Securing ADO.NET Applications

Writing a secure ADO.NET application involves more than avoiding common coding pitfalls such as not validating user input. An application that accesses data has many potential points of failure that an attacker can exploit to retrieve, manipulate, or destroy sensitive data. It is therefore important to understand all aspects of security, from the process of threat modeling during the design phase of your application, to its eventual deployment and ongoing maintenance.

The .NET Framework provides many useful classes, services, and tools for securing and administering database applications. The common language runtime (CLR) provides a type-safe environment for code to run in, with code access security (CAS) to further restrict the permissions of managed code. Following secure data access coding practices limits the damage that a potential attacker can inflict.

Writing secure code does not guard against self-inflicted security holes when working with unmanaged resources such as databases. Most server databases, such as SQL Server, have their own security systems, which enhance security when implemented correctly. However, even a data source with a robust security system can be compromised in an attack if it is not configured appropriately.

In This Section

Security Overview
Provides recommendations for designing secure ADO.NET applications.

Secure Data Access
Describes how to work with data from a secured data source.

Secure Client Applications
Describes security considerations for client applications.

Code Access Security and ADO.NET
Describes how CAS can help protect ADO.NET code. Also discusses how to work with partial trust.

Privacy and Data Security
Describes encryption options for ADO.NET applications.

SQL Server Security
Describes SQL Server security features from a developer's perspective.

Security Considerations
Describes security for Entity Framework applications.

Security
Contains links to topics describing all aspects of security in .NET.

Security Tools
.NET Framework tools for securing and administering security policy.

Resources for Creating Secure Applications
Provides links to topics for creating secure applications.

Security Bibliography
Provides links to external resources available online and in print.

See also