Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).
Showing posts with label WIF.

Mar 3, 2013

Some important ASP.NET 4.5 security improvements

The .NET 4.5 framework was released a couple of months ago and it included several improvements in the security area. To benefit from these improvements you need to make a few changes to your application's configuration file. The documentation is a bit scattered over MSDN and MSFT blogs, so I figured I'd collect them here for easy reference.

The ASP.NET team published a nice article on What's New in ASP.NET 4.5 and Visual Studio 2012. There you'll learn that:
  • There are changes to ASP.NET request validation: it now supports deferred (lazy) validation and offers an option to fetch data unvalidated.
  • The AntiXSS library is included in the framework.
However, there's no mention of two other important changes:
To take advantage of these new bits you'll have to do a bit of configuration; we'll get into that right away.

Mar 19, 2012

Promising new WIF tools

Vittorio Bertocci has shared some exciting news about the upcoming WIF tools for Visual Studio 11 on his blog. The tools look really nice, especially the local development STS. Here are the direct links (for future reference):

On the blog, you'll also find that the Identity team is hiring. I just checked the list of open positions at Microsoft, and they have 35 (!) open positions on their identity page. I expect we'll see more cool stuff from the identity team in the future!

If you're a .NET developer, now is the time to get on the WIF train. WIF will be an integral part of the .NET framework as of version 4.5, which is currently in beta (for those of us who went all-in on WIF last year, this is quite a relief).

Mar 2, 2012

How to enable WIF token replay detection

Windows Identity Foundation (WIF) is vulnerable to replay of security tokens in its default configuration. The "Replay Detection" article on MSDN presents a good example of how things can go wrong without replay detection (why does everyone have to use online banking as their example?):
As another example, suppose that a user opens a browser on a public kiosk, logs on to a bank account using the bank’s Web site, logs off and leaves, but does not close the browser. The response to the user’s logon page, which contains the STS token, is still in the browser’s history. Another person could then browse back to that response page and replay it, which would repost the STS token to the bank’s Web site.
This scenario is very much real and it does not involve any fancy hacking techniques. All you need is a browser and a "back" button. You'll find some scattered references on the Internet to the solution of the problem, the tokenReplayDetection configuration setting. You'll find a mention of the configuration element in the WIF FAQ on Technet and in the WIF book, but you'll find the most helpful explanation in the ACS security guidelines.

I'll cut to the chase: here's the config to enable token replay detection. Please don't use the parameters as is; read the security considerations and tweak the values accordingly. Seriously.

Sep 4, 2011

WIF security considerations

I've been working with WIF (Windows Identity Foundation) for the last couple of months, and have to admit I've spent some time googling for WIF articles explaining how the framework should be used. I'll be putting together a blog post on some of the most useful resources I've found when I find the time. However, you'll discover that there aren't many resources covering WIF and the nitty gritty security details out there. An MSDN article on WIF security was brought to my attention the other day (thanks Jonas!), so I figured I'd link to it sooner rather than later. It might be useful for some of you out there.

The article is titled Security considerations, and it's not easy to find on Google. It contains quite a few security considerations you'd want to look into if you're using, or are contemplating using, WIF. Stay tuned for more WIF (security) stuff as my calendar hopefully frees up at work, and the golf season ends here in Norway.

Dec 18, 2010

Digging into WIF, or not.

A couple of weeks ago I attended a great talk by Dominick Baier on WIF (Windows Identity Foundation) at an NNUG meeting. I've been contemplating for some time to dig into WIF and learn first hand just how beneficial the framework is. Mr. Baier's excellent presentation was the final push I needed to start investigating. But behold, WIF is nowhere to be found on my computer (XP, with VS2010). Intense googling revealed that the WIF SDK cannot be installed on Windows XP. From the download page at the Microsoft Download Center:

Supported Operating Systems: Windows 7;Windows Server 2003 Service Pack 2;Windows Server 2008 R2;Windows Server 2008 Service Pack 2;Windows Vista

Too bad. No WIF for me. Time to upgrade from XP I guess.

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.