ASP.Net Security - PowerPoint PPT Presentation

1 / 35

About This Presentation

Title:

ASP.Net Security

Description:

Firewalls and DoS (port security), SSL and HTTPS (protocol security), IIS security, ... Simple Base64 encoded password may not be secure enough ... – PowerPoint PPT presentation

Number of Views:765

Avg rating:3.0/5.0

Slides: 36

Provided by: paulturne

Category:

more less

Transcript and Presenter's Notes

Title: ASP.Net Security

1
ASP.Net Security

Presented by
Paul Turner
pturner_at_eds.com

2
Overview

Web Security
Authentication Modes
Web.config
Authentication
Authorization
Securing Directories
Putting it together
After Authentication
Demo

3
Web application security

Physical security,
Firewalls and DoS (port security),
SSL and HTTPS (protocol security),
IIS security,
ASP.Net security,
SQL Server security,
Windows security,
COM and others

4
Authentication and Authorization

Authentication identifies a user (Who are you?)
Windows,
Forms,
Passport, and
None (Custom).
Authorization controls what they can see and do.

5
Authentication Modes

Windows
Best used in internal applications and intranets,
Can use no prompts,
Must be Windows Domain user,
Can use either
Basic Authentication (clear text passwords)
Simple Base64 encoded password may not be secure
enough
Digest Authentication (encrypted passwords)
Internet Explorer only
Integrated Authentication (Kerberos)
Generally wont work through a firewall or over
the internet
Cannot be persistent.
Can be cookieless.

6
Authentication Modes cont

Forms
Familiar to commercial web sites,
Can present a nice looking login screen,
Can use no prompts (if persistent),
Can be any type of user,
Can be persistent (via cookies),
Can be cookieless.

7
Sidebar Cookieless

By default, the authentication process will
create a client side cookie.
Speeds up page access i.e. does not need to do a
full check for each page.
Some browsers will reject cookies.
So. Make it cookieless
ltsessionState mode"InProc" stateConnectionString
"tcpip127.0.0.142424" cookieless"true"
timeout"20" /gt
Beware of the URLs it creates i.e.
http//localhost/MagMan/(r3q03p454vvgx345tf5k4455)
/General/Default.aspx

8
Authentication Modes cont

Passport
Some commercial web sites but mainly Microsofts
sites,
Strict guidelines for branding and use,
Child protection features,
Licensed, and
Hosted by Microsoft.

9
Authentication Modes cont

None
This is really just Anonymous access
Dont need to do anything
Runs under IUSER_machinename by default (via
impersonation).
Roll your own authentication via ISAPI.

10
Web.config

Controls all security for a site
Only one per site (not really true)
Can have more in sub directories but they are
structured differently.
The important parts
ltauthentication modeMode /gt
ltauthorizationgt
ltallow users ?, , user or group" /gt
ltdeny users "?, , user or group" /gt
ltallow roles role" /gt
ltdeny roles "role" /gt
ltallow verb GET, POST, HEAD users ?, ,
user or group /gt
ltdeny verb GET, POST, HEAD users ?, ,
user or group /gt
lt/authorization gt

11
Web.ConfigWindows Authentication

Just need to specify the mode
ltauthentication modeWindows /gt

12
Web.Config Forms Authentication

Need to specify the mode and login forms
location.
Can include credentials if you are going to
authenticate against the Web.config. There are
many reasons why you may not want to do this
ltauthentication mode"Forms"gt
ltforms loginUrlloginform.aspx other options
can go here /gt
ltcredentials passwordFormatSHA1, MD5 or Cleargt
ltuser nameJoe passwordjoespassword /gt
lt/credentialsgt
lt/authenticationgt

13
Web.Config Passport Authentication

Download the Passport SDK.
Development Licence is free, production licence
is NOT.
Specify the mode
ltauthentication modePassport /gt

14
Web.Config None Authentication

Mainly for anonymous sites.
Lets you handle authentication and authorization
completely via ISAPI.
Just need to specify the mode
ltauthentication modeNone /gt

15
Web.Config Authorization

Anonymous users (? Users)
Authenticated users ( Users)
Role based
Applies to Windows Authentication.
Everything else is custom i.e. via the Web.config
or in code.
Verb based
GET, POST or HEAD (based on HTTP protocol)

16
Web.Config Authorization

Two types of access and two identities.
ltauthorizationgt
ltallow users "?" /gt
ltallow roles "Builtin\Administrators" /gt
ltdeny users "" /gt
ltdeny verb HEAD users ? /gt
lt/authorizationgt
? Anonymous users
Everyone

17
Web.Config Securing Directories and Pages

Add a location element to your Web.config
ltconfigurationgt
ltlocation somepage.aspxgt
ltsystem.webgt
ltauthorizationgt
lt/authorization gt
lt/system.webgt
lt/locationgt
lt/configurationgt

18
Web.Config Securing Directories and Pages cont

Create a Web.config file and put it in the
directory.
Just needs to contain
ltconfigurationgt
ltsystem.webgt
ltauthorizationgt
lt/authorization gt
lt/system.webgt
lt/configurationgt

19
Putting it together

Decide on the Mode (Windows, Forms, Passport,
None)
Decide on who will have access (Authorization and
Web.config file)

20
Windows Mode

Create/edit your Web.config.
Setup your Windows accounts/groups.
Start using it!
ltconfigurationgt
ltsystem.webgt
ltauthentication modeWindows /gt
ltauthorizationgt
lt/authorization gt
lt/system.webgt
lt/configurationgt

21
Forms Mode

Create/edit your Web.config.
Create your login form.
Choose your user credentials repository
Web.config (Why is it not recommended?),
A text/xml file (Why is it not recommended?),
An Database server,
A web service,
Others NDS, Lotus Notes, Websphere

22
Forms Mode cont

ltconfigurationgt
ltsystem.webgt
ltauthentication modeFormsgt
ltforms loginUrllogin.aspxgt
lt/authenticationgt
ltauthorizationgt
lt/authorization gt
lt/system.webgt
lt/configurationgt

23
Creating a login form

Create a new aspx file.
Add username and password text boxes.
Add a Remember Me check box (optional).
Add a button.

24
Behind the button

If you are using ltcredentialsgt
FormsAuthentication.Authenticate(
string username,
string password)
Reads the Web.config credentials then returns
either True or False
Then if the user is authentic, call
FormsAuthentication.RedirectFromLoginPage(
string AuthName,
bool Persistent)

25
Behind the button cont

If you are using your own authentication method
you must decide if the username and password are
OK.
Then if the user is authentic, call
FormsAuthentication.RedirectFromLoginPage(
string AuthName,
bool Persistent)

26
If the user is not authentic..

Response.Redirect(string Url)

27
After authentication

Get the user Identity
Get authorization details
IsInRole (Windows Only),
Personalization, and
Storing stuff in the Session Object.

28
Authenticated Users

System.Web.Security namespace
User property can be either
GenericPrincipal
GenericIdentity
FormsIdentity
PassportIdentity (separate topic).
WindowsPrincipal
WindowsIdentity
WindowsPrincipal contains extra functionality for
Windows based authentication

29
GenericPrincipal

GenericIdentity
AuthenticationType property,
Name property, and
IsAuthenticated property.

30
GenericPrincipal

FromsIdentity
Same as GenericIdentity plus
Ticket property (this is the cookie).

31
GenericPrincipal

PassportIdentity
Same as GenericIdentity plus many other things
Separate topic.

32
WindowsPrincipal

WindowsIdentity
Same as GenericIdentity plus
IsAnonymous property,
IsGuest property,
IsSystem property,
Token property (Users Windows account identifier,
can be used to access ADSI), and
Impersonate method.

33
Common Methods/Properties