ASP.NET Security - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
ASP.NET Security
  • 9/9/2002 LA .NET Users Group
  • Presented by David Henson
  • dhenson@certifiednetworks.com

2
Introductions
  • Dave Henson
  • dhenson@certifiednetworks.com
  • Machine Setup
    \\ASSISTANT2: XP Home, IE6, Visual Studio .NET, Sniffer
    \\CERTNET4: W2K Server, IIS, .NET Framework
3
What We Will Cover
  • IIS Security
  • ASP.NET Security
  • Authentication
  • Authorization

4
Why be worried?
  • Unauthorized Access to Private Data
  • Site Availability
  • Packet Sniffing

5
Areas of security
  • Authentication
  • Authorization
  • Auditing
  • Encryption
  • Data Validation

6
Architecture
  • Authentication is the starting point
  • IIS is the gateway to ASP.NET
  • Fundamental understanding of IIS security is
    critical

7
Authentication
  • Initiated when a resource requested through IIS answers with HTTP
    status 401 (IIS labels it "Access Denied"; it means "not
    authenticated", which is distinct from 403 Forbidden)
  • IIS sends back to the browser:
  • 401 Access Denied
  • WWW-Authenticate: one header per scheme the site accepts (Basic,
    Digest, NTLM/Negotiate); the browser picks a scheme, collects
    credentials and retries the request with an Authorization header

8
IIS Authentication
  • Anonymous
  • Integrated
  • Basic
  • Digest
  • Client Certificates

ASP.NET Authentication
  • Windows (see above)
  • Forms
  • Passport

9
Result of Authentication
  • A user principal: for Windows authentication it is carried in an
    access token that IIS hands to the OS (static files, ASP) or to
    ASP.NET (the request's WindowsIdentity); for Forms and Passport it is
    the principal ASP.NET builds from the ticket
  • Used by the OS, your code, or the resource provider
  • to authorize access to resources (NTFS ACLs, URL authorization,
    PrincipalPermission demands)

10
Anonymous Access Considerations
  • Resource access always requires a user principal, even when the
    request is anonymous
  • For .NET
  • The ASPNET Windows account (the ASP.NET 1.x worker-process identity
    on IIS 5) is used, unless <identity impersonate="true" /> is set, in
    which case the request runs as the anonymous account IIS supplies
  • For IIS
  • IUSR_Computername is used (the account IIS impersonates for
    anonymous requests, in-process applications included)
  • IWAM_Computername is used (the process identity of out-of-process
    applications)

11
Web.Config Authentication Settings
  (transcript garbled the XML; reconstructed, with <forms> placed inside
  <authentication> where the runtime expects it)

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>
        <!-- mode is one of Windows | Forms | Passport | None -->
        <authentication mode="Forms">
          <!-- <forms> applies only when mode="Forms" -->
          <forms name="name" loginUrl="url"
                 protection="All|None|Encryption|Validation"
                 path="path" timeout="timeout">
            <!-- passwordFormat is one of Clear | SHA1 | MD5 -->
            <credentials passwordFormat="SHA1">
              <user name="username" password="password" />
            </credentials>
          </forms>
        </authentication>
      </system.web>
    </configuration>

  • protection="All" both encrypts and signs the forms ticket; anything
    less lets a sniffer read or tamper with it
  • passwordFormat="Clear" stores passwords in plain text in web.config;
    SHA1 and MD5 store unsalted digests
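To show what the <credentials> element on this slide actually buys you, here is an added illustration (not code from the presentation and not the .NET implementation) that checks a name and password against a constructed web.config the way FormsAuthentication.Authenticate does for each passwordFormat, and then lists accounts whose stored digests collide. The digest used for "password" is the value .NET's HashPasswordForStoringInConfigFile produces (uppercase hex SHA-1); hashing the UTF-8 bytes is an assumption for non-ASCII passwords.

```python
"""Model of FormsAuthentication.Authenticate against <credentials>.

Added example: illustrates the web.config credentials check; it is not the
.NET runtime's code. The config below is constructed for the example.
"""
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed web.config fragment (hypothetical accounts). Both users were
# given the same password, "password", so their SHA1 entries are identical.
CONFIG = """
<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30">
      <credentials passwordFormat="SHA1">
        <user name="mary" password="5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8" />
        <user name="bob"  password="5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8" />
      </credentials>
    </forms>
  </authentication>
</system.web></configuration>"""


def hash_for_config(password: str, password_format: str) -> str:
    """Value to store in <user password="..."> for the given passwordFormat.
    Assumption: .NET hashes the UTF-8 bytes and emits uppercase hex."""
    fmt = password_format.upper()
    if fmt == "CLEAR":
        return password
    if fmt == "SHA1":
        return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    if fmt == "MD5":
        return hashlib.md5(password.encode("utf-8")).hexdigest().upper()
    raise ValueError("unknown passwordFormat %r" % password_format)


def _credentials(config_xml: str) -> ET.Element:
    return ET.fromstring(config_xml).find(
        "system.web/authentication/forms/credentials")


def authenticate(config_xml: str, name: str, password: str) -> bool:
    """User names match case-insensitively; passwords are compared as stored
    (Clear: exact text; SHA1/MD5: hex digest, case-insensitive)."""
    creds = _credentials(config_xml)
    fmt = creds.get("passwordFormat", "SHA1")
    for user in creds.findall("user"):
        if user.get("name", "").lower() == name.lower():
            stored = user.get("password", "")
            if fmt.upper() == "CLEAR":
                return stored == password
            return stored.upper() == hash_for_config(password, fmt)
    return False


def users_sharing_hash(config_xml: str) -> Dict[str, List[str]]:
    """Unsalted digests: accounts with the same password get the same entry,
    so one cracked hash (or one leaked web.config) opens all of them."""
    by_hash: Dict[str, List[str]] = {}
    for user in _credentials(config_xml).findall("user"):
        by_hash.setdefault(user.get("password", "").upper(), []).append(user.get("name"))
    return {h: names for h, names in by_hash.items() if len(names) > 1}


if __name__ == "__main__":
    print(authenticate(CONFIG, "mary", "password"))
    print(users_sharing_hash(CONFIG))
```

The collision report is the practical caveat: because neither SHA1 nor MD5 mode salts the digest, web.config is a ready-made input for an offline dictionary attack, and the difference from passwordFormat="Clear" is smaller than it looks.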

12
Demonstration Configuration of IIS .NET
Authentication Options
  • Using IIS Manager to Configure
  • Basic
  • Integrated
  • Browser/Server Authentication Communication
  • Using Auditing To Spy On IIS
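The browser/server exchange demonstrated here, and the "Packet Sniffing" worry from slide 4, as an added example that is not part of the presentation: it models the Basic authentication round trip with constructed HTTP messages (a request, IIS's 401 challenge with WWW-Authenticate, the browser's retry with an Authorization header) and then shows what a sniffer on the wire recovers from that retry. The account "mary" and the realm are hypothetical; real IIS validates against Windows accounts rather than a dictionary.

```python
"""Basic authentication challenge/response, modelled with constructed messages.

Added example, not IIS or browser code. Every message below is built inline.
"""
import base64
from typing import Dict, Optional, Tuple

# Hypothetical credentials standing in for the Windows account IIS would check.
USERS = {"mary": "Pa55word!"}
REALM = "certnet4"
REQUEST = b"GET /secure/default.aspx HTTP/1.1\r\nHost: certnet4\r\n\r\n"


def parse_headers(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a constructed HTTP/1.1 message into its start line and a
    lower-cased header dictionary (body ignored)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers


def iis_handle(request: bytes) -> bytes:
    """Server side: answer 401 + WWW-Authenticate until a valid
    Authorization: Basic header arrives, then 200."""
    _, headers = parse_headers(request)
    scheme, _, param = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic" and param:
        try:
            user, _, password = base64.b64decode(param).decode("latin-1").partition(":")
        except ValueError:  # malformed base64 counts as no credentials
            user, password = "", ""
        if user and USERS.get(user) == password:
            return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    return (b"HTTP/1.1 401 Unauthorized\r\n"
            b'WWW-Authenticate: Basic realm="' + REALM.encode("ascii") + b'"\r\n'
            b"Content-Length: 0\r\n\r\n")


def browser_retry(challenge: bytes, user: str, password: str) -> bytes:
    """Client side: the browser prompts, then resends the request with
    base64(user:password). Basic is an encoding, not encryption."""
    status, headers = parse_headers(challenge)
    if not status.startswith("HTTP/1.1 401"):
        raise ValueError("not a challenge: " + status)
    scheme = headers["www-authenticate"].split(" ", 1)[0]
    if scheme.lower() != "basic":
        raise ValueError("unexpected scheme " + scheme)
    token = base64.b64encode(("%s:%s" % (user, password)).encode("latin-1"))
    return (b"GET /secure/default.aspx HTTP/1.1\r\nHost: certnet4\r\n"
            b"Authorization: Basic " + token + b"\r\n\r\n")


def sniffer_recovers(request: bytes) -> Optional[Tuple[str, str]]:
    """What anyone capturing the retry sees without SSL: the password."""
    _, headers = parse_headers(request)
    scheme, _, param = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(param).decode("latin-1").partition(":")
    return user, password


def exchange(user: str, password: str) -> Tuple[str, Optional[Tuple[str, str]]]:
    """Run the full round trip; return the final status line and the
    credentials a sniffer would lift from the wire."""
    challenge = iis_handle(REQUEST)
    retry = browser_retry(challenge, user, password)
    final_status, _ = parse_headers(iis_handle(retry))
    return final_status, sniffer_recovers(retry)


if __name__ == "__main__":
    print(exchange("mary", "Pa55word!"))
```

The last line of the exchange is the point of the sniffer bullet on slide 4: a wrong password still produces a 401, but every retry puts the cleartext credentials on the wire, so Basic is only acceptable over SSL; Integrated authentication never sends the password itself.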

13
.NET/IIS Authorization
  • Native Authorization Support
  • IIS Supports ACL Authorization
  • .NET Supports ACL or URL Authorization
  • Users/Roles configured in web.config, or globally in machine.config
  • You Can Always Write Your Own

14
Web.Config Authorization Settings
  (transcript garbled the XML; reconstructed)

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>
        <authentication mode="Windows|Forms|Passport|None" />
        <identity impersonate="true|false" />
        <authorization>
          <allow roles="CERTNET4\Sales" />
          <allow users="CERTNET4\mary" />
          <deny users="*" />
        </authorization>
      </system.web>
    </configuration>

  • Rules are evaluated top to bottom and the first match wins, so the
    closing <deny> is what locks everyone else out. The wildcard in the
    last rule was lost in the transcript: users="*" (everyone, anonymous
    included) matches the slide's intent; users="?" would deny only
    anonymous callers and let every other authenticated account through

15
Demonstration
  • Using ACL Authorization
  • Using URL Authorization and web.config
  • Users
  • Roles
  • Parsing of Web.Config Files
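As an added illustration of slides 13 to 15 (not code from the presentation, and not the UrlAuthorizationModule itself), the following evaluator applies <allow>/<deny> rules from constructed web.config fragments the way ASP.NET URL authorization does: first matching rule wins, a subdirectory's rules are consulted before the parent's, user names are matched case-insensitively, "*" matches everyone, "?" matches only anonymous callers, an optional verbs attribute restricts a rule to listed HTTP methods, and machine.config supplies a trailing <allow users="*" />. A second "weak" folder config shows the "?" versus "*" mistake. The folder layout and the accounts under CERTNET4 are hypothetical.

```python
"""Model of ASP.NET URL authorization rule evaluation.

Added example; the configs below are constructed and the server name
CERTNET4 is the one used on the slides.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple

Rule = Tuple[str, Dict[str, Optional[str]], Optional[Set[str]]]

# Site root: authenticated users only, no restriction on who.
ROOT_CONFIG = """
<configuration><system.web>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web></configuration>"""

# /sales: the rule set from slide 14.
SALES_CONFIG = """
<configuration><system.web>
  <authorization>
    <allow roles="CERTNET4\\Sales" />
    <allow users="CERTNET4\\mary" />
    <deny users="*" />
  </authorization>
</system.web></configuration>"""

# The common mistake: "?" only stops anonymous callers.
WEAK_SALES_CONFIG = """
<configuration><system.web>
  <authorization>
    <allow roles="CERTNET4\\Sales" />
    <allow users="CERTNET4\\mary" />
    <deny users="?" />
  </authorization>
</system.web></configuration>"""

# Rule every site inherits from machine.config if nothing above it matches.
MACHINE_DEFAULT: List[Rule] = [("allow", {"users": "*", "roles": None}, None)]


def load_rules(config_xml: str) -> List[Rule]:
    """Return (action, {users, roles}, verbs-or-None) in document order."""
    rules: List[Rule] = []
    for rule in ET.fromstring(config_xml).find("system.web/authorization"):
        verbs = rule.get("verbs")
        rules.append((rule.tag,
                      {"users": rule.get("users"), "roles": rule.get("roles")},
                      {v.strip().upper() for v in verbs.split(",")} if verbs else None))
    return rules


def rule_matches(rule: Rule, user: Optional[str], roles: List[str], verb: str) -> bool:
    """user is None for an anonymous caller; roles are the principal's groups."""
    _action, attrs, verbs = rule
    if verbs is not None and verb.upper() not in verbs:
        return False
    for name in (attrs["users"] or "").split(","):
        name = name.strip()
        if name == "*":
            return True
        if name == "?" and user is None:
            return True
        if user is not None and name.lower() == user.lower():
            return True
    if user is not None:
        mine = {r.lower() for r in roles}
        for role in (attrs["roles"] or "").split(","):
            if role.strip() and role.strip().lower() in mine:
                return True
    return False


def is_authorized(configs: List[str], user: Optional[str], roles: List[str],
                  verb: str = "GET") -> bool:
    """configs are ordered from the requested folder up to the site root, so
    the most specific web.config is consulted first, then machine.config."""
    rules = [r for cfg in configs for r in load_rules(cfg)] + MACHINE_DEFAULT
    for rule in rules:
        if rule_matches(rule, user, roles, verb):
            return rule[0] == "allow"
    return True  # not reached: MACHINE_DEFAULT always matches


if __name__ == "__main__":
    print(is_authorized([SALES_CONFIG, ROOT_CONFIG], "CERTNET4\\joe", []))
    print(is_authorized([WEAK_SALES_CONFIG, ROOT_CONFIG], "CERTNET4\\joe", []))
```

Running it with a Windows user who is neither mary nor in Sales returns False for the slide's configuration and True for the weak one, which is the whole difference between <deny users="*" /> and <deny users="?" /> at the end of a list.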

16
Declarative Security Checks
  (transcript dropped the punctuation; reconstructed)
  • In the .aspx page:

    <%@ Page Language="C#" Inherits="MyStuff" Src="MyStuff.cs" %>

  • In MyStuff.cs; only Sales people can see this code:

    using System.Security.Permissions;

    // The demand runs whenever the class is constructed or one of its
    // methods is called. With Windows authentication the role is a
    // Windows group, so use the qualified name exactly as URL
    // authorization does (e.g. "CERTNET4\Sales" on the previous slide).
    [PrincipalPermission(SecurityAction.Demand, Role = "Sales")]
    public class MyStuff : System.Web.UI.Page
    {
        // ...
    }

  • A failed demand throws a SecurityException, which ASP.NET reports as
    an error page (HTTP 500), not as a 401. You must convert it yourself:
    catch it (Page_Error or Application_Error) and set Response.StatusCode
    to 401 so the client is re-challenged; IIS prompts again under Windows
    authentication, and under Forms authentication the Forms module turns
    the 401 into a redirect to loginUrl

17
Summary
  • What We Have Learned
  • Authentication
  • Authorization
  • IIS/.NET Interaction
  • One MUST Experiment To Understand ASP.NET/IIS
    Security

18
References
  • http://msdn.microsoft.com/msdnmag/issues/02/04/ASPSec/Print.asp
  • http://msdn.microsoft.com/msdnmag/issues/02/01/security/Print.asp