Shared by: Mai Phuong | Date: | File type: PDF | Pages: 22



Document description

Demonstrate how to open the Web page that is provided on the Student Materials compact disc by double-clicking Autorun.exe or Default.htm in the StudentCD folder on the Trainer Materials compact disc.


Text content: Training

Introduction

Contents
Introduction 1
Course Materials 2
Prerequisites 3
Course Outline 5
Setup 7
Lab Scenario 9
Microsoft Official Curriculum 11
Microsoft Certified Professional Program 12
Facilities 15
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Instructor Notes

Presentation: 30 minutes

The Introduction module provides students with an overview of the course content, materials, and logistics for Course 2300, Developing Secure Web Applications.

Required materials
To teach this course, you need the following materials:
• Delivery Guide
• Trainer Materials compact disc

Preparation tasks
To prepare for this course, you must complete the Course Preparation Checklist that is included with the trainer course materials.
How to Teach This Module

This section contains information that will help you to teach this module.

Introduction
Welcome students to the course and introduce yourself. Provide a brief overview of your background to establish credibility. Ask students to introduce themselves and to provide their background, product experience, and expectations of the course. Record student expectations on a white board or flip chart that you can reference later in class.

Course materials
Tell students that everything they will need for this course is provided at their desk. Have students write their names on both sides of the name card. Describe the contents of the student workbook and the Student Materials compact disc. Tell students where they can send comments and feedback on this course. Demonstrate how to open the Web page that is provided on the Student Materials compact disc by double-clicking Autorun.exe or Default.htm in the StudentCD folder on the Trainer Materials compact disc.

Prerequisites
Describe the prerequisites for this course. This is an opportunity for you to identify students who may not have the appropriate background or experience to attend this course.

Course outline
Briefly describe each module and what students will learn. Be careful not to go into too much detail because the course is introduced in detail in Module 1 of Course 2300, Developing Secure Web Applications. Explain how this course will meet students’ expectations by relating the information that is covered in individual modules to their expectations.

Setup
Describe any necessary setup information for the course, including course files and classroom configuration. The biggest change from most developer courses is that there is a common database server named Glasgow, which will be used by all of the students. Any Microsoft® SQL Server™ configurations to the database server that need to be completed during class will be done by the instructor in demonstrations.

Lab scenario
Describe the lab scenario for the course. Emphasize that there are four Web applications that are built in the labs for this course: two Active Server Pages (ASP) Web applications and two Microsoft ASP.NET Web applications. Also emphasize the fact that some files, such as the CreateAccount Web page in the private folder, will be added to the TailspinToysAdmin Web applications for Lab 9. As a result, there are broken links in the Web site until then.

Microsoft Official Curriculum
Explain the Microsoft Official Curriculum (MOC) program and present the list of additional recommended courses. Refer students to the MOC Web page at training/ for information about curriculum paths.
Microsoft Certified Professional program
Inform students about the Microsoft Certified Professional (MCP) program, any certification exams that are related to this course, and the various certification options.

Facilities
Explain the class hours, extended building hours for labs, parking, restroom location, meals, phones, message posting, and where smoking is or is not allowed. Let students know if your facility has Internet access that is available for them to use during class breaks. Also, make sure that the students are aware of the recycling program if one is available.
Introduction

• Name
• Company affiliation
• Title/function
• Job responsibility
• ASP, ASP.NET, Visual Basic Scripting Edition, Visual Basic .NET, and C# experience
• Expectations for the course

*****************************ILLEGAL FOR NON-TRAINER USE******************************
Course Materials

The following materials are included with your kit:
• Name card. Write your name on both sides of the name card.
• Student workbook. The student workbook contains the material that is covered in class, in addition to the hands-on lab exercises.
• Student Materials compact disc. The Student Materials compact disc contains the Web page that provides you with links to resources pertaining to this course, including additional readings, review and lab answers, lab files, multimedia presentations, and course-related Web sites.
  Note: To open the Web page, insert the Student Materials compact disc into the CD-ROM drive, and then in the root directory of the compact disc, double-click Autorun.exe or Default.htm.
• Course evaluation. To provide feedback on the course, training facility, and instructor, you will have the opportunity to complete an online evaluation near the end of the course.
• Evaluation software. An evaluation copy of Microsoft® Visual Studio® .NET is provided for your personal use only.
Prerequisites

This course requires that you meet the following prerequisites:
• Familiarity with N-tier application architecture
• Experience in developing or designing Web applications
• Experience with one of the following programming languages:
  - Microsoft Visual Basic®
  - C#
  - Microsoft Visual Basic .NET
• Experience in writing server-side and client-side code by using one or both of the following technologies:
  - Active Server Pages (ASP)
  - Microsoft ASP.NET
• Experience in writing server-side code that retrieves data from a database by using one or both of the following technologies:
  - ActiveX® Data Objects (ADO)
  - Microsoft ADO.NET
• Familiarity with all of the following Microsoft products and technologies is recommended:
  - Microsoft Windows® 2000 Server
  - Microsoft SQL Server™ 2000
  - Internet Information Services (IIS)

These prerequisites can be satisfied by completing the following courses:
• Course 1017, Mastering Web Application Development Using Microsoft Visual InterDev®
• Course 2310, Developing Microsoft ASP.NET Web Applications Using Visual Studio .NET
• Course 2373, Programming with Microsoft Visual Basic .NET
• Course 2124, Programming with C#
Course Outline

• Module 1: Introduction to Web Security
• Module 2: Planning for Web Application Security
• Module 3: Validating User Input
• Module 4: Internet Information Services Authentication
• Module 5: Securing Web Pages

Module 1, “Introduction to Web Security,” provides an overview of the terms and concepts of, along with the justification for, Web application security. This module includes an introduction to the STRIDE model, which can be used to categorize threats to Web applications. This module also provides an overview of the technologies and best practices that can be used to build a secure solution for Web applications. After completing this module, you will be able to define the basic principles of, and motivations for, Web application security.

Module 2, “Planning for Web Application Security,” explains the steps that are typically involved in the Web application design process, what role security considerations play in each of these steps, and finally, how these steps interrelate. You will examine in more detail the threat analysis step in the design process by identifying Web-accessible assets and the threats that are posed to those assets, and by calculating the risks of those threats being exposed to the assets. After completing this module, you will be able to perform a threat analysis of Web-accessible assets.

Module 3, “Validating User Input,” explains how to manage user input in a secure way. The methods for checking user input, and a discussion of the consequences of not performing those checks, are the focus of this module. After completing this module, you will be able to secure your Web applications by validating user input.

Module 4, “Internet Information Services Authentication,” provides insight into the Web client authentication methods that are supported by IIS and Windows 2000 Server. Initial Web client authentication and the flow of user identities through the Web application are the focus of this module. After completing this module, you will be able to select the best IIS authentication method for a given set of requirements.

Module 5, “Securing Web Pages,” shows how to secure the Web pages in your Web application through the use of ASP and ASP.NET forms-based authentication. After completing this module, you will be able to implement forms-based authentication in both ASP and ASP.NET Web applications.
Course Outline (continued)

• Module 6: Securing File System Data
• Module 7: Securing Microsoft SQL Server
• Module 8: Protecting Communication Privacy and Data Integrity
• Module 9: Encrypting, Hashing, and Signing Data
• Module 10: Testing Web Applications for Security

Module 6, “Securing File System Data,” explains how to protect file system data that is a part of a Web application. The two important security techniques that are covered in this module are using access control lists (ACLs) and using ASP.NET configuration files. After completing this module, you will be able to protect file system data by using the features in Windows 2000 and the Microsoft .NET Framework.

Module 7, “Securing Microsoft SQL Server,” describes how to use SQL Server security features to protect Web application data. After completing this module, you will be able to connect securely to a SQL Server database, and use the SQL Server security model to protect a Web application against SQL injection attacks.

Module 8, “Protecting Communication Privacy and Data Integrity,” begins with an overview of cryptography and digital certificates. The module then explains how you can protect data and communications between the Web browser and the Web server. After completing this module, you will be able to protect the portions of a Web application that require private communications by using Secure Sockets Layer (SSL) security.

Module 9, “Encrypting, Hashing, and Signing Data,” shows you how to strengthen the security of your Web applications by incorporating the programmatic use of cryptography. Depending on your programming platform, you will use one of several cryptographic libraries to add encryption, hashing, and digital signing functionality to your Web application. After completing this module, you will be able to use the CAPICOM cryptographic library and the System.Security.Cryptography namespace to encrypt, hash, and sign data.

Module 10, “Testing Web Applications for Security,” explains how testing the security of a Web application is different from testing features that are not related to security. This module also covers how to create a security test plan and how to implement the plan. After completing this module, you will be able to employ a structured approach to testing for Web application security.
Setup

Software
The following software will be used in the classroom:
• Windows 2000 Server
• Windows 2000 Server Service Pack (SP) 2
• SQL Server 2000 Developer Edition
• SQL Server 2000 SP 2
• Visual Studio .NET, Enterprise Developer Edition
• Visual Studio .NET SP 1

Classroom setup
Each student computer in the classroom has Windows 2000 Server installed as a stand-alone server in a workgroup. You will log on under the user account 2300Student with a password of P@ssw0rd. This user account is in the Administrators and TailspinAdmins groups. This course uses one shared SQL Server database for all of the students; this database is installed on a separate computer in the classroom. The database server is named Glasgow.
Course files
There are files associated with the labs in this course. The lab files are located in the folder install_folder\Labfiles\LabXX on the student computers. There are two Visual Studio .NET solutions, 2300Labs and 2300Labs.NET, which you will use to access the Web application files for the labs.

There are both ASP and ASP.NET exercises in this course. The ASP files are in the install_folder\Labfiles\LabXX\ASP\Starter folder and the ASP.NET files are in the install_folder\Labfiles\LabXX\ASPXVB\Starter folder. For the ASP exercises, there are solution files in the install_folder\Labfiles\LabXX\ASP\Solution folder. For the ASP.NET exercises, there are Visual Basic .NET solution files in the install_folder\Labfiles\LabXX\ASPXVB\Solution folder. A C# version of the final lab solution is provided in the install_folder\Labfiles\CSharpLabSolution folder.

The install_folder\Labfiles\database folder contains an SQL script that is used to install a backup of the TailspinToys database.
Lab Scenario

In the labs for Course 2300, Developing Secure Web Applications, you will create two Web applications, TailspinToys and TailspinToysAdmin:
• The TailspinToys Web application consists of an Internet Web application that is accessible to all users, and an extranet Web application that is accessible only to Tailspin Toys resellers. The Internet Web application has Web pages where users can view information about the company, view the products that are offered by Tailspin Toys, and log on to the Web application as a reseller. The extranet Web application contains Web pages where resellers can view the status of their orders and change their logon passwords.
• The TailspinToysAdmin Web application is an intranet Web application that is accessible to all employees of Tailspin Toys. However, there are protected Web pages in the intranet Web application that allow only users in the TailspinAdmins group to create new reseller accounts, and to update the status of reseller orders.

There are two versions, an ASP version and an ASP.NET version, of each Web application:
• TailspinToys
• TailspinToys.NET
• TailspinToysAdmin
• TailspinToysAdmin.NET
For each lab, there are ASP exercises that are done on the ASP Web applications, and ASP.NET exercises that are done on the ASP.NET Web applications. There are two Visual Studio .NET solutions that you will use to open the ASP or ASP.NET Web applications.

The database that is used by the labs in this course is named TailspinToys, and it contains four tables:
• Users
• Products
• Orders
• OrderDetails

There are many stored procedures that are used by the Web applications to read and modify the data that is in the database. There are also .inc files that are used by the ASP Web applications and two .NET Framework class libraries (Tailspin_ReadDBUtils and Tailspin_WriteDBUtils) provided, which call the stored procedures. In the labs, you will call the utility functions in the .inc and .NET class libraries, instead of writing ADO and ADO.NET code. The code for the .NET class libraries is in the install_folder/Labfiles/LabXX/ASPXVB/Starter/2300Lab.NET folders.

The labs start with all of the Web pages in one virtual root directory, but you will split them into folders and then apply different permissions to the folders. In Lab 5, you will create a resellers folder for the TailspinToys.NET Web applications that contains the Web pages that are accessible only to resellers. In Lab 6, you will create a private folder in the TailspinToysAdmin Web applications to secure the Web pages that are accessible only to employees of the Tailspin Toys company who are in the TailspinToysAdmin Windows group. And in Lab 8, you will create a private folder in the TailspinToys Web applications to secure the Login and ChangePassword Web pages by using SSL.

Before completing Lab 9, the instructor will run a script on the database server that will change the password field in the Users table of the TailspinToys database to contain a binary data type. Students will then add new pages, including the CreateAccount Web page, to the TailspinToys and TailspinToysAdmin Web applications to work with the new field data type. Therefore, all links to the CreateAccount Web page will be broken until Lab 9.
Microsoft Official Curriculum

• Course 2632, Designing Security for Microsoft Networks
• Course 2300, Developing Secure Web Applications
• Course 2350, Securing and Deploying Microsoft .NET Assemblies

Introduction
Microsoft Training and Certification develops Microsoft Official Curriculum (MOC), including MSDN® Training, for computer professionals who design, develop, support, implement, or manage solutions by using Microsoft products and technologies. These courses provide comprehensive skills-based training in instructor-led and online formats.

Additional recommended courses
Each course relates in some way to another course. A related course may be a prerequisite, a follow-up course in a recommended series, or a course that offers additional training. Other related courses may become available in the future, so for up-to-date information about recommended courses, visit the Microsoft Training and Certification Web site.

Microsoft Training and Certification information
For more information, visit the Microsoft Training and Certification Web site at
Microsoft Certified Professional Program

Introduction
Microsoft Training and Certification offers a variety of certification credentials for developers and Information Technology (IT) professionals. The Microsoft Certified Professional program is the leading certification program for validating your experience and skills, keeping you competitive in today’s changing business environment.

MCP certifications
The Microsoft Certified Professional program includes the following certifications:
• MCSA on Microsoft Windows 2000. The Microsoft Certified Systems Administrator (MCSA) certification is designed for professionals who implement, manage, and troubleshoot existing network and system environments based on Windows 2000 platforms, including the Microsoft Windows .NET Server family. Implementation responsibilities include installing and configuring parts of the systems. Management responsibilities include administering and supporting the systems.
• MCSE on Microsoft Windows 2000. The Microsoft Certified Systems Engineer (MCSE) credential is the premier certification for professionals who analyze the business requirements and design and implement the infrastructure for business solutions based on the Windows 2000 platform and Microsoft server software, including the Windows .NET Server family. Implementation responsibilities include installing, configuring, and troubleshooting network systems.
• MCSD. The Microsoft Certified Solution Developer (MCSD) credential is the premier certification for professionals who design and develop leading-edge business solutions by using Microsoft development tools, technologies, platforms, and the Microsoft Windows DNA architecture. The types of applications that MCSDs can develop include desktop applications and multiuser, Web-based, N-tier, and transaction-based applications. The credential covers job tasks ranging from analyzing business requirements to maintaining solutions.
• MCDBA on Microsoft SQL Server 2000. The Microsoft Certified Database Administrator (MCDBA) credential is the premier certification for professionals who implement and administer SQL Server databases. The certification is appropriate for individuals who derive physical database designs, develop logical data models, create physical databases, create data services by using Transact-SQL, manage and maintain databases, configure and manage security, monitor and optimize databases, and install and configure SQL Server.
• MCP. The Microsoft Certified Professional (MCP) credential is for individuals who have the skills to successfully implement a Microsoft product or technology as part of a business solution in an organization. Hands-on experience with the product is necessary to successfully achieve certification.
• MCT. Microsoft Certified Trainers (MCTs) demonstrate the instructional and technical skills that qualify them to deliver Microsoft Official Curriculum through Microsoft Certified Technical Education Centers (Microsoft CTECs).

Certification requirements
The certification requirements differ for each certification category and are specific to the products and job functions addressed by the certification. To become a Microsoft Certified Professional, you must pass rigorous certification exams that provide a valid and reliable measure of technical proficiency and expertise.

For More Information
See the Microsoft Training and Certification Web site at You can also send e-mail to if you have specific certification questions.
Acquiring the skills tested by an MCP exam
MOC and MSDN Training Curriculum can help you develop the skills that you need to do your job. They also complement the experience that you gain while working with Microsoft products and technologies. However, no one-to-one correlation exists between MOC and MSDN Training courses and MCP exams. Microsoft does not expect or intend for the courses to be the sole preparation method for passing MCP exams. Practical product knowledge and experience are also necessary to pass the MCP exams.

To help prepare for the MCP exams, use the preparation guides that are available for each exam. Each Exam Preparation Guide contains exam-specific information, such as a list of the topics on which you will be tested. These guides are available on the Microsoft Training and Certification Web site at