitoring security should be used, and risks re-evaluated as new threats emerge.

For more information, see the following resources:

Resource: Security Policy Management
Description: Provides information on creating and administering security policy.

Resource: Security Policy Best Practices
Description: Provides links describing how to administer security policy.

See also