ASP.NET Security. MacDonald Ch. 18. MIS 424, Professor Sandvig.

Presentation transcript:


Overview
Today:
- Security concepts and terminology
- Authentication and authorization
- Role-based security
- ASP.NET approaches:
  1. Do it yourself
  2. Windows authentication
  3. Forms authentication
  4. .NET membership provider

Security Terminology: Authentication
- Process of identifying the user
- User provides credentials
  - Username / password
  - ID card, key, fingerprint, eye scan...
- Authentication is done once, at login

Security Terminology: Authorization
- Permissions: which resources the user is allowed to access
- Type of access: read, write, modify, delete, change permissions...
- Performed with every request

Example - WWU Library
Authentication: who are you?
- WWU student
- Lost Canadian
Authorization: what are you allowed to do?
- WWU student: check out books, laptops, ILL services...
- Lost Canadian: look at books, use restrooms, stay warm

Security Terminology: Principle of Least Privilege
- Every program and every user of the system should operate using the least set of privileges necessary to complete their job.
- Benefits:
  - Protects data
  - Protects the organization
  - Protects individuals

Role-based Security
- Permissions are assigned based upon role or job function

Role-based Security
- Create roles: Administrator, User, Student, Anonymous user, etc.
- Roles are assigned specific permissions (principle of least privilege)
- People are assigned to roles

Role-Based Security: Benefit
- Simplifies management of permissions
- Example: roles in the WWU Banner system
  - Students
  - Faculty
  - Administrators
  - Many types, each with specific permissions
- Enforced at both the application and the DB level

ASP.NET Security Approaches:
- Do-it-yourself
- Forms authentication
- Windows authentication
- ASP.NET Membership Provider

Do-it-yourself Authentication
- Each .aspx page checks for authorization
- Redirect unauthorized users to the login page
- Single line of code:
    if (Session["authenticated"] == null) Response.Redirect("Login.aspx");

Do-it-yourself Authentication
Advantages:
- Simple
- Flexible: page-by-page
- Database access
Disadvantages:
- Need to include the code in every .aspx page
- Pages need to be executable
  - Excludes .html pages, images, etc.
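The following is an added example, not code from the slides. It takes the slide's one-line session check and moves it into a base Page class, so the "include the code in every .aspx page" disadvantage shrinks to "inherit from the right class"; a page that forgets to inherit is still unprotected, which is the weakness this approach never fully escapes. Classic ASP.NET Web Forms (System.Web) is assumed; the control names (txtUser, txtPassword, lblMessage) and CredentialStore.Verify are hypothetical and not defined here.

```csharp
// Added example, not code from the slides: the slide's check
// if (Session["authenticated"] == null) Response.Redirect("Login.aspx");
// placed in a base class that every protected page inherits.
// Assumes ASP.NET Web Forms. txtUser, txtPassword, lblMessage and
// CredentialStore.Verify are hypothetical (not defined in this block).
using System;
using System.Web;
using System.Web.UI;

namespace Mis424.Examples
{
    // Protected pages declare ": ProtectedPage" instead of ": Page".
    // OnInit runs before any page logic, so nothing leaks before the check.
    public class ProtectedPage : Page
    {
        protected override void OnInit(EventArgs e)
        {
            base.OnInit(e);
            if (Session["authenticated"] == null)
            {
                // Pass the requested URL along so Login.aspx can return the user to it.
                string target = HttpUtility.UrlEncode(Request.RawUrl);
                Response.Redirect("~/Login.aspx?ReturnUrl=" + target); // also ends the response
            }
        }
    }

    // Code-behind for Login.aspx (this page inherits the plain Page class).
    public partial class Login : Page
    {
        protected void btnLogin_Click(object sender, EventArgs e)
        {
            // Hypothetical helper: checks the credentials against the application's database.
            if (!CredentialStore.Verify(txtUser.Text, txtPassword.Text))
            {
                lblMessage.Text = "Invalid username or password."; // same message for both failures
                return;
            }

            // Store who logged in, not just a flag, so pages can authorize per user later.
            Session["authenticated"] = txtUser.Text;

            // Only follow ReturnUrl when it points inside this application;
            // a login link carrying an external ReturnUrl must not bounce the
            // user off-site after a successful login.
            string returnUrl = Request.QueryString["ReturnUrl"];
            Response.Redirect(IsLocalUrl(returnUrl) ? returnUrl : "~/Default.aspx");
        }

        // Local = app-relative ("~/x.aspx") or a single-slash path ("/reports/x.aspx").
        // "//other.example", "/\other.example" and "http://..." are rejected.
        internal static bool IsLocalUrl(string url)
        {
            if (string.IsNullOrEmpty(url)) return false;
            if (url.StartsWith("~/")) return true;
            return url.StartsWith("/") && !url.StartsWith("//") && !url.StartsWith("/\\");
        }
    }

    // Logout: abandon the session so the flag cannot be reused.
    public partial class Logout : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            Session.Abandon();
            Response.Redirect("~/Login.aspx");
        }
    }
}
```

Note that this still protects only pages that execute as .aspx: a direct request for report.html or a PDF in the same folder never reaches OnInit, which is the "pages need to be executable" limitation from the slide.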

Windows Authentication
- Authenticate against Windows user accounts
- Username/password managed by Windows (Active Directory)

Windows Authentication: Authorization
- Specify in web.config
- First-match algorithm
- Set on each directory
- Sample page
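An added configuration example (not a file from the slides) showing the three points above: Windows mode, authorization rules that are evaluated top to bottom with the first match winning, and a stricter rule set for one directory. The directory name and the DOMAIN\... group names are assumptions.

```xml
<!-- Added example, not from the slides. web.config in the application root
     for Windows authentication. Directory and group names are assumptions. -->
<configuration>
  <system.web>
    <!-- The identity comes from the Windows logon; IIS must have Windows
         authentication enabled for the site. -->
    <authentication mode="Windows" />

    <!-- First match wins: rules are checked top to bottom and evaluation
         stops at the first <allow> or <deny> that matches the user.
         "?" means anonymous users, "*" means everyone. -->
    <authorization>
      <allow roles="DOMAIN\MIS424-Students" />
      <!-- Must be last. With <deny users="?"/> here instead, any other
           authenticated domain account would fall through to the
           machine-level default <allow users="*"/> and get in. -->
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Per-directory rules. A subdirectory's rules are evaluated before the
       parent's, so this <deny users="*"/> stops non-admins even though the
       root rules would allow students. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="DOMAIN\MIS424-Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Reversing the order inside a block changes the result: putting `<deny users="*"/>` first locks everyone out, because the deny matches before the allow is ever read.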

Windows Authentication
Benefits:
- Secures every file type
- Uses existing Windows accounts
  - Intranet, not the public web
- Fine-level control of permissions
Limitations:
- Users need permissions on the server

Forms Authentication
- Create a login page
- Authenticate against any data source: database, LDAP, web service, CAS...
- Flow: the login page (.aspx file) accesses the database or other data source; an authentication ticket is issued (encrypted cookie); the user is redirected back to the requested page

Forms Authentication: How to Configure
- Web.config file: authentication mode="Forms", in the root directory of the application
- Create a login page
- Examples: sample pages
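An added example, not code from the slides, of the login page that goes with the configuration above: it verifies the credentials against whatever data source the application uses and then lets the framework issue the encrypted ticket cookie and redirect back to the requested page. It assumes the root web.config contains `<authentication mode="Forms"><forms loginUrl="Login.aspx" requireSSL="true" /></authentication>` and `<authorization><deny users="?" /></authorization>`; the control names and CredentialStore.Verify are hypothetical.

```csharp
// Added example, not code from the slides. Login.aspx code-behind for Forms
// authentication. Assumes web.config in the application root has
//   <authentication mode="Forms">
//     <forms loginUrl="Login.aspx" requireSSL="true" />   (cookie sent only over HTTPS)
//   </authentication>
//   <authorization><deny users="?" /></authorization>     (anonymous users go to loginUrl)
// txtUser, txtPassword, lblMessage, lblWho and CredentialStore.Verify are hypothetical.
using System;
using System.Web.Security;
using System.Web.UI;

namespace Mis424.Examples
{
    public partial class Login : Page
    {
        protected void btnLogin_Click(object sender, EventArgs e)
        {
            string user = txtUser.Text.Trim();

            // Hypothetical helper: checks the password against the chosen data
            // source (database, LDAP, web service, CAS...).
            if (!CredentialStore.Verify(user, txtPassword.Text))
            {
                // One generic message: do not reveal whether the username exists.
                lblMessage.Text = "Invalid username or password.";
                return;
            }

            // Issues the encrypted and signed authentication ticket as a cookie,
            // then redirects to the ReturnUrl query parameter (or defaultUrl).
            // With the default enableCrossAppRedirects="false" the framework
            // ignores ReturnUrl values outside this application.
            // false = session cookie, not persisted across browser restarts.
            FormsAuthentication.RedirectFromLoginPage(user, false);
        }
    }

    // Any page can read who the ticket says the user is; the framework rejects
    // tampered or expired tickets before the page runs.
    public partial class Reports : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            lblWho.Text = User.Identity.IsAuthenticated
                ? "Logged in as " + User.Identity.Name
                : "Anonymous";   // not reached while <deny users="?"/> is in effect
        }
    }

    public partial class Logout : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            FormsAuthentication.SignOut();          // removes the ticket cookie
            FormsAuthentication.RedirectToLoginPage();
        }
    }
}
```

Because the check is done by the framework in web.config rather than in each page, this covers every request the ASP.NET pipeline handles, including static files when IIS routes them through the managed pipeline; the do-it-yourself approach only ever covered executable pages.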

ASP.NET Membership
- Drag & drop controls
- Implements Forms authentication
- No code required
- Automatically creates a SQL Server database
- Can define users and roles
- Quite sophisticated

ASP.NET Membership Provider
- No code: "magical"
- Many configuration options
  - Password recovery
  - Change password control
  - Sends email
- Create groups (programmatically)
- Assign users to groups
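The "programmatically" items above use the Membership and Roles classes in System.Web.Security. The following is an added example, not code from the slides, that creates the roles, creates a user placed in exactly one role, and checks a role in code for a single action. It assumes a Forms-mode web.config with a configured membership provider and `<roleManager enabled="true"/>`; the role names, the page and its button are constructed sample values.

```csharp
// Added example, not code from the slides. Uses the ASP.NET Membership and
// Role Manager APIs (System.Web.Security). Assumes web.config has
// <authentication mode="Forms"/>, a configured membership provider and
// <roleManager enabled="true"/>. Role names and DeleteCourse are sample values.
using System;
using System.Web.Security;

namespace Mis424.Examples
{
    public static class MembershipSetup
    {
        // Creates the application's roles once (e.g. from Application_Start).
        // CreateRole throws if the role already exists, hence the check.
        public static void EnsureRoles()
        {
            foreach (string role in new[] { "Administrator", "Student", "User" })
            {
                if (!Roles.RoleExists(role))
                    Roles.CreateRole(role);
            }
        }

        // Creates a user and puts it in exactly one role: nobody becomes an
        // Administrator unless added explicitly (least privilege).
        public static MembershipCreateStatus CreateUserInRole(
            string userName, string password, string email, string role)
        {
            MembershipCreateStatus status;
            MembershipUser user = Membership.CreateUser(
                userName, password, email,
                null,            // password question (not used)
                null,            // password answer
                true,            // isApproved: can log in immediately
                out status);

            // The provider enforces its own password policy; a weak password
            // comes back as InvalidPassword, a taken name as DuplicateUserName.
            if (status != MembershipCreateStatus.Success)
                return status;

            Roles.AddUserToRole(user.UserName, role);
            return status;
        }
    }

    // Checking a role in code: the same decision web.config makes declaratively
    // with <allow roles="Administrator"/>, applied to one action on a page.
    public partial class DeleteCourse : System.Web.UI.Page
    {
        protected void btnDelete_Click(object sender, EventArgs e)
        {
            if (!User.IsInRole("Administrator"))
            {
                Response.StatusCode = 403;   // deny, do not silently succeed
                Response.End();
            }
            // ... perform the delete for an Administrator
        }
    }
}
```

When the role is also declared in web.config (`<allow roles="Administrator"/>` under `<location path="Admin">`), the declarative rule is the primary control and the in-code check is a second line of defence for actions that live on a shared page.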

Summary
Application security options:
- Do-it-yourself
- Windows authentication
- Forms authentication
- ASP.NET Membership provider
Security:
- Complex topic
- Discuss other aspects later