Home Page Icon
Home Page
Table of Contents for
Index
Close
Index
by Microsoft Corporation
Building Secure Microsoft® ASP.NET Applications
Building Secure Microsoft ASP.NET Applications: Authentication, Authorization, and Secure Communication
A Note Regarding Supplemental Files
Acknowledgements
Preface
Why We Wrote This Book
Who Should Read This Book?
How You Should Read This Book
Organization of this Book
Part I, Security Models
Part II, Application Scenarios
Part III, Securing the Tiers
Part IV, Reference
System Requirements
Installing the Sample Files
Building Secure ASP.NET Applications—Online Version
Support
1. Introduction
The Connected Landscape
The Foundations
Authentication
Authorization
Secure Communication
Tying the Technologies Together
Design Principles
Summary
2. Security Model for ASP.NET Applications
.NET Web Applications
Logical Tiers
Physical Deployment Models
The Web Server as an Application Server
Remote Application Tier
Implementation Technologies
Security Architecture
Security Across the Tiers
Authentication
ASP.NET Authentication Modes
More Information
Enterprise Services Authentication
More Information
SQL Server Authentication
More Information
Authorization
ASP.NET Authorization Options
More Information
Enterprise Services Authorization
More Information
SQL Server Authorization
More Information
Gatekeepers and Gates
Introducing .NET Framework Security
Code Access Security
Evidence and Security Policy
CAS and ASP.NET Web Applications
Principals and Identities
The IPrincipal and IIdentity Interfaces
WindowsPrincipal and WindowsIdentity
GenericPrincipal and Associated Identity Objects
ASP.NET and HttpContext.User
ASP.NET Identities
More Information
Remoting and Web Services
Summary
3. Authentication and Authorization Design
Designing an Authentication and Authorization Strategy
Identify Resources
Choose an Authorization Strategy
More Information
Choose the Identities Used for Resource Access
Consider Identity Flow
Choose an Authentication Approach
More Information
Decide How to Flow Identity
More Information
Authorization Approaches
Role Based Authorization
Resource Based Authorization
Resource Access Models
The Trusted Subsystem Model
Fixed Identities
Using Multiple Trusted Identities
The Impersonation / Delegation Model
Choosing a Resource Access Model
Advantage of the Impersonation / Delegation Model
Disadvantages of the Impersonation / Delegation Model
Advantages of the Trusted Subsystem Model
Disadvantages of the Trusted Subsystem Model
Flowing Identity
Application vs. Operating System Identity Flow
Impersonation and Delegation
Impersonation
Delegation
Role-Based Authorization
.NET Roles
.NET Roles with Windows Authentication
.NET Roles with non-Windows Authentication
Custom IPrincipal Objects
More Information
Enterprise Services (COM+) Roles
SQL Server User Defined Database Roles
SQL Server Application Roles
More Information
.NET Roles versus Enterprise Services (COM+) Roles
Using .NET Roles
More Information
Checking Role Membership
Role Checking Examples
Choosing an Authentication Mechanism
Internet Scenarios
Forms / Passport Comparison
Advantages of Forms Authentication
Advantages of Passport Authentication
More Information
Intranet / Extranet Scenarios
Authentication Mechanism Comparison
Summary
4. Secure Communication
Know What to Secure
SSL/TLS
Using SSL
IPSec
Using IPSec
RPC Encryption
Using RPC Encryption
More Information
Point to Point Security
Browser to Web Server
Web Server to Remote Application Server
Application Server to Database Server
Using SSL to SQL Server
More Information
Choosing Between IPSec and SSL
Farming and Load Balancing
More Information
Summary
5. Intranet Security
ASP.NET to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring IIS
Configuring ASP.NET
Configuring SQL Server
Configuring Secure Communication
Analysis
Q&A
Related Scenarios
Non-Internet Explorer Browsers
SQL Authentication to the Database
Flowing the Original Caller to the Database
ASP.NET to Enterprise Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring IIS
Configuring ASP.NET
Configuring Enterprise Services
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
ASP.NET to Web Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring the Web Server (that Hosts the Web Application)
Configuring the Application Server (that Hosts the Web Service)
Configure SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Q&A
Related Scenarios
ASP.NET to Remoting to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring the Web Server
Configure the Application Server
Configure SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
Flowing the Original Caller to the Database
ASP.NET to SQL Server
Using Basic Authentication at the Web Server
Using Integrated Windows Authentication at the Web Server
ASP.NET to Enterprise Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Analysis
Pitfalls
Summary
6. Extranet Security
Exposing a Web Service
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring the Partner Application
Configuring the Extranet Web Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Q&A
Related Scenarios
More Information
Exposing a Web Application
Scenario Characteristics
Secure the Scenario
The Result
Configuring the Extranet Web Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
No Connectivity from Extranet to Corporate Network
More Information
Summary
7. Internet Security
ASP.NET to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configure the Web Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
Forms Authentication against Active Directory
More Information
.NET Roles for Authorization
More Information
Using a Domain Anonymous Account at the Web Server
More Information
ASP.NET to Remote Enterprise Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configure the Web Server
Configure the Application Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
Forms Authentication Against Active Directory
More Information
Using DCOM
More Information
Using .NET Remoting
More Information
Summary
8. ASP.NET Security
ASP.NET Security Architecture
Gatekeepers
IIS
ASP.NET
UrlAuthorizationModule
FileAuthorizationModule
Principal Permission Demands and Explicit Role Checks
More Information
Authentication and Authorization Strategies
Available Authorization Options
Windows Authentication with Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication without Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication Using a Fixed Identity
When to Use
Forms Authentication
Configurable Security
Programmatic Security
When to Use
More Information
Passport Authentication
When to Use
Configuring Security
Configure IIS Settings
Configure ASP.NET Settings
URL Authorization Notes
URL Authorization Examples
Secure Resources
Locking Configuration Settings
Preventing Files from Being Downloaded
Secure Communication
More information
Programming Security
An Authorization Pattern
Retrieve Credentials
Validate Credentials
Put Users in Roles
Create an IPrincipal Object
Put the IPrincipal Object into the Current HTTP Context
Authorize Based on the User Identity and/or Role Membership
More Information
Creating a Custom IPrincipal class
More Information
Windows Authentication
Identifying the Authenticated User
Forms Authentication
Development Steps for Forms Authentication
Configure IIS for Anonymous Access
Configure ASP.NET for Forms Authentication
Create a Logon Web Form and Validate the Supplied Credentials
More Information
Retrieve a Role List from the Custom Data Store
Create a Forms Authentication Ticket
Create an IPrincipal Object
Put the IPrincipal Object into the Current HTTP Context
Authorize the User Based on User Name or Role Membership
Forms Implementation Guidelines
More Information
Hosting Multiple Applications Using Forms Authentication
More Information
Cookieless Forms Authentication
More Information
Passport Authentication
Configure ASP.NET for Passport authentication
Map a Passport Identity into Roles in Global.asax
Test Role Membership
Custom Authentication
More Information
Process Identity for ASP.NET
Use a Least Privileged Account
Avoid Running as SYSTEM
More Information
Domain Controllers and the ASP.NET Process Account
Using the Default ASPNET Account
The <processModel> Element
Storing Encrypted <processModel> Credentials
More Information
Impersonation
Impersonation and Local Resources
Impersonation and Remote Resources
More Information
Impersonation and Threading
Accessing System Resources
Accessing the Event Log
Accessing the Registry
More Information
Accessing COM Objects
Apartment Model Objects
The AspCompat Directive is Required
More Information
Don’t Create COM Objects Outside of Specific Page Events
More Information
C# and VB .NET Objects in COM+
Accessing Network Resources
Using the ASP.NET Process Identity
More Information
Using a Serviced Component
Using the Anonymous Internet User Account
Hosting Multiple Web Applications
Using LogonUser and Impersonating a Specific Windows Identity
Using the Original Caller
More Information
Accessing Files on a UNC File Share
Accessing Non-Windows Network Resources
Secure Communication
More Information
Storing Secrets
Options for Storing Secrets in ASP.NET
More Information
Consider Storing Secrets in Files on Separate Logical Volumes
Securing Session and View State
Securing View State
Securing Cookies
Securing SQL Session State
Securing the Database Connection String
Securing Session State Across the Network
More Information
Web Farm Considerations
Session State
DPAPI
More Information
Using Forms Authentication in a Web Farm
The <machineKey> Element
The validationKey Attribute
The decryptionKey Attribute
The Validation Attribute
More Information
Summary
9. Enterprise Services Security
Security Architecture
Gatekeepers and Gates
Use Server Applications for Increased Security
Security for Server and Library Applications
Assign Roles to Classes, Interfaces, or Methods
Code Access Security Requirements
Configuring Security
Configuring a Server Application
Development Time vs. Deployment Time Configuration
Configure Authentication
Configure Authorization (Component-Level Access Checks)
Create and Assign Roles
Adding Roles to an Application
Adding Roles to a Component (Class)
Adding Roles to an Interface
Adding Roles to a Method
Register Serviced Components
Populate Roles
Use Windows Groups
More Information
Configure Identity
More Information
Configuring an ASP.NET Client Application
Configure Authentication
More Information
Configure Impersonation
More Information
Configuring Impersonation Levels for an Enterprise Services Application
Programming Security
Programmatic Role-Based Security
Identifying Callers
Choosing a Process Identity
Avoid Running as the Interactive User
Use a Least-Privileged Custom Account
Accessing Network Resources
Using the Original Caller
More Information
Using the Current Process Identity
Using a Specific Service Account
Flowing the Original Caller
Calling CoImpersonateClient
More Information
RPC Encryption
More Information
Building Serviced Components
DLL Locking Problems
Versioning
More Information
QueryInterface Exceptions
DCOM and Firewalls
More Information
Calling Serviced Components from ASP.NET
Caller’s Identity
Use Windows Authentication and Impersonation Within the Web-based Application
Configure Authentication and Impersonation within Machine.config
Configuring Interface Proxies
More Information
Security Concepts
Enterprise Services (COM+) Roles and .NET Roles
Authentication
Authentication Level Promotion
Authentication Level Negotiation
More Information
Impersonation
Cloaking
More Information
Summary
10. Web Services Security
Web Service Security Model
Platform/Transport Level (Point-to-Point) Security
When to Use
Application Level Security
When to Use
Message Level (End-to-End) Security
When to Use
The Web Services Development Kit
More Information
Platform/Transport Security Architecture
Gatekeepers
More Information
Authentication and Authorization Strategies
Windows Authentication with Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication without Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication Using a Fixed Identity
When to Use
More Information
Configuring Security
Configure IIS Settings
Configure ASP.NET Settings
More Information
Secure Resources
Disable HTTP-GET, HTTP-POST
More Information
Secure Communication
More information
Passing Credentials for Authentication to Web Services
Specifying Client Credentials for Windows Authentication
Using DefaultCredentials
Using Specific Credentials
Request a Specific Authentication Type
Set the PreAuthenticate Property
Using the ConnectionGroupName Property
Calling Web Services from Non-Windows Clients
Proxy Server Authentication
Flowing the Original Caller
Default Credentials with Kerberos Delegation
Configuring the Web Server
Configuring the Remote Application Server
More Information
Explicit Credentials with Basic or Forms Authentication
Basic Authentication
Forms Authentication
Configuring the Web Server
Configuring the Application Server
Trusted Subsystem
Flowing the Caller’s Identity
Configuration Steps
Configuring the Web Server
Configuring the Application Server
Accessing System Resources
Accessing Network Resources
Accessing COM Objects
More Information
Using Client Certificates with Web Services
Authenticating Web Browser Clients with Certificates
Using the Trusted Subsystem Model
Solution Implementation
Why Use an Additional Process?
More Information
Secure Communication
Transport Level Options
Message Level Options
More Information
Summary
11. .NET Remoting Security
.NET Remoting Architecture
Remoting Sinks
Transport Channel Sinks
Comparing Transport Channel Sinks
Custom Sinks
Formatter Sinks
Anatomy of a Request When Hosting in ASP.NET
ASP.NET and the HTTP Channel
More Information
.NET Remoting Gatekeepers
Authentication
Hosting in ASP.NET
Hosting in a Windows Service
Custom Authentication
More Information
Authorization
Using File Authorization
More Information
Authentication and Authorization Strategies
More Information
Accessing System Resources
Accessing Network Resources
Passing Credentials for Authentication to Remote Objects
Specifying Client Credentials
Using DefaultCredentials
Explicit Configuration
Programmatic Configuration
Using Specific Credentials
Request a Specific Authentication Type
Set the preauthenticate Property
Using the connectiongroupname Property
Flowing the Original Caller
Default Credentials with Kerberos Delegation
Configuring the Web Server
Configuring the Remote Application Server
More Information
Explicit Credentials with Basic or Forms Authentication
Basic Authentication
Forms Authentication
Configuring the Web Server
Configuring the Application Server
Trusted Subsystem
Flowing the Caller’s Identity
Choosing a Host
Configuration Steps
Configuring the Web Server
Configuring the Application Server
Using a Windows Service Host
Secure Communication
Platform Level Options
Message Level Options
More Information
Choosing a Host Process
Recommendation
Hosting in ASP.NET
Advantages
Disadvantages
Hosting in a Windows Service
Advantages
Disadvantages
Hosting in a Console Application
Advantages
Disadvantages
Remoting vs. Web Services
Summary
12. Data Access Security
Introducing Data Access Security
SQL Server Gatekeepers
Trusted Subsystem vs. Impersonation/Delegation
Authentication
Windows Authentication
More Information
Using Windows Authentication
Recommendation
Using the ASP.NET Process Identity
Use Mirrored ASPNET Local Accounts
Use Mirrored, Custom Local Accounts
Use a Custom Domain Account
Implementing Mirrored ASPNET Process Identity
Connecting to SQL Server Using Windows Authentication
Using Fixed Identities within ASP.NET
Using Serviced Components
Calling LogonUser and Impersonating a Specific Windows Identity
Using the Original Caller’s Identity
Using the Anonymous Internet User Account
More Information
When Can’t You Use Windows Authentication?
SQL Authentication
Connection String Types
More Information
Choosing a SQL Account for Your Connections
Passing Credentials over the Network
Securing SQL Connection Strings
Authenticating Against Non-SQL Server Databases
Authorization
Using Multiple Database Roles
Secure Communication
The Options
Choosing an Approach
More Information
Connecting with Least Privilege
The Database Trusts the Application
The Database Trusts Different Roles
The Database Trusts the Original Caller
Creating a Least Privilege Database Account
Storing Database Connection Strings Securely
The Options
Using DPAPI
Why Not LSA?
Machine Store vs. User Store
DPAPI Implementation Solutions
Using DPAPI from Enterprise Services
Using DPAPI Directly from ASP.NET
More Information
Using Web.config and Machine.config
Using UDL Files
ACL Granularity
More Information
Using Custom Text Files
Using the Registry
More Information
Using the COM+ Catalog
More Information
Authenticating Users against a Database
Store One-way Password Hashes (with Salt)
Creating a Salt Value
Creating a Hash Value (with Salt)
More Information
SQL Injection Attacks
The Problem
Anatomy of a SQL Script Injection Attack
The Solution
Additional Best Practices
Protecting Pattern Matching Statements
Auditing
Process Identity for SQL Server
Summary
13. Troubleshooting Security Issues
Process for Troubleshooting
Searching for Implementation Solutions
Troubleshooting Authentication Issues
IIS Authentication Issues
Using Windows Authentication
Using Forms Authentication
Kerberos Troubleshooting
Troubleshooting Authorization Issues
Check Windows ACLs
Check Identity
More Information
Check the <authorization> Element
ASP.NET
Enable Tracing
More Information
Configuration Settings
Determining Identity
Determining Identity in a Web Page
Determining Identity in a Web service
More Information
Determining Identity in a Visual Basic 6 COM Object
.NET Remoting
More Information
SSL
More Information
IPSec
Auditing and Logging
Windows Security Logs
More Information
SQL Server Auditing
Sample Log Entries
IIS Logging
Troubleshooting Tools
File Monitor (FileMon.exe)
More Information
Fusion Log Viewer (Fuslogvw.exe)
ISQL.exe
Connecting Using SQL Authentication
Connecting Using Windows Authentication
Running a Simple Query
Windows Task Manager
Network Monitor (NetMon.exe)
More Information
Registry Monitor (regmon.exe)
WFetch.exe
More Information
Visual Studio .NET Tools
More Information
WebServiceStudio
Windows 2000 Resource Kit
Index of How Tos
ASP.NET
Authentication and Authorization
Cryptography
Enterprise Services Security
Web Services Security
Remoting Security
Secure Communication
How To: Create a Custom Account to Run ASP.NET
ASP.NET Worker Process Identity
Impersonating Fixed Identities
Notes
Summary
1. Create a New Local Account
2. Assign Minimum Privileges
3. Assign NTFS Permissions
4. Configure ASP.NET to Run Using the New Account
How To: Use Forms Authentication with Active Directory
Requirements
Summary
1. Create a Web Application with a Logon Page
2. Configure the Web Application for Forms Authentication
3. Develop LDAP Authentication Code to Look Up the User in Active Directory
4. Develop LDAP Group Retrieval Code to Look Up the User’s Group Membership
5. Authenticate the User and Create a Forms Authentication Ticket
6. Implement an Authentication Request Handler to Construct a GenericPrincipal Object
7. Test the Application
How To: Use Forms Authentication with SQL Server 2000
Requirements
Summary
1. Create a Web Application with a Logon Page
2. Configure the Web Application for Forms Authentication
3. Develop Functions to Generate a Hash and Salt value
4. Create a User Account Database
5. Use ADO.NET to Store Account Details in the Database
6. Authenticate User Credentials Against the Database
7. Test the Application
Additional Resources
How To: Create GenericPrincipal Objects with Forms Authentication
Requirements
Summary
1. Create a Web Application with a Logon Page
2. Configure the Web Application for Forms Authentication
3. Generate an Authentication Ticket for Authenticated Users
4. Construct GenericPrincipal and FormsIdentity Objects
5. Test the Application
Additional Resources
How To: Implement Kerberos Delegation for Windows 2000
Notes
Requirements
Summary
1. Confirm that the Client Account is Configured for Delegation
2. Confirm that the Server Process Account is Trusted for Delegation
References
How To: Implement IPrincipal
Requirements
Summary
1. Create a Simple Web Application
2. Configure the Web Application for Forms Authentication
3. Generate an Authentication Ticket for Authenticated Users
4. Create a Class that Implements and Extends IPrincipal
5. Create the CustomPrincipal Object
5. Test the Application
Additional Resources
How To: Create a DPAPI Library
Notes
Requirements
Summary
1. Create a C# Class Library
2. Strong Name the Assembly (Optional)
References
How To: Use DPAPI (Machine Store) from ASP.NET
Notes
Requirements
Summary
1. Create an ASP.NET Client Web Application
2. Test the Application
3. Modify the Web Application to Read an Encrypted Connection String from Web.Config
References
How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
Notes
Why Use Enterprise Services?
Why Use a Windows Service?
Requirements
Summary
1. Create a Serviced Component that Provides Encrypt and Decrypt Methods
2. Call the Managed DPAPI Class Library
3. Create a Dummy Class that will Launch the Serviced Component
4. Create a Windows Account to Run the Enterprise Services Application and Windows Service
5. Configure, Strong Name, and Register the Serviced Component
6. Create a Windows Service Application that will Launch the Serviced Component
7. Install and Start the Windows Service Application
8. Write a Web Application to Test the Encryption and Decryption Routines
9. Modify the Web Application to Read an Encrypted Connection String from an Application Configuration File
References
How To: Create an Encryption Library
Requirements
Summary
1. Create a C# Class Library
2. Create a Console Test Application
References
How To: Store an Encrypted Connection String in the Registry
Notes
Requirements
Summary
1. Store the Encrypted Data in the Registry
2. Create an ASP.NET Web Application
References
How To: Use Role-based Security with Enterprise Services
Notes
Requirements
Summary
1. Create a C# Class Library Application to Host the Serviced Component
2. Create the Serviced Component
3. Configure the Serviced Component
4. Generate a Strong Name for the Assembly
5. Build the Assembly and Add it to the Global Assembly Cache
6. Manually Register the Serviced Component
7. Examine the Configured Application
8. Create a Test Client Application
How To: Call a Web Service Using Client Certificates from ASP.NET
Why Use a Serviced Component?
Why is a User Profile Required?
Requirements
Summary
1. Create a Simple Web Service
2. Configure the Web Service Virtual Directory to Require Client Certificates
3. Create a Custom Account for Running the Serviced Component
4. Request a Client Certificate for the Custom Account
5. Test the Client Certificate Using a Browser
6. Export the Client Certificate to a File
7. Develop the Serviced Component Used to Call the Web Service
8. Configure and Install the Serviced Component
9. Develop a Web Application to Call the Serviced Component
Additional Resources
How To: Call a Web Service Using SSL
Requirements
Summary
1. Create a Simple Web Service
2. Configure the Web Service Virtual Directory to Require SSL
3. Test the Web Service Using a Browser
4. Install the Certificate Authority’s Certificate on the Client Computer
5. Develop a Web Application to Call the Web Service
Additional Resources
How To: Host a Remote Object in a Windows Service
Notes
Requirements
Summary
1. Create the Remote Object Class
2. Create a Windows Service Host Application
3. Create a Windows Account to Run the Service
4. Install the Windows Service
5. Create a Test Client Application
References
How To: Set Up SSL on a Web Server
Requirements
Summary
1. Generate a Certificate Request
2. Submit a Certificate Request
3. Issue the Certificate
4. Install the Certificate on the Web Server
5. Configure Resources to Require SSL Access
How To: Set Up Client Certificates
Requirements
Summary
1. Create a Simple Web Application
2. Configure the Web Application to Require Client Certificates
3. Request and Install a Client Certificate
4. Verify Client Certificate Operation
Additional Resources
How To: Use IPSec to Provide Secure Communication Between Two Servers
Notes
Requirements
Summary
1. Create an IP Filter
2. Create Filter Actions
3. Create Rules
4. Export the IPSec Policy to the Remote Computer
5. Assign Policies
6. Verify that it Works
Additional Resources
How To: Use SSL to Secure Communication with SQL Server 2000
Notes
Requirements
Summary
1. Install a Server Authentication Certificate
2. Verify that the Certificate Has Been Installed
3. Install the Issuing CA’s Certificate on the Client
4. Force All Clients to Use SSL
5. Allow Clients to Determine Whether to Use SSL
6. Verify that Communication is Encrypted
Additional Resources
Base Configuration
Configuration Stores and Tools
Reference Hub
Searching the Knowledge Base
Tips
.NET Security
Hubs
Active Directory
Hubs
Key Notes
Articles
ADO.NET
Roadmaps and Overviews
Seminars and WebCasts
ASP.NET
Hubs
Roadmaps and Overviews
Knowledge Base
Articles
How Tos
Seminars and WebCasts
Enterprise Services
Knowledge Base
Roadmaps and Overviews
How Tos
FAQs
Seminars and WebCasts
IIS (Internet Information Server)
Hubs
Remoting
Roadmaps and Overviews
How Tos
Seminars and WebCasts
SQL Server
Hubs
Seminars and WebCasts
Visual Studio .NET
Hubs
Roadmaps and Overviews:
Web Services
Hubs
Roadmaps and Overviews
How Tos
Seminars and WebCasts
Windows 2000
Hubs
How Does It Work?
IIS and ASP.NET Processing
Application Isolation
The ASP.NET ISAPI Extension
IIS 6.0 and Windows .NET Server
More Information
ASP.NET Pipeline Processing
The Anatomy of a Web Request
Forms Authentication Processing
Windows Authentication Processing
Event Handling
Implementing a Custom HTTP Module
Implementing a Custom HTTP Handler
ASP.NET Identity Matrix
Cryptography and Certificates
Keys and Certificates
X.509 Digital Certificates
Certificate Stores
More Information
Cryptography
Technical Choices
Cryptography in .NET
Symmetric Algorithm Support
Asymmetric Algorithm Support
Hashing Algorithm Support
Summary
.NET Web Application Security
Glossary
Microsoft® patterns & practices
Index
About the Author
Copyright
Search in book...
Toggle Font Controls
Playlists
Add To
Create new playlist
Name your new playlist
Playlist description (optional)
Cancel
Create playlist
Sign In
Email address
Password
Forgot Password?
Create account
Login
or
Continue with Facebook
Continue with Google
Sign Up
Full Name
Email address
Confirm Email Address
Password
Login
Create account
or
Continue with Facebook
Continue with Google
Prev
Previous Chapter
Index
Next
Next Chapter
Index
W
W3C Extended Logging,
SQL Server Auditing
Web applications,
Introduction
,
Authorization
,
Security Model for ASP.NET Applications
,
Logical Tiers
,
Physical Deployment Models
,
Implementation Technologies
,
Security Architecture
,
Security Across the Tiers
,
Security Configuration Steps
,
Forms Implementation Guidelines
,
Using the Anonymous Internet User Account
,
Configure Authorization (Component-Level Access Checks)
,
Formatter Sinks
,
.NET Remoting Gatekeepers
,
Configuring the Web Server
,
Configuring the Remote Application Server
,
Configuring the Application Server
,
Configuring the Web Server
,
Choosing a Host Process
,
Connecting with Least Privilege
,
Create a Web Application with a Logon Page
,
Requirements
,
Requirements
,
How To: Implement IPrincipal
,
Create a Windows Service Application that will Launch the Serviced Component
,
Store the Encrypted Data in the Registry
,
Examine the Configured Application
,
Configure and Install the Serviced Component
,
Install the Certificate Authority’s Certificate on the Client Computer
,
Create a Simple Web Application
,
Force All Clients to Use SSL
adding roles to,
Configure Authorization (Component-Level Access Checks)
client.,
Force All Clients to Use SSL
(see )
connected landscape of distributed,
Introduction
creating simple, for client certificates,
Create a Simple Web Application
creating simple, for IPrincipal implementation,
How To: Implement IPrincipal
creating, to call Web services,
Configure and Install the Serviced Component
,
Install the Certificate Authority’s Certificate on the Client Computer
creating, to retrieve encrypted connection string from registry,
Store the Encrypted Data in the Registry
creating, to test encryption and decryption,
Create a Windows Service Application that will Launch the Serviced Component
creating, to test serviced component security,
Examine the Configured Application
creating, with logon page,
Create a Web Application with a Logon Page
,
Requirements
,
Requirements
database trust of,
Connecting with Least Privilege
hosting multiple,
Forms Implementation Guidelines
,
Using the Anonymous Internet User Account
logical tiers,
Logical Tiers
physical deployment models,
Physical Deployment Models
(see also , )
remote object hosting,
Formatter Sinks
,
.NET Remoting Gatekeepers
,
Configuring the Remote Application Server
,
Configuring the Application Server
,
Configuring the Web Server
,
Choosing a Host Process
security.,
Security Architecture
(see )
servers.,
Configuring the Web Server
(see , , )
technologies,
Authorization
,
Implementation Technologies
,
Security Across the Tiers
Web services partner applications,
Security Configuration Steps
Web applications security.,
Introduction
,
The Foundations
,
The Foundations
,
Authorization
,
Design Principles
,
Security Model for ASP.NET Applications
,
Security Model for ASP.NET Applications
,
Implementation Technologies
,
Security Architecture
,
Security Architecture
,
Authentication
,
Authentication
,
More Information
,
More Information
,
More Information
,
More Information
,
More Information
,
More Information
,
More Information
,
Gatekeepers and Gates
,
Gatekeepers and Gates
,
Gatekeepers and Gates
,
Gatekeepers and Gates
,
Gatekeepers and Gates
,
Gatekeepers and Gates
,
Gatekeepers and Gates
,
ASP.NET and HttpContext.User
,
ASP.NET and HttpContext.User
,
ASP.NET and HttpContext.User
,
ASP.NET and HttpContext.User
,
Authentication and Authorization Design
,
Secure Communication
,
Secure Communication
,
Intranet Security
,
Intranet Security
,
Intranet Security
,
Intranet Security
,
Extranet Security
,
Internet Security
,
Data Access Security
,
Troubleshooting Security Issues
,
Reference Hub
,
.NET Web Application Security
(see also )
.NET Framework security,
Gatekeepers and Gates
(see also )
.NET remoting security,
ASP.NET and HttpContext.User
,
ASP.NET and HttpContext.User
(see also )
architecture,
Security Architecture
ASP.NET security,
Authentication
,
More Information
,
Gatekeepers and Gates
,
ASP.NET and HttpContext.User
(see also )
authentication,
The Foundations
,
Authentication
(see also )
authentication and authorization strategies.,
Authentication and Authorization Design
(see )
authorization,
The Foundations
,
More Information
(see also )
Code Access Security,
Gatekeepers and Gates
configurable.,
Intranet Security
(see )
configuration.,
Intranet Security
(see )
connected landscape and,
Introduction
data access security.,
Data Access Security
(see )
design principles,
Design Principles
Enterprise Services security,
More Information
,
More Information
,
Gatekeepers and Gates
(see also )
extranet security.,
Extranet Security
(see )
gatekeepers and gates,
More Information
(see also )
Internet security.,
Internet Security
(see )
intranet security.,
Intranet Security
(see )
programmatic.,
Intranet Security
(see )
reference hub,
Reference Hub
secure communication,
Secure Communication
,
Secure Communication
(see also )
SQL Server security,
More Information
,
More Information
,
Gatekeepers and Gates
(see also )
technologies,
Authorization
,
Implementation Technologies
,
Security Architecture
,
.NET Web Application Security
troubleshooting.,
Troubleshooting Security Issues
(see )
Web application characteristics,
Security Model for ASP.NET Applications
(see also )
Web services security,
Gatekeepers and Gates
,
ASP.NET and HttpContext.User
(see also )
Windows security,
Gatekeepers and Gates
(see also )
Web browsers.,
Choose the Identities Used for Resource Access
(see )
Web farms,
Choosing Between IPSec and SSL
,
Web Farm Considerations
,
Web Farm Considerations
,
Web Farm Considerations
,
Web Farm Considerations
DPAPI and,
Web Farm Considerations
session state and,
Web Farm Considerations
SSL, load balancing, and,
Choosing Between IPSec and SSL
using Forms authentication in,
Web Farm Considerations
Web gardens,
Web Farm Considerations
Web pages,
Development Steps for Forms Authentication
,
More Information
,
Determining Identity
creating COM objects in,
More Information
determining identity in,
Determining Identity
logon.,
Development Steps for Forms Authentication
(see )
Web requests.,
IIS 6.0 and Windows .NET Server
(see )
Web Server Certificate Wizard,
Generate a Certificate Request
Web servers,
Physical Deployment Models
,
Authentication and Authorization Design
,
Using RPC Encryption
,
Configuring the Web Server (that Hosts the Web Application)
,
Security Configuration Steps
,
ASP.NET to SQL Server
,
Security Configuration Steps
,
Security Configuration Steps
,
The Result
,
The Result
,
More Information
,
Configure the Web Server
,
Proxy Server Authentication
,
Flowing the Original Caller
,
Forms Authentication
,
Flowing the Caller’s Identity
,
Flowing the Original Caller
,
Configuring the Web Server
,
Choosing a Host
,
How To: Set Up SSL on a Web Server
.NET remoting settings,
Flowing the Original Caller
,
Configuring the Web Server
,
Choosing a Host
anonymous domain accounts at,
More Information
as application servers,
Physical Deployment Models
extranet settings,
Security Configuration Steps
,
The Result
Internet settings,
The Result
,
Configure the Web Server
intranet settings,
Configuring the Web Server (that Hosts the Web Application)
,
Security Configuration Steps
,
Security Configuration Steps
original caller identity flow and,
ASP.NET to SQL Server
proxy server authentication,
Proxy Server Authentication
resources and,
Authentication and Authorization Design
secure communication and,
Using RPC Encryption
setting up SSL on,
How To: Set Up SSL on a Web Server
Web services settings,
Flowing the Original Caller
,
Forms Authentication
,
Flowing the Caller’s Identity
Web services,
Implementation Technologies
,
Web Server to Remote Application Server
,
More Information
,
Web Services Security
,
Web Services Security
,
Message Level (End-to-End) Security
,
Summary
,
Install the Certificate Authority’s Certificate on the Client Computer
,
Hubs
as implementation technology,
Implementation Technologies
creating application to call,
Install the Certificate Authority’s Certificate on the Client Computer
creating simple,
Summary
Development Toolkit,
Web Server to Remote Application Server
,
Web Services Security
,
Message Level (End-to-End) Security
Enterprise Services and,
More Information
reference information,
Hubs
security.,
Web Services Security
(see )
Web services security,
Introduction
,
Security Across the Tiers
,
Gatekeepers and Gates
,
ASP.NET and HttpContext.User
,
Web Server to Remote Application Server
,
Pitfalls
,
Exposing a Web Service
,
Accessing the Registry
,
Web Services Security
,
Web Services Security
,
Platform/Transport Level (Point-to-Point) Security
,
Platform/Transport Security Architecture
,
More Information
,
Configuring Security
,
Disable HTTP-GET, HTTP-POST
,
Using the ConnectionGroupName Property
,
Proxy Server Authentication
,
Configuring the Application Server
,
Configuring the Web Server
,
Configuring the Web Server
,
Accessing Network Resources
,
Accessing Network Resources
,
Solution Implementation
,
Disadvantages
,
Determining Identity in a Web service
,
Visual Studio .NET Tools
,
How To: Call a Web Service Using Client Certificates from ASP.NET
,
How To: Call a Web Service Using SSL
,
How To: Set Up Client Certificates
,
Configuration Stores and Tools
,
.NET Web Application Security
(see also )
.NET remoting security vs.,
Disadvantages
accessing COM objects,
Accessing the Registry
,
Accessing Network Resources
accessing network resources,
Configuring the Web Server
accessing system resources,
Configuring the Web Server
architecture,
Platform/Transport Level (Point-to-Point) Security
,
Platform/Transport Security Architecture
authentication and authorization strategies,
More Information
calling Web services from non-Windows clients,
Using the ConnectionGroupName Property
configuration stores and tools,
Configuration Stores and Tools
configuring,
Configuring Security
connected landscape and,
Introduction
determining identity in,
Determining Identity in a Web service
extranet scenario,
Exposing a Web Service
flowing original callers,
Proxy Server Authentication
gatekeepers and gates,
Gatekeepers and Gates
intranet scenario,
Pitfalls
model,
Web Services Security
options,
Security Across the Tiers
,
ASP.NET and HttpContext.User
,
.NET Web Application Security
passing credentials for authentication,
Disable HTTP-GET, HTTP-POST
secure communication,
Web Server to Remote Application Server
,
Solution Implementation
troubleshooting,
Visual Studio .NET Tools
trusted subsystem model,
Configuring the Application Server
using client certificates,
Accessing Network Resources
,
How To: Call a Web Service Using Client Certificates from ASP.NET
,
How To: Set Up Client Certificates
using SSL,
How To: Call a Web Service Using SSL
Web sites,
Searching for Implementation Solutions
,
Generate a Certificate Request
,
Reference Hub
(see also )
Web.config files,
Enterprise Services (COM+) Roles
,
ASP.NET Security Architecture
,
ASP.NET Security Architecture
,
Windows Authentication with Impersonation
,
When to Use
,
When to Use
,
More Information
,
More Information
,
Configurable Security
,
Programmatic Security
,
Configure IIS Settings
,
Secure Resources
,
Secure Resources
,
Locking Configuration Settings
,
Passport Authentication
,
Custom Authentication
,
Using a Serviced Component
,
Hosting Multiple Web Applications
,
Storing Secrets
,
More Information
,
Disable HTTP-GET, HTTP-POST
,
Using File Authorization
,
Using DPAPI from Enterprise Services
,
Using DPAPI Directly from ASP.NET
,
Process for Troubleshooting
,
Enable Tracing
,
Modify the Web Application to Read an Encrypted Connection String from Web.Config
,
Write a Web Application to Test the Encryption and Decryption Routines
,
ASP.NET Identity Matrix
.NET remoting security,
Using File Authorization
ASP.NET security,
Configure IIS Settings
authorization,
ASP.NET Security Architecture
,
ASP.NET Security Architecture
,
When to Use
,
Configurable Security
connection strings in,
Using DPAPI Directly from ASP.NET
custom authentication,
Custom Authentication
encrypted connection strings,
Using DPAPI from Enterprise Services
,
Modify the Web Application to Read an Encrypted Connection String from Web.Config
,
Write a Web Application to Test the Encryption and Decryption Routines
Enterprise Services (COM+) roles,
Enterprise Services (COM+) Roles
fixed identities,
Storing Secrets
Forms authentication,
More Information
HTTP-GET and HTTP-POST support,
Disable HTTP-GET, HTTP-POST
IIS security,
ASP.NET Identity Matrix
impersonation,
Using a Serviced Component
,
Hosting Multiple Web Applications
locking settings in,
Secure Resources
Passport authentication,
Programmatic Security
,
Passport Authentication
preventing download of files,
Locking Configuration Settings
securing,
Secure Resources
troubleshooting and,
Process for Troubleshooting
,
Enable Tracing
Windows authentication,
Windows Authentication with Impersonation
,
When to Use
,
More Information
,
More Information
WebCasts.,
Reference Hub
(see )
WebServiceStudio,
Visual Studio .NET Tools
WFetch.exe,
Windows Task Manager
Windows .NET Server 2003,
Hosting Multiple Web Applications
,
IIS and ASP.NET Processing
Windows 2000,
Design Principles
,
Security Across the Tiers
,
Authentication
,
More Information
,
More Information
,
Gatekeepers and Gates
,
Evidence and Security Policy
,
Disadvantages of the Trusted Subsystem Model
,
IPSec
,
ASP.NET to SQL Server
,
Accessing System Resources
,
Using Forms Authentication in a Web Farm
,
Register Serviced Components
,
Authentication
,
Using the ConnectionGroupName Property
,
Using a Windows Service Host
,
Advantages
,
Using Forms Authentication
,
Windows Security Logs
,
Fusion Log Viewer (Fuslogvw.exe)
,
Visual Studio .NET Tools
,
Develop LDAP Authentication Code to Look Up the User in Active Directory
,
Call the Managed DPAPI Class Library
,
Configure, Strong Name, and Register the Serviced Component
,
How To: Use Role-based Security with Enterprise Services
,
Create a Windows Account to Run the Service
,
Base Configuration
,
Seminars and WebCasts
,
Keys and Certificates
.NET remoting and,
Using a Windows Service Host
accounts,
Call the Managed DPAPI Class Library
,
How To: Use Role-based Security with Enterprise Services
,
Create a Windows Account to Run the Service
(see also )
authentication.,
ASP.NET to SQL Server
(see , )
base configuration,
Base Configuration
calling Web services from non-Windows clients,
Using the ConnectionGroupName Property
certificate stores,
Keys and Certificates
event log,
Design Principles
gatekeepers and gates,
Gatekeepers and Gates
groups,
Register Serviced Components
,
Develop LDAP Authentication Code to Look Up the User in Active Directory
groups vs. .NET roles,
More Information
High Encryption Pack,
Using Forms Authentication in a Web Farm
identities vs. .NET Framework identities,
Evidence and Security Policy
identity flow,
Disadvantages of the Trusted Subsystem Model
Installer,
Accessing System Resources
IPSec and,
IPSec
Kerberos.,
Authentication
(see )
reference information,
Seminars and WebCasts
Resource Kit,
Using Forms Authentication
,
Visual Studio .NET Tools
RPC for DCOM,
Authentication
security logs,
Windows Security Logs
security options,
Security Across the Tiers
services.,
Configure, Strong Name, and Register the Serviced Component
(see )
SSPI,
More Information
,
Advantages
Task Manager,
Fusion Log Viewer (Fuslogvw.exe)
Windows ACLs,
The Foundations
,
Choose an Authorization Strategy
,
Authorization Approaches
,
Disadvantages of the Impersonation / Delegation Model
,
Windows Authentication with Impersonation
,
When to Use
,
Configurable Security
,
URL Authorization Examples
,
Security Architecture
,
More Information
,
When to Use
,
Using UDL Files
,
Using Custom Text Files
,
Using Forms Authentication
authorization and,
The Foundations
,
Disadvantages of the Impersonation / Delegation Model
configuring, for secure resources,
URL Authorization Examples
Enterprise Services and,
Security Architecture
Forms authentication and,
Configurable Security
registry keys and,
Using Custom Text Files
resource-based authorization and,
Choose an Authorization Strategy
,
Authorization Approaches
troubleshooting,
Using Forms Authentication
UDL files and granularity of,
Using UDL Files
Windows authentication with impersonation,
Windows Authentication with Impersonation
,
More Information
Windows authentication without impersonation,
When to Use
,
When to Use
Windows authentication,
Authentication
,
Authentication
,
More Information
,
WindowsPrincipal and WindowsIdentity
,
Impersonation
,
.NET Roles with Windows Authentication
,
Using .NET Roles
,
Application Server to Database Server
,
Available Authorization Options
,
Windows Authentication with Impersonation
,
When to Use
,
More Information
,
Creating a Custom IPrincipal class
,
Securing the Database Connection String
,
Calling Serviced Components from ASP.NET
,
Calling Serviced Components from ASP.NET
,
More Information
,
More Information
,
When to Use
,
More Information
,
Passing Credentials for Authentication to Web Services
,
Anatomy of a Request When Hosting in ASP.NET
,
Trusted Subsystem vs. Impersonation/Delegation
,
Trusted Subsystem vs. Impersonation/Delegation
,
Windows Authentication
,
Implementing Mirrored ASPNET Process Identity
,
Connecting to SQL Server Using Windows Authentication
,
Using Fixed Identities within ASP.NET
,
Using Fixed Identities within ASP.NET
,
Using the Anonymous Internet User Account
,
Using the Anonymous Internet User Account
,
Using the Anonymous Internet User Account
,
IIS Authentication Issues
,
Fusion Log Viewer (Fuslogvw.exe)
,
Forms Authentication Processing
.NET remoting and,
Anatomy of a Request When Hosting in ASP.NET
.NET roles with and without,
.NET Roles with Windows Authentication
,
Using .NET Roles
ASP.NET process identity and,
Securing the Database Connection String
,
Windows Authentication
ASP.NET security and,
Authentication
,
Creating a Custom IPrincipal class
authorization options and,
Available Authorization Options
data access security and,
Trusted Subsystem vs. Impersonation/Delegation
delegation and,
Impersonation
ISQL.exe and,
Fusion Log Viewer (Fuslogvw.exe)
mechanisms,
Authentication
(see also , , , , )
original caller identity and,
Using the Anonymous Internet User Account
principals and identities,
WindowsPrincipal and WindowsIdentity
processing,
Forms Authentication Processing
scenarios that prevent,
Using the Anonymous Internet User Account
serviced components and,
Calling Serviced Components from ASP.NET
,
Using Fixed Identities within ASP.NET
SQL authentication vs.,
Trusted Subsystem vs. Impersonation/Delegation
SQL Server and,
More Information
,
Application Server to Database Server
,
Implementing Mirrored ASPNET Process Identity
troubleshooting,
IIS Authentication Issues
Web services and,
More Information
,
Passing Credentials for Authentication to Web Services
with anonymous Internet user account,
Using Fixed Identities within ASP.NET
with fixed identities,
More Information
,
More Information
,
Connecting to SQL Server Using Windows Authentication
with impersonation,
Windows Authentication with Impersonation
,
Calling Serviced Components from ASP.NET
,
More Information
,
Using the Anonymous Internet User Account
without impersonation,
When to Use
,
When to Use
Windows services,
Solution Implementation
,
Hosting in a Windows Service
,
Choosing a Host
,
Advantages
,
Why Use Enterprise Services?
,
Call the Managed DPAPI Class Library
,
Configure, Strong Name, and Register the Serviced Component
,
Create a Windows Service Application that will Launch the Serviced Component
,
How To: Host a Remote Object in a Windows Service
,
How To: Host a Remote Object in a Windows Service
creating Windows account for,
Call the Managed DPAPI Class Library
creating, to launch serviced component,
Configure, Strong Name, and Register the Serviced Component
installing and starting,
Create a Windows Service Application that will Launch the Serviced Component
passing Web services client certificates using,
Solution Implementation
remote object hosting in,
Hosting in a Windows Service
,
Choosing a Host
,
Advantages
,
How To: Host a Remote Object in a Windows Service
TCP channel and,
How To: Host a Remote Object in a Windows Service
using, with DPAPI,
Why Use Enterprise Services?
WindowsIdentity objects,
WindowsPrincipal and WindowsIdentity
,
Authentication and Authorization Design
,
ASP.NET Identity Matrix
WindowsPrincipal objects,
WindowsPrincipal and WindowsIdentity
,
.NET Roles with Windows Authentication
,
Principal Permission Demands and Explicit Role Checks
,
Create an IPrincipal Object
,
How To: Implement IPrincipal
,
ASP.NET Identity Matrix
WS-Security specification,
Web Server to Remote Application Server
,
Web Services Security
,
Application Level Security
Wsdl.exe tool,
Passing Credentials for Authentication to Web Services
,
Proxy Server Authentication
Add Highlight
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click
here
login for view all page.
Day Mode
Cloud Mode
Night Mode
Reset