Dr. Mustafa Cem Kasapbaşı Security in ASP.NET. Determining Security Requirements Restricted File Types.


Security Concepts. Authentication: determining a user's identity and forcing users to prove it. Authorization: determining whether an authenticated user has sufficient permissions to perform a given action. Impersonation: by default, all ASP.NET code runs under a fixed account defined in the machine.config file; impersonation allows a portion of your code to run under a different identity, with a different set of Windows permissions.

The ASP.NET Security Model

Outside the ASP.NET world (a plain HTML request): IIS attempts to authenticate the user. Generally, IIS allows requests from all anonymous users and automatically logs them in under the IUSR_[ServerName] account. IIS security settings are configured on a per-directory basis. If IIS authenticates the user successfully, it attempts to send the user the requested HTML file. The operating system performs its own security checks to verify that the authenticated user (typically IUSR_[ServerName]) is allowed access to the specified file and directory.

In ASP.NET: IIS attempts to authenticate the user. Generally, IIS allows requests from all anonymous users and automatically logs them in under the IUSR_[ServerName] account. If IIS authenticates the user successfully, it passes the request to ASP.NET with additional information about the authenticated user. ASP.NET can then use its own security services, depending on the settings in the web.config file and the page that was requested. If ASP.NET authenticates the user, it allows requests to the .aspx page or .asmx web service. Your code can perform additional custom security checks (for example, manually asking for another password before allowing a specific operation). When the ASP.NET code requests resources (for example, tries to open a file or connect to a database), the operating system performs its own security checks. All ASP.NET code runs under a fixed account that is defined in the machine.config file. However, if you enable impersonation, these system operations will be performed under the account of the authenticated user (or a different account you specify).

Security Strategies. Allow anonymous users, but use ASP.NET's forms authentication model to secure parts of your site. Or forbid anonymous users, and use IIS authentication to force every user to log in using Basic, Digest, or Integrated Windows authentication. This second approach requires that all users have Windows user accounts on the server (although users could share accounts).

Certificates: certificates and SSL (Secure Sockets Layer).

Forms Authentication. A common approach was to insert a little snippet of code at the beginning of every secure page. This code would check for the existence of a custom cookie. ASP.NET uses the same approach in its forms authentication model.

The three steps to set up forms authentication: Set the authentication mode in the web.config file (or use the WAT). Restrict anonymous users from a specific page or directory in your application. Create the login page.

Web.config Settings

Authorization Rules


Controlling Access to Specific Directories. In the

Controlling Access for Specific Users
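An added example, not taken from the slides, of the web.config settings the preceding slides refer to: forms authentication for the whole site, anonymous users denied in one directory, and a second directory limited to named users. The cookie name, login page, timeout, directory names and user names are assumed values.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Step 1: switch ASP.NET to forms authentication. protection="All"
         signs and encrypts the ticket; requireSSL="true" marks the cookie
         Secure, so the site must be served over HTTPS for logins to work. -->
    <authentication mode="Forms">
      <forms name="ExampleAuthCookie" loginUrl="Login.aspx" protection="All"
             timeout="30" slidingExpiration="true" requireSSL="true" />
    </authentication>
    <!-- Site-wide default: anonymous users ("?") may browse public pages. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Step 2a: deny anonymous users for one directory. Rules are evaluated
       top-down and the first match wins, so "deny ?" must come first. -->
  <location path="Secured">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Step 2b: restrict a directory to specific named users (assumed names).
       The closing "deny *" is required, because the inherited site-wide
       rule above would otherwise allow everyone who is not listed. -->
  <location path="Reports">
    <system.web>
      <authorization>
        <allow users="alice,bob" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

These rules are enforced only for requests that IIS hands to ASP.NET; on IIS 6 a static file such as an .html or .jpg in the Secured directory is served by IIS directly unless its extension is mapped to ASP.NET, which is why the deck's title mentions restricted file types.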

The WAT (Website Administration Tool): select Website ➤ ASP.NET Configuration from the Visual Studio menu.

The Login Page. ASP.NET provides a special FormsAuthentication class in the System.Web.Security namespace, which provides static methods that help manage the process.

The secret lies in a FormsAuthentication method that takes two parameters. The first sets the name of the user; the second is a Boolean variable that creates a persistent forms authentication cookie when set to true or an ordinary forms authentication cookie when set to false. A persistent cookie will be stored on the user's hard drive with an expiration date set to 50 years in the future.
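An added example, not from the slides, of the login page from step 3 using the two-parameter FormsAuthentication.RedirectFromLoginPage method just described. The control names (UserName, Password, RememberMe, Message) are assumptions, and Membership.ValidateUser assumes a Membership provider such as the SQL Server one covered at the end of the deck is configured.

```csharp
// Added example (not from the slides): code-behind for the forms
// authentication login page. Control names are assumed; the Membership
// provider is assumed to be configured in web.config.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();

        // The provider compares against its stored (hashed) password;
        // no password is kept in page code.
        if (!Membership.ValidateUser(user, Password.Text))
        {
            // One message for unknown user and wrong password, so the
            // response does not reveal which accounts exist.
            Message.Text = "Invalid user name or password.";
            return;
        }

        // First argument: the name later available as User.Identity.Name.
        // Second argument: true issues a persistent cookie that outlives the
        // browser session, false issues a session cookie. Only persist when
        // the user explicitly asked for it.
        FormsAuthentication.RedirectFromLoginPage(user, RememberMe.Checked);
    }

    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        // Clears the forms authentication cookie and sends the user back
        // to the login page configured in web.config.
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```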

Windows Authentication. If your virtual directory uses the default settings, users will be authenticated under the anonymous IUSR_[ServerName] account. To implement Windows-based security with known users, you need to follow three steps: 1. Set the authentication mode in the web.config file (or use the WAT). 2. Disable anonymous access for a directory by using an authorization rule (or by disabling access in IIS Manager). You can also choose the protocol that will be used to transmit the user name and password information with IIS Manager. 3. Configure the Windows user accounts on your web server (if they aren't already present).

IIS Settings: to disable anonymous access, right-click a virtual directory or a subdirectory inside a virtual directory, choose Properties, and select the Directory Security tab.

Web.config setting

Programmatic role control: System.Security.Principal.WindowsBuiltInRole

A Windows Authentication Test

Impersonation

Programmatic Impersonation. To use programmatic impersonation, you need to use Windows authentication by disabling anonymous access for the virtual directory. You also need to make sure that configuration-level impersonation is disabled for your web application, so that your code can impersonate only where it chooses to.
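An added example, not from the slides, that brings together the programmatic role control slide (WindowsBuiltInRole) and the programmatic impersonation slide: the page checks the caller's Windows role and then performs one file read under the caller's identity. The file path and the Result label are assumptions; the page is assumed to run with Windows authentication, anonymous access disabled and impersonation disabled in web.config.

```csharp
// Added example (not from the slides): Windows role check followed by
// programmatic impersonation for a single operation. File path and
// control name are assumed.
using System;
using System.IO;
using System.Security.Principal;
using System.Web.UI;

public partial class WindowsTest : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // With Windows authentication, User.Identity is a WindowsIdentity.
        WindowsIdentity identity = User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        // Least privilege: only members of the built-in Administrators
        // group reach the sensitive operation; everyone else gets a 403.
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        if (!principal.IsInRole(WindowsBuiltInRole.Administrator))
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        Result.Text = ReadAsCaller(identity, @"C:\Data\report.txt"); // assumed path
    }

    // Runs one operation under the caller's Windows account. The using
    // block reverts to the worker process's fixed account even if the
    // read throws, so no later code runs with borrowed privileges.
    private static string ReadAsCaller(WindowsIdentity identity, string path)
    {
        using (WindowsImpersonationContext ctx = identity.Impersonate())
        {
            // The OS now checks NTFS permissions against the caller, not
            // against the ASP.NET worker account. With NTLM the token is
            // valid only on this server; it cannot be forwarded to a
            // second machine (for example a remote file share).
            return File.ReadAllText(path);
        }
    }
}
```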

Membership: user record management, security controls, role-based security, and the Membership data store.

Membership with SQL Server 2005 Express