Module 11: Securing a Microsoft ASP.NET Web Application.


Overview Web Application Security Overview Working with Windows-Based Authentication Working with Forms-Based Authentication Overview of Microsoft Passport Authentication

Lesson: Web Application Security Overview Authentication vs. Authorization What Are ASP.NET Authentication Methods? Multimedia: ASP.NET Authentication Methods Comparing the ASP.NET Authentication Methods What Are the IIS Authentication Mechanisms?

Authentication vs. Authorization: Authentication
Accepts credentials from a user.
Validates the credentials: authentication is the process of obtaining identification credentials, such as a name and password, from a user and validating those credentials against some authority, such as a database.
If the credentials are valid, the entity that submitted them is considered an authenticated identity.

Authentication vs. Authorization: Authorization
Given the authentication credentials supplied, determines the right to access a resource.
Can be assigned by user name or by role.
After an identity has been authenticated, the authorization process determines whether that identity has access to a specific resource. The authorization process limits access rights by granting or denying specific permissions to an authenticated identity.

What Are ASP.NET Authentication Providers?
Windows-based authentication
Relies on the Windows operating system and IIS.
The user requests a secure Web page and the request goes through IIS.
After the credentials are verified by IIS, the secure Web page is returned.
The user must have a valid Windows account.
Forms-based authentication
Uses a custom ASP.NET page to collect credentials from users.
If users attempt to access a page for which they are not authorized, they are automatically redirected to the login page.
User credentials can be stored in a variety of locations, e.g. Microsoft SQL Server or an Access database.

What Are ASP.NET Authentication Methods?
Microsoft Passport authentication
Centralized authentication service that offers a single logon option.
Microsoft Passport is an XML Web service.
Users can use their MSN Passport to access your application or site.

Multimedia: ASP.NET Authentication Methods

Comparing the ASP.NET Authentication Methods

Method | Advantages | Disadvantages
Windows-based authentication | Uses existing Windows infrastructure; controls access to sensitive information | Not appropriate for most Internet applications
Forms-based authentication | Good for Internet applications; supports all client types | Based on cookies
Microsoft Passport authentication | Single sign-in for many Internet sites; no need to maintain a database to store user information; allows developers to customize the appearance of the registration page | Based on cookies; fees involved

What Are the IIS Authentication Mechanisms?

Mechanism | Security level | Description
Anonymous | None | No authentication occurs
Basic | Low (Medium with SSL) | Client sends username and password as clear text; can be encrypted by using SSL; part of the HTTP specification and supported by most browsers
Digest | Medium | Sends information as an encoded hash; requires Internet Explorer 5 or later; requires Active Directory
Integrated Windows | High | Uses NTLM; generally good for intranets, not the Internet; does not work through most firewalls

Lesson: Working with Windows-Based Authentication: How to Enable Windows-Based Authentication; Reading User Information; Demonstration: Using Windows-Based Authentication

How to Enable Windows-Based Authentication
1. Configure IIS to use one or more of the following authentication mechanisms: Basic, Digest, Integrated Windows security.
2. Set Windows-based authentication in Web.config.

How to Enable Windows-Based Authentication (continued)
3. Set up authorization in Web.config.
4. When users access the Web Form, IIS requests logon information.
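Steps 2 and 3 written out in Web.config, as an added example that is not part of the original slides; it assumes the file sits in the application root.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the slides): application-root Web.config
     for Windows-based authentication with URL authorization. -->
<configuration>
  <system.web>
    <!-- Step 2: IIS (Basic, Digest or Integrated Windows) establishes the
         identity; ASP.NET exposes it to the page as User.Identity. -->
    <authentication mode="Windows" />

    <!-- Step 3: URL authorization. "?" means the anonymous user, "*" means
         everyone. Rules are evaluated top-down and the first match wins,
         so the deny for anonymous callers must come before the allow. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
```

If IIS still has Anonymous access enabled alongside the Windows mechanisms, this deny rule is what makes ASP.NET return 401 so that the browser is challenged for credentials (step 4).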

Reading User Information
After authentication, the Web server can read the user's identity.

Visual Basic:
    lblAuthUser.Text = User.Identity.Name
    lblAuthType.Text = User.Identity.AuthenticationType
    ' IsAuthenticated is a Boolean, so convert it explicitly for the label text
    lblIsAuth.Text = User.Identity.IsAuthenticated.ToString()

C#:
    lblAuthUser.Text = User.Identity.Name;
    lblAuthType.Text = User.Identity.AuthenticationType;
    // IsAuthenticated is a bool; assigning it to a string property does not compile without ToString()
    lblIsAuth.Text = User.Identity.IsAuthenticated.ToString();

Lesson: Working with Forms-Based Authentication: Overview of Forms-Based Authentication; Multimedia: Forms-Based Authentication; How to Enable Forms-Based Authentication; Creating a Logon Page; Demonstration: Using Forms-Based Authentication

Overview of Forms-Based Authentication (diagram)
The client requests a page; the request passes through IIS to ASP.NET Forms Authentication.
If the client is not authenticated, it is sent to the Logon Page, where users enter their credentials (username, password, Submit).
Once authenticated, an Authentication Cookie is issued to the client.
If the authenticated user is authorized, the Requested Secure Page is returned; if not authorized, access is denied.

Multimedia: Forms-Based Authentication

How to Enable Forms-Based Authentication
1. Configure IIS to use Anonymous authentication.
2. Set Forms-based authentication in Web.config:
    <forms name=".namesuffix" loginUrl="login.aspx" />
3. Set up authorization.
4. Build a Logon Web Form.
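The Web.config for steps 2 and 3, as an added example that is not part of the original slides; it assumes IIS is set to Anonymous access and that login.aspx exists in the application root. The attributes beyond name and loginUrl are standard <forms> settings that harden the cookie-based ticket the comparison table flags as the method's weak point.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the slides): application-root Web.config
     for Forms-based authentication. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- name:              cookie name used by this application (from the slide)
           loginUrl:          page that unauthenticated users are redirected to
           protection="All":  ticket is encrypted and integrity-checked (MAC)
           timeout:           ticket lifetime in minutes
           slidingExpiration: "false" makes the lifetime absolute rather than
                              renewed on every request
           requireSSL="true": cookie is only sent over HTTPS, so the ticket is
                              not exposed to anyone watching the network -->
      <forms name=".namesuffix"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             slidingExpiration="false"
             requireSSL="true" />
    </authentication>

    <!-- Step 3: any request without a valid ticket is redirected to loginUrl -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- ASP.NET 2.0 and later: mark cookies HttpOnly so page script cannot read them -->
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>
```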

Lesson: Overview of Microsoft Passport Authentication How Microsoft Passport Works Other Microsoft Passport Resources

How Microsoft Passport Works (participants: Website.msft, Client, Passport.com)
1. The client requests a page from the host.
2. The site redirects the client to Passport.com.
3. The client is redirected and logs on to Passport.com.
4. Passport returns a cookie with the ticket information.
5. The client accesses the host, this time with the ticket information.
6. The host returns a Web Form and possibly a new cookie that it can read and write.

Authorization for a Web Application
File Authorization
Available only if your application uses Microsoft Windows authentication.
Set permissions on files and directories by using Access Control Lists (ACLs).
URL Authorization
Available regardless of which authentication provider is used.
Use a Web.config file in each directory of the application to assign permissions for the contents of that directory.
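URL authorization for one directory, as an added example that is not part of the original slides: a Web.config placed in a hypothetical Admin subdirectory of the application. The role and user names are constructed placeholders; with Windows authentication, roles correspond to Windows groups.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the slides): Web.config in the application's
     Admin subdirectory. Only <authorization> is needed here; the
     <authentication> mode is inherited from the root Web.config. -->
<configuration>
  <system.web>
    <!-- Rules apply to every request under this directory and are checked
         in order, first match wins, so the specific allows precede the
         catch-all deny. Placeholder names: replace with your own group/user. -->
    <authorization>
      <allow roles="EXAMPLEDOMAIN\WebAdmins" />
      <allow users="EXAMPLEDOMAIN\auditor" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

Two checks worth making: with Windows authentication the file ACLs (File Authorization) are still evaluated in addition to these rules, and on IIS 6 and earlier URL authorization only covers requests that IIS hands to ASP.NET, so static files in the directory need ACLs of their own.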

Review Web Application Security Overview Working with Windows-Based Authentication Working with Forms-Based Authentication Overview of Microsoft Passport Authentication

Exercise: Study Membership: how Membership works, and how to configure an ASP.NET application to use Membership.

~ End Slides ~