XML and Web Services ASP.NET and Its Security Lesson 8


1 XML and Web Services ASP.NET and Its Security Lesson 8
Jin X. Liu, Ph.D. Bridge-to-Future Technology, Inc. Redistribution of these notes is not allowed.

2 Attacks
Web applications are subject to two broad types of attack: passive and active.
Passive attacks are limited to monitoring the information exchanged between trusted parties over a network:
- Sniffers read plain-text information
- Man-in-the-middle uses your information to talk to the party on the other end
Active attacks alter or forge the information being exchanged, inject false data, and corrupt existing data. Another type of active attack blocks the service or the network itself:
- Data modification
- IP address spoofing
- Password attack
- Compromised key
- Denial of service (stopping the service from running)
- Web server attack
XML and Web Services Jin X. Liu

3 Golden Rules for Secure Coding
- Don't trust: don't trust the users
- Buffer overruns: check the input string carefully
- SQL injections
- Keep a low profile: don't grant any extra rights to your user
- Cross-site scripting

4 Configuring ASP.NET Applications for Security
First let's see an example of ASP.NET (example).
Downloading security patches and hot-fixes is a good way to keep your system safe.
Choose strong passwords:
- Must be at least 8 characters long
- Contain elements from the following groups: lowercase letters, uppercase letters, non-alphanumeric symbols, and digits
- Expire frequently (at least every 90 days)
Store passwords in a safe place.
Use encryption for your passwords (don't write your own encryption program).

5 The ASP.NET Account
You can configure the ASPNET account through the <processModel> section in machine.config:
<processModel enable="true" userName="machine" password="AutoGenerate" .../>
- The processModel section cannot be overridden in a web.config.
- The changes are not applied until you restart IIS.
- The machine.config file is under your Windows directory, e.g.: C:\WINDOWS\Microsoft.NET\Framework\v \CONFIG
- The ASPNET account is created in the Users group.
- The ASPNET account is given a strong password and the minimum privileges.

6 The Five User Rights Granted to ASPNET
- Access this computer from the network
- Deny logon locally
- Deny logon through Terminal Services
- Log on as a batch job
- Log on as a service

7 Folders That Can Be Accessed
- .NET Framework root folder
- Temporary ASP.NET Files
- Global Assembly Cache (GAC)
- Windows system folder
- Application root folder
- Web site root

8 Who Really Runs ASP.NET Applications?
ASPNET is only the default account used to run ASP.NET pages. The role of the ASPNET account is configured in machine.config as:
<processModel enable="true" userName="machine" password="AutoGenerate" .../>
<identity impersonate="false"/>
If impersonate is true, the ASP.NET application runs under the Windows account authenticated through the Integrated Windows, Digest, or Basic method. Unlike the processModel section, the <identity> section can be set in a local web.config file.

9 Secure Storage of Passwords
You can store the password as a plain-text string in the configuration file. You can also use the ASP.NET Set Registry tool (aspnet_setreg.exe) to encrypt the credentials and store them in the registry. The tool creates registry keys under the HKEY_LOCAL_MACHINE subtree and stores the encrypted user name and password there.
Example: to create a user name and password to store in the <processModel> section, run:
aspnet_setreg.exe -k:"Software\Protected ASP.NET\ProcessModel" -u:userID -p:password
If you look at the registry, you will find the newly created keys.
NOTE: This feature is only available in ASP.NET 1.1 and Service Pack 3.

10 <identity> and <sessionState>
The <identity> and <sessionState> sections are processed by the ASP.NET worker process. These identities may change. Once you have the user name and password in the registry, you reference them in your configuration file, under <identity>:
registry:HKLM\SOFTWARE\Protected ASP.NET\identity\ASPNET_SETREG,userName
registry:HKLM\SOFTWARE\Protected ASP.NET\identity\ASPNET_SETREG,password
NOTE: If access fails with an error, you most likely have an old version of aspnet_isapi.dll.

11 Change The Identity of The ASP.NET Process
Using the <processModel> section is the only way to change the real identity of the ASP.NET process:
<processModel userName="..." password="..."/>
If you do so, you need to grant the five privileges to this new account.

12 Impersonation and Identity
To start with:
- You create a user account
- Add a setting to web.config or machine.config:
<identity impersonate="true" userName="MyAccount" password="s$sssd123"/>
- Impersonation can apply to either an authenticated user or an anonymous user
- Impersonation is optional in ASP.NET
- Impersonation can be configured at the machine, site, or application level
- Impersonation through the anonymous account runs the application using the same ASPNET account but with the anonymous signature
- Impersonation applies only to the code executed within the page, not to the preliminary steps that happen before the request is handed to the HTTP page handler

13 Code Access Security and The CLR
Code access security is a set of services that the CLR provides to control access to managed resources. The CLR provides 4 separate levels of policy that can be used to control access to managed resources:
- Enterprise
- Machine
- User
- AppDomain
By default, ASP.NET applications run from the MyComputer zone with full trust. If you want, you can set the level of trust of ASP.NET applications by changing the <trust> section in web.config.

14 <trust> Section
The <trust> section can be used to configure permissions for a web application and decide whether it runs fully or partially trusted. This is the list of trust levels:
- Full
- High
- Medium
- Low
- Minimal
- None

15 User Authentication and Authorization
When a user issues a web request, the following sequence of authentication and authorization events occurs:
1. IIS authentication
2. ASP.NET authentication
3. ASP.NET authorization

16 IIS Authentication
When a request hits IIS, IIS first ensures that the request comes from a trusted IP address. If the IP address is not trusted, an error is generated and the request is rejected. Then it checks whether the requested resource is available for reading or browsing. If not, an error is generated and the request is rejected. Then IIS tries to authenticate the caller using one of:
- Integrated Windows method
- Digest method
- Basic method

17 ASP.NET Authentication Types
IIS may or may not authenticate the request itself; when it does not, it hands authentication over to ASP.NET. ASP.NET has 4 types of authentication:
- Windows
- Passport
- Forms
- None (rely completely on IIS authentication)
You choose the ASP.NET authentication with the <authentication> section in web.config. By default, the authentication mode is set to Windows. The authentication mode can be set in machine.config or in the application-level web.config. Child subdirectories inherit the authentication mode of the application.

18 ASP.NET Authorization Rules
The goal of authorization is allowing or denying a user access to particular pages of the application. You set authorization rules in the <authorization> section of web.config. The <authorization> rules consist of two distinct blocks:
- The child <allow> tag defines users, roles, and actions that are allowed.
- The child <deny> tag defines users, roles, or actions that are not allowed.

19 ASP.NET and SQL Server
To connect to SQL Server from within ASP.NET, you need to pass a connection string.
- You can pass the user name and password to SQL Server.
- You can pass a request string to SQL Server and let SQL Server call back to Windows for the user name and password. This is called a trusted connection.
Example of a trusted connection:
using System.Data.SqlClient;

string connString = "Server=localhost;...;TRUSTED_CONNECTION=true;";
SqlConnection conn = new SqlConnection(connString);
conn.Open();
// ...
conn.Close();

20 Authentication with SQL
To set up the ASPNET account as a SQL Server login, open SQL Server Enterprise Manager, select the Logins item under the Security node, and select the New Login item from the Action menu. A dialog pops up to let you choose the user account to associate with a particular database. On the Database Access tab, you specify which databases can be accessed using the login. You can check as many databases as needed and set up database roles. At this point, you can connect to SQL Server from within an ASP.NET application using the trusted connection mechanism.

21 Working with Untrusted Connections
The .NET Framework defines a tailor-made, XML-based API to access configuration files. Configuration files are typically created offline or during development.
You can connect to SQL Server by using a string such as:
SERVER=localhost;...;UID=whoever;PWD=$s%a1;
- If SQL Server was installed to use Windows Authentication, the connection simply fails.
- If SQL Server was installed to use Mixed Mode Authentication, the authentication is performed using the User ID and the password contained in the connection string.
NOTE: SQL Server needs more time to handle a trusted connection, because SQL Server calls back to Windows to check the authentication.

22 Windows Authentication
When using Windows Authentication, ASP.NET works in conjunction with IIS. The real authentication is performed by IIS. In Windows authentication mode, ASP.NET does not perform any further steps. Windows Authentication is typical for an intranet, since your web server has all the user information needed for authentication within the company.

23 Authenticating Users through IIS
Basic Authentication
- The browser prompts the user with a dialog box and gets the user name and password
- The information gathered is sent to IIS, and IIS tries to match it with any of the web server's accounts
- Basic authentication works by transmitting the user name and password as clear text, encoded as Base64

24 Authenticating Users through IIS (continued)
Digest Authentication
- Digest authentication differs from Basic authentication mostly in that it does not transmit credentials in clear text. Credentials are hashed using a web-server-provided code.
- As with Basic authentication, a user's request for a page on a site where anonymous access has been disabled bounces back the first time with a status code of 401.
- The user is prompted with a dialog to enter a user name and password.
- The browser creates the message digest (i.e. non-human-readable credentials).
- The message digest is passed back to the web server using the Authorization HTTP header.
- Digest authentication is safer; however, it is an HTTP 1.1 feature, so not all browsers support it.
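As an added example (not part of the slides), the Basic and Digest exchanges of slides 23 and 24 in Python: Basic only Base64-encodes user:password, so anyone who captures the header recovers the password, while Digest sends an MD5 response that the server checks against the nonce it issued without the password crossing the wire. The user name, realm, nonce and URI are constructed sample values, and the qop-less form of the RFC 2617 computation is used.

```python
import base64
import hashlib

# Constructed sample values (not from the slides).
USERNAME = "alice"
PASSWORD = "s3cret"
REALM = "intranet"


def basic_authorization_header(username, password):
    """Header a browser sends for Basic authentication: Base64 of user:password."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return "Basic " + token


def recover_basic_credentials(header):
    """What an eavesdropper on an unencrypted link sees: Base64 is an
    encoding, not encryption, so the password comes straight back."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """Client side of Digest authentication (RFC 2617 without qop):
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:HA2). Only the response travels in the
    Authorization header; the password stays in the browser."""
    ha1 = md5_hex("%s:%s:%s" % (username, realm, password))
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex("%s:%s:%s" % (ha1, nonce, ha2))


def server_verifies_digest(stored_ha1, method, uri, nonce, response):
    """Server side: the web server recomputes the expected response from the
    HA1 it holds for the account and the nonce it issued in the 401 challenge,
    so a response captured for one nonce does not verify against another."""
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex("%s:%s:%s" % (stored_ha1, nonce, ha2)) == response
```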

25 Authenticating Users through IIS (continued)
Integrated Windows Authentication
- When Integrated Windows Authentication is configured, the user does not have to explicitly enter a user name and password
- The browser passes the credentials of the currently logged-on user to the web server
- The user needs to have a valid account on the server to be successfully authenticated
- This technique is not supported outside the family of Internet Explorer browsers
- It is impractical in the presence of firewalls

26 The Windows Authentication Provider
In ASP.NET, the Windows authentication mode is ruled by an HTTP module class named WindowsAuthenticationModule. During the authentication process, the module fires the Authenticate event, which can be caught from within the global.asax file:
void WindowsAuthentication_OnAuthenticate(object sender, WindowsAuthenticationEventArgs e)
{
    // ...
}
The event data is in the WindowsAuthenticationEventArgs instance and contains:
- Context
- Identity
- User

27 How to Verify The Identity of The User
Assume that you configure the web server to work in Integrated Windows authentication mode and you disable anonymous access, and that the ASP.NET application works in Windows Authentication mode. When a user connects to the application, IIS authenticates the user by popping up a dialog box and then hands the security token over to ASP.NET. Let's look at the authentication code section:

28 Sample Code of Authentication
void Page_Load(object sender, EventArgs e)
{
    if (User.Identity.IsAuthenticated)
    {
        // HTML-encode the name before writing it into the page (see the cross-site scripting rule on slide 3)
        Response.Write("Welcome, <b>" + Server.HtmlEncode(User.Identity.Name) + "</b>! <br>");
        Response.Write("(" + User.Identity.AuthenticationType + ")<br>");
    }
    else
    {
        Response.Write("Welcome, anonymous user");
    }
}

29 Using ACLs to Authorize Access
User-specific pages in the web application can be protected from unauthorized access using ACLs (access control lists) on the file. When ASP.NET is about to access a resource, the FileAuthorizationModule HTTP module is called into action. File authorization performs an ACL check on ASP.NET files using the caller's identity. For example, user A will never be able to access an .aspx page whose ACL doesn't include an entry for him. Once you have set and configured an ACL on an ASP.NET resource, nobody will be able to access the resource without permission. BUT, what about non-ASP.NET resources (e.g. local files)?

30 Enabling Impersonation
In ASP.NET, impersonation is disabled by default. Impersonation is the ASP.NET capability of accessing pages and running code on behalf of the impersonated identity. You control the impersonation flag on a per-application basis using the following in the web.config file:
<configuration>
  <system.web>
    <identity impersonate="true"/>
  </system.web>
</configuration>
The <identity> section also lets you indicate a particular identity in terms of user name and password. If the user name and password are not specified, ASP.NET attempts to impersonate the user that IIS has authenticated.

31 What Is The Functionality of Impersonation
The key point: if impersonating, the web application accesses any resource using the caller's identity. Without impersonation, you can control which pages are served to which user, but you cannot control whether a page, for some reason, serves the user content that she is not authorized to view.

32 URL Authorization and User-based Security
URL authorization is controlled by the UrlAuthorizationModule HTTP module. The behavior of the module is driven by the settings stored in the <authorization> section of the web.config file. Example settings:
<configuration>
  <system.web>
    <authorization>
      <allow users="domain\Joe"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
That is, only Joe is allowed to access this web application. The <authorization> section can be set for each folder in the web application. This gives you control of access on a per-folder basis.

33 Passport Authentication
Passport authentication is a Microsoft-centralized authentication service. Passport provides a way to authenticate users across all the sites that participate in the initiative. The user only needs a single login and can then freely move through all the member sites. ASP.NET provides the PassportAuthenticationModule to set up authentication for web applications hosted by member sites. You need to install the Microsoft Passport SDK in order to implement this service. You configure Passport authentication like this:
<configuration>
  <system.web>
    <authentication mode="Passport"/>
  </system.web>
</configuration>

34 Forms Authentication
Both Windows and Passport authentication are platform dependent (i.e. they assume that clients also use Windows platforms). So, around the world, both of them may not be so practical (what if your clients use UNIX platforms?). The solution is to include security code at the top of each non-public web page and redirect users to the login page. If the user enters a valid user name and password, redirect him/her to the original page. Forms authentication is designed on this principle but is much simpler.

35 Forms Authentication Provider
The governing module is FormsAuthenticationModule. You configure it in the web.config file:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx"/>
    </authentication>
  </system.web>
</configuration>
If anonymous access is allowed, the above configuration does not make sense. So, you need to add the following under the <system.web> tag:
<authorization>
  <deny users="*"/>
</authorization>
You have to write the login form and the program that checks the credentials.

36 How to Configure The Forms Authentication
Forms authentication is driven by the contents of the <forms> section inside the <authentication> section:
<forms name="cookie"
       loginUrl="myUrl"
       protection="All|None|Encryption|Validation"
       timeout="30"
       requireSSL="true|false"
       slidingExpiration="true|false"
       path="/">
  <credentials passwordFormat="format"/>
</forms>

37 The <credentials> section
<credentials passwordFormat="mode">
  <user name="A" password="..."/>
  <user name="B" password="AKKAJS"/>
  ...
</credentials>
It is conceptually good but not practical. You will usually need to check the credentials programmatically and keep them in a database.

38 The Login Process
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx"/>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
? = anonymous users
* = all users
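As an added example (not from the slides), a Python evaluator of the <authorization> rules used on slides 18, 32 and 38: rules are matched in document order, the first matching <allow> or <deny> decides, `*` matches every user and `?` only anonymous ones, and a rule may be narrowed by roles and HTTP verbs. The web.config fragment, user names and roles are constructed; the fall-through to allow when no rule matches assumes the root machine.config default <allow users="*"/>.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment (not from the slides): anonymous callers are
# denied, only Joe or a Manager may POST, everyone else may GET.
WEB_CONFIG = """
<configuration>
  <system.web>
    <authorization>
      <deny users="?"/>
      <allow users="domain\\Joe" roles="Managers" verbs="POST"/>
      <deny users="*" verbs="POST"/>
      <allow users="*"/>
    </authorization>
  </system.web>
</configuration>
"""


def csv_attr(element, attr):
    """Split a comma-separated attribute such as users="A, B" into a list."""
    return [s.strip() for s in element.get(attr, "").split(",") if s.strip()]


def parse_rules(config_xml):
    """Return the <allow>/<deny> rules in document order as
    (action, users, roles, verbs) tuples."""
    root = ET.fromstring(config_xml)
    section = root.find("./system.web/authorization")
    rules = []
    for el in section:
        if el.tag in ("allow", "deny"):
            rules.append((el.tag, csv_attr(el, "users"), csv_attr(el, "roles"),
                          [v.upper() for v in csv_attr(el, "verbs")]))
    return rules


def rule_matches(rule, user, roles, verb):
    """user is None for an anonymous caller. Names and roles compare
    case-insensitively, as ASP.NET does."""
    _, rule_users, rule_roles, rule_verbs = rule
    if rule_verbs and verb.upper() not in rule_verbs:
        return False
    for u in rule_users:
        if u == "*":
            return True
        if u == "?" and user is None:
            return True
        if user is not None and u.lower() == user.lower():
            return True
    held = {r.lower() for r in roles}
    return any(r.lower() in held for r in rule_roles)


def is_authorized(rules, user, roles=(), verb="GET"):
    """First matching rule wins. Assumption: if nothing matches, the root
    machine.config default <allow users="*"/> lets the request through."""
    for rule in rules:
        if rule_matches(rule, user, roles, verb):
            return rule[0] == "allow"
    return True
```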

39 URL Authorization Sample Code
if (User.IsInRole("Boss"))
    Response.Write("The user is the boss");
The IsInRole method is defined in the GenericPrincipal class. Other principal classes are:
- WindowsPrincipal
- PassportPrincipal
- FormsPrincipal

40 How to Bind A Role to Authenticated User
Sample code (in global.asax):
void Application_AuthenticateRequest(object sender, EventArgs e)
{
    if (!Request.IsAuthenticated)
        return;
    // GetRole is the application's own lookup (e.g. a database query)
    // returning the user's roles as a comma-separated string
    string roleString = GetRole(User.Identity.Name);
    string[] roles = roleString.Split(',');
    Context.User = new GenericPrincipal(User.Identity, roles);
}

41 Summary
Security is complicated. On the Web, there is no 100% security. Securing a web application means protecting the web server against attacks such as:
- Packet and port sniffing
- Denial of service
- Sensitive data theft
You can rely on IIS to do the authentication. You can also configure your application to do authentication, authorization and impersonation. You can add security at the machine level, web application level, or folder level (form level). The .NET Framework provides easy tools for you to do these jobs.
