Chapter 13 – Site Security. Internet Information Server ASP.NET Applications.NET Framework Windows NT/2000 Operating System Forms Passport Windows Certificates.

Chapter 13 – Site Chapter 13 – Site SecuritySecurity

InternetInformation

Server

ASP.NETApplications

.NETFramework

Windows NT/2000Operating System

FormsPassportWindowsCertificates

AnonymousStandardWindowsDigest

Code Access Security

Active DirectoryFile Permissions

WebClients

SSL

WebClients

Get Default.aspx

SecurityAuthority

WindowsForms

PassportCustom

user id=GlennJ password=hi2u2!

Who are you? Provide proof.

Ok, here is Default.aspx

AuthenticationAuthentication

WebClients

GlennJ says: Select * from Orders

Is GlennJAuthorized to

retrieve theOrders?

Here are the Orders.

AuthorizationAuthorization

WorkgroupClient

WorkgroupClient

WorkgroupClient

WorkgroupClient

Directory UsersAdministratorRandyGarySueDirectory GroupsUsersManagers

Directory UsersAdministratorRandyGarySueDirectory GroupsUsersManagers

Directory UsersAdministratorRandyGarySueDirectory GroupsUsersManagers

Directory UsersAdministratorRandyGarySueDirectory GroupsUsersManagers

Local User Account CreationLocal User Account Creation

DomainWorkstation

DomainWorkstation

DomainWorkstation

DomainWorkstation

Active Directory UsersAdministratorRandyGarySueActive Directory GroupsDomain UsersManagers

DomainController

Directory GroupsUsersPrinter Users

Directory GroupsUsersScanner Users

Directory GroupsUsersFile System Users

Directory GroupsUsersHR Users

Discretionary Access Control List (DACL)Discretionary Access Control List (DACL)ManagersManagers Read and Execute, WriteRead and Execute, Write

UsersUsers Read and ExecuteRead and Execute

SueSue Full Control, Member of UsersFull Control, Member of Users

GlennGlenn Deny Write, Member of Users, ManagersDeny Write, Member of Users, Managers

SalesData.xml

Glenn

Sue

Effective Permissions

Read and Execute

Effective PermissionsFull Control

Access Control Entries(ACEs)

IIS SecurityIIS Security

BrowserClient

Web SiteServer

Initiate Conversation - Can we talk?

Here is an encrypted session key

Hi - here's my certificate containing the public key, signed by CA's private key

Communication with session key

ValidateDigital

Certificate

IIS Certificate WizardIIS Certificate Wizard

Certificate BackupCertificate Backup

Certificate RestoreCertificate Restore

SSL ConfigurationSSL Configuration

ASP.NETAuthentication

Run asUser Account

or IUSR

Run Using<processModel>

Account (ASPNET)

Internet Information Server

Authentication

IP and DomainAcceptable?

UserAuthentication

ImpersonationEnabled?

Yes

No

PerformASP.NET

Security Checks

Check WindowsDACL forResource

Permissions

Request is Authorized - Respond to User

BrowserClient

Web SiteServer1. Request protected resource

GET mydoc.aspx

3. Get login page - login.aspx?RETURNURL=/mydoc.aspx

5. POST login.aspx?RETURNURL=/mydoc.aspx

2. Redirect to login page http://www.site.com/login.aspx?RETURNURL=/mydoc.aspx

4. login.aspx

7. Redirect to mydoc.aspx with authentication cookie

6.Authenticate User

8. Request protected resource with authentication cookieGET mydoc.aspx

9. mydoc.asmx

Login PageLogin Page

machine.configmachine.config

allow users="*"allow users="*"

Web.config at / ( root )Web.config at / ( root )

( no entries )( no entries )

Web.config at /customersWeb.config at /customers

allow users="Joe"allow users="Joe"

deny users="*"deny users="*"

Web.config at /customers/salesWeb.config at /customers/sales

allow users="Mary"allow users="Mary"

Web.config at Web.config at /customers/sales/reports/customers/sales/reports

allow users="Mary,Joe"allow users="Mary,Joe"

deny users="*"deny users="*"

AuthenticationTypeNameIsAuthenticated

IIdentity

AuthenticationTypeNameIsAuthenticatedTicket

FormsIdentityAuthenticationTypeNameIsAuthenticatedIsGuestIsSystemTokenGetAnonymous( )GetCurrent( )Impersonate( )

WindowsIdentityAuthenticationTypeNameIsAuthenticatedHasTicketGetProfileObject( )

PassportIdentityAuthenticationTypeNameIsAuthenticated

GenericIdentity

IdentityIsInRole( )

IPrincipal

IdentityIsInRole( )

WindowsPrincipalIdentityIsInRole( )

GenericPrincipal

Forms Authentication UsingForms Authentication UsingDatabase AccessDatabase Access

Populated DatabasePopulated Database

Database AccessDatabase Access

Permissions

Permissions

Permissions

Retrieve EvidenceFrom Assembly

Retrieve EvidenceFrom Assembly

Code Groups 3

Strong Name

My_Computer_Zone

Assign into Code Groups

UNIONed Permissions

Intersect Policy Permissions

• Enterprise• Machine• User• Application Domain

Code Access SecurityCode Access Security

Security Policy AdministrationSecurity Policy Administration

Testing Code Access SecurityTesting Code Access Security

Testing Code Access SecurityTesting Code Access Security

LabLab

Require Login to Customer siteRequire Login to Customer site