Presentation is loading. Please wait.

Presentation is loading. Please wait.

ASP.NET Security 9/9/2002 LA.NET Users Group Presented by David Henson

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "ASP.NET Security 9/9/2002 LA.NET Users Group Presented by David Henson"— Presentation transcript:

1 ASP.NET Security 9/9/2002 LA.NET Users Group Presented by David Henson dhenson@certifiednetworks.com

2 Introductions Dave Henson dhenson@certifiednetworks.com Machine Setup: \\ASSISTANT2 XP Home IE6 Visual Studio.NET Sniffer \\CERTNET4 W2K Server IIS.NET Framework

3 What We Will cover IIS Security ASP.NET Security –Authentication –Authorization

4 Why be worried? Unauthorized Access to Private Data Site Availability Packet Sniffing

5 Areas of security Authentication Authorization Auditing Encryption Data Validation

6 Architecture Authentication is the starting point IIS is the gateway to ASP.NET Fundamental understanding of IIS security is critical

7 Authentication Initiated When A Resource Called By IIS Issues 401 Access Denied IIS Sends Back To Browser: 401 Access Denied WWW-Authenticate ….

8 IIS Authentication Anonymous Integrated Basic ASP.NET Authentication Windows(see above) Forms Passport Digest Client Certificates

9 Result of Authentication User Principal Defined in Access Token Delivered by IIS to the OS or to.NET Used by the OS/Code/Resource provider To authorize access to resources

10 Anonymous Access Considerations Resource access requires a user principal For.NET –ASPNET Windows Account Is Used For IIS: –IUSR_Computername(In proc) Is Used –IWAM_Computername(Out of proc) Is Used

11 Web.Config Authentication Settings <forms name=“[name]” loginURL=“[url]” protection=“[All|None|Encryption|Validation]” path=“[path]” timeout=“[timeout]”>

12 Demonstration – Configuration of IIS &.NET Authentication Options –Using IIS Manager to Configure Basic Integrated –Browser/Server Authentication Communication –Using Auditing To Spy On IIS

13 .NET/IIS Authorization Native Authorization Support: –IIS Supports ACL Authorization –.NET Supports ACL or URL Authorization Users/Roles configured in web.config or globally on machine.config You Can Always Write Your Own

14 Web.Config Authorization Settings

15 Demonstration Using ACL Authorization Using URL Authorization and web.config –Users –Roles Parsing of Web.Config Files

16 Declarative Security Checks Only Sales People Can See This Code! [PrincipalPermission(SecurityAction.Demand, Role=“Sales”)] Public Class MyStuff: System.Web.UI.Page{ //… } You Must Convert Any Security Exception You Throw Into HTTP 401 status code so IIS will authenticate the client!

17 Summary What We Have Learned –Authentication –Authorization –IIS/.NET Interaction One MUST Experiment To Understand ASP.NET/IIS Security

18 References http://msdn.microsoft.com/msdnmag/issues/02/04/ASPSec/Print.asp http://msdn.microsoft.com/msdnmag/issues/02/01/security/Print.asp

Download ppt "ASP.NET Security 9/9/2002 LA.NET Users Group Presented by David Henson"

Similar presentations

ASP.Net Security Chapter 10 Jeff Prosise’s Book. Authentication To ascertain the caller’s identity –Windows authentication –Forms authentication –Passport.

ASP.Net Security Chapter 10 Jeff Prosise’s Book. Authentication To ascertain the caller’s identity –Windows authentication –Forms authentication –Passport.
PKI 2: Protezione del traffico Web tramite SSL Fabrizio Grossi.

PKI 2: Protezione del traffico Web tramite SSL Fabrizio Grossi.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
ASP.NET Reuven Abliyev Elyahu Sivaks Ariel Daliot.

ASP.NET Reuven Abliyev Elyahu Sivaks Ariel Daliot.
Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.

Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Chapter 13 – Site Security. Internet Information Server ASP.NET Applications.NET Framework Windows NT/2000 Operating System Forms Passport Windows Certificates.

Chapter 13 – Site Security. Internet Information Server ASP.NET Applications.NET Framework Windows NT/2000 Operating System Forms Passport Windows Certificates.
Internet Information Server (IIS)

Internet Information Server (IIS)
Building Applications using ASP.NET and C# / Session 14 / 1 of 18 Session 14.

Building Applications using ASP.NET and C# / Session 14 / 1 of 18 Session 14.
Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.

Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Web-Enabling the Warehouse Chapter 16. Benefits of Web-Enabling a Data Warehouse Better-informed decision making Lower costs of deployment and management.

Web-Enabling the Warehouse Chapter 16. Benefits of Web-Enabling a Data Warehouse Better-informed decision making Lower costs of deployment and management.
Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.

Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.
Delivering Excellence in Software Engineering ® 2006. EPAM Systems. All rights reserved. ASP.NET Authentication.

Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.
1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.

1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Understanding Integrated Authentication in IIS Chris Adams IIS Supportability Lead Microsoft Corp.

Understanding Integrated Authentication in IIS Chris Adams IIS Supportability Lead Microsoft Corp.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
Authentication and Authorization CS795/895. How.Net Security Works Users who log in to the application are granted a principal and an identity, based.

Authentication and Authorization CS795/895. How.Net Security Works Users who log in to the application are granted a principal and an identity, based.

Similar presentations

Ads by Google