The combined authentication, authorization, and secure communication services available to .NET Web applications are summarized in the following tables. The tables show the various security services available to each of the core .NET Web application technologies and for each one indicates where the related security configuration settings are maintained and what tools are available to edit the settings.
Note
Settings within the Internet Information Services (IIS) metabase are configured using the IIS MMC snap-in, or programmatically via script. Settings maintained within machine.config or web.config can be edited with any text editor (such as Notepad) or XML editor (such as the Microsoft Visual Studio® .NET XML editor).
Table 1. IIS security configuration
Authentication | Configuration | Tools |
|---|---|---|
Anonymous Basic Digest Windows Integrated Client Certificates | IIS metabase | IIS MMC snap-in Script Makecert.exe can be used to create test certificates |
Authorization | Configuration | Tools |
NTFS permissions (Windows ACLs) IP and DNS restrictions | Windows (NTFS) file system IIS metabase | Windows Explorer Cacls.exe Security templates Secedit.exe Group Policy |
Secure Communication | Configuration | Tools |
SSL | Windows (NTFS) file system | IIS MMC snap-in Script |
IPSec | Machine’s local policy (registry) or Microsoft Active Directory® directory service | Local Security Policy MMC snap-in Domain security Policy MMC snap-in Ipsecpol.exe |
Configuration | Tools | |
IP address and domain name restrictions | IIS metabase | IIS MMC snap-in Script |
Table 2. ASP.NET security configuration
Authentication | Configuration | Tools |
|---|---|---|
Windows Forms Passport None (Custom) | <authentication> element of machine.config or web.config | Notepad.exe Visual Studio .NET Any XML editor |
Authorization | Configuration | Tools |
URL authorization | <authorization> element of Machine.config or Web.config | Notepad.exe Visual Studio .NET Any XML editor |
File authorization | Windows (NTFS) file system Active Directory –or– SAM database –or– Custom data store (for example, SQL Server) | Windows Explorer Calcs.exe Security templates Secedit.exe Group Policy For Windows groups, use the Active Directory Users and Computers MMC snap-in or (for local settings) use the Computer Management tool |
.NET roles | ADSI script Net.exe For custom groups–depends on custom data store |
Table 3. Enterprise Services security configuration[*]
Authentication | Configuration | Tools |
|---|---|---|
DCOM/RPC authentication | COM+ Catalog Note: Computer-wide settings for serviced component (and regular DCOM) proxies is maintained in Machine.config. | Component Services MMC snap-in Script (Catalog automation objects) |
Configuration | Tools | |
Enterprise Services (COM+) roles | COM+ Catalog | Component Services MMC snap-in Script (Catalog automation objects) |
Windows ACLs (when using impersonation in serviced component) | Windows (NTFS) file system | Windows Explorer Cacls.exe Security templates Secedit.exe Group Policy |
Secure Communication | Configuration | Tools |
RPC encryption (packet privacy) | COM+ Catalog Note: Computer-wide settings for serviced component (and regular DCOM) proxies is maintained in Machine.config. | Component Services Script (Catalog automation objects) |
IPSec | Machine’s local policy (registry) or Active Directory | Local Security Policy MMC snap-in Ipsecpol.exe |
[*] The security services for Enterprise Service components apply both to components hosted by server and library applications. However, certain restrictions apply for library applications because many of the security defaults are inherited from the host process and as a result are not directly configurable. Process-wide authentication may also be explicitly switched off by library applications. For more details, see Chapter 9. | ||
Table 4. Web Services (Implemented using ASP.NET) security configuration
Authentication | Configuration | Tools |
|---|---|---|
Windows | <authentication> element of Machine.config or Web.config | Notepad Visual Studio .NET Any XML editor |
Custom | Custom data store (for example. SQL Server or Active Directory) | Depends on custom store. |
Configuration | Tools | |
URL Authorization | Web.config | Notepad Visual Studio .NET Any XML editor |
File Authorization | Windows (NTFS) file system | Windows Explorer Cacls.exe Security templates Secedit.exe Group Policy |
.NET roles | Active Directory –or– SAM database –or– Custom data store (for example, SQL Server) | For Windows groups, use the Active Directory Users and Computers MMC snap-in or (for local settings) use the Computer Management tool ADSI script Net.exe For custom groups–depends on custom store |
Secure Communication | Configuration | Tools |
SSL | IIS metabase | IIS MMC snap-in Script |
IPSec | Machine’s local policy (registry) or Active Directory | Local Security Policy MMC snap-in Ipsecpol.exe |
Table 5. .NET Remoting security configuration[**] (When hosted by ASP.NET using HTTP Channel)
Authentication | Configuration | Tools |
|---|---|---|
Windows | IIS metabase | IIS MMC snap-in Script |
Custom | Custom data store (for example SQL Server) | Depends on custom store |
Authorization | Configuration | Tools |
URL authorization | Web.config | Notepad Visual Studio .NET Any XML editor |
File authorization | Windows (NTFS) file system | Windows Explorer Cacls.exe Security templates Secedit.exe Group Policy |
.NET roles | Active Directory –or– SAM database –or– Custom data store (for example, SQL Server | For Windows groups, use the Active Directory Users and Computers MMC snap-in or (for local settings) use the Computer Management tool ADSI script, Net.exe For custom groups–depends on custom store |
Secure Communication | Configuration | Tools |
SSL | IIS metabase | IIS MMC snap-in Script |
IPSec | Machine’s local policy (registry) or Active Directory | Local Security Policy MMC snap-in Ipsecpol.exe |
[**] The security services shown for .NET Remoting assumes that the .NET remote component is hosted within ASP.NET and is using the HTTP channel. No default security services are available to .NET remote components hosted outside of IIS (for example, in a custom Win32 process or Win32 service) using the TCP channel. For more details, see Chapter 11. | ||
Table 6. .SQL Server security configuration
Configuration | Tools | |
|---|---|---|
Integrated Windows | SQL Server | SQL Server Enterprise Manager SQL Server Enterprise Manager |
SQL Server standard authentication | SQL Server | |
Authorization | Configuration | Tools |
Object permissions Database roles Server roles User defined database roles Application roles | SQL Server | SQL Server Enterprise Manager Osql.exe (Database script) |
Secure Communication | Configuration | Tools |
SSL | Server’s machine certificate store Client and server registry settings Connection string | Certificates MMC snap-in Server Network Utility Client Network Utility |
IPSec | Machine’s local policy (registry) or Active Directory | Local Security Policy snap-in Ipsecpol.exe |