Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
Retired Content: This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Configuration Stores and Tools
J.D. Meier, Alex Mackman, Michael Dunner, and Srinath Vasireddy
Microsoft Corporation
Published: November 2002
Last Revised: January 2006
Applies to:
- Microsoft® ASP.NET
See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.
See the Landing Page for the starting point and a complete overview of Building Secure ASP.NET Applications.
Summary: The authentication, authorization, and secure communication services available to .NET Web applications are summarized in the following tables. For each of the core .NET Web application technologies, the tables list the security services available, where the related security configuration settings are stored, and which tools can be used to edit those settings. (6 printed pages)
Note: Settings within the Internet Information Services (IIS) metabase are configured using the IIS MMC snap-in, or programmatically via script. Settings maintained within Machine.config or Web.config can be edited with any text editor (such as Notepad) or XML editor (such as the Microsoft Visual Studio® .NET XML editor).
Table 1. IIS security configuration
Security service | Mechanism | Configuration | Tools |
---|---|---|---|
Authentication | Anonymous; Basic; Digest; Windows Integrated; Client Certificates | IIS metabase | IIS MMC snap-in; script; Makecert.exe can be used to create test certificates |
Authorization | NTFS permissions (Windows ACLs) | Windows (NTFS) file system | Windows Explorer; Cacls.exe; security templates; Secedit.exe; Group Policy |
Authorization | IP and DNS restrictions | IIS metabase | IIS MMC snap-in; script |
Secure communication | SSL; IPSec | Windows (NTFS) file system; machine's local policy (registry) or Microsoft Active Directory® directory service | IIS MMC snap-in; script; Local Security Policy MMC snap-in; Domain Security Policy MMC snap-in; Ipsecpol.exe |
Additional gatekeepers | IP address and domain name restrictions | IIS metabase | IIS MMC snap-in; script |
Table 2. ASP.NET security configuration
Security service | Mechanism | Configuration | Tools |
---|---|---|---|
Authentication | Windows; Forms; Passport; None (custom) | `<authentication>` element of Machine.config or Web.config | Notepad.exe; Visual Studio .NET; any XML editor |
Authorization | URL authorization; file authorization; .NET roles | `<authorization>` element of Machine.config or Web.config; Windows (NTFS) file system; Active Directory, SAM database, or custom data store (for example, SQL Server) | Notepad.exe; Visual Studio .NET |
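To show where the Table 2 settings actually live, the Web.config fragment below is an added example (it is not from the original guide or from Microsoft's sample code). It uses the `<authentication>` element to select Windows authentication and the `<authorization>` element to express URL authorization rules in terms of .NET roles, which under Windows authentication are Windows group names. The domain name MYDOMAIN, the groups Managers and Admins, and the Admin folder are placeholder values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Authentication: IIS (Table 1) authenticates the caller; with
         mode="Windows" ASP.NET adopts the resulting Windows identity. -->
    <authentication mode="Windows" />

    <!-- URL authorization, evaluated top-down, first match wins.
         MYDOMAIN\Managers is a placeholder group name.
         users="?" denies anonymous callers; users="*" denies everyone else. -->
    <authorization>
      <allow roles="MYDOMAIN\Managers" />
      <deny users="?" />
      <deny users="*" />
    </authorization>

    <!-- File authorization needs no element here: it checks the NTFS ACL of
         the requested file against the authenticated Windows identity, which
         is why Table 2 lists the Windows (NTFS) file system as its store. -->
  </system.web>

  <!-- A <location> element scopes a stricter rule set to a sub-path.
       "Admin" and MYDOMAIN\Admins are placeholders. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="MYDOMAIN\Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two practical checks when reviewing such a file: the rule order matters, because the first rule that matches the caller decides the outcome, so an `<allow users="*" />` placed above the `<deny>` rules silently opens the directory; and URL authorization only applies to requests that IIS hands to ASP.NET (extensions mapped to the ASP.NET ISAPI filter), so static files in the same folder are protected by NTFS permissions, not by these rules.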
Table 3. Enterprise Services security configuration*
Security service | Mechanism | Configuration | Tools |
---|---|---|---|
Authentication | DCOM/RPC authentication | COM+ Catalog (note: computer-wide settings for serviced component and regular DCOM proxies are maintained in Machine.config) | Component Services MMC snap-in; script (Catalog automation objects) |
Authorization | Enterprise Services (COM+) roles | COM+ Catalog | Component Services MMC snap-in; script (Catalog automation objects) |
Authorization | Windows ACLs (when using impersonation in a serviced component) | Windows (NTFS) file system | Windows Explorer; Cacls.exe; security templates; Secedit.exe; Group Policy |
Secure communication | RPC encryption (packet privacy) | COM+ Catalog (note: computer-wide settings for serviced component and regular DCOM proxies are maintained in Machine.config) | Component Services MMC snap-in; script (Catalog automation objects) |
Secure communication | IPSec | Machine's local policy (registry) or Active Directory | Local Security Policy MMC snap-in; Ipsecpol.exe |
* The security services for Enterprise Services components apply both to components hosted by server applications and to components hosted by library applications. However, certain restrictions apply to library applications because many of the security defaults are inherited from the host process and as a result are not directly configurable. Process-wide authentication may also be explicitly switched off by library applications. For more details, see Chapter 9, "Enterprise Services Security."
Table 4. Web services (implemented using ASP.NET) security configuration
Security service | Mechanism | Configuration | Tools |
---|---|---|---|
Authentication | Windows | `<authentication>` element of Machine.config or Web.config | Notepad; Visual Studio .NET; any XML editor |
Authentication | Custom | Custom data store (for example, SQL Server or Active Directory) | Depends on the custom store |
Authorization | URL authorization | Web.config | Notepad; Visual Studio .NET; any XML editor |
Authorization | File authorization | Windows (NTFS) file system | Windows Explorer; Cacls.exe; security templates; Secedit.exe; Group Policy |
Authorization | .NET roles | Active Directory, SAM database, or custom data store (for example, SQL Server) | For Windows groups, the Active Directory Users and Computers MMC snap-in or (for local settings) the Computer Management tool, ADSI script, or Net.exe; for custom groups, depends on the custom store |
Secure communication | SSL | IIS metabase | IIS MMC snap-in; script |
Secure communication | IPSec | Machine's local policy (registry) or Active Directory | Local Security Policy MMC snap-in; Ipsecpol.exe |
Table 5. .NET Remoting security configuration** (when hosted by ASP.NET using the HTTP channel)
Security service | Mechanism | Configuration | Tools |
---|---|---|---|
Authentication | Windows | IIS metabase | IIS MMC snap-in; script |
Authentication | Custom | Custom data store (for example, SQL Server) | Depends on the custom store |
Authorization | URL authorization | Web.config | Notepad; Visual Studio .NET; any XML editor |
Authorization | File authorization | Windows (NTFS) file system | Windows Explorer; Cacls.exe; security templates; Secedit.exe; Group Policy |
Authorization | .NET roles | Active Directory, SAM database, or custom data store (for example, SQL Server) | For Windows groups, the Active Directory Users and Computers MMC snap-in or (for local settings) the Computer Management tool, ADSI script, or Net.exe; for custom groups, depends on the custom store |
Secure communication | SSL | IIS metabase | IIS MMC snap-in; script |
Secure communication | IPSec | Machine's local policy (registry) or Active Directory | Local Security Policy MMC snap-in; Ipsecpol.exe |
** The security services shown for .NET Remoting assume that the .NET remote component is hosted within ASP.NET and is using the HTTP channel. No default security services are available to .NET remote components hosted outside of IIS (for example, in a custom Win32 process or Win32 service) using the TCP channel. For more details, see Chapter 11, "Remoting Security."
Table 6. SQL Server security configuration
Security service | Mechanism | Configuration | Tools |
---|---|---|---|
Authentication | Integrated Windows | SQL Server | SQL Server Enterprise Manager |
Authentication | SQL Server standard authentication | SQL Server | SQL Server Enterprise Manager |
Authorization | Object permissions; database roles; server roles; user-defined database roles; application roles | SQL Server | SQL Server Enterprise Manager; Osql.exe (database script) |
Secure communication | SSL | Server's machine certificate store; client and server registry settings; connection string | Certificates MMC snap-in; Server Network Utility; Client Network Utility |
Secure communication | IPSec | Machine's local policy (registry) or Active Directory | Local Security Policy snap-in; Ipsecpol.exe |