Dr. Mustafa Cem Kasapbaşı Security in ASP.NET


Page 1: Dr. Mustafa Cem Kasapbaşı Security in ASP.NET. Determining Security Requirements Restricted File Types

Dr. Mustafa Cem Kasapbaşı

Security in ASP.NET

Page 2:

Determining Security Requirements
Restricted File Types

Page 3:

Security Concepts
Authentication: determining a user's identity and forcing users to prove it (for example, with a password).
Authorization: determining whether the authenticated user has sufficient permissions to perform a given action.
Impersonation: by default, all ASP.NET code runs under a fixed account defined in the machine.config file. Impersonation allows a portion of your code to run under a different identity, with a different set of Windows permissions.

Page 4:

The ASP.NET Security Model

Page 5:

Outside the ASP.NET world (a request for a plain HTML file):
IIS attempts to authenticate the user. Generally, IIS allows requests from all anonymous users and automatically logs them in under the IUSR_[ServerName] account. IIS security settings are configured on a per-directory basis.

If IIS authenticates the user successfully, it attempts to send the user the appropriate HTML file. The operating system performs its own security checks (the NTFS permissions on the file and directory) to verify that the authenticated user (typically IUSR_[ServerName]) is allowed access to the specified file and directory.

Page 6:

In ASP.NET:
IIS attempts to authenticate the user. Generally, IIS allows requests from all anonymous users and automatically logs them in under the IUSR_[ServerName] account.

If IIS authenticates the user successfully, it passes the request to ASP.NET with additional information about the authenticated user. ASP.NET can then use its own security services, depending on the settings in the web.config file and the page that was requested.

If ASP.NET authenticates the user, it allows requests to the .aspx page or .asmx web service. Your code can perform additional custom security checks (for example, manually asking for another password before allowing a specific operation).

When the ASP.NET code requests resources (for example, tries to open a file or connect to a database), the operating system performs its own security checks. By default, all ASP.NET code runs under a fixed account that is defined in the machine.config file (on IIS 6 and later, the identity of the application pool). However, if you enable impersonation, these system operations will be performed under the account of the authenticated user (or a different account you specify).

Page 7:

Page 8:

Page 9:

Security Strategies
Allow anonymous users, but use ASP.NET's forms authentication model to secure parts of your site.
Forbid anonymous users, and use IIS authentication to force every user to log in using Basic, Digest, or Integrated Windows authentication. This system requires that all users have Windows user accounts on the server (although users could share accounts). Basic authentication sends the password in a trivially decodable form, so it should only be used over SSL.

Page 10:

Certificates
Certificates and SSL (Secure Sockets Layer)

Page 11:

Forms Authentication
Before ASP.NET, a common approach was to insert a little snippet of code at the beginning of every secure page. This code would check for the existence of a custom cookie and send users without one to a login page.

ASP.NET uses the same approach in its forms authentication model, but the framework performs the cookie check on every request, and the cookie carries an authentication ticket that is encrypted and signed with the machineKey, so the client cannot forge or tamper with it.

Page 12:

Page 13:

The three steps:
1. Set the authentication mode in the web.config file (or use the WAT).
2. Restrict anonymous users from a specific page or directory in your application.
3. Create the login page.

Page 14:

Web.config Settings

Page 15:

Authorization Rules

Page 16:

Page 17:

Controlling Access to Specific Directories
Add a <location> element inside the <configuration> element of web.config, with a path attribute naming the directory, and place the <authorization> rules for that directory inside it.

Page 18:

Controlling Access for Specific Users
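The web.config settings, authorization rules, per-directory <location> rules and per-user rules from the preceding slides, combined into one complete file. This is an added example and not a slide from the deck; the directory name Secured, the page Admin.aspx, the cookie name .ExampleAuth and the user names alice and bob are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Step 1: switch ASP.NET from Windows (the default) to forms authentication.
         Login page, cookie name and timeout are assumptions for this example.
         requireSSL="true" makes the browser send the ticket cookie only over HTTPS,
         so the site needs a certificate (see the Certificates slide). -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             name=".ExampleAuth"
             timeout="20"
             slidingExpiration="true"
             protection="All"
             requireSSL="true" />
    </authentication>

    <!-- Step 2, whole application: "?" means anonymous users, "*" means all users.
         Rules are evaluated top to bottom and the first match wins; if nothing matches,
         the root web.config's built-in allow users="*" applies. Here the site root stays
         open and the restrictions are attached to specific paths below. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Controlling access to a specific directory: anonymous users are denied for
       everything under /Secured, so ASP.NET redirects them to Login.aspx. -->
  <location path="Secured">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Controlling access for specific users: Admin.aspx is limited to two named accounts.
       The closing deny is essential; without it every other authenticated user would still
       fall through to the inherited allow users="*". -->
  <location path="Admin.aspx">
    <system.web>
      <authorization>
        <allow users="alice,bob" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The user names in <allow users="..."/> are compared against User.Identity.Name, which for forms authentication is whatever string the login page passes when it issues the ticket; a <allow roles="..."/> rule works the same way against User.IsInRole().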

Page 19:

The WAT (website administration tool)
Select Website ➤ ASP.NET Configuration from the Visual Studio menu.

Page 20:

The Login Page
ASP.NET provides a special FormsAuthentication class in the System.Web.Security namespace, which provides static methods that help manage the process.

Page 21:

Page 22:

Page 23:

The secret: FormsAuthentication.RedirectFromLoginPage(), the method that issues the cookie, takes two parameters.

The first sets the name of the user.

Page 24:

The second is a Boolean variable that creates a persistent forms authentication cookie when set to true or an ordinary (session) forms authentication cookie when set to false. A persistent cookie will be stored on the user's hard drive with an expiration date set to 50 years in the future (this is the ASP.NET 1.x behaviour; from ASP.NET 2.0 onward a persistent cookie instead expires after the timeout set in the <forms> element). Because a persistent ticket keeps working after the browser is closed, until it expires, it should not be issued on shared computers.
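A login page code-behind that ties the three steps together: it verifies the submitted credentials and then calls RedirectFromLoginPage() with the two parameters described above. This is an added example, not code from the slides; the control names (txtUser, txtPassword, chkPersist, lblStatus), the in-memory user store and the PBKDF2 hashing scheme are assumptions made so that the page runs without a database.

```csharp
// Login.aspx.cs: code-behind for the forms authentication login page.
// Added example; the control names, user store and hashing scheme are assumptions.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    private const int Iterations = 10000;

    // Constructed sample store: user name -> (salt, PBKDF2 hash). A real application would
    // keep these in a database, or simply call Membership.ValidateUser() instead.
    private static readonly Dictionary<string, KeyValuePair<byte[], byte[]>> Users = BuildSampleStore();

    private static Dictionary<string, KeyValuePair<byte[], byte[]>> BuildSampleStore()
    {
        var store = new Dictionary<string, KeyValuePair<byte[], byte[]>>(StringComparer.OrdinalIgnoreCase);
        AddUser(store, "alice", "correct horse battery staple");   // constructed test account
        return store;
    }

    private static void AddUser(Dictionary<string, KeyValuePair<byte[], byte[]>> store, string name, string password)
    {
        byte[] salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        store[name] = new KeyValuePair<byte[], byte[]>(salt, Hash(password, salt));
    }

    // PBKDF2 (RFC 2898) with a per-user salt; the hash is what gets stored, never the password.
    private static byte[] Hash(string password, byte[] salt)
    {
        var kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        return kdf.GetBytes(32);
    }

    // Constant-time comparison so that response timing does not reveal how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static bool CheckCredentials(string userName, string password)
    {
        KeyValuePair<byte[], byte[]> entry;
        if (!Users.TryGetValue(userName, out entry)) return false;
        return FixedTimeEquals(Hash(password, entry.Key), entry.Value);
    }

    protected void cmdLogin_Click(object sender, EventArgs e)
    {
        if (CheckCredentials(txtUser.Text, txtPassword.Text))
        {
            // First parameter: the name that later shows up as User.Identity.Name and that
            // <allow users="..."/> rules are matched against.
            // Second parameter: true issues a persistent cookie, false a session cookie.
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, chkPersist.Checked);
        }
        else
        {
            // One generic message for both unknown user and wrong password, so the page does
            // not reveal which user names exist.
            lblStatus.Text = "Invalid user name or password.";
        }
    }
}
```

RedirectFromLoginPage() sends the browser back to the page named in the ReturnUrl query parameter (or to the default page when there is none). With the default enableCrossAppRedirects="false" on the <forms> element, ASP.NET refuses a ReturnUrl that points outside the application, which closes the open-redirect hole a hand-rolled login page would otherwise have.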

Page 25:

Windows Authentication
If your virtual directory uses the default settings, users will be authenticated under the anonymous IUSR_[ServerName] account.

To implement Windows-based security with known users, you need to follow three steps:
1. Set the authentication mode in the web.config file (or use the WAT).
2. Disable anonymous access for a directory by using an authorization rule (or by disabling access in IIS Manager). You can also choose the protocol that will be used to transmit the user name and password information with IIS Manager.
3. Configure the Windows user accounts on your web server (if they aren't already present).

Page 26:

IIS Settings: disable anonymous access
In IIS Manager, right-click a virtual directory or a subdirectory inside a virtual directory, and choose Properties. Select the Directory Security tab and, under authentication and access control, clear the Enable anonymous access check box.

Page 27:

Web.config setting

Page 28:

Programmatic role control
System.Security.Principal.WindowsBuiltInRole

Page 29:

A Windows Authentication Test
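A test page for the Windows authentication set-up above that also shows the programmatic role control from the previous slide. This is an added example and not the slides' own test page; the control names (lblInfo, cmdDelete) and the group name MYDOMAIN\Accounting are assumptions, and the page expects <authentication mode="Windows" /> plus <deny users="?" /> in web.config with anonymous access disabled in IIS.

```csharp
// WindowsAuthTest.aspx.cs: shows who IIS authenticated and checks Windows group membership.
// Added example. Assumed web.config:
//   <authentication mode="Windows" />
//   <authorization><deny users="?" /></authorization>
// plus anonymous access disabled in IIS Manager. Control and group names are assumptions.
using System;
using System.Security.Principal;
using System.Text;
using System.Web.UI;

public partial class WindowsAuthTest : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // With Windows authentication, User.Identity is the WindowsIdentity IIS established
        // via Basic, Digest or Integrated Windows authentication.
        var identity = User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            lblInfo.Text = "No authenticated Windows user: check the IIS and web.config settings.";
            return;
        }
        lblInfo.Text = Describe(identity, User);
    }

    // Builds a report: account name, authentication protocol and role membership.
    public static string Describe(WindowsIdentity identity, IPrincipal principal)
    {
        var sb = new StringBuilder();
        sb.AppendFormat("Name: {0}\n", identity.Name);                              // DOMAIN\user
        sb.AppendFormat("Authentication type: {0}\n", identity.AuthenticationType); // e.g. NTLM, Negotiate, Basic
        sb.AppendFormat("Guest account: {0}\n", identity.IsGuest);
        sb.AppendFormat("System account: {0}\n", identity.IsSystem);

        // Built-in Windows groups are tested with the WindowsBuiltInRole enumeration, which
        // works in any locale because it resolves by SID rather than by group name.
        var wp = principal as WindowsPrincipal ?? new WindowsPrincipal(identity);
        sb.AppendFormat("Administrator: {0}\n", wp.IsInRole(WindowsBuiltInRole.Administrator));
        sb.AppendFormat("Power user: {0}\n", wp.IsInRole(WindowsBuiltInRole.PowerUser));

        // Custom local or domain groups are tested by name through IPrincipal.IsInRole(), the
        // same call that <allow roles="..."/> authorization rules make. Group name is assumed.
        sb.AppendFormat("Member of MYDOMAIN\\Accounting: {0}\n", principal.IsInRole(@"MYDOMAIN\Accounting"));
        return sb.ToString();
    }

    // Gate a sensitive operation on group membership rather than on a hard-coded user name,
    // so adding or removing people is an account-management task, not a code change.
    protected void cmdDelete_Click(object sender, EventArgs e)
    {
        var wp = User as WindowsPrincipal;
        if (wp == null || !wp.IsInRole(WindowsBuiltInRole.Administrator))
        {
            lblInfo.Text = "Access denied: administrators only.";
            return;
        }
        lblInfo.Text = "Privileged operation performed by " + User.Identity.Name;
    }
}
```

A quick way to verify the IIS side is to load the page in a browser: with anonymous access still enabled the identity check fails, and the authentication type tells you which protocol IIS negotiated (Basic should only ever appear on an SSL-protected directory).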

Page 30:

Impersonation

Page 31:

Programmatic Impersonation
To use programmatic impersonation, you need to use Windows authentication by disabling anonymous access for the virtual directory. You also need to make sure impersonation is disabled for your web application (otherwise every request already runs under the user's identity and there is nothing left to switch).
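The impersonation described on the two slides above, in code: a single file read is performed under the caller's Windows identity while the rest of the request stays on the worker process account. This is an added example, not from the slides; the file path C:\Reports\summary.txt and the control name lblResult are assumptions, and the page expects Windows authentication with anonymous access disabled and <identity impersonate="false" /> (the default) in web.config.

```csharp
// ImpersonationDemo.aspx.cs: programmatic impersonation for one operation.
// Added example. Assumes Windows authentication with anonymous access disabled and
// <identity impersonate="false" /> (the default), so the request itself runs as the
// worker process account. The file path and control name are assumptions.
using System;
using System.IO;
using System.Security.Principal;
using System.Web.UI;

public partial class ImpersonationDemo : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        var caller = User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
        {
            lblResult.Text = "Windows authentication is required for this page.";
            return;
        }
        lblResult.Text = ReadAsCaller(caller, @"C:\Reports\summary.txt");
    }

    // Reads 'path' with the caller's Windows permissions instead of the worker process's.
    public static string ReadAsCaller(WindowsIdentity caller, string path)
    {
        string processAccount = WindowsIdentity.GetCurrent().Name;
        WindowsImpersonationContext ctx = null;
        try
        {
            // From here until Undo(), the operating system sees this thread as the authenticated
            // user, so the NTFS permissions on 'path' are checked against that user.
            ctx = caller.Impersonate();
            string nowRunningAs = WindowsIdentity.GetCurrent().Name;
            string content = File.ReadAllText(path);
            return string.Format("Read {0} characters from {1} as {2} (process account is {3}).",
                                 content.Length, path, nowRunningAs, processAccount);
        }
        catch (UnauthorizedAccessException)
        {
            // The caller's own permissions were insufficient: this is the intended outcome, the
            // worker process account's broader rights must not be used as a fallback.
            return string.Format("{0} is not permitted to read {1}.", caller.Name, path);
        }
        finally
        {
            // Always revert, even when an exception is thrown; otherwise everything that runs
            // later in the request (and on this pooled thread) would still execute as the caller.
            if (ctx != null) ctx.Undo();
        }
    }
}
```

Two caveats a practitioner will hit: the token obtained through Integrated Windows authentication is an impersonation token, so it lets the server access local resources as the user but not hop to a remote SQL Server or file share (that needs Kerberos delegation or Basic authentication); and setting <identity impersonate="true" /> instead makes the whole request run this way, which is simpler but gives the user's permissions to every line of the page.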

Page 32:

Membership
User record management
Security controls
Role-based security
The Membership Data Store

Page 33:

Membership with SQL Server 2005 Express