An Overview of Cryptographic Systems and Encrypting Database Data
As the attacks that hackers use become more and more sophisticated, and the programs that they attack become increasingly complex, encryption is becoming the last line of defense in database management system (DBMS) security. Since Microsoft announced their Trustworthy Computing security initiatives four years ago, the industry has been waiting to see how these initiatives would be implemented in upcoming products. With the introduction of Microsoft's newest DBMS, SQL Server 2005, it does indeed seem as though they have provided what they have promised.
What follows is a two-part article series that provides an in-depth examination of encrypting data in SQL Server 2005. In this article we will explore key challenges facing database systems and the motivations for providing robust encryption mechanisms directly within the database system. We will also look at encryption fundamentals and SQL Server 2005's encryption capabilities.
.NET Encryption Simplified
A simple, string-oriented class for symmetric encryption, asymmetric encryption, and hashing.
Programmatically disable/enable Windows firewall
This article teaches you how to disable and enable your Windows firewall programmatically.
Fundamentals of WCF Security
The labyrinth of security features for WCF is intricate and at times even overwhelming. At its core, however, is a basic set of security principles for authentication, authorization, and message transfer protection.
.NET Application Domains
Explains the advantages of using application domain features in .NET. Includes two Visual Studio .NET sample projects with source code.
Support Certificates In Your Applications With The .NET Framework 2.0
Certificates are used in many places across the Microsoft .NET Framework, from secure communication to code signing to security policies. The .NET Framework 2.0 introduced revamped support for certificates and it added a completely new namespace for standards-compliant cryptographic operations with certificates. In this article, I will discuss the background for certificates and the Windows Certificate Store. I'll also show you how to work with the certificate APIs and how they are used by the Framework to implement security features.
Validating ASP.NET Query Strings
Starting with version 1.1, ASP.NET preprocesses any posted data (forms and query string), looking for suspicious combinations of characters that may be exploited by XSS attackers. But this barrier is not a silver bullet and you have to take responsibility. If your pages use query string parameters, you need to ensure that they are properly validated before use. How do you do that?
In this column, I build an HTTP module that reads an XML file where you have hardcoded the expected structure of the query string. The module then validates the query string of any requested page against the given schema. And you don't need to touch the code of any page.
Securing Text Data in .NET
Discussion of securing text in an application. The example project contains a SecureString wrapper to make working with SecureString easier, and a textbox that directly manipulates a SecureString.
Tips on Using Protocol Transition
Now that Windows Server 2003 is widely deployed, Keith Brown addresses questions from readers who are trying to use protocol transition to build secure gateways into their intranets.
Microsoft Anti-Cross Site Scripting Library V1.5
Cross-site scripting attacks are platform and browser independent, and can allow malicious users to perform malicious actions such as gaining unauthorized access to client data like cookies or hijacking sessions entirely. Simple steps that developers can take to prevent XSS attacks in their ASP.NET applications include doing the following:
1. Validating and constraining input
2. Encoding output
For defense in depth, developers may wish to use the Microsoft Anti-Cross Site Scripting Library to encode output. This library differs from most encoding libraries in that it uses the "principle of inclusions" technique to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The principle of inclusions approach provides a high degree of protection against XSS attacks and is suitable for Web applications with high security requirements.