Published by Peter Walker, modified over 9 years ago
Dr. Mustafa Cem Kasapbaşı Security in ASP.NET
Determining Security Requirements
Restricted File Types
Security Concepts
Authentication: determining a user's identity and forcing users to prove it (for example, with a user name and password).
Authorization: deciding whether an authenticated user has sufficient permissions to perform a given action.
Impersonation: by default, all ASP.NET code runs under a fixed account defined in the machine.config file. Impersonation allows a portion of your code to run under a different identity, with that identity's set of Windows permissions.
The ASP.NET Security Model
Outside ASP.NET (a static HTML request handled by IIS alone):
1. IIS attempts to authenticate the user. Generally, IIS allows requests from all anonymous users and automatically logs them in under the IUSR_[ServerName] account. IIS security settings are configured on a per-directory basis.
2. If IIS authenticates the user successfully, it attempts to send the user the appropriate HTML file.
3. The operating system performs its own security checks to verify that the authenticated user (typically IUSR_[ServerName]) is allowed access to the specified file and directory.
In ASP.NET:
1. IIS attempts to authenticate the user. Generally, IIS allows requests from all anonymous users and automatically logs them in under the IUSR_[ServerName] account.
2. If IIS authenticates the user successfully, it passes the request to ASP.NET together with additional information about the authenticated user.
3. ASP.NET can then apply its own security services, depending on the settings in the web.config file and the page that was requested.
4. If ASP.NET authenticates the user, it allows the request to reach the .aspx page or .asmx web service. Your code can perform additional custom security checks (for example, manually asking for another password before allowing a specific operation).
5. When the ASP.NET code requests resources (for example, tries to open a file or connect to a database), the operating system performs its own security checks. All ASP.NET code runs under a fixed account that is defined in the machine.config file. However, if you enable impersonation, these system operations are performed under the account of the authenticated user (or a different account you specify).
Security Strategies
- Allow anonymous users, but use ASP.NET's forms authentication model to secure parts of your site.
- Forbid anonymous users, and use IIS authentication to force every user to log in using Basic, Digest, or Integrated Windows authentication. This approach requires every user to have a Windows user account on the server (although users could share accounts, at the cost of losing per-user accountability).
Certificates: certificates and SSL (Secure Sockets Layer)
Forms Authentication
Before ASP.NET, a common approach was to insert a small snippet of code at the beginning of every secure page that checked for the existence of a custom cookie. ASP.NET uses the same approach in its forms authentication model, but implements it once in the framework rather than in every page: the cookie carries an authentication ticket that is, by default, encrypted and signed (protection="All"), so a client cannot pass the check simply by creating a cookie with the right name.
The three steps:
1. Set the authentication mode in the web.config file (or use the WAT).
2. Restrict anonymous users from a specific page or directory in your application.
3. Create the login page.
Web.config Settings
Authorization Rules
Controlling Access to Specific Directories
In the
Controlling Access for Specific Users
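The following web.config is an added example (not from the original slides) that carries out the three forms authentication steps and the directory- and user-level authorization rules discussed above in one file. It assumes a Login.aspx at the site root, a Secured/ directory that any logged-in user may see, and a Reports/ directory limited to named users; the user names are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example web.config (not from the original slides). Assumes Login.aspx at the
     root plus Secured/ and Reports/ directories; "alice" and "bob" are placeholders. -->
<configuration>
  <system.web>
    <!-- Step 1: switch from the default Windows mode to forms authentication.
         requireSSL="true" marks the ticket cookie Secure so it is only sent over HTTPS.
         slidingExpiration="false" gives the ticket a hard 20-minute lifetime.
         protection="All" keeps the ticket encrypted and signed (the default). -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             name=".ASPXAUTH"
             timeout="20"
             slidingExpiration="false"
             requireSSL="true"
             protection="All" />
    </authentication>

    <!-- Site-wide rule: anonymous users remain allowed, so public pages still work.
         Rules are evaluated top to bottom and the first match wins. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Step 2a: restrict a whole directory. "?" means anonymous users; they are
       redirected to loginUrl with a ReturnUrl pointing back at the page. -->
  <location path="Secured">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Step 2b: restrict a directory to specific users. The trailing deny for "*"
       (everyone) is required: without it, the root <allow users="*"/> would apply
       to every user who is not alice or bob. -->
  <location path="Reports">
    <system.web>
      <authorization>
        <allow users="alice,bob" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A `<location>` element can also name a single page (`path="Admin.aspx"`). The most common mistake with these rules is ordering: an `<allow users="*"/>` placed above a `<deny>` matches first and silently makes the deny unreachable.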
The WAT (Website Administration Tool): in Visual Studio, select Website ➤ ASP.NET Configuration from the menu. It writes the same <authentication> and <authorization> elements to web.config that you could add by hand.
The Login Page
ASP.NET provides a special FormsAuthentication class in the System.Web.Security namespace, which provides static methods that help manage the login process. After the page has verified the user's credentials, it calls FormsAuthentication.RedirectFromLoginPage(), which takes two arguments. The first sets the name of the user that is stored in the authentication ticket. The second is a Boolean value that creates a persistent forms authentication cookie when set to true, or an ordinary (session) forms authentication cookie when set to false. A persistent cookie is stored on the user's hard drive; in ASP.NET 1.x its expiration date was set to 50 years in the future, while from ASP.NET 2.0 it expires after the timeout configured in the <forms> element. Either way, a persistent cookie lets anyone with access to that machine resume the session, so offer it only where that risk is acceptable.
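The login page described above, written out as an added example (not code from the original slides). It assumes a Login.aspx whose controls are named UserName, Password, RememberMe and Message and whose Inherits attribute points at this class; the user store is a constructed in-memory dictionary standing in for a database lookup.

```csharp
// Added example (not from the original slides): code-behind for Login.aspx.
// Assumes Login.aspx declares TextBox controls "UserName" and "Password",
// a CheckBox "RememberMe" and a Label "Message". The user store below is a
// constructed in-memory dictionary that stands in for a database lookup.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LoginPage : Page
{
    protected TextBox UserName;
    protected TextBox Password;
    protected CheckBox RememberMe;
    protected Label Message;

    // Constructed sample users: user name -> SHA-256 of the password, hex encoded.
    // "alice"/"correct horse" and "bob"/"hunter2" are placeholders.
    private static readonly Dictionary<string, string> Users =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", Sha256Hex("correct horse") },
            { "bob",   Sha256Hex("hunter2") }
        };

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!ValidateUser(UserName.Text, Password.Text))
        {
            // One message for unknown user and wrong password, so the form does
            // not confirm which user names exist.
            Message.Text = "Invalid user name or password.";
            return;
        }

        // Issues the forms authentication ticket and redirects to the page the user
        // originally requested (the ReturnUrl query-string value) or to the default
        // page. First argument: user name stored in the ticket. Second argument:
        // true = persistent cookie that survives closing the browser,
        // false = session cookie discarded when the browser exits.
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, RememberMe.Checked);
    }

    // True only when the user exists and the password hash matches.
    private static bool ValidateUser(string userName, string password)
    {
        string expected;
        if (!Users.TryGetValue(userName, out expected))
            return false;
        return FixedTimeEquals(Sha256Hex(password), expected);
    }

    private static string Sha256Hex(string value)
    {
        using (SHA256 sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(Encoding.UTF8.GetBytes(value));
            StringBuilder sb = new StringBuilder(hash.Length * 2);
            foreach (byte b in hash) sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // Compares every character regardless of where the first mismatch is, so the
    // time taken does not reveal how many leading characters matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The unsalted SHA-256 table is only a stand-in so the example runs without a database; a real store should keep a per-user salt and a slow hash such as PBKDF2 (Rfc2898DeriveBytes) or rely on the Membership provider's own hashing. RedirectFromLoginPage honours ReturnUrl only within the application when enableCrossAppRedirects is left at its default of false, which blocks the open-redirect pattern of a login link pointing at a foreign site.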
Windows Authentication
If your virtual directory uses the default settings, users are authenticated under the anonymous IUSR_[ServerName] account. To implement Windows-based security with known users, follow three steps:
1. Set the authentication mode to Windows in the web.config file (or use the WAT).
2. Disable anonymous access for a directory by using an authorization rule (or by disabling anonymous access in IIS Manager). In IIS Manager you can also choose the protocol (Basic, Digest, or Integrated Windows authentication) used to transmit the user name and password.
3. Configure the Windows user accounts on your web server (if they aren't already present).
IIS Settings
To disable anonymous access, open IIS Manager, right-click a virtual directory (or a subdirectory inside a virtual directory), choose Properties, and select the Directory Security tab. If you enable Basic authentication there, remember that it sends the user name and password Base64-encoded, not encrypted, so it must only be used over SSL.
Web.config Setting
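An added example web.config (not from the original slides) for the Windows authentication steps above. It assumes anonymous access has already been disabled in IIS Manager and that an Admin/ directory should be limited to a Windows group; the group name is a placeholder.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the original slides). Assumes anonymous access is already
     disabled in IIS Manager for the virtual directory; the group name is a placeholder. -->
<configuration>
  <system.web>
    <!-- Step 1: hand authentication to IIS/Windows. User.Identity is then a
         WindowsIdentity carrying the caller's Windows token. -->
    <authentication mode="Windows" />

    <!-- Step 2: refuse anonymous requests at the ASP.NET level too, so the site
         stays closed even if the IIS setting is later changed back. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Keep configured impersonation off: page code runs under the fixed worker
         account, and only code that calls WindowsIdentity.Impersonate() itself
         uses the caller's token. -->
    <identity impersonate="false" />
  </system.web>

  <!-- Restrict an admin area to a Windows group. Role names take the form
       DOMAIN\Group or BUILTIN\Group. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With mode="Windows" the `users` attribute of an authorization rule matches Windows account names (for example `DOMAIN\alice`), and `roles` matches Windows groups; no login page is involved because the browser and IIS negotiate the credentials before ASP.NET sees the request.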
Programmatic role control: check group membership in code with WindowsPrincipal.IsInRole(), using the System.Security.Principal.WindowsBuiltInRole enumeration for the well-known local groups or a DOMAIN\Group string for any other group.
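The role check in code, as an added example that is not from the original slides. It assumes web.config uses Windows authentication with anonymous access disabled, so the request's principal is a WindowsPrincipal; the ReportPage class and the CORP\ReportViewers group are hypothetical.

```csharp
// Added example (not from the original slides): checking Windows roles in page code.
// Assumes <authentication mode="Windows"/> and anonymous access disabled, so the
// request's User is a WindowsPrincipal. "CORP\ReportViewers" is a placeholder group.
using System;
using System.Security.Principal;
using System.Web;

public static class WindowsRoleCheck
{
    // True when the request's Windows user is a member of the built-in
    // Administrators group on the web server.
    public static bool IsServerAdministrator(IPrincipal user)
    {
        // Under forms authentication the principal is a GenericPrincipal, and
        // WindowsBuiltInRole membership cannot be evaluated for it: fail closed.
        WindowsPrincipal wp = user as WindowsPrincipal;
        if (wp == null) return false;
        return wp.IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Membership in a domain or local group by name (DOMAIN\Group or MACHINE\Group).
    public static bool IsInGroup(IPrincipal user, string groupName)
    {
        WindowsPrincipal wp = user as WindowsPrincipal;
        return wp != null && wp.IsInRole(groupName);
    }
}

// Usage from a page (hypothetical ReportPage, not from the slides).
public partial class ReportPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!WindowsRoleCheck.IsServerAdministrator(User) &&
            !WindowsRoleCheck.IsInGroup(User, @"CORP\ReportViewers"))
        {
            // 403 rather than a redirect to a login page: the caller is
            // authenticated, just not authorized for this page.
            Response.StatusCode = 403;
            Response.SuppressContent = true;
            HttpContext.Current.ApplicationInstance.CompleteRequest();
            return;
        }
        // ... render the report for an authorized user ...
    }
}
```

Group membership is read from the token IIS built at logon, so a user added to a group keeps their old membership until they log on again; plan for that delay when revoking access through groups.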
A Windows Authentication Test
Impersonation
Programmatic Impersonation
To use programmatic impersonation, you need Windows authentication with anonymous access disabled for the virtual directory, so that the request carries a real Windows identity rather than the anonymous account. You also need to make sure configured impersonation is disabled for your web application (identity impersonate="false" in web.config), so that only the code you explicitly wrap runs under the caller's identity and the rest of the page keeps running under the fixed worker account.
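Programmatic impersonation scoped to a single file read, as an added example that is not from the original slides. It assumes the Windows authentication configuration described above (mode="Windows", anonymous access off, identity impersonate="false"); the DocumentPage class and the file path are hypothetical.

```csharp
// Added example (not from the original slides): impersonating the authenticated
// Windows user for one file read. Assumes <authentication mode="Windows"/>,
// anonymous access disabled in IIS, and <identity impersonate="false"/> so the
// rest of the page still runs under the worker-process account.
// The file path is a placeholder.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public static class ScopedImpersonation
{
    // Reads a file using the caller's Windows token instead of the worker account.
    // The operating system's NTFS check, not ASP.NET, decides whether the read is
    // permitted, so the caller cannot read more than their own account allows.
    public static string ReadAsCaller(IPrincipal user, string path)
    {
        WindowsIdentity identity = user.Identity as WindowsIdentity;
        if (identity == null || identity.IsAnonymous)
            throw new InvalidOperationException(
                "Programmatic impersonation needs an authenticated Windows identity.");

        // Impersonate() switches the current thread's token. Disposing the context
        // calls Undo() even if the read throws, so no later code on this thread
        // runs under the caller's token by accident.
        using (WindowsImpersonationContext ctx = identity.Impersonate())
        {
            return File.ReadAllText(path);
        }
    }
}

// Usage from a page (hypothetical DocumentPage, not from the slides).
public partial class DocumentPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            string text = ScopedImpersonation.ReadAsCaller(User, @"D:\Reports\summary.txt");
            Response.ContentType = "text/plain";
            Response.Write(text);
        }
        catch (UnauthorizedAccessException)
        {
            // The caller's own NTFS permissions denied the read.
            Response.StatusCode = 403;
        }
    }
}
```

Two caveats a practitioner will hit: the impersonated token is per thread, so anything pushed to another thread runs as the worker account again; and with NTLM the token is a network logon that cannot be forwarded to another machine, so the same code against a UNC path on a file server fails unless Kerberos delegation is configured (the "double hop" problem).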
Membership
- User record management
- Security controls
- Role-based security
- The Membership Data Store
Membership with SQL Server 2005 Express