部署安全的網站系統

1、部署平安的網站系部署平安的網站系統統 LNLNiUnsecured Operating System ConfigurationUnmonitored AccessExploit Operating System WeaknessDistribute Virusesi iUSE LoginGO- Add account named webuser to Login databaseEXEC sp_addlogin webuser, m1x2y3z4p5t6l7k8, Login- Grant webuser access to the databaseEXEC sp_grantdbaccess

2、 webuser- Limit webuser to calling proc_IsUserValidGRANT EXECUTE ON proc_IsUserValid TO webuserserver=localhost;database=pubs;Trusted_Connection=yes string hash = FormsAuthentication.HashPasswordForStoringInConfigFile (password, SHA1);string CreateSaltedPasswordHash (string password) / Generate rand

3、om salt string RNGCryptoServiceProvider csp = new RNGCryptoServiceProvider (); byte saltBytes = new byte16; csp.GetNonZeroBytes (saltBytes); string saltString = Convert.ToBase64String (saltBytes); / Append the salt string to the password string saltedPassword = password + saltString; / Hash the salt

4、ed password string hash = FormsAuthentication.HashPasswordForStoringInConfigFile (saltedPassword, SHA1); / Append the salt to the hash string saltedHash = hash + saltString; return saltedHash;bool ValidatePassword (string password, string saltedHash) / Extract hash and salt string string saltString

5、= saltedHash.Substring (saltedHash.Length - 24); string hash1 = saltedHash.Substring (0, saltedHash.Length - 24); / Append the salt string to the password string saltedPassword = password + saltString; / Hash the salted password string hash2 = FormsAuthentication.HashPasswordForStoringInConfigFile (

6、saltedPassword, SHA1); / Compare the hashes return (hash1.CompareTo (hash2) = 0);if (Authenticate (name, password) string url = FormsAuthentication.GetRedirectUrl (name, true); FormsAuthentication.SetAuthCookie (name, true); HttpCookie cookie = Response.Cookies FormsAuthentication.FormsCookieName; /

7、 Set the cookie to expire 1 days from now cookie.Expires = DateTime.Now.AddDays (1); Response.Redirect (url);void Application_Error (Object sender, EventArgs e) / Formulate message to write to event log string msg = Error accessing + Request.Path + n + Server.GetLastError ().ToString (); / Write the message to Windows event log EventLog log