IIS and .Net security - PowerPoint PPT Presentation
Slides: 16
Provided by: olddominio
Learn more at: https://www.cs.odu.edu

1
IIS and .Net security
  • Vasudha Bhat

2
What is IIS? Why do we need IIS?
  • Internet Information Services (IIS) is a Web
    server; its primary job is to accept connections
    from remote clients and respond to HTTP requests
    arriving through those connections.
  • IIS provides integrated, reliable, scalable,
    secure, and manageable Web server capabilities
    over an intranet and the Internet.
  • Organizations of all sizes use IIS to host and
    manage Web pages on the Internet or on their
    intranet.

3
ASP.NET Architecture Integrating with IIS
  • As the illustration shows, all Web clients
    communicate with ASP.NET applications through
    Microsoft Internet Information Services (IIS).
  • IIS authenticates callers and creates a Windows
    access token for the caller. Through the IIS
    configuration manager found under Administrative
    Tools, IIS permits authentication control to be
    applied to individual files and directories. A
    given file or directory can be configured to
    allow anonymous access (access by unauthenticated
    users), authenticated access, or both.

4
IIS and ASP.NET Processing
  • If anonymous access is enabled within IIS, then a
    Windows access token for the anonymous Internet
    user account (typically IUSR_machinename, where
    machinename is the Web server's machine name) is
    created by IIS. IUSR_machinename is a special
    account that is created when IIS is installed.
    [1] Administrative Tools -> Computer Management ->
    Users
  • Figure 1. IIS and ASP.NET communication (diagram
    not reproduced here). IIS passes the Windows
    access token to the ASP.NET worker process. The
    ASP.NET Windows authentication module uses this
    to construct a WindowsPrincipal object, and the
    ASP.NET File authorization module uses it to
    perform Windows access checks to ensure the caller
    is authorized to access the requested file.

5
IIS and .Net security
  • IIS is not installed by default on the operating
    systems in the Windows Server 2003 family.
    Administrators must explicitly select and install
    IIS.
  • IIS installs by default in a locked-down state,
    capable of serving only static content. Using the
    Web Service Extensions node (see "Configuring IIS
    for Dynamic Content"), Web site administrators can
    enable or disable IIS functionality based on the
    individual needs of their organization.
  • IIS security features include the following
    security-related tasks:
  • Authentication in IIS 6.0 [2] Example ->
    Presentation (Virtual Directory)
  • Anonymous Authentication
  • Basic Authentication
  • Integrated Windows Authentication
  • .NET Passport Authentication
  • Digest Authentication

6
  • Auditing in IIS 6.0 [3] Event Log
  • Once IIS logging is enabled, you can configure
    how and when log files are created and saved.
  • Access Control: ASP.NET supports two forms of
    authorization.
  • ACL authorization (also known as file
    authorization) checks the access control list
    (ACL) of the .aspx or .asmx handler file to
    determine whether a user should have access to
    the file.
  • Example [3]: ACL default permissions
    Location                    Access type   Account   Comments
    SystemRoot\System32         Read          Process   Contains system DLLs loaded by the .NET Framework.
    Web application directory   Read          Process   This is the location for application files.
    Web directory\App_Data      Read/write    Process   This is the default location for data files in an ASP.NET Web application.

7
  • URL authorization: With URL authorization, you
    explicitly allow or deny access to a particular
    directory by user name or role. To do so, you
    create an authorization section in the
    configuration file for that directory.
  • Example [3]:
    <authorization>
      <allow users="Kim"/>
      <allow roles="Admins"/>
      <deny users="John"/>
      <deny users="*"/>
    </authorization>
  • Certificates [4] IIS Directory Security
  • Each Web site can have only one server
    certificate assigned to it.
  • One certificate can be assigned to multiple Web
    sites.
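To see what the URL authorization rules above actually decide for different callers, here is a small simulator written for this page (it is not code from the presentation or from ASP.NET); the rule semantics it models are ASP.NET's first-matching-rule evaluation, and the sample callers (Kim, John, Pat, an anonymous user) are constructed.

```python
import xml.etree.ElementTree as ET

# The slide's own example rules. ASP.NET evaluates them in document order and
# the first <allow>/<deny> that matches the caller decides; "*" matches every
# caller and "?" matches anonymous callers only. If nothing in the directory's
# Web.config matches, evaluation falls through to the parent configs, whose root
# default is <allow users="*"/>.
PAGE_RULES = """<authorization>
  <allow users="Kim"/>
  <allow roles="Admins"/>
  <deny users="John"/>
  <deny users="*"/>
</authorization>"""

def parse_rules(xml_text):
    """Return [(verb, [users], [roles])] in document order."""
    rules = []
    for el in ET.fromstring(xml_text):
        if el.tag in ("allow", "deny"):
            users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
            roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
            rules.append((el.tag, users, roles))
    return rules

def rule_matches(users, roles, name, user_roles):
    """name is None for an anonymous caller; user names compare case-insensitively."""
    anonymous = name is None
    for u in users:
        if u == "*" or (u == "?" and anonymous):
            return True
        if not anonymous and u.lower() == name.lower():
            return True
    return any(r in user_roles for r in roles)

def is_authorized(rules, name, user_roles=()):
    for verb, users, roles in rules:
        if rule_matches(users, roles, name, user_roles):
            return verb == "allow"
    return True  # nothing matched: the inherited root default allows everyone

def ends_with_deny_all(rules):
    """Review check: a restricted directory should close with <deny users="*"/>."""
    return bool(rules) and rules[-1][0] == "deny" and "*" in rules[-1][1]

if __name__ == "__main__":
    rules = parse_rules(PAGE_RULES)
    for who, roles in [("Kim", ()), ("John", ()), ("John", ("Admins",)), (None, ()), ("Pat", ())]:
        print(who, roles, "->", "allow" if is_authorized(rules, who, roles) else "deny")
```

Two things the run makes visible: John is still allowed if he is in the Admins role, because the `<allow roles="Admins"/>` rule sits above his `<deny>`, and without the closing `<deny users="*"/>` an unlisted user such as Pat is allowed by the inherited default.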

8
ASP.NET Authentication
  • ASP.NET implements additional authentication
    schemes using authentication providers, which
    are separate from and apply only after the IIS
    authentication schemes. ASP.NET supports the
    following authentication providers:
  • Windows (default)
  • Forms
  • Passport
  • None
  • To enable an authentication provider for an
    ASP.NET application, use the authentication
    element in either machine.config or Web.config as
    follows:
  • Example [3]:
    <system.web>
      <!-- mode="[Windows|Forms|Passport|None]" -->
      <authentication mode="Windows" />
    </system.web>

9
The security section of a Web.config file is
organized as follows (http://msdn2.microsoft.com/
en-us/library/aa719552(vs.71,d=printer).aspx):
    <authentication mode="[Windows|Forms|Passport|None]">
      <forms name="name"
             loginUrl="url"
             protection="[All|None|Encryption|Validation]"
             path="path"
             timeout="minutes"
             requireSSL="[true|false]"
             slidingExpiration="[true|false]">
        <credentials passwordFormat="[Clear|MD5|SHA1]">
          <user name="UserName" password="password"/>
        </credentials>
      </forms>
      <passport redirectUrl="internal"/>
    </authentication>
    <authorization>
      <allow users="comma-separated list of users"
             roles="comma-separated list of roles"/>
      <deny users="comma-separated list of users"
            roles="comma-separated list of roles"/>
    </authorization>

10
    <identity impersonate="[true|false]"
              userName="domain\user_name"
              password="user_password"/>
    <trust level="[Full|High|Medium|Low|Minimal]"
           originUrl=""/>
    <securityPolicy>
      <trustLevel name="Full" policyFile="internal"/>
      <trustLevel name="High" policyFile="web_hightrust.config"/>
      <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
      <trustLevel name="Low" policyFile="web_lowtrust.config"/>
      <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
    </securityPolicy>
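The elements listed on these two slides are where most Web.config review findings come from. As an added example (not from the presentation, and its checks are this example's own heuristics rather than ASP.NET behaviour), here is a small linter that flags a weak configuration and passes a hardened one; both configs are constructed samples.

```python
# Checks: requireSSL off, protection other than All, <credentials> in config
# at all, an impersonation password in config, and <trust level="Full">.
import xml.etree.ElementTree as ET

WEAK_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".AUTH" loginUrl="login.aspx" protection="Validation"
           timeout="30" requireSSL="false">
      <credentials passwordFormat="Clear">
        <user name="kim" password="secret"/>
      </credentials>
    </forms>
  </authentication>
  <identity impersonate="true" userName="CORP\\svc" password="P@ss"/>
  <trust level="Full" originUrl=""/>
</system.web></configuration>"""

HARDENED_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".AUTH" loginUrl="login.aspx" protection="All"
           timeout="30" requireSSL="true"/>
  </authentication>
  <identity impersonate="false"/>
  <trust level="Medium" originUrl=""/>
</system.web></configuration>"""

def audit_security_section(xml_text):
    """Return a list of findings (empty when none of the checks fire)."""
    findings = []
    web = ET.fromstring(xml_text).find("system.web")
    forms = web.find("authentication/forms")
    if forms is not None:
        if forms.get("requireSSL", "false").lower() != "true":
            findings.append("forms: requireSSL not true, ticket cookie may travel over HTTP")
        if forms.get("protection", "All") != "All":
            findings.append("forms: protection not All, ticket is not both encrypted and validated")
        creds = forms.find("credentials")
        if creds is not None:  # passwords living in Web.config is the first problem
            fmt = creds.get("passwordFormat", "SHA1")
            findings.append("credentials: %s passwords stored in Web.config" % (
                "cleartext" if fmt == "Clear" else "unsalted " + fmt))
    ident = web.find("identity")
    if ident is not None and ident.get("impersonate", "").lower() == "true" and ident.get("password"):
        findings.append("identity: impersonation account password stored in Web.config")
    trust = web.find("trust")
    if trust is not None and trust.get("level") == "Full":
        findings.append("trust: level Full removes code-access restrictions")
    return findings
```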

11
Authentication providers
  • Windows (default)
    Pro:
    • Authenticates using Windows accounts, so you do
      not need to write any custom authentication code.
    Con:
    • May require the use and management of individual
      Windows user accounts.
  • Forms
    Pros:
    • Makes it possible for custom authentication
      schemes using arbitrary criteria.
    • Does not require corresponding Windows accounts.
    Cons:
    • Is only applicable for resources mapped to
      Aspnet_isapi.dll.

12
  • Passport
    Pros:
    • Supports single sign-in across multiple domains.
    • Compatible with all browsers.
    Con:
    • Places an external dependency on the
      authentication process.
  • None
    Pros:
    • Offers total control of the authentication
      process, providing the greatest flexibility.
    • Provides the highest performance if you do not
      implement an authentication method.
    Cons:
    • Requires extra work to custom-build an
      authentication scheme.

13
Demonstration
  • Create a .Net web application
  • Create a virtual directory
  • Authentication and access control
  • Domain Restrictions
  • Grant Permissions
  • Event Logs
  • Server Certificates
  • Connections to the webpage
  • Basic Authentication
  • Integrated Authentication

14
References
  • Installing IIS: http://adamv.com/dev/articles/iis-on-xp-home
  • IIS and .Net Security reference:
    http://nsa2.www.conxion.com/win2k/guides/w2k-14.pdf
  • IIS 6.0 Reference:
    http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/dcec9cb2-9270-4ea5-8556-46528fea058d.mspx?mfr=true
  • Complete reference - IIS security features:
    http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS

15
Questions ??????