- Building Secure Microsoft ASP.NET Applications: Authentication, Authorization, and Secure Communication
- A Note Regarding Supplemental Files
- Acknowledgements
- Preface
- 1. Introduction
- 2. Security Model for ASP.NET Applications
- .NET Web Applications
- Implementation Technologies
- Security Architecture
- Introducing .NET Framework Security
- Summary
- 3. Authentication and Authorization Design
- Designing an Authentication and Authorization Strategy
- Authorization Approaches
- Flowing Identity
- Role-Based Authorization
- Choosing an Authentication Mechanism
- Summary
- 4. Secure Communication
- 5. Intranet Security
- 6. Extranet Security
- 7. Internet Security
- ASP.NET to SQL Server
- ASP.NET to Remote Enterprise Services to SQL Server
- Summary
- 8. ASP.NET Security
- ASP.NET Security Architecture
- Authentication and Authorization Strategies
- Configuring Security
- Programming Security
- Windows Authentication
- Forms Authentication
- Development Steps for Forms Authentication
- Configure IIS for Anonymous Access
- Configure ASP.NET for Forms Authentication
- Create a Logon Web Form and Validate the Supplied Credentials
- Retrieve a Role List from the Custom Data Store
- Create a Forms Authentication Ticket
- Create an IPrincipal Object
- Put the IPrincipal Object into the Current HTTP Context
- Authorize the User Based on User Name or Role Membership
- Forms Implementation Guidelines
- Hosting Multiple Applications Using Forms Authentication
- Cookieless Forms Authentication
- Development Steps for Forms Authentication
- Passport Authentication
- Custom Authentication
- Process Identity for ASP.NET
- Impersonation
- Accessing System Resources
- Accessing COM Objects
- Accessing Network Resources
- Secure Communication
- Storing Secrets
- Securing Session and View State
- Web Farm Considerations
- Summary
- 9. Enterprise Services Security
- Security Architecture
- Configuring Security
- Configuring a Server Application
- Configuring an ASP.NET Client Application
- Configuring Impersonation Levels for an Enterprise Services Application
- Programming Security
- Choosing a Process Identity
- Accessing Network Resources
- Flowing the Original Caller
- RPC Encryption
- Building Serviced Components
- DCOM and Firewalls
- Calling Serviced Components from ASP.NET
- Security Concepts
- Summary
- 10. Web Services Security
- Web Service Security Model
- Platform/Transport Security Architecture
- Authentication and Authorization Strategies
- Configuring Security
- Passing Credentials for Authentication to Web Services
- Flowing the Original Caller
- Trusted Subsystem
- Accessing System Resources
- Accessing Network Resources
- Accessing COM Objects
- Using Client Certificates with Web Services
- Secure Communication
- Summary
- 11. .NET Remoting Security
- .NET Remoting Architecture
- .NET Remoting Gatekeepers
- Authentication
- Authorization
- Authentication and Authorization Strategies
- Accessing System Resources
- Accessing Network Resources
- Passing Credentials for Authentication to Remote Objects
- Flowing the Original Caller
- Trusted Subsystem
- Secure Communication
- Choosing a Host Process
- Remoting vs. Web Services
- Summary
- 12. Data Access Security
- Introducing Data Access Security
- Authentication
- Windows Authentication
- More Information
- Using Windows Authentication
- Recommendation
- Using the ASP.NET Process Identity
- Using Fixed Identities within ASP.NET
- Using Serviced Components
- Calling LogonUser and Impersonating a Specific Windows Identity
- Using the Original Caller’s Identity
- Using the Anonymous Internet User Account
- When Can’t You Use Windows Authentication?
- SQL Authentication
- Authenticating Against Non-SQL Server Databases
- Windows Authentication
- Authorization
- Secure Communication
- Connecting with Least Privilege
- Creating a Least Privilege Database Account
- Storing Database Connection Strings Securely
- Authenticating Users against a Database
- SQL Injection Attacks
- Auditing
- Process Identity for SQL Server
- Summary
- 13. Troubleshooting Security Issues
- Process for Troubleshooting
- Troubleshooting Authentication Issues
- Troubleshooting Authorization Issues
- ASP.NET
- Determining Identity
- .NET Remoting
- SSL
- IPSec
- Auditing and Logging
- Troubleshooting Tools
- Index of How Tos
- How To: Create a Custom Account to Run ASP.NET
- How To: Use Forms Authentication with Active Directory
- Requirements
- Summary
- 1. Create a Web Application with a Logon Page
- 2. Configure the Web Application for Forms Authentication
- 3. Develop LDAP Authentication Code to Look Up the User in Active Directory
- 4. Develop LDAP Group Retrieval Code to Look Up the User’s Group Membership
- 5. Authenticate the User and Create a Forms Authentication Ticket
- 6. Implement an Authentication Request Handler to Construct a GenericPrincipal Object
- 7. Test the Application
- How To: Use Forms Authentication with SQL Server 2000
- Requirements
- Summary
- 1. Create a Web Application with a Logon Page
- 2. Configure the Web Application for Forms Authentication
- 3. Develop Functions to Generate a Hash and Salt value
- 4. Create a User Account Database
- 5. Use ADO.NET to Store Account Details in the Database
- 6. Authenticate User Credentials Against the Database
- 7. Test the Application
- Additional Resources
- How To: Create GenericPrincipal Objects with Forms Authentication
- How To: Implement Kerberos Delegation for Windows 2000
- How To: Implement IPrincipal
- Requirements
- Summary
- 1. Create a Simple Web Application
- 2. Configure the Web Application for Forms Authentication
- 3. Generate an Authentication Ticket for Authenticated Users
- 4. Create a Class that Implements and Extends IPrincipal
- 5. Create the CustomPrincipal Object
- 5. Test the Application
- Additional Resources
- How To: Create a DPAPI Library
- How To: Use DPAPI (Machine Store) from ASP.NET
- How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
- Notes
- Requirements
- Summary
- 1. Create a Serviced Component that Provides Encrypt and Decrypt Methods
- 2. Call the Managed DPAPI Class Library
- 3. Create a Dummy Class that will Launch the Serviced Component
- 4. Create a Windows Account to Run the Enterprise Services Application and Windows Service
- 5. Configure, Strong Name, and Register the Serviced Component
- 6. Create a Windows Service Application that will Launch the Serviced Component
- 7. Install and Start the Windows Service Application
- 8. Write a Web Application to Test the Encryption and Decryption Routines
- 9. Modify the Web Application to Read an Encrypted Connection String from an Application Configuration File
- References
- How To: Create an Encryption Library
- How To: Store an Encrypted Connection String in the Registry
- How To: Use Role-based Security with Enterprise Services
- Notes
- Requirements
- Summary
- 1. Create a C# Class Library Application to Host the Serviced Component
- 2. Create the Serviced Component
- 3. Configure the Serviced Component
- 4. Generate a Strong Name for the Assembly
- 5. Build the Assembly and Add it to the Global Assembly Cache
- 6. Manually Register the Serviced Component
- 7. Examine the Configured Application
- 8. Create a Test Client Application
- How To: Call a Web Service Using Client Certificates from ASP.NET
- Why Use a Serviced Component?
- Requirements
- Summary
- 1. Create a Simple Web Service
- 2. Configure the Web Service Virtual Directory to Require Client Certificates
- 3. Create a Custom Account for Running the Serviced Component
- 4. Request a Client Certificate for the Custom Account
- 5. Test the Client Certificate Using a Browser
- 6. Export the Client Certificate to a File
- 7. Develop the Serviced Component Used to Call the Web Service
- 8. Configure and Install the Serviced Component
- 9. Develop a Web Application to Call the Serviced Component
- Additional Resources
- How To: Call a Web Service Using SSL
- Requirements
- Summary
- 1. Create a Simple Web Service
- 2. Configure the Web Service Virtual Directory to Require SSL
- 3. Test the Web Service Using a Browser
- 4. Install the Certificate Authority’s Certificate on the Client Computer
- 5. Develop a Web Application to Call the Web Service
- Additional Resources
- How To: Host a Remote Object in a Windows Service
- How To: Set Up SSL on a Web Server
- How To: Set Up Client Certificates
- How To: Use IPSec to Provide Secure Communication Between Two Servers
- How To: Use SSL to Secure Communication with SQL Server 2000
- Notes
- Requirements
- Summary
- 1. Install a Server Authentication Certificate
- 2. Verify that the Certificate Has Been Installed
- 3. Install the Issuing CA’s Certificate on the Client
- 4. Force All Clients to Use SSL
- 5. Allow Clients to Determine Whether to Use SSL
- 6. Verify that Communication is Encrypted
- Additional Resources
- Base Configuration
- Configuration Stores and Tools
- Reference Hub
- How Does It Work?
- ASP.NET Identity Matrix
- Cryptography and Certificates
- .NET Web Application Security
- Glossary
- Microsoft® patterns & practices
- Index
- About the Author
- Copyright
H
- handlers, custom HTTP, Custom Authentication, Implementing a Custom HTTP Module
- hash values, Storing Secrets, Using the COM+ Catalog, Configure the Web Application for Forms Authentication, Certificate Stores, Asymmetric Algorithm Support
- .NET Framework support, Asymmetric Algorithm Support
- cryptography and, Certificate Stores
- generating, Configure the Web Application for Forms Authentication
- one-way password, Storing Secrets, Using the COM+ Catalog
- help., Reference Hub (see )
- homogenous intranets, Intranet Security
- hosting remote objects., Formatter Sinks (see )
- Hotfix Rollup, How To: Implement Kerberos Delegation for Windows 2000, Confirm that the Server Process Account is Trusted for Delegation
- How To articles., Reference Hub (see )
- HTML forms., Development Steps for Forms Authentication (see , )
- HTTP (Hypertext Transport Protocol), Introduction, Secure Resources, Custom Authentication, Configure ASP.NET Settings, .NET Remoting Security, Anatomy of a Request When Hosting in ASP.NET, .NET Remoting Gatekeepers, Flowing the Caller’s Identity, Configuration Stores and Tools, IIS 6.0 and Windows .NET Server, Implementing a Custom HTTP Module
- channel and .NET remoting, .NET Remoting Security, Anatomy of a Request When Hosting in ASP.NET, .NET Remoting Gatekeepers, Flowing the Caller’s Identity, Configuration Stores and Tools
- disabling HTTP-GET and HTTP-POST, Configure ASP.NET Settings
- implementing custom HTTP modules and HTTP handlers, Custom Authentication, Implementing a Custom HTTP Module
- modules, Secure Resources
- pipeline processing, IIS 6.0 and Windows .NET Server
- HttpContext.User property, ASP.NET and HttpContext.User, .NET Roles with Windows Authentication, Checking Role Membership, Principal Permission Demands and Explicit Role Checks, Create an IPrincipal Object, Create an IPrincipal Object, Check Identity, ASP.NET Identity Matrix
- .NET roles and, .NET Roles with Windows Authentication, Checking Role Membership
- ASP.NET and, ASP.NET and HttpContext.User, ASP.NET Identity Matrix
- putting IPrincipal objects into, Principal Permission Demands and Explicit Role Checks, Create an IPrincipal Object, Create an IPrincipal Object, Check Identity
- (see also )
- HttpForbiddenHandler class, Locking Configuration Settings
- hubs., Reference Hub (see )
- Hypertext Transport Protocol., Introduction (see )
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.