Building Secure Microsoft® ASP.NET Applications
Building Secure Microsoft ASP.NET Applications: Authentication, Authorization, and Secure Communication
by Microsoft Corporation

Table of Contents
A Note Regarding Supplemental Files
Acknowledgements
Preface
Why We Wrote This Book
Who Should Read This Book?
How You Should Read This Book
Organization of this Book
Part I, Security Models
Part II, Application Scenarios
Part III, Securing the Tiers
Part IV, Reference
System Requirements
Installing the Sample Files
Building Secure ASP.NET Applications—Online Version
Support
1. Introduction
The Connected Landscape
The Foundations
Authentication
Authorization
Secure Communication
Tying the Technologies Together
Design Principles
Summary
2. Security Model for ASP.NET Applications
.NET Web Applications
Logical Tiers
Physical Deployment Models
The Web Server as an Application Server
Remote Application Tier
Implementation Technologies
Security Architecture
Security Across the Tiers
Authentication
ASP.NET Authentication Modes
More Information
Enterprise Services Authentication
More Information
SQL Server Authentication
More Information
Authorization
ASP.NET Authorization Options
More Information
Enterprise Services Authorization
More Information
SQL Server Authorization
More Information
Gatekeepers and Gates
Introducing .NET Framework Security
Code Access Security
Evidence and Security Policy
CAS and ASP.NET Web Applications
Principals and Identities
The IPrincipal and IIdentity Interfaces
WindowsPrincipal and WindowsIdentity
GenericPrincipal and Associated Identity Objects
ASP.NET and HttpContext.User
ASP.NET Identities
More Information
Remoting and Web Services
Summary
3. Authentication and Authorization Design
Designing an Authentication and Authorization Strategy
Identify Resources
Choose an Authorization Strategy
More Information
Choose the Identities Used for Resource Access
Consider Identity Flow
Choose an Authentication Approach
More Information
Decide How to Flow Identity
More Information
Authorization Approaches
Role Based Authorization
Resource Based Authorization
Resource Access Models
The Trusted Subsystem Model
Fixed Identities
Using Multiple Trusted Identities
The Impersonation / Delegation Model
Choosing a Resource Access Model
Advantage of the Impersonation / Delegation Model
Disadvantages of the Impersonation / Delegation Model
Advantages of the Trusted Subsystem Model
Disadvantages of the Trusted Subsystem Model
Flowing Identity
Application vs. Operating System Identity Flow
Impersonation and Delegation
Impersonation
Delegation
Role-Based Authorization
.NET Roles
.NET Roles with Windows Authentication
.NET Roles with non-Windows Authentication
Custom IPrincipal Objects
More Information
Enterprise Services (COM+) Roles
SQL Server User Defined Database Roles
SQL Server Application Roles
More Information
.NET Roles versus Enterprise Services (COM+) Roles
Using .NET Roles
More Information
Checking Role Membership
Role Checking Examples
Choosing an Authentication Mechanism
Internet Scenarios
Forms / Passport Comparison
Advantages of Forms Authentication
Advantages of Passport Authentication
More Information
Intranet / Extranet Scenarios
Authentication Mechanism Comparison
Summary
4. Secure Communication
Know What to Secure
SSL/TLS
Using SSL
IPSec
Using IPSec
RPC Encryption
Using RPC Encryption
More Information
Point to Point Security
Browser to Web Server
Web Server to Remote Application Server
Application Server to Database Server
Using SSL to SQL Server
More Information
Choosing Between IPSec and SSL
Farming and Load Balancing
More Information
Summary
5. Intranet Security
ASP.NET to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring IIS
Configuring ASP.NET
Configuring SQL Server
Configuring Secure Communication
Analysis
Q&A
Related Scenarios
Non-Internet Explorer Browsers
SQL Authentication to the Database
Flowing the Original Caller to the Database
ASP.NET to Enterprise Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring IIS
Configuring ASP.NET
Configuring Enterprise Services
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
ASP.NET to Web Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring the Web Server (that Hosts the Web Application)
Configuring the Application Server (that Hosts the Web Service)
Configure SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Q&A
Related Scenarios
ASP.NET to Remoting to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring the Web Server
Configure the Application Server
Configure SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
Flowing the Original Caller to the Database
ASP.NET to SQL Server
Using Basic Authentication at the Web Server
Using Integrated Windows Authentication at the Web Server
ASP.NET to Enterprise Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Analysis
Pitfalls
Summary
6. Extranet Security
Exposing a Web Service
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring the Partner Application
Configuring the Extranet Web Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Q&A
Related Scenarios
More Information
Exposing a Web Application
Scenario Characteristics
Secure the Scenario
The Result
Configuring the Extranet Web Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
No Connectivity from Extranet to Corporate Network
More Information
Summary
7. Internet Security
ASP.NET to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configure the Web Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
Forms Authentication against Active Directory
More Information
.NET Roles for Authorization
More Information
Using a Domain Anonymous Account at the Web Server
More Information
ASP.NET to Remote Enterprise Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configure the Web Server
Configure the Application Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
Forms Authentication Against Active Directory
More Information
Using DCOM
More Information
Using .NET Remoting
More Information
Summary
8. ASP.NET Security
ASP.NET Security Architecture
Gatekeepers
IIS
ASP.NET
UrlAuthorizationModule
FileAuthorizationModule
Principal Permission Demands and Explicit Role Checks
More Information
Authentication and Authorization Strategies
Available Authorization Options
Windows Authentication with Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication without Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication Using a Fixed Identity
When to Use
Forms Authentication
Configurable Security
Programmatic Security
When to Use
More Information
Passport Authentication
When to Use
Configuring Security
Configure IIS Settings
Configure ASP.NET Settings
URL Authorization Notes
URL Authorization Examples
Secure Resources
Locking Configuration Settings
Preventing Files from Being Downloaded
Secure Communication
More Information
Programming Security
An Authorization Pattern
Retrieve Credentials
Validate Credentials
Put Users in Roles
Create an IPrincipal Object
Put the IPrincipal Object into the Current HTTP Context
Authorize Based on the User Identity and/or Role Membership
More Information
Creating a Custom IPrincipal class
More Information
Windows Authentication
Identifying the Authenticated User
Forms Authentication
Development Steps for Forms Authentication
Configure IIS for Anonymous Access
Configure ASP.NET for Forms Authentication
Create a Logon Web Form and Validate the Supplied Credentials
More Information
Retrieve a Role List from the Custom Data Store
Create a Forms Authentication Ticket
Create an IPrincipal Object
Put the IPrincipal Object into the Current HTTP Context
Authorize the User Based on User Name or Role Membership
Forms Implementation Guidelines
More Information
Hosting Multiple Applications Using Forms Authentication
More Information
Cookieless Forms Authentication
More Information
Passport Authentication
Configure ASP.NET for Passport authentication
Map a Passport Identity into Roles in Global.asax
Test Role Membership
Custom Authentication
More Information
Process Identity for ASP.NET
Use a Least Privileged Account
Avoid Running as SYSTEM
More Information
Domain Controllers and the ASP.NET Process Account
Using the Default ASPNET Account
The <processModel> Element
Storing Encrypted <processModel> Credentials
More Information
Impersonation
Impersonation and Local Resources
Impersonation and Remote Resources
More Information
Impersonation and Threading
Accessing System Resources
Accessing the Event Log
Accessing the Registry
More Information
Accessing COM Objects
Apartment Model Objects
The AspCompat Directive is Required
More Information
Don’t Create COM Objects Outside of Specific Page Events
More Information
C# and VB .NET Objects in COM+
Accessing Network Resources
Using the ASP.NET Process Identity
More Information
Using a Serviced Component
Using the Anonymous Internet User Account
Hosting Multiple Web Applications
Using LogonUser and Impersonating a Specific Windows Identity
Using the Original Caller
More Information
Accessing Files on a UNC File Share
Accessing Non-Windows Network Resources
Secure Communication
More Information
Storing Secrets
Options for Storing Secrets in ASP.NET
More Information
Consider Storing Secrets in Files on Separate Logical Volumes
Securing Session and View State
Securing View State
Securing Cookies
Securing SQL Session State
Securing the Database Connection String
Securing Session State Across the Network
More Information
Web Farm Considerations
Session State
DPAPI
More Information
Using Forms Authentication in a Web Farm
The <machineKey> Element
The validationKey Attribute
The decryptionKey Attribute
The Validation Attribute
More Information
Summary
9. Enterprise Services Security
Security Architecture
Gatekeepers and Gates
Use Server Applications for Increased Security
Security for Server and Library Applications
Assign Roles to Classes, Interfaces, or Methods
Code Access Security Requirements
Configuring Security
Configuring a Server Application
Development Time vs. Deployment Time Configuration
Configure Authentication
Configure Authorization (Component-Level Access Checks)
Create and Assign Roles
Adding Roles to an Application
Adding Roles to a Component (Class)
Adding Roles to an Interface
Adding Roles to a Method
Register Serviced Components
Populate Roles
Use Windows Groups
More Information
Configure Identity
More Information
Configuring an ASP.NET Client Application
Configure Authentication
More Information
Configure Impersonation
More Information
Configuring Impersonation Levels for an Enterprise Services Application
Programming Security
Programmatic Role-Based Security
Identifying Callers
Choosing a Process Identity
Avoid Running as the Interactive User
Use a Least-Privileged Custom Account
Accessing Network Resources
Using the Original Caller
More Information
Using the Current Process Identity
Using a Specific Service Account
Flowing the Original Caller
Calling CoImpersonateClient
More Information
RPC Encryption
More Information
Building Serviced Components
DLL Locking Problems
Versioning
More Information
QueryInterface Exceptions
DCOM and Firewalls
More Information
Calling Serviced Components from ASP.NET
Caller’s Identity
Use Windows Authentication and Impersonation Within the Web-based Application
Configure Authentication and Impersonation within Machine.config
Configuring Interface Proxies
More Information
Security Concepts
Enterprise Services (COM+) Roles and .NET Roles
Authentication
Authentication Level Promotion
Authentication Level Negotiation
More Information
Impersonation
Cloaking
More Information
Summary
10. Web Services Security
Web Service Security Model
Platform/Transport Level (Point-to-Point) Security
When to Use
Application Level Security
When to Use
Message Level (End-to-End) Security
When to Use
The Web Services Development Kit
More Information
Platform/Transport Security Architecture
Gatekeepers
More Information
Authentication and Authorization Strategies
Windows Authentication with Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication without Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication Using a Fixed Identity
When to Use
More Information
Configuring Security
Configure IIS Settings
Configure ASP.NET Settings
More Information
Secure Resources
Disable HTTP-GET, HTTP-POST
More Information
Secure Communication
More Information
Passing Credentials for Authentication to Web Services
Specifying Client Credentials for Windows Authentication
Using DefaultCredentials
Using Specific Credentials
Request a Specific Authentication Type
Set the PreAuthenticate Property
Using the ConnectionGroupName Property
Calling Web Services from Non-Windows Clients
Proxy Server Authentication
Flowing the Original Caller
Default Credentials with Kerberos Delegation
Configuring the Web Server
Configuring the Remote Application Server
More Information
Explicit Credentials with Basic or Forms Authentication
Basic Authentication
Forms Authentication
Configuring the Web Server
Configuring the Application Server
Trusted Subsystem
Flowing the Caller’s Identity
Configuration Steps
Configuring the Web Server
Configuring the Application Server
Accessing System Resources
Accessing Network Resources
Accessing COM Objects
More Information
Using Client Certificates with Web Services
Authenticating Web Browser Clients with Certificates
Using the Trusted Subsystem Model
Solution Implementation
Why Use an Additional Process?
More Information
Secure Communication
Transport Level Options
Message Level Options
More Information
Summary
11. .NET Remoting Security
.NET Remoting Architecture
Remoting Sinks
Transport Channel Sinks
Comparing Transport Channel Sinks
Custom Sinks
Formatter Sinks
Anatomy of a Request When Hosting in ASP.NET
ASP.NET and the HTTP Channel
More Information
.NET Remoting Gatekeepers
Authentication
Hosting in ASP.NET
Hosting in a Windows Service
Custom Authentication
More Information
Authorization
Using File Authorization
More Information
Authentication and Authorization Strategies
More Information
Accessing System Resources
Accessing Network Resources
Passing Credentials for Authentication to Remote Objects
Specifying Client Credentials
Using DefaultCredentials
Explicit Configuration
Programmatic Configuration
Using Specific Credentials
Request a Specific Authentication Type
Set the preauthenticate Property
Using the connectiongroupname Property
Flowing the Original Caller
Default Credentials with Kerberos Delegation
Configuring the Web Server
Configuring the Remote Application Server
More Information
Explicit Credentials with Basic or Forms Authentication
Basic Authentication
Forms Authentication
Configuring the Web Server
Configuring the Application Server
Trusted Subsystem
Flowing the Caller’s Identity
Choosing a Host
Configuration Steps
Configuring the Web Server
Configuring the Application Server
Using a Windows Service Host
Secure Communication
Platform Level Options
Message Level Options
More Information
Choosing a Host Process
Recommendation
Hosting in ASP.NET
Advantages
Disadvantages
Hosting in a Windows Service
Advantages
Disadvantages
Hosting in a Console Application
Advantages
Disadvantages
Remoting vs. Web Services
Summary
12. Data Access Security
Introducing Data Access Security
SQL Server Gatekeepers
Trusted Subsystem vs. Impersonation/Delegation
Authentication
Windows Authentication
More Information
Using Windows Authentication
Recommendation
Using the ASP.NET Process Identity
Use Mirrored ASPNET Local Accounts
Use Mirrored, Custom Local Accounts
Use a Custom Domain Account
Implementing Mirrored ASPNET Process Identity
Connecting to SQL Server Using Windows Authentication
Using Fixed Identities within ASP.NET
Using Serviced Components
Calling LogonUser and Impersonating a Specific Windows Identity
Using the Original Caller’s Identity
Using the Anonymous Internet User Account
More Information
When Can’t You Use Windows Authentication?
SQL Authentication
Connection String Types
More Information
Choosing a SQL Account for Your Connections
Passing Credentials over the Network
Securing SQL Connection Strings
Authenticating Against Non-SQL Server Databases
Authorization
Using Multiple Database Roles
Secure Communication
The Options
Choosing an Approach
More Information
Connecting with Least Privilege
The Database Trusts the Application
The Database Trusts Different Roles
The Database Trusts the Original Caller
Creating a Least Privilege Database Account
Storing Database Connection Strings Securely
The Options
Using DPAPI
Why Not LSA?
Machine Store vs. User Store
DPAPI Implementation Solutions
Using DPAPI from Enterprise Services
Using DPAPI Directly from ASP.NET
More Information
Using Web.config and Machine.config
Using UDL Files
ACL Granularity
More Information
Using Custom Text Files
Using the Registry
More Information
Using the COM+ Catalog
More Information
Authenticating Users against a Database
Store One-way Password Hashes (with Salt)
Creating a Salt Value
Creating a Hash Value (with Salt)
More Information
SQL Injection Attacks
The Problem
Anatomy of a SQL Script Injection Attack
The Solution
Additional Best Practices
Protecting Pattern Matching Statements
Auditing
Process Identity for SQL Server
Summary
13. Troubleshooting Security Issues
Process for Troubleshooting
Searching for Implementation Solutions
Troubleshooting Authentication Issues
IIS Authentication Issues
Using Windows Authentication
Using Forms Authentication
Kerberos Troubleshooting
Troubleshooting Authorization Issues
Check Windows ACLs
Check Identity
More Information
Check the <authorization> Element
ASP.NET
Enable Tracing
More Information
Configuration Settings
Determining Identity
Determining Identity in a Web Page
Determining Identity in a Web service
More Information
Determining Identity in a Visual Basic 6 COM Object
.NET Remoting
More Information
SSL
More Information
IPSec
Auditing and Logging
Windows Security Logs
More Information
SQL Server Auditing
Sample Log Entries
IIS Logging
Troubleshooting Tools
File Monitor (FileMon.exe)
More Information
Fusion Log Viewer (Fuslogvw.exe)
ISQL.exe
Connecting Using SQL Authentication
Connecting Using Windows Authentication
Running a Simple Query
Windows Task Manager
Network Monitor (NetMon.exe)
More Information
Registry Monitor (regmon.exe)
WFetch.exe
More Information
Visual Studio .NET Tools
More Information
WebServiceStudio
Windows 2000 Resource Kit
Index of How Tos
ASP.NET
Authentication and Authorization
Cryptography
Enterprise Services Security
Web Services Security
Remoting Security
Secure Communication
How To: Create a Custom Account to Run ASP.NET
ASP.NET Worker Process Identity
Impersonating Fixed Identities
Notes
Summary
1. Create a New Local Account
2. Assign Minimum Privileges
3. Assign NTFS Permissions
4. Configure ASP.NET to Run Using the New Account
How To: Use Forms Authentication with Active Directory
Requirements
Summary
1. Create a Web Application with a Logon Page
2. Configure the Web Application for Forms Authentication
3. Develop LDAP Authentication Code to Look Up the User in Active Directory
4. Develop LDAP Group Retrieval Code to Look Up the User’s Group Membership
5. Authenticate the User and Create a Forms Authentication Ticket
6. Implement an Authentication Request Handler to Construct a GenericPrincipal Object
7. Test the Application
How To: Use Forms Authentication with SQL Server 2000
Requirements
Summary
1. Create a Web Application with a Logon Page
2. Configure the Web Application for Forms Authentication
3. Develop Functions to Generate a Hash and Salt value
4. Create a User Account Database
5. Use ADO.NET to Store Account Details in the Database
6. Authenticate User Credentials Against the Database
7. Test the Application
Additional Resources
How To: Create GenericPrincipal Objects with Forms Authentication
Requirements
Summary
1. Create a Web Application with a Logon Page
2. Configure the Web Application for Forms Authentication
3. Generate an Authentication Ticket for Authenticated Users
4. Construct GenericPrincipal and FormsIdentity Objects
5. Test the Application
Additional Resources
How To: Implement Kerberos Delegation for Windows 2000
Notes
Requirements
Summary
1. Confirm that the Client Account is Configured for Delegation
2. Confirm that the Server Process Account is Trusted for Delegation
References
How To: Implement IPrincipal
Requirements
Summary
1. Create a Simple Web Application
2. Configure the Web Application for Forms Authentication
3. Generate an Authentication Ticket for Authenticated Users
4. Create a Class that Implements and Extends IPrincipal
5. Create the CustomPrincipal Object
6. Test the Application
Additional Resources
How To: Create a DPAPI Library
Notes
Requirements
Summary
1. Create a C# Class Library
2. Strong Name the Assembly (Optional)
References
How To: Use DPAPI (Machine Store) from ASP.NET
Notes
Requirements
Summary
1. Create an ASP.NET Client Web Application
2. Test the Application
3. Modify the Web Application to Read an Encrypted Connection String from Web.Config
References
How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
Notes
Why Use Enterprise Services?
Why Use a Windows Service?
Requirements
Summary
1. Create a Serviced Component that Provides Encrypt and Decrypt Methods
2. Call the Managed DPAPI Class Library
3. Create a Dummy Class that will Launch the Serviced Component
4. Create a Windows Account to Run the Enterprise Services Application and Windows Service
5. Configure, Strong Name, and Register the Serviced Component
6. Create a Windows Service Application that will Launch the Serviced Component
7. Install and Start the Windows Service Application
8. Write a Web Application to Test the Encryption and Decryption Routines
9. Modify the Web Application to Read an Encrypted Connection String from an Application Configuration File
References
How To: Create an Encryption Library
Requirements
Summary
1. Create a C# Class Library
2. Create a Console Test Application
References
How To: Store an Encrypted Connection String in the Registry
Notes
Requirements
Summary
1. Store the Encrypted Data in the Registry
2. Create an ASP.NET Web Application
References
How To: Use Role-based Security with Enterprise Services
Notes
Requirements
Summary
1. Create a C# Class Library Application to Host the Serviced Component
2. Create the Serviced Component
3. Configure the Serviced Component
4. Generate a Strong Name for the Assembly
5. Build the Assembly and Add it to the Global Assembly Cache
6. Manually Register the Serviced Component
7. Examine the Configured Application
8. Create a Test Client Application
How To: Call a Web Service Using Client Certificates from ASP.NET
Why Use a Serviced Component?
Why is a User Profile Required?
Requirements
Summary
1. Create a Simple Web Service
2. Configure the Web Service Virtual Directory to Require Client Certificates
3. Create a Custom Account for Running the Serviced Component
4. Request a Client Certificate for the Custom Account
5. Test the Client Certificate Using a Browser
6. Export the Client Certificate to a File
7. Develop the Serviced Component Used to Call the Web Service
8. Configure and Install the Serviced Component
9. Develop a Web Application to Call the Serviced Component
Additional Resources
How To: Call a Web Service Using SSL
Requirements
Summary
1. Create a Simple Web Service
2. Configure the Web Service Virtual Directory to Require SSL
3. Test the Web Service Using a Browser
4. Install the Certificate Authority’s Certificate on the Client Computer
5. Develop a Web Application to Call the Web Service
Additional Resources
How To: Host a Remote Object in a Windows Service
Notes
Requirements
Summary
1. Create the Remote Object Class
2. Create a Windows Service Host Application
3. Create a Windows Account to Run the Service
4. Install the Windows Service
5. Create a Test Client Application
References
How To: Set Up SSL on a Web Server
Requirements
Summary
1. Generate a Certificate Request
2. Submit a Certificate Request
3. Issue the Certificate
4. Install the Certificate on the Web Server
5. Configure Resources to Require SSL Access
How To: Set Up Client Certificates
Requirements
Summary
1. Create a Simple Web Application
2. Configure the Web Application to Require Client Certificates
3. Request and Install a Client Certificate
4. Verify Client Certificate Operation
Additional Resources
How To: Use IPSec to Provide Secure Communication Between Two Servers
Notes
Requirements
Summary
1. Create an IP Filter
2. Create Filter Actions
3. Create Rules
4. Export the IPSec Policy to the Remote Computer
5. Assign Policies
6. Verify that it Works
Additional Resources
How To: Use SSL to Secure Communication with SQL Server 2000
Notes
Requirements
Summary
1. Install a Server Authentication Certificate
2. Verify that the Certificate Has Been Installed
3. Install the Issuing CA’s Certificate on the Client
4. Force All Clients to Use SSL
5. Allow Clients to Determine Whether to Use SSL
6. Verify that Communication is Encrypted
Additional Resources
Base Configuration
Configuration Stores and Tools
Reference Hub
Searching the Knowledge Base
Tips
.NET Security
Hubs
Active Directory
Hubs
Key Notes
Articles
ADO.NET
Roadmaps and Overviews
Seminars and WebCasts
ASP.NET
Hubs
Roadmaps and Overviews
Knowledge Base
Articles
How Tos
Seminars and WebCasts
Enterprise Services
Knowledge Base
Roadmaps and Overviews
How Tos
FAQs
Seminars and WebCasts
IIS (Internet Information Server)
Hubs
Remoting
Roadmaps and Overviews
How Tos
Seminars and WebCasts
SQL Server
Hubs
Seminars and WebCasts
Visual Studio .NET
Hubs
Roadmaps and Overviews
Web Services
Hubs
Roadmaps and Overviews
How Tos
Seminars and WebCasts
Windows 2000
Hubs
How Does It Work?
IIS and ASP.NET Processing
Application Isolation
The ASP.NET ISAPI Extension
IIS 6.0 and Windows .NET Server
More Information
ASP.NET Pipeline Processing
The Anatomy of a Web Request
Forms Authentication Processing
Windows Authentication Processing
Event Handling
Implementing a Custom HTTP Module
Implementing a Custom HTTP Handler
ASP.NET Identity Matrix
Cryptography and Certificates
Keys and Certificates
X.509 Digital Certificates
Certificate Stores
More Information
Cryptography
Technical Choices
Cryptography in .NET
Symmetric Algorithm Support
Asymmetric Algorithm Support
Hashing Algorithm Support
Summary
.NET Web Application Security
Glossary
Microsoft® patterns & practices
Index
About the Author
Copyright
Index
A
access checks.,
Choose an Authentication Approach
(see )
accounts.,
Design Principles
,
ASP.NET Authentication Modes
,
More Information
,
ASP.NET and HttpContext.User
,
ASP.NET and HttpContext.User
,
Intranet Security
,
Intranet Security
,
Extranet Security
,
Internet Security
,
More Information
,
Custom Authentication
,
Accessing Network Resources
,
Using a Serviced Component
,
Register Serviced Components
,
Solution Implementation
,
Windows Authentication
,
Using Fixed Identities within ASP.NET
,
Connection String Types
,
Connection String Types
,
Auditing
,
IIS Authentication Issues
,
Check Identity
,
How To: Create a Custom Account to Run ASP.NET
,
Develop LDAP Authentication Code to Look Up the User in Active Directory
,
Requirements
,
Call the Managed DPAPI Class Library
,
How To: Use Role-based Security with Enterprise Services
,
Create a Custom Account for Running the Serviced Component
,
Create a Windows Account to Run the Service
(see also )
anonymous domain, at Web servers,
More Information
anonymous Internet,
Using a Serviced Component
,
Using Fixed Identities within ASP.NET
creating custom, for serviced component,
Create a Custom Account for Running the Serviced Component
creating database for.,
Connection String Types
(see )
default ASPNET.,
Intranet Security
(see )
duplicate,
Intranet Security
,
Extranet Security
,
Internet Security
IUSR_MACHINENAME,
ASP.NET Authentication Modes
,
ASP.NET and HttpContext.User
,
IIS Authentication Issues
,
Check Identity
Kerberos delegation and,
Requirements
least privileged,
Design Principles
,
Custom Authentication
(see also )
mirrored,
Accessing Network Resources
,
Windows Authentication
,
How To: Create a Custom Account to Run ASP.NET
SQL Server,
Connection String Types
,
Auditing
Web services client certificates and,
Solution Implementation
Windows,
Call the Managed DPAPI Class Library
,
How To: Use Role-based Security with Enterprise Services
,
Create a Windows Account to Run the Service
(see also )
Windows group,
More Information
,
Register Serviced Components
,
Develop LDAP Authentication Code to Look Up the User in Active Directory
ACLs.,
The Foundations
(see )
Active Directory,
Configuring the Extranet Web Server
,
Configuring the Extranet Web Server
,
Analysis
,
Using Forms Authentication
,
How To: Implement Kerberos Delegation for Windows 2000
,
Tips
delegation and,
How To: Implement Kerberos Delegation for Windows 2000
extranet settings,
Configuring the Extranet Web Server
,
Configuring the Extranet Web Server
Forms authentication with.,
Analysis
(see )
reference information,
Tips
SPNs,
Using Forms Authentication
Active Directory, Forms Authentication with,
Analysis
,
Analysis
,
Configurable Security
,
How To: Use Forms Authentication with Active Directory
,
How To: Use Forms Authentication with Active Directory
,
Create a Web Application with a Logon Page
,
Configure the Web Application for Forms Authentication
,
Configure the Web Application for Forms Authentication
,
Develop LDAP Authentication Code to Look Up the User in Active Directory
,
Develop LDAP Group Retrieval Code to Look Up the User’s Group Membership
,
Implement an Authentication Request Handler to Construct a GenericPrincipal Object
,
Test the Application
authenticating users and creating authentication ticket,
Develop LDAP Group Retrieval Code to Look Up the User’s Group Membership
configuring Web application for,
Configure the Web Application for Forms Authentication
creating Web application with logon page,
Create a Web Application with a Logon Page
developing LDAP authentication code,
Configure the Web Application for Forms Authentication
developing LDAP group retrieval code,
Develop LDAP Authentication Code to Look Up the User in Active Directory
implementing authentication request handler to construct GenericPrincipal object,
Implement an Authentication Request Handler to Construct a GenericPrincipal Object
requirements,
How To: Use Forms Authentication with Active Directory
testing,
Test the Application
administration effort, Disadvantages of the Impersonation / Delegation Model
administrators, rogue, Accessing Non-Windows Network Resources
ADO.NET, Implementation Technologies, Gatekeepers and Gates, Create a User Account Database, Key Notes
    as implementation technology, Implementation Technologies
    gates, Gatekeepers and Gates
    reference information, Key Notes
    user account database and, Create a User Account Database
algorithms, How To: Create an Encryption Library, Technical Choices (see also , )
Anonymous authentication, ASP.NET Authentication Modes, Gatekeepers and Gates, Configure IIS Settings, Development Steps for Forms Authentication, Using a Serviced Component, Using Fixed Identities within ASP.NET, IIS Authentication Issues, ASP.NET Identity Matrix
    configuring IIS, Development Steps for Forms Authentication
    configuring impersonation, Configure IIS Settings
    data access security and, Using Fixed Identities within ASP.NET
    disabling, Gatekeepers and Gates
    network resources and, Using a Serviced Component
    troubleshooting, IIS Authentication Issues
    Web.config settings, ASP.NET Identity Matrix
    Windows authentication and, ASP.NET Authentication Modes
anonymous domain accounts at Web servers, More Information
apartment model objects, Accessing the Registry
application isolation, IIS and ASP.NET Processing
application level identity flow, Choose an Authentication Approach, Disadvantages of the Trusted Subsystem Model
application level security, IPSec, Application Level Security, Secure Communication
    IPSec, IPSec, Secure Communication
    Web services, Application Level Security
application roles, Authorization
application servers, Physical Deployment Models, Web Server to Remote Application Server, Configuring the Web Server (that Hosts the Web Application), Security Configuration Steps, Security Configuration Steps, Configure the Web Server, Configuring the Web Server, Configuring the Web Server, Configuring the Web Server, Configuring the Web Server, Configuring the Web Server, Configuring the Web Server
    configuring, for .NET remoting, Configuring the Web Server, Configuring the Web Server, Configuring the Web Server
    configuring, for Web services, Configuring the Web Server, Configuring the Web Server, Configuring the Web Server
    Internet settings, Configure the Web Server
    intranet settings, Configuring the Web Server (that Hosts the Web Application), Security Configuration Steps, Security Configuration Steps
    secure communication, Web Server to Remote Application Server
    Web servers as, Physical Deployment Models
application tiers, remote, Physical Deployment Models
applications, Web., Security Model for ASP.NET Applications (see )
articles., Reference Hub (see )
ASP.NET, Security Model for ASP.NET Applications, Implementation Technologies, Security Architecture, ASP.NET Security, Key Notes
    applications, Security Model for ASP.NET Applications (see also )
    as implementation technology, Implementation Technologies, Security Architecture
    reference information, Key Notes
    security., ASP.NET Security (see )
ASP.NET security, Design Principles, Design Principles, Design Principles, Security Across the Tiers, Authentication, More Information, Gatekeepers and Gates, ASP.NET and HttpContext.User, Security Configuration Steps, Security Configuration Steps, Configuring the Web Server (that Hosts the Web Application), Security Configuration Steps, Security Configuration Steps, Configuring the Extranet Web Server, Configuring the Extranet Web Server, Configure the Web Server, Configure the Web Server, ASP.NET Security, ASP.NET Security, ASP.NET Security Architecture, Principal Permission Demands and Explicit Role Checks, Programmatic Security, Configure IIS Settings, Configure IIS Settings, Configure ASP.NET Settings, URL Authorization Examples, Locking Configuration Settings, Preventing Files from Being Downloaded, Preventing Files from Being Downloaded, Creating a Custom IPrincipal class, Windows Authentication, Development Steps for Forms Authentication, Passport Authentication, Passport Authentication, Custom Authentication, Custom Authentication, Avoid Running as SYSTEM, Using the Default ASPNET Account, More Information, Accessing System Resources, Accessing the Registry, Accessing Network Resources, Accessing Non-Windows Network Resources, Accessing Non-Windows Network Resources, Securing Session and View State, Securing the Database Connection String, Web Farm Considerations, Platform/Transport Security Architecture, Configure ASP.NET Settings, Configuring the Web Server, Configuring the Web Server, Configuring the Application Server, Flowing the Caller’s Identity, Configuring the Web Server, Formatter Sinks, Formatter Sinks, Formatter Sinks, Anatomy of a Request When Hosting in ASP.NET, ASP.NET and the HTTP Channel, .NET Remoting Gatekeepers, Configuring the Web Server, Configuring the Remote Application Server, Configuring the Remote Application Server, Configuring the Web Server, Configuring the Application Server, Configuring the Application Server, Choosing a Host, Configuring the Web Server, Configuring the Web Server, Choosing a Host Process, Implementing Mirrored ASPNET Process Identity, Using DPAPI from Enterprise Services, Enable Tracing, How To: Create a Custom Account to Run ASP.NET, Configure ASP.NET to Run Using the New Account, Base Configuration, Configuration Stores and Tools, How Does It Work?, How Does It Work?, IIS 6.0 and Windows .NET Server, ASP.NET Identity Matrix, .NET Web Application Security (see also , )
    .NET remoting requests and, Formatter Sinks
    accessing COM objects, Accessing the Registry
    accessing network resources, Accessing Network Resources
    accessing system resources, Accessing System Resources
    architecture, ASP.NET Security
    ASP.NET settings, Configure IIS Settings
    authentication and authorization strategies, Principal Permission Demands and Explicit Role Checks
    authentication modes, Authentication
    authorization options, More Information (see also , , , , )
    base configuration, Base Configuration
    configuration stores and tools, Configuration Stores and Tools
    configuring, Programmatic Security
    configuring for .NET remoting, Configuring the Web Server, Configuring the Remote Application Server, Configuring the Web Server, Configuring the Application Server, Choosing a Host, Configuring the Web Server
    configuring for custom accounts, Configure ASP.NET to Run Using the New Account
    configuring for Forms authentication, Development Steps for Forms Authentication
    configuring for Passport authentication, Passport Authentication
    configuring for Web services, Configure ASP.NET Settings, Configuring the Web Server, Configuring the Web Server, Configuring the Application Server, Flowing the Caller’s Identity, Configuring the Web Server
    creating custom accounts, How To: Create a Custom Account to Run ASP.NET
    custom authentication, Custom Authentication (see also )
    default account, Design Principles, Avoid Running as SYSTEM (see also )
    extranet settings, Configuring the Extranet Web Server, Configuring the Extranet Web Server
    Forms authentication, Windows Authentication (see also )
    gatekeepers and gates, Gatekeepers and Gates, ASP.NET Security Architecture, Platform/Transport Security Architecture, ASP.NET and the HTTP Channel
    HTTP channel and, Anatomy of a Request When Hosting in ASP.NET
    identity matrix, ASP.NET and HttpContext.User, ASP.NET Identity Matrix
    IIS settings, Configure IIS Settings
    impersonation, More Information
    Internet settings, Configure the Web Server, Configure the Web Server (see also )
    intranet settings, Security Configuration Steps, Security Configuration Steps, Configuring the Web Server (that Hosts the Web Application), Security Configuration Steps, Security Configuration Steps (see also )
    ISAPI extension, Configure ASP.NET Settings, Locking Configuration Settings, Using the Default ASPNET Account, Formatter Sinks, How Does It Work?
    least privileged accounts, Design Principles (see also )
    options, Design Principles, Security Across the Tiers, .NET Web Application Security
    Passport authentication, Passport Authentication (see also )
    pipeline processing, IIS 6.0 and Windows .NET Server
    process identity, Custom Authentication (see also )
    processing and IIS, How Does It Work?
    programming, Preventing Files from Being Downloaded
    remote object hosting, Formatter Sinks, .NET Remoting Gatekeepers, Configuring the Remote Application Server, Configuring the Application Server, Configuring the Web Server, Choosing a Host Process
    resetting default configuration, Implementing Mirrored ASPNET Process Identity
    secure communication, Preventing Files from Being Downloaded, Accessing Non-Windows Network Resources
    securing resources, URL Authorization Examples
    securing session and view state, Securing Session and View State
    storing secrets, Accessing Non-Windows Network Resources
    troubleshooting, Enable Tracing
    using DPAPI directly, Using DPAPI from Enterprise Services
    Web farm considerations, Web Farm Considerations
    Windows authentication, Creating a Custom IPrincipal class, Securing the Database Connection String (see also )
AspCompat directive, Accessing the Registry, Accessing Network Resources
ASPNET default account, Design Principles, Intranet Security, Extranet Security, Internet Security, Avoid Running as SYSTEM, Solution Implementation, Using the ASP.NET Process Identity, Check Identity, Check Identity, How To: Create a Custom Account to Run ASP.NET, Why Use a Serviced Component?
    as interactive user account, Solution Implementation
    as least privileged account, Design Principles, Why Use a Serviced Component?
    duplicated, Intranet Security, Extranet Security, Internet Security
    mirrored, Using the ASP.NET Process Identity
    process identity and, Avoid Running as SYSTEM, Check Identity, How To: Create a Custom Account to Run ASP.NET (see also )
    troubleshooting, Check Identity
aspnet_regiis.exe tool, Implementing Mirrored ASPNET Process Identity
aspnet_setreg.exe tool, Intranet Security, Extranet Security, The <processModel> Element, Securing SQL Session State, Implementing Mirrored ASPNET Process Identity, Configure ASP.NET to Run Using the New Account
Aspnet_wp.exe worker process, Custom Authentication, Using the Default ASPNET Account (see also )
assemblies, Versioning, Create a C# Class Library, Configure the Serviced Component, Build the Assembly and Add it to the Global Assembly Cache
    building and adding, to global assembly cache, Build the Assembly and Add it to the Global Assembly Cache
    strong names for, Create a C# Class Library, Configure the Serviced Component
    versioning, Versioning
asymmetric encryption, SSL/TLS, Keys and Certificates, Technical Choices, Symmetric Algorithm Support
auditing, Choose the Identities Used for Resource Access, Using Multiple Trusted Identities, Disadvantages of the Impersonation / Delegation Model, Analysis, Analysis, Analysis, Programmatic Security, Flowing the Original Caller, Auditing, IIS Authentication Issues, Windows Security Logs, Windows Security Logs
    authentication and, Choose the Identities Used for Resource Access
    Enterprise Services, Flowing the Original Caller
    extranet scenario, Analysis
    IIS authentication and, IIS Authentication Issues
    impersonation/delegation model and, Using Multiple Trusted Identities
    intranet scenarios, Analysis, Analysis
    logon, Auditing, Windows Security Logs
    troubleshooting with logging and, Windows Security Logs
    trusted subsystem model and, Disadvantages of the Impersonation / Delegation Model
    Windows authentication and, Programmatic Security
authenticated clients., The Foundations (see )
authentication, The Foundations, Authorization, Security Across the Tiers, Authentication, Choose the Identities Used for Resource Access, Impersonation, Role Checking Examples, Authentication Mechanism Comparison, IPSec, Choosing Between IPSec and SSL, Intranet Security, Extranet Security, Internet Security, ASP.NET Security, Configure IIS Settings, URL Authorization Notes, An Authorization Pattern, Hosting Multiple Web Applications, Enterprise Services Security, Security for Server and Library Applications, Development Time vs. Deployment Time Configuration, Development Time vs. Deployment Time Configuration, Development Time vs. Deployment Time Configuration, Configure Authentication, Configure Authentication, Configure Authentication, Calling Serviced Components from ASP.NET, Security Concepts, Authentication, Authentication, Authentication, Platform/Transport Level (Point-to-Point) Security, Platform/Transport Security Architecture, Configure ASP.NET Settings, Disable HTTP-GET, HTTP-POST, Proxy Server Authentication, Configuring the Remote Application Server, Anatomy of a Request When Hosting in ASP.NET, .NET Remoting Gatekeepers, Accessing Network Resources, Configuring the Remote Application Server, Advantages, Advantages, Introducing Data Access Security, Trusted Subsystem vs. Impersonation/Delegation, Trusted Subsystem vs. Impersonation/Delegation, Connection String Types, Choosing a SQL Account for Your Connections, Using the COM+ Catalog, Searching for Implementation Solutions, Configuration Stores and Tools, ASP.NET Identity Matrix, Certificate Stores
    .NET remoting, Anatomy of a Request When Hosting in ASP.NET, .NET Remoting Gatekeepers, Accessing Network Resources, Configuring the Remote Application Server, Advantages
    ASP.NET modes, Authentication (see also , , , )
    ASP.NET processing, ASP.NET Security
    authorization pattern and, An Authorization Pattern
    choosing mechanisms for, Choose the Identities Used for Resource Access, Role Checking Examples
    client application, Configure Authentication
    comparison of mechanisms, Authentication Mechanism Comparison
    configuration stores and tools, Configuration Stores and Tools
    configuring, Configure IIS Settings, Development Time vs. Deployment Time Configuration, Configure Authentication
    credentials., Introducing Data Access Security (see )
    cryptography and, Certificate Stores
    data access security and, Trusted Subsystem vs. Impersonation/Delegation, Trusted Subsystem vs. Impersonation/Delegation
    database stores and, Using the COM+ Catalog
    delegation and, Impersonation, Hosting Multiple Web Applications (see also , )
    Enterprise Services, Enterprise Services Security, Development Time vs. Deployment Time Configuration, Configure Authentication, Security Concepts, Authentication
    extranet., Extranet Security (see )
    Internet., Internet Security (see )
    intranet., Intranet Security (see )
    IPSec and, IPSec, Choosing Between IPSec and SSL
    level negotiation, Authentication
    level promotion, Authentication
    library application, Security for Server and Library Applications
    Machine.config and, Calling Serviced Components from ASP.NET
    non-SQL Server databases and, Choosing a SQL Account for Your Connections
    passing credentials for, to Web services, Disable HTTP-GET, HTTP-POST
    proxy server, Proxy Server Authentication
    server application, Development Time vs. Deployment Time Configuration
    SQL., Connection String Types (see )
    strategies, The Foundations (see also )
    technologies and principles, Authorization, Security Across the Tiers
    troubleshooting, Searching for Implementation Solutions
    URL authorization and, URL Authorization Notes
    Web services, Platform/Transport Level (Point-to-Point) Security, Platform/Transport Security Architecture, Configure ASP.NET Settings, Configuring the Remote Application Server
    Web.config settings, ASP.NET Identity Matrix
    Windows service features, Advantages
authentication and authorization strategies, The Foundations, Logical Tiers, Authentication and Authorization Design, Authentication and Authorization Design, Choose an Authentication Approach, Disadvantages of the Trusted Subsystem Model, Delegation, Role Checking Examples, Principal Permission Demands and Explicit Role Checks, Available Authorization Options, Windows Authentication with Impersonation, More Information, Programmatic Security, More Information, Using File Authorization, How To: Implement Kerberos Delegation for Windows 2000 (see also )
    .NET remoting, Using File Authorization
    authentication mechanisms, Role Checking Examples
    authorization approaches, Choose an Authentication Approach
    authorization options, Available Authorization Options
    designing, Authentication and Authorization Design
    flowing identity, Disadvantages of the Trusted Subsystem Model (see also )
    Forms authentication, More Information
    implementing Kerberos delegation, How To: Implement Kerberos Delegation for Windows 2000
    Passport authentication, Programmatic Security
    role-based authorization, Delegation
    User Services layer and, Logical Tiers
    Web services, More Information
    Windows authentication, Windows Authentication with Impersonation
authorization, The Foundations, Authorization, Security Across the Tiers, More Information, Authentication and Authorization Design, Choose an Authentication Approach, Choose an Authentication Approach, Authorization Approaches, Resource Based Authorization, Intranet Security, Extranet Security, Internet Security, Analysis, Available Authorization Options, Configure ASP.NET Settings, Preventing Files from Being Downloaded, An Authorization Pattern, Enterprise Services Security, Development Time vs. Deployment Time Configuration, Development Time vs. Deployment Time Configuration, Security Concepts, ASP.NET and the HTTP Channel, Authorization, Advantages, Advantages, Authorization, Using Forms Authentication, Configuration Stores and Tools
    .NET remoting, ASP.NET and the HTTP Channel, Authorization, Advantages
    .NET roles for Internet, Analysis
    approaches, Choose an Authentication Approach
    configuration stores and tools, Configuration Stores and Tools
    configuring, Configure ASP.NET Settings, Development Time vs. Deployment Time Configuration
    data access security and, Authorization
    Enterprise Services, Enterprise Services Security, Development Time vs. Deployment Time Configuration, Security Concepts (see also )
    extranet., Extranet Security (see )
    Internet., Internet Security (see )
    intranet., Intranet Security (see )
    options, More Information, Available Authorization Options
    pattern, An Authorization Pattern
    programming, Preventing Files from Being Downloaded
    resource access models and, Resource Based Authorization
    resource-based, Authorization Approaches
    role-based, Choose an Authentication Approach (see also )
    strategies, The Foundations, Authentication and Authorization Design (see also )
    technologies and principles, Authorization, Security Across the Tiers
    troubleshooting, Using Forms Authentication
    Windows service features, Advantages