Home Page Icon
Home Page
Table of Contents for
Index
Close
Index
by Microsoft Corporation
Building Secure Microsoft® ASP.NET Applications
Building Secure Microsoft ASP.NET Applications: Authentication, Authorization, and Secure Communication
A Note Regarding Supplemental Files
Acknowledgements
Preface
Why We Wrote This Book
Who Should Read This Book?
How You Should Read This Book
Organization of this Book
Part I, Security Models
Part II, Application Scenarios
Part III, Securing the Tiers
Part IV, Reference
System Requirements
Installing the Sample Files
Building Secure ASP.NET Applications—Online Version
Support
1. Introduction
The Connected Landscape
The Foundations
Authentication
Authorization
Secure Communication
Tying the Technologies Together
Design Principles
Summary
2. Security Model for ASP.NET Applications
.NET Web Applications
Logical Tiers
Physical Deployment Models
The Web Server as an Application Server
Remote Application Tier
Implementation Technologies
Security Architecture
Security Across the Tiers
Authentication
ASP.NET Authentication Modes
More Information
Enterprise Services Authentication
More Information
SQL Server Authentication
More Information
Authorization
ASP.NET Authorization Options
More Information
Enterprise Services Authorization
More Information
SQL Server Authorization
More Information
Gatekeepers and Gates
Introducing .NET Framework Security
Code Access Security
Evidence and Security Policy
CAS and ASP.NET Web Applications
Principals and Identities
The IPrincipal and IIdentity Interfaces
WindowsPrincipal and WindowsIdentity
GenericPrincipal and Associated Identity Objects
ASP.NET and HttpContext.User
ASP.NET Identities
More Information
Remoting and Web Services
Summary
3. Authentication and Authorization Design
Designing an Authentication and Authorization Strategy
Identify Resources
Choose an Authorization Strategy
More Information
Choose the Identities Used for Resource Access
Consider Identity Flow
Choose an Authentication Approach
More Information
Decide How to Flow Identity
More Information
Authorization Approaches
Role Based Authorization
Resource Based Authorization
Resource Access Models
The Trusted Subsystem Model
Fixed Identities
Using Multiple Trusted Identities
The Impersonation / Delegation Model
Choosing a Resource Access Model
Advantage of the Impersonation / Delegation Model
Disadvantages of the Impersonation / Delegation Model
Advantages of the Trusted Subsystem Model
Disadvantages of the Trusted Subsystem Model
Flowing Identity
Application vs. Operating System Identity Flow
Impersonation and Delegation
Impersonation
Delegation
Role-Based Authorization
.NET Roles
.NET Roles with Windows Authentication
.NET Roles with non-Windows Authentication
Custom IPrincipal Objects
More Information
Enterprise Services (COM+) Roles
SQL Server User Defined Database Roles
SQL Server Application Roles
More Information
.NET Roles versus Enterprise Services (COM+) Roles
Using .NET Roles
More Information
Checking Role Membership
Role Checking Examples
Choosing an Authentication Mechanism
Internet Scenarios
Forms / Passport Comparison
Advantages of Forms Authentication
Advantages of Passport Authentication
More Information
Intranet / Extranet Scenarios
Authentication Mechanism Comparison
Summary
4. Secure Communication
Know What to Secure
SSL/TLS
Using SSL
IPSec
Using IPSec
RPC Encryption
Using RPC Encryption
More Information
Point to Point Security
Browser to Web Server
Web Server to Remote Application Server
Application Server to Database Server
Using SSL to SQL Server
More Information
Choosing Between IPSec and SSL
Farming and Load Balancing
More Information
Summary
5. Intranet Security
ASP.NET to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring IIS
Configuring ASP.NET
Configuring SQL Server
Configuring Secure Communication
Analysis
Q&A
Related Scenarios
Non-Internet Explorer Browsers
SQL Authentication to the Database
Flowing the Original Caller to the Database
ASP.NET to Enterprise Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring IIS
Configuring ASP.NET
Configuring Enterprise Services
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
ASP.NET to Web Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring the Web Server (that Hosts the Web Application)
Configuring the Application Server (that Hosts the Web Service)
Configure SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Q&A
Related Scenarios
ASP.NET to Remoting to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring the Web Server
Configure the Application Server
Configure SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
Flowing the Original Caller to the Database
ASP.NET to SQL Server
Using Basic Authentication at the Web Server
Using Integrated Windows Authentication at the Web Server
ASP.NET to Enterprise Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Analysis
Pitfalls
Summary
6. Extranet Security
Exposing a Web Service
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring the Partner Application
Configuring the Extranet Web Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Q&A
Related Scenarios
More Information
Exposing a Web Application
Scenario Characteristics
Secure the Scenario
The Result
Configuring the Extranet Web Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
No Connectivity from Extranet to Corporate Network
More Information
Summary
7. Internet Security
ASP.NET to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configure the Web Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
Forms Authentication against Active Directory
More Information
.NET Roles for Authorization
More Information
Using a Domain Anonymous Account at the Web Server
More Information
ASP.NET to Remote Enterprise Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configure the Web Server
Configure the Application Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
Forms Authentication Against Active Directory
More Information
Using DCOM
More Information
Using .NET Remoting
More Information
Summary
8. ASP.NET Security
ASP.NET Security Architecture
Gatekeepers
IIS
ASP.NET
UrlAuthorizationModule
FileAuthorizationModule
Principal Permission Demands and Explicit Role Checks
More Information
Authentication and Authorization Strategies
Available Authorization Options
Windows Authentication with Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication without Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication Using a Fixed Identity
When to Use
Forms Authentication
Configurable Security
Programmatic Security
When to Use
More Information
Passport Authentication
When to Use
Configuring Security
Configure IIS Settings
Configure ASP.NET Settings
URL Authorization Notes
URL Authorization Examples
Secure Resources
Locking Configuration Settings
Preventing Files from Being Downloaded
Secure Communication
More information
Programming Security
An Authorization Pattern
Retrieve Credentials
Validate Credentials
Put Users in Roles
Create an IPrincipal Object
Put the IPrincipal Object into the Current HTTP Context
Authorize Based on the User Identity and/or Role Membership
More Information
Creating a Custom IPrincipal class
More Information
Windows Authentication
Identifying the Authenticated User
Forms Authentication
Development Steps for Forms Authentication
Configure IIS for Anonymous Access
Configure ASP.NET for Forms Authentication
Create a Logon Web Form and Validate the Supplied Credentials
More Information
Retrieve a Role List from the Custom Data Store
Create a Forms Authentication Ticket
Create an IPrincipal Object
Put the IPrincipal Object into the Current HTTP Context
Authorize the User Based on User Name or Role Membership
Forms Implementation Guidelines
More Information
Hosting Multiple Applications Using Forms Authentication
More Information
Cookieless Forms Authentication
More Information
Passport Authentication
Configure ASP.NET for Passport authentication
Map a Passport Identity into Roles in Global.asax
Test Role Membership
Custom Authentication
More Information
Process Identity for ASP.NET
Use a Least Privileged Account
Avoid Running as SYSTEM
More Information
Domain Controllers and the ASP.NET Process Account
Using the Default ASPNET Account
The <processModel> Element
Storing Encrypted <processModel> Credentials
More Information
Impersonation
Impersonation and Local Resources
Impersonation and Remote Resources
More Information
Impersonation and Threading
Accessing System Resources
Accessing the Event Log
Accessing the Registry
More Information
Accessing COM Objects
Apartment Model Objects
The AspCompat Directive is Required
More Information
Don’t Create COM Objects Outside of Specific Page Events
More Information
C# and VB .NET Objects in COM+
Accessing Network Resources
Using the ASP.NET Process Identity
More Information
Using a Serviced Component
Using the Anonymous Internet User Account
Hosting Multiple Web Applications
Using LogonUser and Impersonating a Specific Windows Identity
Using the Original Caller
More Information
Accessing Files on a UNC File Share
Accessing Non-Windows Network Resources
Secure Communication
More Information
Storing Secrets
Options for Storing Secrets in ASP.NET
More Information
Consider Storing Secrets in Files on Separate Logical Volumes
Securing Session and View State
Securing View State
Securing Cookies
Securing SQL Session State
Securing the Database Connection String
Securing Session State Across the Network
More Information
Web Farm Considerations
Session State
DPAPI
More Information
Using Forms Authentication in a Web Farm
The <machineKey> Element
The validationKey Attribute
The decryptionKey Attribute
The Validation Attribute
More Information
Summary
9. Enterprise Services Security
Security Architecture
Gatekeepers and Gates
Use Server Applications for Increased Security
Security for Server and Library Applications
Assign Roles to Classes, Interfaces, or Methods
Code Access Security Requirements
Configuring Security
Configuring a Server Application
Development Time vs. Deployment Time Configuration
Configure Authentication
Configure Authorization (Component-Level Access Checks)
Create and Assign Roles
Adding Roles to an Application
Adding Roles to a Component (Class)
Adding Roles to an Interface
Adding Roles to a Method
Register Serviced Components
Populate Roles
Use Windows Groups
More Information
Configure Identity
More Information
Configuring an ASP.NET Client Application
Configure Authentication
More Information
Configure Impersonation
More Information
Configuring Impersonation Levels for an Enterprise Services Application
Programming Security
Programmatic Role-Based Security
Identifying Callers
Choosing a Process Identity
Avoid Running as the Interactive User
Use a Least-Privileged Custom Account
Accessing Network Resources
Using the Original Caller
More Information
Using the Current Process Identity
Using a Specific Service Account
Flowing the Original Caller
Calling CoImpersonateClient
More Information
RPC Encryption
More Information
Building Serviced Components
DLL Locking Problems
Versioning
More Information
QueryInterface Exceptions
DCOM and Firewalls
More Information
Calling Serviced Components from ASP.NET
Caller’s Identity
Use Windows Authentication and Impersonation Within the Web-based Application
Configure Authentication and Impersonation within Machine.config
Configuring Interface Proxies
More Information
Security Concepts
Enterprise Services (COM+) Roles and .NET Roles
Authentication
Authentication Level Promotion
Authentication Level Negotiation
More Information
Impersonation
Cloaking
More Information
Summary
10. Web Services Security
Web Service Security Model
Platform/Transport Level (Point-to-Point) Security
When to Use
Application Level Security
When to Use
Message Level (End-to-End) Security
When to Use
The Web Services Development Kit
More Information
Platform/Transport Security Architecture
Gatekeepers
More Information
Authentication and Authorization Strategies
Windows Authentication with Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication without Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication Using a Fixed Identity
When to Use
More Information
Configuring Security
Configure IIS Settings
Configure ASP.NET Settings
More Information
Secure Resources
Disable HTTP-GET, HTTP-POST
More Information
Secure Communication
More information
Passing Credentials for Authentication to Web Services
Specifying Client Credentials for Windows Authentication
Using DefaultCredentials
Using Specific Credentials
Request a Specific Authentication Type
Set the PreAuthenticate Property
Using the ConnectionGroupName Property
Calling Web Services from Non-Windows Clients
Proxy Server Authentication
Flowing the Original Caller
Default Credentials with Kerberos Delegation
Configuring the Web Server
Configuring the Remote Application Server
More Information
Explicit Credentials with Basic or Forms Authentication
Basic Authentication
Forms Authentication
Configuring the Web Server
Configuring the Application Server
Trusted Subsystem
Flowing the Caller’s Identity
Configuration Steps
Configuring the Web Server
Configuring the Application Server
Accessing System Resources
Accessing Network Resources
Accessing COM Objects
More Information
Using Client Certificates with Web Services
Authenticating Web Browser Clients with Certificates
Using the Trusted Subsystem Model
Solution Implementation
Why Use an Additional Process?
More Information
Secure Communication
Transport Level Options
Message Level Options
More Information
Summary
11. .NET Remoting Security
.NET Remoting Architecture
Remoting Sinks
Transport Channel Sinks
Comparing Transport Channel Sinks
Custom Sinks
Formatter Sinks
Anatomy of a Request When Hosting in ASP.NET
ASP.NET and the HTTP Channel
More Information
.NET Remoting Gatekeepers
Authentication
Hosting in ASP.NET
Hosting in a Windows Service
Custom Authentication
More Information
Authorization
Using File Authorization
More Information
Authentication and Authorization Strategies
More Information
Accessing System Resources
Accessing Network Resources
Passing Credentials for Authentication to Remote Objects
Specifying Client Credentials
Using DefaultCredentials
Explicit Configuration
Programmatic Configuration
Using Specific Credentials
Request a Specific Authentication Type
Set the preauthenticate Property
Using the connectiongroupname Property
Flowing the Original Caller
Default Credentials with Kerberos Delegation
Configuring the Web Server
Configuring the Remote Application Server
More Information
Explicit Credentials with Basic or Forms Authentication
Basic Authentication
Forms Authentication
Configuring the Web Server
Configuring the Application Server
Trusted Subsystem
Flowing the Caller’s Identity
Choosing a Host
Configuration Steps
Configuring the Web Server
Configuring the Application Server
Using a Windows Service Host
Secure Communication
Platform Level Options
Message Level Options
More Information
Choosing a Host Process
Recommendation
Hosting in ASP.NET
Advantages
Disadvantages
Hosting in a Windows Service
Advantages
Disadvantages
Hosting in a Console Application
Advantages
Disadvantages
Remoting vs. Web Services
Summary
12. Data Access Security
Introducing Data Access Security
SQL Server Gatekeepers
Trusted Subsystem vs. Impersonation/Delegation
Authentication
Windows Authentication
More Information
Using Windows Authentication
Recommendation
Using the ASP.NET Process Identity
Use Mirrored ASPNET Local Accounts
Use Mirrored, Custom Local Accounts
Use a Custom Domain Account
Implementing Mirrored ASPNET Process Identity
Connecting to SQL Server Using Windows Authentication
Using Fixed Identities within ASP.NET
Using Serviced Components
Calling LogonUser and Impersonating a Specific Windows Identity
Using the Original Caller’s Identity
Using the Anonymous Internet User Account
More Information
When Can’t You Use Windows Authentication?
SQL Authentication
Connection String Types
More Information
Choosing a SQL Account for Your Connections
Passing Credentials over the Network
Securing SQL Connection Strings
Authenticating Against Non-SQL Server Databases
Authorization
Using Multiple Database Roles
Secure Communication
The Options
Choosing an Approach
More Information
Connecting with Least Privilege
The Database Trusts the Application
The Database Trusts Different Roles
The Database Trusts the Original Caller
Creating a Least Privilege Database Account
Storing Database Connection Strings Securely
The Options
Using DPAPI
Why Not LSA?
Machine Store vs. User Store
DPAPI Implementation Solutions
Using DPAPI from Enterprise Services
Using DPAPI Directly from ASP.NET
More Information
Using Web.config and Machine.config
Using UDL Files
ACL Granularity
More Information
Using Custom Text Files
Using the Registry
More Information
Using the COM+ Catalog
More Information
Authenticating Users against a Database
Store One-way Password Hashes (with Salt)
Creating a Salt Value
Creating a Hash Value (with Salt)
More Information
SQL Injection Attacks
The Problem
Anatomy of a SQL Script Injection Attack
The Solution
Additional Best Practices
Protecting Pattern Matching Statements
Auditing
Process Identity for SQL Server
Summary
13. Troubleshooting Security Issues
Process for Troubleshooting
Searching for Implementation Solutions
Troubleshooting Authentication Issues
IIS Authentication Issues
Using Windows Authentication
Using Forms Authentication
Kerberos Troubleshooting
Troubleshooting Authorization Issues
Check Windows ACLs
Check Identity
More Information
Check the <authorization> Element
ASP.NET
Enable Tracing
More Information
Configuration Settings
Determining Identity
Determining Identity in a Web Page
Determining Identity in a Web service
More Information
Determining Identity in a Visual Basic 6 COM Object
.NET Remoting
More Information
SSL
More Information
IPSec
Auditing and Logging
Windows Security Logs
More Information
SQL Server Auditing
Sample Log Entries
IIS Logging
Troubleshooting Tools
File Monitor (FileMon.exe)
More Information
Fusion Log Viewer (Fuslogvw.exe)
ISQL.exe
Connecting Using SQL Authentication
Connecting Using Windows Authentication
Running a Simple Query
Windows Task Manager
Network Monitor (NetMon.exe)
More Information
Registry Monitor (regmon.exe)
WFetch.exe
More Information
Visual Studio .NET Tools
More Information
WebServiceStudio
Windows 2000 Resource Kit
Index of How Tos
ASP.NET
Authentication and Authorization
Cryptography
Enterprise Services Security
Web Services Security
Remoting Security
Secure Communication
How To: Create a Custom Account to Run ASP.NET
ASP.NET Worker Process Identity
Impersonating Fixed Identities
Notes
Summary
1. Create a New Local Account
2. Assign Minimum Privileges
3. Assign NTFS Permissions
4. Configure ASP.NET to Run Using the New Account
How To: Use Forms Authentication with Active Directory
Requirements
Summary
1. Create a Web Application with a Logon Page
2. Configure the Web Application for Forms Authentication
3. Develop LDAP Authentication Code to Look Up the User in Active Directory
4. Develop LDAP Group Retrieval Code to Look Up the User’s Group Membership
5. Authenticate the User and Create a Forms Authentication Ticket
6. Implement an Authentication Request Handler to Construct a GenericPrincipal Object
7. Test the Application
How To: Use Forms Authentication with SQL Server 2000
Requirements
Summary
1. Create a Web Application with a Logon Page
2. Configure the Web Application for Forms Authentication
3. Develop Functions to Generate a Hash and Salt value
4. Create a User Account Database
5. Use ADO.NET to Store Account Details in the Database
6. Authenticate User Credentials Against the Database
7. Test the Application
Additional Resources
How To: Create GenericPrincipal Objects with Forms Authentication
Requirements
Summary
1. Create a Web Application with a Logon Page
2. Configure the Web Application for Forms Authentication
3. Generate an Authentication Ticket for Authenticated Users
4. Construct GenericPrincipal and FormsIdentity Objects
5. Test the Application
Additional Resources
How To: Implement Kerberos Delegation for Windows 2000
Notes
Requirements
Summary
1. Confirm that the Client Account is Configured for Delegation
2. Confirm that the Server Process Account is Trusted for Delegation
References
How To: Implement IPrincipal
Requirements
Summary
1. Create a Simple Web Application
2. Configure the Web Application for Forms Authentication
3. Generate an Authentication Ticket for Authenticated Users
4. Create a Class that Implements and Extends IPrincipal
5. Create the CustomPrincipal Object
5. Test the Application
Additional Resources
How To: Create a DPAPI Library
Notes
Requirements
Summary
1. Create a C# Class Library
2. Strong Name the Assembly (Optional)
References
How To: Use DPAPI (Machine Store) from ASP.NET
Notes
Requirements
Summary
1. Create an ASP.NET Client Web Application
2. Test the Application
3. Modify the Web Application to Read an Encrypted Connection String from Web.Config
References
How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
Notes
Why Use Enterprise Services?
Why Use a Windows Service?
Requirements
Summary
1. Create a Serviced Component that Provides Encrypt and Decrypt Methods
2. Call the Managed DPAPI Class Library
3. Create a Dummy Class that will Launch the Serviced Component
4. Create a Windows Account to Run the Enterprise Services Application and Windows Service
5. Configure, Strong Name, and Register the Serviced Component
6. Create a Windows Service Application that will Launch the Serviced Component
7. Install and Start the Windows Service Application
8. Write a Web Application to Test the Encryption and Decryption Routines
9. Modify the Web Application to Read an Encrypted Connection String from an Application Configuration File
References
How To: Create an Encryption Library
Requirements
Summary
1. Create a C# Class Library
2. Create a Console Test Application
References
How To: Store an Encrypted Connection String in the Registry
Notes
Requirements
Summary
1. Store the Encrypted Data in the Registry
2. Create an ASP.NET Web Application
References
How To: Use Role-based Security with Enterprise Services
Notes
Requirements
Summary
1. Create a C# Class Library Application to Host the Serviced Component
2. Create the Serviced Component
3. Configure the Serviced Component
4. Generate a Strong Name for the Assembly
5. Build the Assembly and Add it to the Global Assembly Cache
6. Manually Register the Serviced Component
7. Examine the Configured Application
8. Create a Test Client Application
How To: Call a Web Service Using Client Certificates from ASP.NET
Why Use a Serviced Component?
Why is a User Profile Required?
Requirements
Summary
1. Create a Simple Web Service
2. Configure the Web Service Virtual Directory to Require Client Certificates
3. Create a Custom Account for Running the Serviced Component
4. Request a Client Certificate for the Custom Account
5. Test the Client Certificate Using a Browser
6. Export the Client Certificate to a File
7. Develop the Serviced Component Used to Call the Web Service
8. Configure and Install the Serviced Component
9. Develop a Web Application to Call the Serviced Component
Additional Resources
How To: Call a Web Service Using SSL
Requirements
Summary
1. Create a Simple Web Service
2. Configure the Web Service Virtual Directory to Require SSL
3. Test the Web Service Using a Browser
4. Install the Certificate Authority’s Certificate on the Client Computer
5. Develop a Web Application to Call the Web Service
Additional Resources
How To: Host a Remote Object in a Windows Service
Notes
Requirements
Summary
1. Create the Remote Object Class
2. Create a Windows Service Host Application
3. Create a Windows Account to Run the Service
4. Install the Windows Service
5. Create a Test Client Application
References
How To: Set Up SSL on a Web Server
Requirements
Summary
1. Generate a Certificate Request
2. Submit a Certificate Request
3. Issue the Certificate
4. Install the Certificate on the Web Server
5. Configure Resources to Require SSL Access
How To: Set Up Client Certificates
Requirements
Summary
1. Create a Simple Web Application
2. Configure the Web Application to Require Client Certificates
3. Request and Install a Client Certificate
4. Verify Client Certificate Operation
Additional Resources
How To: Use IPSec to Provide Secure Communication Between Two Servers
Notes
Requirements
Summary
1. Create an IP Filter
2. Create Filter Actions
3. Create Rules
4. Export the IPSec Policy to the Remote Computer
5. Assign Policies
6. Verify that it Works
Additional Resources
How To: Use SSL to Secure Communication with SQL Server 2000
Notes
Requirements
Summary
1. Install a Server Authentication Certificate
2. Verify that the Certificate Has Been Installed
3. Install the Issuing CA’s Certificate on the Client
4. Force All Clients to Use SSL
5. Allow Clients to Determine Whether to Use SSL
6. Verify that Communication is Encrypted
Additional Resources
Base Configuration
Configuration Stores and Tools
Reference Hub
Searching the Knowledge Base
Tips
.NET Security
Hubs
Active Directory
Hubs
Key Notes
Articles
ADO.NET
Roadmaps and Overviews
Seminars and WebCasts
ASP.NET
Hubs
Roadmaps and Overviews
Knowledge Base
Articles
How Tos
Seminars and WebCasts
Enterprise Services
Knowledge Base
Roadmaps and Overviews
How Tos
FAQs
Seminars and WebCasts
IIS (Internet Information Server)
Hubs
Remoting
Roadmaps and Overviews
How Tos
Seminars and WebCasts
SQL Server
Hubs
Seminars and WebCasts
Visual Studio .NET
Hubs
Roadmaps and Overviews:
Web Services
Hubs
Roadmaps and Overviews
How Tos
Seminars and WebCasts
Windows 2000
Hubs
How Does It Work?
IIS and ASP.NET Processing
Application Isolation
The ASP.NET ISAPI Extension
IIS 6.0 and Windows .NET Server
More Information
ASP.NET Pipeline Processing
The Anatomy of a Web Request
Forms Authentication Processing
Windows Authentication Processing
Event Handling
Implementing a Custom HTTP Module
Implementing a Custom HTTP Handler
ASP.NET Identity Matrix
Cryptography and Certificates
Keys and Certificates
X.509 Digital Certificates
Certificate Stores
More Information
Cryptography
Technical Choices
Cryptography in .NET
Symmetric Algorithm Support
Asymmetric Algorithm Support
Hashing Algorithm Support
Summary
.NET Web Application Security
Glossary
Microsoft® patterns & practices
Index
About the Author
Copyright
Search in book...
Toggle Font Controls
Playlists
Add To
Create new playlist
Name your new playlist
Playlist description (optional)
Cancel
Create playlist
Sign In
Email address
Password
Forgot Password?
Create account
Login
or
Continue with Facebook
Continue with Google
Sign Up
Full Name
Email address
Confirm Email Address
Password
Login
Create account
or
Continue with Facebook
Continue with Google
Prev
Previous Chapter
Index
Next
Next Chapter
Index
I
identities,
Gatekeepers and Gates
,
Evidence and Security Policy
,
WindowsPrincipal and WindowsIdentity
,
WindowsPrincipal and WindowsIdentity
,
ASP.NET and HttpContext.User
,
Choose an Authorization Strategy
,
The Trusted Subsystem Model
,
Disadvantages of the Trusted Subsystem Model
,
Role Checking Examples
,
Create an IPrincipal Object
,
Passport Authentication
,
Accessing Network Resources
,
Identifying Callers
,
Calling Serviced Components from ASP.NET
,
Security Concepts
,
Introducing Data Access Security
,
Trusted Subsystem vs. Impersonation/Delegation
,
Connecting to SQL Server Using Windows Authentication
,
Auditing
,
Troubleshooting Security Issues
,
Using Forms Authentication
,
Determining Identity
,
Determining Identity in a Web service
,
Determining Identity in a Web service
,
Fusion Log Viewer (Fuslogvw.exe)
,
ASP.NET Identity Matrix
.NET Framework security and,
Gatekeepers and Gates
ASP.NET,
ASP.NET and HttpContext.User
,
ASP.NET Identity Matrix
authentication and,
Role Checking Examples
authorization and,
Create an IPrincipal Object
choosing, for resource access,
Choose an Authorization Strategy
data access,
Introducing Data Access Security
,
Trusted Subsystem vs. Impersonation/Delegation
determining, in Visual Basic 6 COM objects,
Determining Identity in a Web service
determining, in Web pages,
Determining Identity
determining, in Web services,
Determining Identity in a Web service
Enterprise Services,
Identifying Callers
,
Calling Serviced Components from ASP.NET
,
Security Concepts
fixed.,
Connecting to SQL Server Using Windows Authentication
(see )
flowing.,
Disadvantages of the Trusted Subsystem Model
(see )
GenericPrincipal objects,
WindowsPrincipal and WindowsIdentity
(see also )
multiple trusted,
The Trusted Subsystem Model
Passport authentication,
Passport Authentication
principals and,
Evidence and Security Policy
(see also )
process.,
Accessing Network Resources
(see )
SQL Server process,
Auditing
troubleshooting,
Troubleshooting Security Issues
,
Using Forms Authentication
,
Fusion Log Viewer (Fuslogvw.exe)
WindowsIdentity,
WindowsPrincipal and WindowsIdentity
identity flow,
Design Principles
,
Choose the Identities Used for Resource Access
,
Choose an Authentication Approach
,
Disadvantages of the Trusted Subsystem Model
,
Disadvantages of the Trusted Subsystem Model
,
Choosing an Authentication Mechanism
,
Using Integrated Windows Authentication at the Web Server
,
Flowing the Caller’s Identity
.NET remoting and,
Flowing the Caller’s Identity
application vs. operating system,
Disadvantages of the Trusted Subsystem Model
authentication and,
Choosing an Authentication Mechanism
gatekeepers and,
Design Principles
impersonation and delegation for,
Disadvantages of the Trusted Subsystem Model
(see also )
original caller.,
Using Integrated Windows Authentication at the Web Server
(see )
strategies for,
Choose the Identities Used for Resource Access
,
Choose an Authentication Approach
identity matrix, ASP.NET,
ASP.NET Identity Matrix
IIdentity interface,
The IPrincipal and IIdentity Interfaces
,
Choose the Identities Used for Resource Access
,
.NET Roles with Windows Authentication
IIS (Internet Information Services),
Design Principles
,
Security Across the Tiers
,
Authentication
,
More Information
,
Impersonation
,
Impersonation
,
Security Configuration Steps
,
Security Configuration Steps
,
Configuring the Web Server (that Hosts the Web Application)
,
Security Configuration Steps
,
Security Configuration Steps
,
Security Configuration Steps
,
The Result
,
The Result
,
Configure the Web Server
,
Configure the Web Server
,
ASP.NET Security
,
ASP.NET Security Architecture
,
Configuring Security
,
Configure IIS Settings
,
Creating a Custom IPrincipal class
,
Development Steps for Forms Authentication
,
Platform/Transport Security Architecture
,
Configuring Security
,
Flowing the Original Caller
,
Forms Authentication
,
Configuring the Web Server
,
Flowing the Caller’s Identity
,
Configuring the Web Server
,
ASP.NET and the HTTP Channel
,
Flowing the Original Caller
,
Configuring the Web Server
,
Configuring the Web Server
,
Configuring the Web Server
,
Choosing a Host
,
Configuring the Web Server
,
Searching for Implementation Solutions
,
SQL Server Auditing
,
Windows Task Manager
,
Configuration Stores and Tools
,
How Tos
,
How Does It Work?
,
ASP.NET Identity Matrix
,
.NET Web Application Security
ASP.NET processing and,
ASP.NET Security
,
How Does It Work?
authentication settings,
ASP.NET Identity Matrix
configuration stores and tools,
Configuration Stores and Tools
configuring security,
Configuring Security
,
Configure IIS Settings
configuring, for .NET remoting,
Flowing the Original Caller
,
Configuring the Web Server
,
Configuring the Web Server
,
Configuring the Web Server
,
Choosing a Host
,
Configuring the Web Server
configuring, for anonymous access,
Development Steps for Forms Authentication
configuring, for Web services,
Configuring Security
,
Flowing the Original Caller
,
Forms Authentication
,
Configuring the Web Server
,
Flowing the Caller’s Identity
,
Configuring the Web Server
delegation,
Impersonation
extranet settings,
Security Configuration Steps
,
The Result
gatekeepers and gates,
More Information
,
ASP.NET Security Architecture
,
Platform/Transport Security Architecture
,
ASP.NET and the HTTP Channel
Internet settings,
The Result
,
Configure the Web Server
,
Configure the Web Server
intranet settings,
Security Configuration Steps
,
Security Configuration Steps
,
Configuring the Web Server (that Hosts the Web Application)
,
Security Configuration Steps
,
Security Configuration Steps
logging,
SQL Server Auditing
reference information,
How Tos
security options,
Design Principles
,
Security Across the Tiers
,
.NET Web Application Security
troubleshooting,
Searching for Implementation Solutions
,
Windows Task Manager
Windows authentication and,
Authentication
,
Impersonation
,
Creating a Custom IPrincipal class
imperative principal permission demands,
Programmatic Security
,
Configurable Security
,
Configurable Security
,
Configurable Security
,
Configurable Security
imperative role checks,
Checking Role Membership
impersonation.,
Disadvantages of the Trusted Subsystem Model
,
Disadvantages of the Trusted Subsystem Model
,
Analysis
,
Available Authorization Options
,
Windows Authentication with Impersonation
,
When to Use
,
More Information
,
Configure IIS Settings
,
More Information
,
Using the Anonymous Internet User Account
,
Hosting Multiple Web Applications
,
Security Architecture
,
Security for Server and Library Applications
,
Security for Server and Library Applications
,
Configure Authentication
,
Configure Authentication
,
Calling Serviced Components from ASP.NET
,
Calling Serviced Components from ASP.NET
,
Security Concepts
,
Authentication Level Negotiation
,
More Information
,
When to Use
,
Configure ASP.NET Settings
,
Connecting to SQL Server Using Windows Authentication
,
Using the Anonymous Internet User Account
,
ASP.NET Worker Process Identity
(see also )
ASP.NET security and,
More Information
authorization options and,
Available Authorization Options
configuring,
Configure IIS Settings
,
Configure Authentication
delegation and,
Disadvantages of the Trusted Subsystem Model
(see also )
Enterprise Services,
Security Architecture
,
Security for Server and Library Applications
,
Configure Authentication
,
Security Concepts
,
Authentication Level Negotiation
intranet security and,
Analysis
library applications and,
Security for Server and Library Applications
of anonymous accounts,
Using the Anonymous Internet User Account
of fixed identities,
More Information
,
Connecting to SQL Server Using Windows Authentication
,
ASP.NET Worker Process Identity
of specific Windows identity using LogonUser API,
Hosting Multiple Web Applications
,
Using the Anonymous Internet User Account
serviced components and,
Calling Serviced Components from ASP.NET
Web services,
Configure ASP.NET Settings
Windows authentication with,
Windows Authentication with Impersonation
,
Calling Serviced Components from ASP.NET
,
More Information
Windows authentication without,
When to Use
,
When to Use
impersonation/delegation model,
Choose the Identities Used for Resource Access
,
Choose an Authentication Approach
,
Using Multiple Trusted Identities
,
The Impersonation / Delegation Model
,
Authentication and Authorization Strategies
,
SQL Server Gatekeepers
(see also , )
.NET remoting and,
Authentication and Authorization Strategies
advantages and disadvantages,
The Impersonation / Delegation Model
authentication and,
Choose the Identities Used for Resource Access
identity flow and,
Choose an Authentication Approach
trusted subsystem model vs.,
SQL Server Gatekeepers
implementation solutions,
Process for Troubleshooting
(see also , )
implementation technologies,
Implementation Technologies
(see also )
input, user,
Design Principles
,
SQL Injection Attacks
,
How To: Use Forms Authentication with SQL Server 2000
filtering,
Design Principles
,
SQL Injection Attacks
validating,
How To: Use Forms Authentication with SQL Server 2000
installing,
Accessing System Resources
,
Install the Certificate Authority’s Certificate on the Client Computer
,
Create a Windows Service Host Application
,
Create a Windows Account to Run the Service
,
Submit a Certificate Request
,
Configure the Web Application to Require Client Certificates
,
Requirements
,
Verify that the Certificate Has Been Installed
,
Verify that the Certificate Has Been Installed
applications,
Accessing System Resources
client certificates,
Install the Certificate Authority’s Certificate on the Client Computer
,
Configure the Web Application to Require Client Certificates
,
Verify that the Certificate Has Been Installed
server certificates,
Submit a Certificate Request
,
Requirements
,
Verify that the Certificate Has Been Installed
Windows services,
Create a Windows Service Host Application
,
Create a Windows Account to Run the Service
InstallUtil.exe tool,
Accessing System Resources
,
Create a Windows Service Application that will Launch the Serviced Component
,
Create a Windows Service Host Application
,
Create a Windows Account to Run the Service
Integrated Windows authentication,
Authentication
,
ASP.NET to SQL Server
,
Searching for Implementation Solutions
,
ASP.NET Identity Matrix
intranet original caller identity flow and,
ASP.NET to SQL Server
troubleshooting,
Searching for Implementation Solutions
Web.config settings,
ASP.NET Identity Matrix
Windows authentication and,
Authentication
integrity,
Authorization
,
Secure Communication
,
Using Multiple Database Roles
,
How To: Call a Web Service Using SSL
,
How To: Use IPSec to Provide Secure Communication Between Two Servers
,
Certificate Stores
(see also )
interactive user, Enterprise Services and,
Identifying Callers
interfaces,
The IPrincipal and IIdentity Interfaces
,
Choose the Identities Used for Resource Access
,
.NET Roles with Windows Authentication
,
Security for Server and Library Applications
,
Adding Roles to an Application
,
Calling Serviced Components from ASP.NET
adding roles to,
Adding Roles to an Application
assigning roles to,
Security for Server and Library Applications
configuring proxies for,
Calling Serviced Components from ASP.NET
IPrincipal and IIdentity,
The IPrincipal and IIdentity Interfaces
,
Choose the Identities Used for Resource Access
,
.NET Roles with Windows Authentication
(see also )
Internet Explorer,
Authentication
,
Choosing an Authentication Mechanism
,
Test the Client Certificate Using a Browser
,
Configure the Web Service Virtual Directory to Require SSL
(see also )
Internet Information Services.,
SQL Server Auditing
(see )
Internet Protocol Security.,
How To: Use IPSec to Provide Secure Communication Between Two Servers
(see )
Internet security,
Introduction
,
Internet Scenarios
,
Internet Security
,
Internet Security
,
Internet Security
,
More Information
,
Programmatic Security
,
Using a Serviced Component
,
Using Fixed Identities within ASP.NET
anonymous user account,
Using a Serviced Component
,
Using Fixed Identities within ASP.NET
ASP.NET to Remote Enterprise Services to SQL Server,
More Information
ASP.NET to SQL Server,
Internet Security
authentication,
Internet Scenarios
connected landscape and,
Introduction
Forms authentication,
Programmatic Security
scenarios,
Internet Security
Intranet security,
Introduction
,
Advantages of Passport Authentication
,
Intranet Security
,
Intranet Security
,
Intranet Security
,
SQL Authentication to the Database
,
Pitfalls
,
Related Scenarios
,
Related Scenarios
,
Disadvantages
.NET remoting vs. Web services,
Disadvantages
ASP.NET to Enterprise Services to SQL Server,
SQL Authentication to the Database
ASP.NET to Remoting to SQL Server,
Related Scenarios
ASP.NET to SQL Server,
Intranet Security
ASP.NET to Web Services to SQL Server,
Pitfalls
authentication,
Advantages of Passport Authentication
connected landscape and,
Introduction
flowing original callers to database,
Related Scenarios
scenarios,
Intranet Security
IPrincipal interface implementations,
The IPrincipal and IIdentity Interfaces
,
Choose the Identities Used for Resource Access
,
Delegation
,
.NET Roles with Windows Authentication
,
Checking Role Membership
,
Principal Permission Demands and Explicit Role Checks
,
Principal Permission Demands and Explicit Role Checks
,
An Authorization Pattern
,
Create an IPrincipal Object
,
More Information
,
Create an IPrincipal Object
,
Create an IPrincipal Object
,
Using the connectiongroupname Property
,
Hosting in a Windows Service
,
Check Identity
,
How To: Implement IPrincipal
,
How To: Implement IPrincipal
,
How To: Implement IPrincipal
,
How To: Implement IPrincipal
,
Create a Simple Web Application
,
Generate an Authentication Ticket for Authenticated Users
,
Generate an Authentication Ticket for Authenticated Users
,
Create a Class that Implements and Extends IPrincipal
,
Create the CustomPrincipal Object
,
ASP.NET Identity Matrix
.NET remoting and,
Using the connectiongroupname Property
,
Hosting in a Windows Service
.NET roles and,
Delegation
,
Checking Role Membership
configuring Forms authentication,
Create a Simple Web Application
creating,
An Authorization Pattern
,
Create an IPrincipal Object
,
Generate an Authentication Ticket for Authenticated Users
creating custom,
.NET Roles with Windows Authentication
,
More Information
,
Create a Class that Implements and Extends IPrincipal
creating simple Web application,
How To: Implement IPrincipal
custom identities and,
Choose the Identities Used for Resource Access
generating authentication ticket,
Generate an Authentication Ticket for Authenticated Users
identity and,
ASP.NET Identity Matrix
IIdentity interface and,
The IPrincipal and IIdentity Interfaces
principal permission demands and,
Principal Permission Demands and Explicit Role Checks
(see also )
putting, into current HTTP context,
Principal Permission Demands and Explicit Role Checks
,
Create an IPrincipal Object
,
Create an IPrincipal Object
,
Check Identity
reasons for,
How To: Implement IPrincipal
requirements,
How To: Implement IPrincipal
testing,
Create the CustomPrincipal Object
IPSec (Internet Protocol Security),
Implementation Technologies
,
Security Architecture
,
Secure Communication
,
IPSec
,
Choosing Between IPSec and SSL
,
Preventing Files from Being Downloaded
,
Accessing Non-Windows Network Resources
,
Secure Communication
,
SSL
,
How To: Use IPSec to Provide Secure Communication Between Two Servers
,
How To: Use IPSec to Provide Secure Communication Between Two Servers
,
Notes
,
Notes
,
Summary
,
Create Filter Actions
,
Create Rules
,
Create Rules
,
Create Rules
,
Verify that it Works
,
How To: Use SSL to Secure Communication with SQL Server 2000
(see also )
as implementation technology,
Implementation Technologies
,
Security Architecture
ASP.NET security and,
Accessing Non-Windows Network Resources
assigning policies,
Create Rules
configuration for,
How To: Use IPSec to Provide Secure Communication Between Two Servers
configuring,
Preventing Files from Being Downloaded
creating filter actions,
Create Filter Actions
creating IP filter,
Summary
creating rules,
Create Rules
exporting policy to remote computer,
Create Rules
issues,
IPSec
,
Secure Communication
,
Notes
requirements,
Notes
SSL vs.,
Secure Communication
,
Choosing Between IPSec and SSL
,
How To: Use SSL to Secure Communication with SQL Server 2000
troubleshooting,
SSL
verifying,
Verify that it Works
IPSec Monitor (Ipsecmon.exe),
IPSec
ISAPI extension,
Configure ASP.NET Settings
,
Locking Configuration Settings
,
Using the Default ASPNET Account
,
Formatter Sinks
,
How Does It Work?
isolation, application,
IIS and ASP.NET Processing
ISQL.exe,
Fusion Log Viewer (Fuslogvw.exe)
IUSR_MACHINENAME account,
ASP.NET Authentication Modes
,
ASP.NET and HttpContext.User
,
IIS Authentication Issues
,
Check Identity
,
ASP.NET Worker Process Identity
Add Highlight
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click
here
login for view all page.
Day Mode
Cloud Mode
Night Mode
Reset