Building Secure ASP.NET Applications
Building secure distributed Web applications can be challenging. It usually involves integrating several different technologies and products - yet your complete application will only be as secure as its weakest link. This guide presents a practical, scenario-driven approach to designing and building security-enhanced ASP.NET applications for Microsoft Windows 2000 and version 1.1 of the Microsoft .NET Framework. It focuses on the key elements of authentication, authorization, and secure communication within and across the tiers of distributed .NET Web applications.
This guide focuses on:
* Authentication - to identify the clients of your application
* Authorization - to provide access controls for those clients
* Secure communication - to help ensure that messages remain private and are not altered by unauthorized parties
Who should read this guide:
Middleware developers and architects who build or plan to build .NET Web applications using ASP.NET, XML Web Services, Enterprise Services (COM+), .NET Remoting, or Microsoft ADO.NET
About Patterns and Practices:
Patterns & Practices guides contain specific recommendations illustrating how to design, build, deploy, and operate architecturally sound solutions to challenging business and technical scenarios. The technical guidance is reviewed and approved by Microsoft engineering teams, consultants, and Product Support Services, and by partners and customers.
Note: Includes a complete sample on the Web.
Contents:
Acknowledgements xxiii
Preface xxv
CHAPTER 1 Introduction 1
The Connected Landscape 1
The Foundations 2
Authentication 2
Authorization 2
Secure Communication 3
Tying the Technologies Together 3
Design Principles 4
Summary 6
CHAPTER 2 Security Model for ASP.NET Applications 7
.NET Web Applications 7
Logical Tiers 8
Physical Deployment Models 9
Implementation Technologies 10
Security Architecture 11
Security Across the Tiers 12
Authentication 13
Authorization 16
Gatekeepers and Gates 17
Introducing .NET Framework Security 20
Code Access Security 20
Principals and Identities 21
WindowsPrincipal and WindowsIdentity 23
GenericPrincipal and Associated Identity Objects 23
ASP.NET and HttpContext.User 24
Remoting and Web Services 24
Summary 25
CHAPTER 3 Authentication and Authorization Design 27
Designing an Authentication and Authorization Strategy 28
Identify Resources 28
Choose an Authorization Strategy 28
Choose the Identities Used for Resource Access 29
Consider Identity Flow 30
Choose an Authentication Approach 31
Decide How to Flow Identity 31
Authorization Approaches 32
Role Based Authorization 32
Resource Based Authorization 33
Resource Access Models 33
The Trusted Subsystem Model 33
The Impersonation / Delegation Model 35
Choosing a Resource Access Model 36
Flowing Identity 38
Application vs. Operating System Identity Flow 38
Impersonation and Delegation 38
Role-Based Authorization 40
.NET Roles 40
Enterprise Services (COM+) Roles 42
SQL Server User Defined Database Roles 42
SQL Server Application Roles 42
.NET Roles versus Enterprise Services (COM+) Roles 43
Using .NET Roles 44
Choosing an Authentication Mechanism 47
Internet Scenarios 49
Intranet / Extranet Scenarios 50
Authentication Mechanism Comparison 51
Summary 51
CHAPTER 4 Secure Communication 53
Know What to Secure 54
SSL/TLS 55
Using SSL 55
IPSec 56
Using IPSec 56
RPC Encryption 57
Using RPC Encryption 57
Point to Point Security 58
Browser to Web Server 58
Web Server to Remote Application Server 59
Application Server to Database Server 59
Choosing Between IPSec and SSL 61
Farming and Load Balancing 61
More Information 61
Summary 61
CHAPTER 5 Intranet Security 63
ASP.NET to SQL Server 64
Characteristics 64
Secure the Scenario 65
The Result 65
Security Configuration Steps 66
Analysis 68
Q&A 69
Related Scenarios 70
ASP.NET to Enterprise Services to SQL Server 71
Characteristics 72
Secure the Scenario 72
The Result 73
Security Configuration Steps 74
Analysis 76
Pitfalls 77
ASP.NET to Web Services to SQL Server 77
Characteristics 78
Secure the Scenario 78
The Result 79
Security Configuration Steps 79
Analysis 82
Pitfalls 84
Q&A 84
ASP.NET to Remoting to SQL Server 85
Characteristics 85
Secure the Scenario 85
The Result 86
Security Configuration Steps 87
Analysis 89
Pitfalls 90
Flowing the Original Caller to the Database 91
ASP.NET to SQL Server 92
ASP.NET to Enterprise Services to SQL Server 93
The Result 94
Analysis 98
Pitfalls 99
Summary 99
CHAPTER 6 Extranet Security 101
Exposing a Web Service 102
Characteristics 102
Secure the Scenario 103
The Result 103
Security Configuration Steps 104
Analysis 107
Pitfalls 108
Q&A 108
Exposing a Web Application 109
Scenario Characteristics 109
Secure the Scenario 110
The Result 111
Analysis 113
Pitfalls 115
Summary 115
CHAPTER 7 Internet Security 117
ASP.NET to SQL Server 118
Characteristics 118
Secure the Scenario 119
The Result 120
Security Configuration Steps 120
Analysis 122
Pitfalls 124
Related Scenarios 124
ASP.NET to Remote Enterprise Services to SQL Server 125
Characteristics 126
Secure the Scenario 127
The Result 128
Security Configuration Steps 128
Analysis 132
Pitfalls 133
Related Scenarios 133
Summary 134
CHAPTER 8 ASP.NET Security 135
ASP.NET Security Architecture 135
Gatekeepers 137
Authentication and Authorization Strategies 139
Available Authorization Options 140
Windows Authentication with Impersonation 141
Windows Authentication without Impersonation 143
Windows Authentication Using a Fixed Identity 145
Forms Authentication 145
Passport Authentication 147
Configuring Security 147
Configure IIS Settings 149
Configure ASP.NET Settings 149
Secure Resources 152
Secure Communication 155
Programming Security 155
An Authorization Pattern 156
Creating a Custom IPrincipal class 158
Windows Authentication 159
Forms Authentication 160
Development Steps for Forms Authentication 162
Forms Implementation Guidelines 165
Hosting Multiple Applications Using Forms Authentication 166
Cookieless Forms Authentication 166
Passport Authentication 167
Custom Authentication 168
Process Identity for ASP.NET 168
Use a Least Privileged Account 168
Avoid Running as SYSTEM 169
Using the Default ASPNET Account 169
Impersonation 172
Impersonation and Local Resources 172
Impersonation and Remote Resources 172
Impersonation and Threading 172
Accessing System Resources 173
Accessing the Event Log 173
Accessing the Registry 174
Accessing COM Objects 174
Apartment Model Objects 174
Accessing Network Resources 176
Using the ASP.NET Process Identity 176
Using a Serviced Component 177
Using the Anonymous Internet User Account 178
Using LogonUser and Impersonating a Specific Windows Identity 180
Using the Original Caller 180
Accessing Files on a UNC File Share 181
Accessing Non-Windows Network Resources 181
Secure Communication 182
Storing Secrets 182
Options for Storing Secrets in ASP.NET 184
Consider Storing Secrets in Files on Separate Logical Volumes 184
Securing Session and View State 185
Securing View State 185
Securing Cookies 185
Securing SQL Session State 185
Web Farm Considerations 188
Session State 188
DPAPI 188
Using Forms Authentication in a Web Farm 188
The Element 189
Summary 190
CHAPTER 9 Enterprise Services Security 193
Security Architecture 193
Gatekeepers and Gates 195
Use Server Applications for Increased Security 196
Security for Server and Library Applications 197
Code Access Security Requirements 197
Configuring Security 198
Configuring a Server Application 198
Configuring an ASP.NET Client Application 205
Configuring Impersonation Levels for an Enterprise Services Application 206
Programming Security 207
Programmatic Role-Based Security 207
Identifying Callers 208
Choosing a Process Identity 208
Avoid Running as the Interactive User 208
Use a Least-Privileged Custom Account 209
Accessing Network Resources 209
Using the Original Caller 210
Using the Current Process Identity 210
Using a Specific Service Account 211
Flowing the Original Caller 211
Calling CoImpersonateClient 212
RPC Encryption 213
More Information 213
Building Serviced Components 213
DLL Locking Problems 213
Versioning 214
QueryInterface Exceptions 215
DCOM and Firewalls 215
More Information 215
Calling Serviced Components from ASP.NET 216
Caller's Identity 216
Use Windows Authentication and Impersonation Within the Web-based Application 216
Configure Authentication and Impersonation within Machine.config 216
Configuring Interface Proxies 216
Security Concepts 219
Enterprise Services (COM+) Roles and .NET Roles 220
Authentication 221
Impersonation 222
Summary 224
CHAPTER 10 Web Services Security 225
Web Service Security Model 225
Platform/Transport Level (Point-to-Point) Security 226
Application Level Security 227
Message Level (End-to-End) Security 227
Platform/Transport Security Architecture 229
Gatekeepers 230
Authentication and Authorization Strategies 231
Windows Authentication with Impersonation 231
Windows Authentication without Impersonation 233
Windows Authentication Using a Fixed Identity 235
Configuring Security 236
Configure IIS Settings 236
Configure ASP.NET Settings 237
Secure Resources 237
Disable HTTP-GET, HTTP-POST 237
Secure Communication 238
Passing Credentials for Authentication to Web Services 238
Specifying Client Credentials for Windows Authentication 239
Calling Web Services from Non-Windows Clients 241
Proxy Server Authentication 242
Flowing the Original Caller 242
Default Credentials with Kerberos Delegation 243
Explicit Credentials with Basic or Forms Authentication 245
Trusted Subsystem 248
Flowing the Caller's Identity 249
Configuration Steps 249
Accessing System Resources 250
Accessing Network Resources 250
Accessing COM Objects 251
More Information 251
Using Client Certificates with Web Services 251
Authenticating Web Browser Clients with Certificates 252
Using the Trusted Subsystem Model 252
Secure Communication 255
Transport Level Options 256
Message Level Options 256
Summary 256
CHAPTER 11 .NET Remoting Security 259
.NET Remoting Architecture 259
Remoting Sinks 260
Anatomy of a Request When Hosting in ASP.NET 262
ASP.NET and the HTTP Channel 263
.NET Remoting Gatekeepers 264
Authentication 265
Hosting in ASP.NET 265
Hosting in a Windows Service 266
Authorization 267
Using File Authorization 267
Authentication and Authorization Strategies 268
More Information 269
Accessing System Resources 269
Accessing Network Resources 270
Passing Credentials for Authentication to Remote Objects 270
Specifying Client Credentials 270
Flowing the Original Caller 273
Default Credentials with Kerberos Delegation 274
Explicit Credentials with Basic or Forms Authentication 276
Trusted Subsystem 280
Flowing the Caller's Identity 281
Choosing a Host 282
Configuration Steps 282
Secure Communication 284
Platform Level Options 284
Choosing a Host Process 285
Recommendation 285
Hosting in ASP.NET 285
Hosting in a Windows Service 286
Hosting in a Console Application 287
Remoting vs. Web Services 288
Summary 289
CHAPTER 12 Data Access Security 291
Introducing Data Access Security 291
SQL Server Gatekeepers 293
Trusted Subsystem vs. Impersonation/Delegation 293
Authentication 295
Windows Authentication 295
SQL Authentication 301
Authenticating Against Non-SQL Server Databases 303
Authorization 304
Using Multiple Database Roles 304
Secure Communication 305
The Options 306
Choosing an Approach 306
Connecting with Least Privilege 307
The Database Trusts the Application 307
The Database Trusts Different Roles 307
The Database Trusts the Original Caller 308
Creating a Least Privilege Database Account 308
Storing Database Connection Strings Securely 310
The Options 310
Using DPAPI 310
Using Web.config and Machine.config 314
Using UDL Files 314
Using Custom Text Files 316
Using the Registry 316
Using the COM+ Catalog 316
Authenticating Users against a Database 317
Store One-way Password Hashes (with Salt) 317
SQL Injection Attacks 319
Auditing 323
Process Identity for SQL Server 324
Summary 325
CHAPTER 13 Troubleshooting Security Issues 327
Process for Troubleshooting 327
Searching for Implementation Solutions 328
Troubleshooting Authentication Issues 329
IIS Authentication Issues 329
Using Windows Authentication 330
Using Forms Authentication 331
Kerberos Troubleshooting 331
Troubleshooting Authorization Issues 331
Check Windows ACLs 331
Check Identity 331
Check the Element 332
ASP.NET 333
Enable Tracing 333
Configuration Settings 333
Determining Identity 334
Determining Identity in a Web Page 334
Determining Identity in a Web service 336
Determining Identity in a Visual Basic 6 COM Object 336
.NET Remoting 337
More Information 337
SSL 338
More Information 338
IPSec 338
Auditing and Logging 339
Windows Security Logs 339
SQL Server Auditing 339
IIS Logging 340
Troubleshooting Tools 341
File Monitor (FileMon.exe) 341
Fusion Log Viewer (Fuslogvw.exe) 341
ISQL.exe 342
Windows Task Manager 342
Network Monitor (NetMon.exe) 343
Registry Monitor (regmon.exe) 343
WFetch.exe 343
Visual Studio .NET Tools 344
WebServiceStudio 344
Windows 2000 Resource Kit 344
Index of How Tos 345
ASP.NET 345
Authentication and Authorization 345
Cryptography 345
Enterprise Services Security 345
Web Services Security 346
Remoting Security 346
Secure Communication 346
How To: Create a Custom Account to Run ASP.NET 347
ASP.NET Worker Process Identity 347
Impersonating Fixed Identities 348
Notes 348
Summary 349
1. Create a New Local Account 349
2. Assign Minimum Privileges 349
3. Assign NTFS Permissions 350
4. Configure ASP.NET to Run Using the New Account 352
How To: Use Forms Authentication with Active Directory 353
Requirements 353
Summary 353
1. Create a Web Application with a Logon Page 354
2. Configure the Web Application for Forms Authentication 355
3. Develop LDAP Authentication Code to Look Up the User in Active Directory 356
4. Develop LDAP Group Retrieval Code to Look Up the User's Group Membership 357
5. Authenticate the User and Create a Forms Authentication Ticket 358
6. Implement an Authentication Request Handler to Construct a GenericPrincipal Object 360
7. Test the Application 362
How To: Use Forms Authentication with SQL Server 2000 363
Requirements 364
Summary 364
1. Create a Web Application with a Logon Page 364
2. Configure the Web Application for Forms Authentication 365
3. Develop Functions to Generate a Hash and Salt Value 366
4. Create a User Account Database 367
5. Use ADO.NET to Store Account Details in the Database 368
6. Authenticate User Credentials Against the Database 369
7. Test the Application 371
Additional Resources 372
How To: Create GenericPrincipal Objects with Forms Authentication 373
Requirements 374
Summary 374
1. Create a Web Application with a Logon Page 374
2. Configure the Web Application for Forms Authentication 375
3. Generate an Authentication Ticket for Authenticated Users 375
4. Construct GenericPrincipal and FormsIdentity Objects 378
5. Test the Application 379
Additional Resources 380
How To: Implement Kerberos Delegation for Windows 2000 381
Notes 381
Requirements 382
Summary 382
1. Confirm that the Client Account is Configured for Delegation 382
2. Confirm that the Server Process Account is Trusted for Delegation 382
References 383
How To: Implement IPrincipal 385
Requirements 386
Summary 386
1. Create a Simple Web Application 386
2. Configure the Web Application for Forms Authentication 387
3. Generate an Authentication Ticket for Authenticated Users 388
4. Create a Class that Implements and Extends IPrincipal 390
5. Create the CustomPrincipal Object 391
6. Test the Application 393
Additional Resources 394
How To: Create a DPAPI Library 395
Notes 395
Requirements 396
Summary 396
1. Create a C# Class Library 396
2. Strong Name the Assembly (Optional) 402
References 403
How To: Use DPAPI (Machine Store) from ASP.NET 405
Notes 405
Requirements 406
Summary 406
1. Create an ASP.NET Client Web Application 406
2. Test the Application 408
3. Modify the Web Application to Read an Encrypted Connection String from Web.Config 409
References 410
How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services 411
Notes 411
Why Use Enterprise Services? 412
Why Use a Windows Service? 413
Requirements 414
Summary 414
1. Create a Serviced Component that Provides Encrypt and Decrypt Methods 414
2. Call the Managed DPAPI Class Library 415
3. Create a Dummy Class that will Launch the Serviced Component 416
4. Create a Windows Account to Run the Enterprise Services Application and Windows Service 416
5. Configure, Strong Name, and Register the Serviced Component 417
6. Create a Windows Service Application that will Launch the Serviced Component 418
7. Install and Start the Windows Service Application 420
8. Write a Web Application to Test the Encryption and Decryption Routines 420
9. Modify the Web Application to Read an Encrypted Connection String from an Application Configuration File 423
References 424
How To: Create an Encryption Library 425
Requirements 425
Summary 425
1. Create a C# Class Library 426
2. Create a Console Test Application 433
References 434
How To: Store an Encrypted Connection String in the Registry 435
Notes 435
Requirements 435
Summary 436
1. Store the Encrypted Data in the Registry 436
2. Create an ASP.NET Web Application 439
References 440
How To: Use Role-based Security with Enterprise Services 441
Notes 441
Requirements 441
Summary 442
1. Create a C# Class Library Application to Host the Serviced Component 442
2. Create the Serviced Component 442
3. Configure the Serviced Component 443
4. Generate a Strong Name for the Assembly 444
5. Build the Assembly and Add it to the Global Assembly Cache 445
6. Manually Register the Serviced Component 445
7. Examine the Configured Application 445
8. Create a Test Client Application 446
How To: Call a Web Service Using Client Certificates from ASP.NET 449
Why Use a Serviced Component? 449
Why is a User Profile Required? 450
Requirements 451
Summary 451
1. Create a Simple Web Service 451
2. Configure the Web Service Virtual Directory to Require Client Certificates 452
3. Create a Custom Account for Running the Serviced Component 453
4. Request a Client Certificate for the Custom Account 453
5. Test the Client Certificate Using a Browser 455
6. Export the Client Certificate to a File 455
7. Develop the Serviced Component Used to Call the Web Service 456
8. Configure and Install the Serviced Component 459
9. Develop a Web Application to Call the Serviced Component 460
Additional Resources 462
How To: Call a Web Service Using SSL 463
Requirements 463
Summary 463
1. Create a Simple Web Service 464
2. Configure the Web Service Virtual Directory to Require SSL 464
3. Test the Web Service Using a Browser 465
4. Install the Certificate Authority's Certificate on the Client Computer 466
5. Develop a Web Application to Call the Web Service 467
Additional Resources 468
How To: Host a Remote Object in a Windows Service 469
Notes 469
Requirements 469
Summary 470
1. Create the Remote Object Class 470
2. Create a Windows Service Host Application 470
3. Create a Windows Account to Run the Service 473
4. Install the Windows Service 473
5. Create a Test Client Application 474
References 474
How To: Set Up SSL on a Web Server 475
Requirements 475
Summary 475
1. Generate a Certificate Request 475
2. Submit a Certificate Request 477
3. Issue the Certificate 478
4. Install the Certificate on the Web Server 478
5. Configure Resources to Require SSL Access 479
How To: Set Up Client Certificates 481
Requirements 481
Summary 481
1. Create a Simple Web Application 482
2. Configure the Web Application to Require Client Certificates 482
3. Request and Install a Client Certificate 483
4. Verify Client Certificate Operation 484
Additional Resources 484
How To: Use IPSec to Provide Secure Communication Between Two Servers 485
Notes 487
Requirements 487
Summary 488
1. Create an IP Filter 488
2. Create Filter Actions 489
3. Create Rules 490
4. Export the IPSec Policy to the Remote Computer 491
5. Assign Policies 491
6. Verify that it Works 492
Additional Resources 494
How To: Use SSL to Secure Communication with SQL Server 2000 495
Notes 495
Requirements 496
Summary 496
1. Install a Server Authentication Certificate 496
2. Verify that the Certificate Has Been Installed 497
3. Install the Issuing CA's Certificate on the Client 498
4. Force All Clients to Use SSL 498
5. Allow Clients to Determine Whether to Use SSL 499
6. Verify that Communication is Encrypted 500
Additional Resources 503
Base Configuration 505
Configuration Stores and Tools 507
Reference Hub 513
Searching the Knowledge Base 513
Tips 514
.NET Security 514
Hubs 514
Active Directory 514
Hubs 514
Key Notes 515
Articles 515
ADO.NET 515
Roadmaps and Overviews 515
Seminars and WebCasts 515
ASP.NET 515
Hubs 515
Roadmaps and Overviews 516
Knowledge Base 516
Articles 516
How Tos 516
Seminars and WebCasts 517
Enterprise Services 517
Knowledge Base 517
Roadmaps and Overviews 517
How Tos 518
FAQs 518
Seminars and WebCasts 518
IIS (Internet Information Server) 518
Hubs 518
Remoting 518
Roadmaps and Overviews 518
How Tos 519
Seminars and WebCasts 519
SQL Server 519
Hubs 519
Seminars and WebCasts 519
Visual Studio .NET 519
Hubs 519
Roadmaps and Overviews 519
Web Services 520
Hubs 520
Roadmaps and Overviews 520
How Tos 520
Seminars and WebCasts 520
Windows 2000 521
Hubs 521
How Does It Work? 523
IIS and ASP.NET Processing 523
Application Isolation 524
The ASP.NET ISAPI Extension 524
IIS 6.0 and Windows .NET Server 524
ASP.NET Pipeline Processing 525
The Anatomy of a Web Request 526
Event Handling 530
Implementing a Custom HTTP Module 531
Implementing a Custom HTTP Handler 531
ASP.NET Identity Matrix 533
Cryptography and Certificates 537
Keys and Certificates 537
X.509 Digital Certificates 538
Certificate Stores 538
More Information 539
Cryptography 539
Technical Choices 539
Cryptography in .NET 540
Summary 543
.NET Web Application Security 545
GLOSSARY 547
INDEX 565