IIS and .Net security - Vasudha Bhat
What is IIS? Why do we need IIS?
Internet Information Services (IIS) is a Web server whose primary job is to accept connections from remote clients and respond to the HTTP requests arriving through those connections. IIS provides integrated, reliable, scalable, secure, and manageable Web server capabilities over an intranet and the Internet. Organizations of all sizes use IIS to host and manage Web pages on the Internet or on their intranet.

ASP.NET Architecture: Integrating with IIS
As the illustration shows, all Web clients communicate with ASP.NET applications through Microsoft Internet Information Services (IIS). IIS authenticates callers and creates a Windows access token for the caller. Through the IIS configuration manager found under Administrative Tools, IIS permits authentication control to be applied to individual files and directories. A given file or directory can be configured to allow anonymous access (access by unauthenticated users), authenticated access, or both.

IIS and ASP.NET Processing
If anonymous access is enabled within IIS, IIS creates a Windows access token for the anonymous Internet user account (typically IUSR_MACHINE, where MACHINE is the Web server's machine name). IUSR_machinename is a special account that is created when IIS is installed. [Demo 1: Administrative Tools -> Computer Management -> Users]
[Figure 1: IIS and ASP.NET communication]
IIS passes the Windows access token to the ASP.NET worker process. The ASP.NET Windows authentication module uses this token to construct a WindowsPrincipal object, and the ASP.NET File authorization module uses it to perform Windows access checks to ensure the caller is authorized to access the requested file.

IIS and .Net security
IIS is not installed by default on the operating systems in the Windows Server 2003 family; administrators must explicitly select and install it. IIS installs by default in a locked-down state, capable of serving only static content. Using the Web Service Extensions node, Web site administrators can enable or disable IIS functionality (Configuring IIS for Dynamic Content) based on the individual needs of their organization.
IIS security features include the following security-related tasks:
Authentication in IIS 6.0 [Demo 2: Example -> Presentation (Virtual Directory)]
- Anonymous Authentication
- Basic Authentication
- Integrated Windows Authentication
- .NET Passport Authentication
- Digest Authentication

Auditing in IIS 6.0 [Demo 3: Event Log]
Once IIS logging is enabled, you can configure how and when log files are created and saved.
Access Control
Two forms of authorization are supported:
ACL authorization (also known as file authorization): checks the access control list (ACL) of the .aspx or .asmx handler file to determine whether a user should have access to the file.
Example 3: ACL default permissions

| Location | Access type | Account | Comments |
|---|---|---|---|
| %SystemRoot%\System32 | Read | Process | Contains system DLLs loaded by the .NET Framework. |
| Web application directory | Read | Process | This is the location for application files. |
| Web directory\App_Data | Read/write | Process | This is the default location for data files in an ASP.NET Web application. |

URL authorization: with URL authorization, you explicitly allow or deny access to a particular directory by user name or role. To do so, you create an authorization section in the configuration file for that directory. [Example 3]
Certificates [Demo 4: IIS Directory Security]
Each Web site can have only one server certificate assigned to it. One certificate can be assigned to multiple Web sites.

ASP.NET Authentication
ASP.NET implements additional authentication schemes using authentication providers, which are separate from and apply only after the IIS authentication schemes. ASP.NET supports the following authentication providers:
- Windows (default)
- Forms
- Passport
- None
To enable an authentication provider for an ASP.NET application, use the authentication element in either machine.config or Web.config, as follows. [Example 3]

The security section of a Web.config file (inside system.web) is organized as follows. The authentication mode selects one of the providers listed above; the forms element applies only when the mode is Forms.

```xml
<authentication mode="[Windows|Forms|Passport|None]">
  <forms name="[name]" loginUrl="[url]" protection="[All|None|Encryption|Validation]"
         path="[path]" timeout="[minutes]" requireSSL="[true|false]"
         slidingExpiration="[true|false]" />
</authentication>
<authorization>
  <allow users="[comma separated list of users]" roles="[comma separated list of roles]"/>
  <deny users="[comma separated list of users]" roles="[comma separated list of roles]"/>
</authorization>
<identity impersonate="[true|false]" userName="[domain\user_name]" password="[user_password]"/>
<trust level="[Full|High|Medium|Low|Minimal]" originUrl=""/>
```
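The allow/deny rules in the authorization section are evaluated top-down and the first match decides, which makes their ordering a security setting in itself. The following is an added example (not part of the presentation, and not ASP.NET's own code): a simplified Python model of that evaluation, run over two constructed Web.config fragments, one with the common ordering mistake and one with the corrected order. It ignores the verbs attribute and location inheritance.

```python
# Added example, not from the presentation: a simplified model of ASP.NET
# URL authorization. Rules are walked top-down, the FIRST matching <allow>
# or <deny> decides, and a caller matching no rule is allowed by default.
# "*" matches every caller, "?" matches anonymous (unauthenticated) callers.
import xml.etree.ElementTree as ET

# Constructed Web.config fragment with the ordering mistake: <allow users="*"/>
# matches everyone first, so the <deny users="?"/> after it is never reached.
WEAK_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>"""

# Constructed fragment with the corrected ordering: anonymous callers are
# denied first, then only members of the Administrators role are let through.
FIXED_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
      <allow roles="Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>"""

def _names(attr_value):
    return [v.strip().lower() for v in attr_value.split(",") if v.strip()]

def rule_matches(rule, user, is_authenticated, roles):
    """True if one <allow>/<deny> element applies to this caller (case-insensitive)."""
    for u in _names(rule.get("users", "")):
        if u == "*" or (u == "?" and not is_authenticated) or u == user.lower():
            return True
    caller_roles = {r.lower() for r in roles}
    return any(r in caller_roles for r in _names(rule.get("roles", "")))

def is_allowed(config_xml, user, is_authenticated, roles=()):
    """Evaluate the <authorization> rules in document order; first match decides."""
    section = next(ET.fromstring(config_xml).iter("authorization"))
    for rule in section:
        if rule.tag in ("allow", "deny") and rule_matches(rule, user, is_authenticated, roles):
            return rule.tag == "allow"
    return True  # nothing matched: ASP.NET allows by default

if __name__ == "__main__":
    print("weak config admits anonymous callers:", is_allowed(WEAK_CONFIG, "", False))
```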

Authentication providers
Windows (default)
- Pro: Authenticates using Windows accounts, so you do not need to write any custom authentication code.
- Con: May require the use and management of individual Windows user accounts.
Forms
- Pros: Makes it possible to implement custom authentication schemes using arbitrary criteria. Does not require corresponding Windows accounts.
- Cons: Is only applicable for resources mapped to Aspnet_isapi.dll.

Passport
- Pros: Supports single sign-in across multiple domains. Compatible with all browsers.
- Con: Places an external dependency on the authentication process.
None
- Pros: Offers total control of the authentication process, providing the greatest flexibility. Provides the highest performance if you do not implement an authentication method.
- Cons: Requires extra work to custom-build an authentication scheme.

Demonstration:
- Create a .Net web application
- Create a virtual directory
- Authentication and access control
- Domain restrictions
- Grant permissions
- Event logs
- Server certificates
- Connections to the webpage
- Integrated Authentication
- Basic Authentication


Questions?