- Building Secure Microsoft ASP.NET Applications: Authentication, Authorization, and Secure Communication
- A Note Regarding Supplemental Files
- Acknowledgements
- Preface
- 1. Introduction
- 2. Security Model for ASP.NET Applications
- .NET Web Applications
- Implementation Technologies
- Security Architecture
- Introducing .NET Framework Security
- Summary
- 3. Authentication and Authorization Design
- Designing an Authentication and Authorization Strategy
- Authorization Approaches
- Flowing Identity
- Role-Based Authorization
- Choosing an Authentication Mechanism
- Summary
- 4. Secure Communication
- 5. Intranet Security
- 6. Extranet Security
- 7. Internet Security
- ASP.NET to SQL Server
- ASP.NET to Remote Enterprise Services to SQL Server
- Summary
- 8. ASP.NET Security
- ASP.NET Security Architecture
- Authentication and Authorization Strategies
- Configuring Security
- Programming Security
- Windows Authentication
- Forms Authentication
- Development Steps for Forms Authentication
- Configure IIS for Anonymous Access
- Configure ASP.NET for Forms Authentication
- Create a Logon Web Form and Validate the Supplied Credentials
- Retrieve a Role List from the Custom Data Store
- Create a Forms Authentication Ticket
- Create an IPrincipal Object
- Put the IPrincipal Object into the Current HTTP Context
- Authorize the User Based on User Name or Role Membership
- Forms Implementation Guidelines
- Hosting Multiple Applications Using Forms Authentication
- Cookieless Forms Authentication
- Development Steps for Forms Authentication
- Passport Authentication
- Custom Authentication
- Process Identity for ASP.NET
- Impersonation
- Accessing System Resources
- Accessing COM Objects
- Accessing Network Resources
- Secure Communication
- Storing Secrets
- Securing Session and View State
- Web Farm Considerations
- Summary
- 9. Enterprise Services Security
- Security Architecture
- Configuring Security
- Configuring a Server Application
- Configuring an ASP.NET Client Application
- Configuring Impersonation Levels for an Enterprise Services Application
- Programming Security
- Choosing a Process Identity
- Accessing Network Resources
- Flowing the Original Caller
- RPC Encryption
- Building Serviced Components
- DCOM and Firewalls
- Calling Serviced Components from ASP.NET
- Security Concepts
- Summary
- 10. Web Services Security
- Web Service Security Model
- Platform/Transport Security Architecture
- Authentication and Authorization Strategies
- Configuring Security
- Passing Credentials for Authentication to Web Services
- Flowing the Original Caller
- Trusted Subsystem
- Accessing System Resources
- Accessing Network Resources
- Accessing COM Objects
- Using Client Certificates with Web Services
- Secure Communication
- Summary
- 11. .NET Remoting Security
- .NET Remoting Architecture
- .NET Remoting Gatekeepers
- Authentication
- Authorization
- Authentication and Authorization Strategies
- Accessing System Resources
- Accessing Network Resources
- Passing Credentials for Authentication to Remote Objects
- Flowing the Original Caller
- Trusted Subsystem
- Secure Communication
- Choosing a Host Process
- Remoting vs. Web Services
- Summary
- 12. Data Access Security
- Introducing Data Access Security
- Authentication
- Windows Authentication
- More Information
- Using Windows Authentication
- Recommendation
- Using the ASP.NET Process Identity
- Using Fixed Identities within ASP.NET
- Using Serviced Components
- Calling LogonUser and Impersonating a Specific Windows Identity
- Using the Original Caller’s Identity
- Using the Anonymous Internet User Account
- When Can’t You Use Windows Authentication?
- SQL Authentication
- Authenticating Against Non-SQL Server Databases
- Windows Authentication
- Authorization
- Secure Communication
- Connecting with Least Privilege
- Creating a Least Privilege Database Account
- Storing Database Connection Strings Securely
- Authenticating Users against a Database
- SQL Injection Attacks
- Auditing
- Process Identity for SQL Server
- Summary
- 13. Troubleshooting Security Issues
- Process for Troubleshooting
- Troubleshooting Authentication Issues
- Troubleshooting Authorization Issues
- ASP.NET
- Determining Identity
- .NET Remoting
- SSL
- IPSec
- Auditing and Logging
- Troubleshooting Tools
- Index of How Tos
- How To: Create a Custom Account to Run ASP.NET
- How To: Use Forms Authentication with Active Directory
- Requirements
- Summary
- 1. Create a Web Application with a Logon Page
- 2. Configure the Web Application for Forms Authentication
- 3. Develop LDAP Authentication Code to Look Up the User in Active Directory
- 4. Develop LDAP Group Retrieval Code to Look Up the User’s Group Membership
- 5. Authenticate the User and Create a Forms Authentication Ticket
- 6. Implement an Authentication Request Handler to Construct a GenericPrincipal Object
- 7. Test the Application
- How To: Use Forms Authentication with SQL Server 2000
- Requirements
- Summary
- 1. Create a Web Application with a Logon Page
- 2. Configure the Web Application for Forms Authentication
- 3. Develop Functions to Generate a Hash and Salt value
- 4. Create a User Account Database
- 5. Use ADO.NET to Store Account Details in the Database
- 6. Authenticate User Credentials Against the Database
- 7. Test the Application
- Additional Resources
- How To: Create GenericPrincipal Objects with Forms Authentication
- How To: Implement Kerberos Delegation for Windows 2000
- How To: Implement IPrincipal
- Requirements
- Summary
- 1. Create a Simple Web Application
- 2. Configure the Web Application for Forms Authentication
- 3. Generate an Authentication Ticket for Authenticated Users
- 4. Create a Class that Implements and Extends IPrincipal
- 5. Create the CustomPrincipal Object
- 5. Test the Application
- Additional Resources
- How To: Create a DPAPI Library
- How To: Use DPAPI (Machine Store) from ASP.NET
- How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
- Notes
- Requirements
- Summary
- 1. Create a Serviced Component that Provides Encrypt and Decrypt Methods
- 2. Call the Managed DPAPI Class Library
- 3. Create a Dummy Class that will Launch the Serviced Component
- 4. Create a Windows Account to Run the Enterprise Services Application and Windows Service
- 5. Configure, Strong Name, and Register the Serviced Component
- 6. Create a Windows Service Application that will Launch the Serviced Component
- 7. Install and Start the Windows Service Application
- 8. Write a Web Application to Test the Encryption and Decryption Routines
- 9. Modify the Web Application to Read an Encrypted Connection String from an Application Configuration File
- References
- How To: Create an Encryption Library
- How To: Store an Encrypted Connection String in the Registry
- How To: Use Role-based Security with Enterprise Services
- Notes
- Requirements
- Summary
- 1. Create a C# Class Library Application to Host the Serviced Component
- 2. Create the Serviced Component
- 3. Configure the Serviced Component
- 4. Generate a Strong Name for the Assembly
- 5. Build the Assembly and Add it to the Global Assembly Cache
- 6. Manually Register the Serviced Component
- 7. Examine the Configured Application
- 8. Create a Test Client Application
- How To: Call a Web Service Using Client Certificates from ASP.NET
- Why Use a Serviced Component?
- Requirements
- Summary
- 1. Create a Simple Web Service
- 2. Configure the Web Service Virtual Directory to Require Client Certificates
- 3. Create a Custom Account for Running the Serviced Component
- 4. Request a Client Certificate for the Custom Account
- 5. Test the Client Certificate Using a Browser
- 6. Export the Client Certificate to a File
- 7. Develop the Serviced Component Used to Call the Web Service
- 8. Configure and Install the Serviced Component
- 9. Develop a Web Application to Call the Serviced Component
- Additional Resources
- How To: Call a Web Service Using SSL
- Requirements
- Summary
- 1. Create a Simple Web Service
- 2. Configure the Web Service Virtual Directory to Require SSL
- 3. Test the Web Service Using a Browser
- 4. Install the Certificate Authority’s Certificate on the Client Computer
- 5. Develop a Web Application to Call the Web Service
- Additional Resources
- How To: Host a Remote Object in a Windows Service
- How To: Set Up SSL on a Web Server
- How To: Set Up Client Certificates
- How To: Use IPSec to Provide Secure Communication Between Two Servers
- How To: Use SSL to Secure Communication with SQL Server 2000
- Notes
- Requirements
- Summary
- 1. Install a Server Authentication Certificate
- 2. Verify that the Certificate Has Been Installed
- 3. Install the Issuing CA’s Certificate on the Client
- 4. Force All Clients to Use SSL
- 5. Allow Clients to Determine Whether to Use SSL
- 6. Verify that Communication is Encrypted
- Additional Resources
- Base Configuration
- Configuration Stores and Tools
- Reference Hub
- How Does It Work?
- ASP.NET Identity Matrix
- Cryptography and Certificates
- .NET Web Application Security
- Glossary
- Microsoft® patterns & practices
- Index
- About the Author
- Copyright
L
- LDAP (Lightweight Directory Access Protocol), How To: Use Forms Authentication with Active Directory, Configure the Web Application for Forms Authentication, Develop LDAP Authentication Code to Look Up the User in Active Directory
- (see also )
- authentication code, Configure the Web Application for Forms Authentication
- group retrieval code, Develop LDAP Authentication Code to Look Up the User in Active Directory
- least privileged accounts, Design Principles, Custom Authentication, Using the ASP.NET Process Identity, Use a Least-Privileged Custom Account, Using the ASP.NET Process Identity, The Database Trusts Different Roles, Additional Best Practices, How To: Create a Custom Account to Run ASP.NET, How To: Create a Custom Account to Run ASP.NET, ASP.NET Worker Process Identity, ASP.NET Worker Process Identity, Summary, Assign NTFS Permissions, Configure ASP.NET to Run Using the New Account
- ASP.NET worker process identity and, Custom Authentication, How To: Create a Custom Account to Run ASP.NET
- assigning minimum privileges, Summary
- assigning NTFS permissions, Assign NTFS Permissions
- configuring ASP.NET for, Configure ASP.NET to Run Using the New Account
- creating custom, Using the ASP.NET Process Identity, Using the ASP.NET Process Identity, How To: Create a Custom Account to Run ASP.NET
- creating custom database, The Database Trusts Different Roles
- Enterprise Services and custom, Use a Least-Privileged Custom Account
- impersonating fixed identities, ASP.NET Worker Process Identity
- issues, ASP.NET Worker Process Identity
- principle of, Design Principles
- SQL code and, Additional Best Practices
- libraries., How To: Create a DPAPI Library (see , )
- library applications, Enterprise Services, More Information, More Information, Gatekeepers and Gates, Gatekeepers and Gates, Security for Server and Library Applications, Configure Authorization (Component-Level Access Checks), Security Concepts, Security Concepts
- authentication and, More Information, Gatekeepers and Gates, Security Concepts
- authorization and, Configure Authorization (Component-Level Access Checks)
- security for, Security for Server and Library Applications
- server applications vs., More Information, Gatekeepers and Gates, Security Concepts
- Lightweight Directory Access Protocol., How To: Use Forms Authentication with Active Directory (see )
- load balancing, Choosing Between IPSec and SSL, Disadvantages
- local accounts, Avoid Running as SYSTEM, Using the ASP.NET Process Identity, Summary
- ASPNET as, Avoid Running as SYSTEM
- (see also )
- creating, Summary
- mirrored, Using the ASP.NET Process Identity
- local resources, impersonation and, More Information
- Local Security Authority (LSA), Avoid Running as SYSTEM, Implementing Mirrored ASPNET Process Identity, Storing Database Connection Strings Securely
- Local Security Policy tool, IPSec, Summary, Summary
- locking configuration settings, Secure Resources
- logging., Design Principles, Choose the Identities Used for Resource Access, Accessing System Resources, Windows Security Logs, SQL Server Auditing
- (see also )
- event logs, Design Principles, Accessing System Resources
- IIS, SQL Server Auditing
- troubleshooting with, Windows Security Logs
- logical tiers, Logical Tiers
- logical volumes, storing files on, Options for Storing Secrets in ASP.NET
- Login method, Hosting in a Windows Service
- logon auditing, Auditing, Windows Security Logs
- logon credentials., Authentication (see )
- logon Web forms, ASP.NET Authentication Modes, Development Steps for Forms Authentication, Authorize the User Based on User Name or Role Membership, Using Forms Authentication, Create a Web Application with a Logon Page, Requirements, Requirements
- creating, Development Steps for Forms Authentication, Create a Web Application with a Logon Page, Requirements, Requirements
- Forms authentication and, ASP.NET Authentication Modes
- implementation guidelines, Authorize the User Based on User Name or Role Membership
- troubleshooting, Using Forms Authentication
- LogonUser API, Avoid Running as SYSTEM, Using a Serviced Component, Using the Current Process Identity, More Information, Accessing Network Resources, Connecting to SQL Server Using Windows Authentication
- LSA (Local Security Authority), Avoid Running as SYSTEM, Implementing Mirrored ASPNET Process Identity, Storing Database Connection Strings Securely
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.