Security E-Learning Chapter 08

Security

• Control access to your web site
  – 3 techniques for:
    • Identifying users
    • Giving users access to your site
• Securing data transmitted across the internet
  – Others can’t read it

Authenticating and Authorizing Users

Lesson 1

Authentication and Authorization

• Authentication
  – The process of identifying users
  – “Who are you?”
• Authorization
  – The process of granting access based on identity
  – “I’ve checked your credentials out and you’re OK … Come on in!”
• Choose an authorization strategy based on the type of application you’re creating

Anonymous Users

• Public web sites
  – Anyone can see information
  – Users are not authenticated
• Impersonation
  – Technique for allowing anonymous access to a web site
  – Assigns a user account to an unknown user
• IUSR_<machineName> – Anonymous user account

Anonymous Access Account – See or Change Privileges

• Log in as administrator on the server
• Start | Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users | right-click on IUSR_<machineName> | Properties

IUSR_<machineName> Properties

Member of

• <default> Guest group
  – Limited privileges
• My ‘Member of’
  – Debugger Users group
• ASP.NET – Uses the ASPNET account
  – Anything outside its privileges produces a security exception – access denied
  – The exception appears in the Security Event Log of the Event Viewer

Restricting Anonymous Users

• Set Windows File Permissions

• Must have NTFS File System, FAT won’t work

• See Windows Security Help topics

Access by Authenticated Users

• Authenticated users – allows users to
  • Access private information
  • Perform restricted tasks (placing orders, etc.)
• 3 ways to authenticate
  – Windows Authentication
    • Identifies and authorizes users based on the server’s user list
  – Forms Authentication
    • Directs users to a form that collects name and password
    • Authenticates against a user list or database
  – Passport Authentication
    • Authenticated by a Passport site hosted by Microsoft

System.Web.Security Namespace

• Windows, Forms and Passport security classes are provided in .NET by the System.Web.Security namespace

Visual Basic .NET: Imports System.Web.Security
Visual C#: using System.Web.Security;

Applying authentication methods to web application components

Web app component                                  Authentication modes          Can use?
Web Forms (.aspx), modules (.asax) and other       Windows, Forms, Passport      Yes
resources that pass through the ASP.NET executable
Static pages (.htm or .html)                       Handled by IIS, not ASP.NET   Not directly (x) – must be mapped to the
                                                                                 ASP.NET executable (see Lesson 1)

.NET Web Security Overview

ASP.NET architecture

IIS and ASP.NET Interaction

IIS
• Request comes in (for a Web Form)
• If IIS authentication is enabled, authorization is performed
• Authentication info is added to the request
• Info is passed to the ASP.NET runtime

ASP.NET
• Windows
  • Authentication performed
  • Request processed
• Forms
  • ASP.NET checks for the forms authentication cookie
  • No cookie: user is sent to the login page
  • If login succeeds, the authentication cookie is set
  • User is redirected to the requested resource
• Passport
  • ASP.NET checks for the Passport cookie
  • No cookie: user is sent to the site’s Passport login page
  • Successful login: cookie set
  • User is redirected to the resource

Set/Change Authentication Method Used by IIS

• Open Internet Services Manager
• Select the site, virtual directory or file you want to authenticate
• Right-click, select Properties
• Select the Directory (or File) Security tab
• In the Anonymous Access and Authentication Control section, click the Edit button
• In the Authentication Methods dialog box, uncheck the Anonymous Access check box
• Check the desired authentication method

Set Authentication Method in IIS

Windows Authentication

Lesson 2

Types of Windows Authentication

• Basic
  – User must supply user name and password
  – Supported by Netscape Navigator and IE
  – User credentials are sent unencrypted
  – Should only be used with a secure channel (SSL)
  – SSL should be used on all pages, since credentials are passed on all subsequent requests
• Digest
  – Browser transmits a hash of the user’s credentials
  – Requires IE 5.0 or later
  – Password encryption can be reversed
• Integrated Windows Authentication
  – Kerberos or NTLM
  – Uses an encrypted exchange between the IE browser and the server
  – Used in intranet scenarios
  – Used by the web server only if anonymous access is disabled, or anonymous access has been denied through Windows file system permissions
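The difference between Basic and Digest on the wire, as an added Python example (not code from the chapter): a server-side check of both Authorization header forms, using a constructed user store, a constructed nonce and the RFC 2617 Digest computation without the qop extension. It shows why Basic needs SSL (the password is recovered just by base64-decoding the header) and that even with Digest the server must still hold the password, or its MD5 HA1, to verify the response.

```python
import base64
import hashlib
import hmac

# Constructed sample user store and realm; a real server keeps these elsewhere.
USERS = {"alice": "s3cret"}
REALM = "contoso"

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_basic(header):
    # Basic: the value is only base64, so user and password come back verbatim.
    blob = header.split(" ", 1)[1]
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password

def check_basic(header):
    user, password = parse_basic(header)
    return hmac.compare_digest(USERS.get(user, "").encode(), password.encode())

def parse_digest(header):
    # Digest: a comma-separated list of key="value" pairs after the scheme name.
    fields = {}
    for part in header.split(" ", 1)[1].split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value.strip().strip('"')
    return fields

def digest_response(user, password, method, uri, nonce):
    # RFC 2617 without qop: MD5(HA1:nonce:HA2), HA1 = MD5(user:realm:password), HA2 = MD5(method:uri).
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def check_digest(header, method):
    # Server side: only a hash arrives, but checking it needs the stored password (or HA1).
    f = parse_digest(header)
    password = USERS.get(f.get("username", ""))
    if password is None or f.get("realm") != REALM:
        return False
    expected = digest_response(f["username"], password, method, f.get("uri", ""), f.get("nonce", ""))
    return hmac.compare_digest(expected, f.get("response", ""))

# Constructed headers as a browser would send them; NONCE stands in for the server's challenge.
BASIC_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
DIGEST_HEADER = (f'Digest username="alice", realm="{REALM}", nonce="{NONCE}", uri="/admin/", '
                 f'response="{digest_response("alice", "s3cret", "GET", "/admin/", NONCE)}"')
```

Because the Digest response binds the method and URI, the same header fails verification for a different request, while the Basic header is replayable anywhere it is captured.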

More Windows Authentication Methods

• Certificates
  – Client certificate is passed to the web server
  – IIS maps the certificate to a user account
• Anonymous authentication
  – When you don’t need to authenticate users, or
  – When you use a custom authorization scheme
  – Web server creates an access token
    • Represents all anonymous users with the (guest) account IUSR_MACHINENAME

Integrated Windows Authentication

• Uses integrated Windows NT and XP authentication to authenticate web users
• Advantages
  – Uses the same security scheme as your corporate network
  – Names, passwords and permissions are the same
  – Users on the corporate intranet don’t have to log in to the website – it’s automatic
• Disadvantages
  – Only for Internet Explorer
  – Users on the corporate network using a proxy connection can’t use it
  – Every user must have a password on the web server or on a domain controller trusted by the web server

Configuring Windows Authentication – Web.config file

<!-- AUTHENTICATION
     This section sets the authentication policies of the application.
     Possible modes are "Windows", "Forms", "Passport" and "None".

     "None"     No authentication is performed.
     "Windows"  IIS performs authentication (Basic, Digest, or Integrated Windows)
                according to its settings for the application. Anonymous access
                must be disabled in IIS.
     "Forms"    You provide a custom form (Web page) for users to enter their
                credentials, and then you authenticate them in your application.
                A user credential token is stored in a cookie.
     "Passport" Authentication is performed via a centralized authentication
                service provided by Microsoft that offers a single logon and
                core profile services for member sites.
-->
<authentication mode="Windows" />

Allowing or Denying Access to Certain Users

• Allow/deny list set in the Web.config file:

<authorization>
  <allow users="contoso\DeannaMeyer, contoso\MichaelEmanuel" />  <!-- Allow two users. -->
  <deny users="*" />                                              <!-- Deny anyone else. -->
</authorization>

• “*” – all users
• “?” – unauthenticated (anonymous) users
• Comma-separated names – format: domain\username

Role-based Authorization

• Allows users based on role in organization

• Windows – Computer Management– Administrators– Users– Guests

• See roles/groups in Start | Control Panel | Administrative Tools | Computer Management | Local Users and Groups

Role-Based Authorization – web.config

<authorization>
  <allow roles="contoso\Administrators" />  <!-- Allow Administrators. -->
  <deny users="*" />                        <!-- Deny anyone else. -->
</authorization>

User Object, Identity Property

• User.Identity is available after authentication and authorization
• Returns name and role information:

Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    ' Put user code to initialize the page here
    spnAuthenticated.InnerText = User.Identity.IsAuthenticated.ToString()
    spnUserName.InnerText = User.Identity.Name
    spnAuthenticationType.InnerText = User.Identity.AuthenticationType
End Sub

' Role check against the Windows group (or forms/passport role) the user belongs to
If User.IsInRole("Administrators") Then
    ' Do something
End If

IIS and Web.config Overlap

• Security settings may overlap

• Most restrictive applies

• Setting security in IIS
  • IIS > right-click on Web Site > Properties > Directory Security tab > Anonymous Access and Authentication Control section > Edit
• Best practice: allow IIS to control the password on the anonymous account
• Basic and Digest Authentication – less restrictive

Impersonation

• After authentication and authorization
  – Web app runs under the ASPNET user account (by default) – demo
  – Limited user account
• Impersonation – allows the user to run in the context of his/her own account
• Use web.config to set the identity element to enable impersonation:

<configuration>
  <system.web>
    <!-- Impersonate the authenticated user in code -->
    <identity impersonate="true" />
  </system.web>
</configuration>

-- or --

<!-- Impersonate a special account (the Administrator account) -->
<identity impersonate="true" username="Administrator" password="O#thip32x" />

Folder-level Impersonation

• Impersonates a specific user account
• Can be used with Forms and Passport Authentication

<!-- From root-level Web.config file -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />  <!-- Authenticate (but allow) all users. -->
    </authorization>
    <!-- Turn off impersonation (default). -->
    <identity impersonate="false" />
  </system.web>
</configuration>

<!-- From /Admin folder Web.config file -->
<configuration>
  <system.web>
    <authorization>
      <allow users="contoso\Jane" />  <!-- Allow only Jane. -->
      <deny users="*" />
    </authorization>
    <!-- Impersonate the Administrator account -->
    <identity impersonate="true" username="Administrator" password="O#thip32x" />
  </system.web>
</configuration>
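How ASP.NET combines the <authorization> rules from the user-list, role and folder-level examples above, as an added Python model (not ASP.NET’s own code): rules are read in document order, the innermost folder’s Web.config is consulted before its parents, the first matching <allow> or <deny> wins, and a request that matches nothing falls through to the machine-level allow-all default. The two configs are constructed to mirror the root-level and /Admin fragments plus the roles rule; the verbs attribute is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config fragments modelled on the chapter's root-level and /Admin examples.
ROOT_CONFIG = r"""<configuration><system.web>
  <authentication mode="Windows" />
  <authorization>
    <deny users="?" />   <!-- anonymous users must authenticate -->
  </authorization>
</system.web></configuration>"""

ADMIN_CONFIG = r"""<configuration><system.web>
  <authorization>
    <allow roles="contoso\Administrators" />
    <allow users="contoso\Jane" />
    <deny users="*" />
  </authorization>
</system.web></configuration>"""

def rules(config_xml):
    # Yield (verdict, users, roles) in document order; names compare case-insensitively.
    root = ET.fromstring(config_xml)
    for el in root.iter():
        if el.tag in ("allow", "deny"):
            users = [u.strip().lower() for u in el.get("users", "").split(",") if u.strip()]
            roles = [r.strip().lower() for r in el.get("roles", "").split(",") if r.strip()]
            yield el.tag, users, roles

def rule_matches(rule, name, user_roles):
    # name is None for an anonymous request; "*" is everyone, "?" is anonymous only.
    _, users, roles = rule
    anonymous = name is None
    if "*" in users or (anonymous and "?" in users):
        return True
    if not anonymous and name.lower() in users:
        return True
    return not anonymous and any(r.lower() in roles for r in user_roles)

def is_allowed(configs, name, user_roles=()):
    # configs: innermost folder first. First matching rule decides; no match means allow.
    for config_xml in configs:
        for rule in rules(config_xml):
            if rule_matches(rule, name, user_roles):
                return rule[0] == "allow"
    return True  # machine-level default is <allow users="*" />
```

Swapping the order of the <deny users="*"> and <allow users="contoso\Jane"> rules locks Jane out, which is why a catch-all deny belongs last.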

Forms Authentication

Lesson 3

Reference for ASP.NET Security

http://msdn2.microsoft.com/en-us/library/330a99hc.aspx

Providing Secure Communication

Chapter 8 Lesson 5

“I’d like to send some sensitive data across the web! But I don’t want just anyone to be able to read it!”

IIS provides:
• A standard means for encrypting and decrypting both web requests and responses

Requires:
• A server certificate (encryption key), issued by an independent third party (a Certificate Authority)

Secure Sockets Layer

• Standard means for ensuring data can’t be read by others
• Overview: using SSL
  – Request authorization from a recognized certificate authority
  – Server certificate: install the certificate in IIS (it identifies your server)
  – Server certificates are licensed (for a fee), but you can get one for testing purposes
• The Certificate Authority acts as a clearinghouse
• It confirms your server’s identity over the Internet

Using Secure Communications

Browser → Web Server: requests the server certificate
Web Server → Browser: returns the server certificate
Browser → Certificate Authority (CA):
• Checks against the list of trusted sites
• Is the web address registered with the certificate?
• Is anything wrong with the certificate?
Response from CA:
• CA provides encryption
• Assures users your web site is authentic
• Otherwise: warnings from the browser

IIS on Web Server: “I need a certificate.”
Certificate Authority (CA): “I can help!”

1. Use IIS to generate a certificate request.
2. Request the certificate from the CA.
3. Install the certificate on the server.
4. Install the certificate on the browser (test certificate only).
5. Use Secure Hypertext Transfer Protocol (HTTPS) in your web pages.

Certificate installed!