Secure Client Applications (ADO.NET)

Applications typically consist of many parts that must all be protected from vulnerabilities that could result in data loss or otherwise compromise the system. Creating secure user interfaces can prevent many problems by blocking attackers before they can access data or system resources.

Validate User Input

When constructing an application that accesses data, you should assume that all user input is malicious until proven otherwise. Failure to do so can leave your application vulnerable to attack. The .NET Framework contains classes to help you enforce a domain of values for input controls, such as limiting the number of characters that can be entered. Event hooks allow you to write procedures to check the validity of values. User input data can be validated and strongly typed, limiting an application's exposure to script and SQL injection exploits.

Security noteSecurity Note:

You must also validate user input at the data source as well as in the client application. An attacker may choose to circumvent your application and attack the data source directly.

Windows Applications

In the past, Windows applications generally ran with full permissions. The .NET Framework provides the infrastructure to restrict code executing in a Windows application by using code access security (CAS). However, CAS alone is not enough to protect your application.

ASP.NET and XML Web Services

ASP.NET applications generally need to restrict access to some portions of the Web site and provide other mechanisms for data protection and site security. These links provide useful information for securing your ASP.NET application.

An XML Web service provides data that can be consumed by an ASP.NET application, a Windows Forms application, or another Web service. You need to manage security for the Web service itself as well as security for the client application.

For more information, see the following resources.

Resource

Description

Securing ASP.NET Web Sites

Discusses how to secure ASP.NET applications.

Securing XML Web Services Created Using ASP.NET

Discusses how to implement security for an ASP.NET Web Service.

Script Exploits Overview

Discusses how to guard against a script exploit attack, which attempts to insert malicious characters into a Web page.

Basic Security Practices for ASP.NET Web Applications

General security information and links to further discussion,

Remoting

.NET remoting enables you to build widely distributed applications easily, whether the application components are all on one computer or spread out across the entire world. You can build client applications that use objects in other processes on the same computer or on any other computer that is reachable over its network. You can also use .NET remoting to communicate with other application domains in the same process.

Resource

Description

Configuration of Remote Applications

Discusses how to configure remoting applications in order to avoid common problems.

Security in Remoting

Describes authentication and encryption as well as additional security topics relevant to remoting.

Security and Remoting Considerations

Describes security issues with protected objects and application domain crossing.

See Also

Concepts

Recommendations for Data Access Strategies

Securing Applications

Protecting Connection Information (ADO.NET)

Other Resources

Securing ADO.NET Applications

ADO.NET Managed Providers and DataSet Developer Center