About the Book
Your guide to authentication, authorization, and secure communication.

Building secure distributed Web applications can be challenging. It usually involves integrating several different technologies and products—yet your complete application will only be as secure as its weakest link. This guide presents a practical, scenario-driven approach to designing and building security-enhanced ASP.NET applications for Microsoft® Windows® 2000 and version 1.1 of the Microsoft .NET Framework. It focuses on the key elements of authentication, authorization, and secure communication within and across the tiers of distributed .NET Web applications.

This guide focuses on:
• Authentication—to identify the clients of your application
• Authorization—to provide access controls for those clients
• Secure communication—to help ensure that messages remain private and are not altered by unauthorized parties

Who should read this guide:
Middleware developers and architects who build or plan to build .NET Web applications using ASP.NET, XML Web Services, Enterprise Services (COM+), .NET Remoting, or Microsoft ADO.NET.

About “Patterns and Practices”:
Patterns & Practices contain specific recommendations illustrating how to design, build, deploy, and operate architecturally sound solutions to challenging business and technical scenarios. The technical guidance is reviewed and approved by Microsoft engineering teams, consultants, and Product Support Services, and by partners and customers.

Related Books
Introducing ASP.NET 2.0
Understanding Web Services Specifications and the WSE
Microsoft® ASP.NET Coding Strategies with the Microsoft ASP.NET Team
Table of Contents
Acknowledgements xxiii
Preface xxv

CHAPTER 1 Introduction 1
  The Connected Landscape 1
  The Foundations 2
    Authentication 2
    Authorization 2
    Secure Communication 3
  Tying the Technologies Together 3
  Design Principles 4
  Summary 6

CHAPTER 2 Security Model for ASP.NET Applications 7
  .NET Web Applications 7
    Logical Tiers 8
    Physical Deployment Models 9
  Implementation Technologies 10
  Security Architecture 11
    Security Across the Tiers 12
    Authentication 13
    Authorization 16
    Gatekeepers and Gates 17
  Introducing .NET Framework Security 20
    Code Access Security 20
    Principals and Identities 21
    WindowsPrincipal and WindowsIdentity 23
    GenericPrincipal and Associated Identity Objects 23
    ASP.NET and HttpContext.User 24
    Remoting and Web Services 24
  Summary 25

CHAPTER 3 Authentication and Authorization Design 27
  Designing an Authentication and Authorization Strategy 28
    Identify Resources 28
    Choose an Authorization Strategy 28
    Choose the Identities Used for Resource Access 29
    Consider Identity Flow 30
    Choose an Authentication Approach 31
    Decide How to Flow Identity 31
  Authorization Approaches 32
    Role Based Authorization 32
    Resource Based Authorization 33
  Resource Access Models 33
    The Trusted Subsystem Model 33
    The Impersonation / Delegation Model 35
    Choosing a Resource Access Model 36
  Flowing Identity 38
    Application vs. Operating System Identity Flow 38
    Impersonation and Delegation 38
  Role-Based Authorization 40
    .NET Roles 40
    Enterprise Services (COM+) Roles 42
    SQL Server User Defined Database Roles 42
    SQL Server Application Roles 42
    .NET Roles versus Enterprise Services (COM+) Roles 43
    Using .NET Roles 44
  Choosing an Authentication Mechanism 47
    Internet Scenarios 49
    Intranet / Extranet Scenarios 50
    Authentication Mechanism Comparison 51
  Summary 51

CHAPTER 4 Secure Communication 53
  Know What to Secure 54
  SSL/TLS 55
    Using SSL 55
  IPSec 56
    Using IPSec 56
  RPC Encryption 57
    Using RPC Encryption 57
  Point to Point Security 58
    Browser to Web Server 58
    Web Server to Remote Application Server 59
    Application Server to Database Server 59
  Choosing Between IPSec and SSL 61
  Farming and Load Balancing 61
    More Information 61
  Summary 61

CHAPTER 5 Intranet Security 63
  ASP.NET to SQL Server 64
    Characteristics 64
    Secure the Scenario 65
    The Result 65
    Security Configuration Steps 66
    Analysis 68
    Q&A 69
    Related Scenarios 70
  ASP.NET to Enterprise Services to SQL Server 71
    Characteristics 72
    Secure the Scenario 72
    The Result 73
    Security Configuration Steps 74
    Analysis 76
    Pitfalls 77
  ASP.NET to Web Services to SQL Server 77
    Characteristics 78
    Secure the Scenario 78
    The Result 79
    Security Configuration Steps 79
    Analysis 82
    Pitfalls 84
    Q&A 84
  ASP.NET to Remoting to SQL Server 85
    Characteristics 85
    Secure the Scenario 85
    The Result 86
    Security Configuration Steps 87
    Analysis 89
    Pitfalls 90
  Flowing the Original Caller to the Database 91
    ASP.NET to SQL Server 92
    ASP.NET to Enterprise Services to SQL Server 93
    The Result 94
    Analysis 98
    Pitfalls 99
  Summary 99

CHAPTER 6 Extranet Security 101
  Exposing a Web Service 102
    Characteristics 102
    Secure the Scenario 103
    The Result 103
    Security Configuration Steps 104
    Analysis 107
    Pitfalls 108
    Q&A 108
  Exposing a Web Application 109
    Scenario Characteristics 109
    Secure the Scenario 110
    The Result 111
    Analysis 113
    Pitfalls 115
  Summary 115

CHAPTER 7 Internet Security 117
  ASP.NET to SQL Server 118
    Characteristics 118
    Secure the Scenario 119
    The Result 120
    Security Configuration Steps 120
    Analysis 122
    Pitfalls 124
    Related Scenarios 124
  ASP.NET to Remote Enterprise Services to SQL Server 125
    Characteristics 126
    Secure the Scenario 127
    The Result 128
    Security Configuration Steps 128
    Analysis 132
    Pitfalls 133
    Related Scenarios 133
  Summary 134

CHAPTER 8 ASP.NET Security 135
  ASP.NET Security Architecture 135
    Gatekeepers 137
  Authentication and Authorization Strategies 139
    Available Authorization Options 140
    Windows Authentication with Impersonation 141
    Windows Authentication without Impersonation 143
    Windows Authentication Using a Fixed Identity 145
    Forms Authentication 145
    Passport Authentication 147
  Configuring Security 147
    Configure IIS Settings 149
    Configure ASP.NET Settings 149
    Secure Resources 152
    Secure Communication 155
  Programming Security 155
    An Authorization Pattern 156
    Creating a Custom IPrincipal class 158
  Windows Authentication 159
  Forms Authentication 160
    Development Steps for Forms Authentication 162
    Forms Implementation Guidelines 165
    Hosting Multiple Applications Using Forms Authentication 166
    Cookieless Forms Authentication 166
  Passport Authentication 167
  Custom Authentication 168
  Process Identity for ASP.NET 168
    Use a Least Privileged Account 168
    Avoid Running as SYSTEM 169
    Using the Default ASPNET Account 169
  Impersonation 172
    Impersonation and Local Resources 172
    Impersonation and Remote Resources 172
    Impersonation and Threading 172
  Accessing System Resources 173
    Accessing the Event Log 173
    Accessing the Registry 174
  Accessing COM Objects 174
    Apartment Model Objects 174
  Accessing Network Resources 176
    Using the ASP.NET Process Identity 176
    Using a Serviced Component 177
    Using the Anonymous Internet User Account 178
    Using LogonUser and Impersonating a Specific Windows Identity 180
    Using the Original Caller 180
    Accessing Files on a UNC File Share 181
    Accessing Non-Windows Network Resources 181
  Secure Communication 182
  Storing Secrets 182
    Options for Storing Secrets in ASP.NET 184
    Consider Storing Secrets in Files on Separate Logical Volumes 184
  Securing Session and View State 185
    Securing View State 185
    Securing Cookies 185
    Securing SQL Session State 185
  Web Farm Considerations 188
    Session State 188
    DPAPI 188
    Using Forms Authentication in a Web Farm 188
    The <machineKey> Element 189
  Summary 190

CHAPTER 9 Enterprise Services Security 193
  Security Architecture 193
    Gatekeepers and Gates 195
    Use Server Applications for Increased Security 196
    Security for Server and Library Applications 197
    Code Access Security Requirements 197
  Configuring Security 198
    Configuring a Server Application 198
    Configuring an ASP.NET Client Application 205
    Configuring Impersonation Levels for an Enterprise Services Application 206
  Programming Security 207
    Programmatic Role-Based Security 207
    Identifying Callers 208
  Choosing a Process Identity 208
    Avoid Running as the Interactive User 208
    Use a Least-Privileged Custom Account 209
  Accessing Network Resources 209
    Using the Original Caller 210
    Using the Current Process Identity 210
    Using a Specific Service Account 211
  Flowing the Original Caller 211
    Calling CoImpersonateClient 212
  RPC Encryption 213
    More Information 213
  Building Serviced Components 213
    DLL Locking Problems 213
    Versioning 214
    QueryInterface Exceptions 215
  DCOM and Firewalls 215
    More Information 215
  Calling Serviced Components from ASP.NET 216
    Caller's Identity 216
    Use Windows Authentication and Impersonation Within the Web-based Application 216
    Configure Authentication and Impersonation within Machine.config 216
    Configuring Interface Proxies 216
  Security Concepts 219
    Enterprise Services (COM+) Roles and .NET Roles 220
    Authentication 221
    Impersonation 222
  Summary 224

CHAPTER 10 Web Services Security 225
  Web Service Security Model 225
    Platform/Transport Level (Point-to-Point) Security 226
    Application Level Security 227
    Message Level (End-to-End) Security 227
  Platform/Transport Security Architecture 229
    Gatekeepers 230
  Authentication and Authorization Strategies 231
    Windows Authentication with Impersonation 231
    Windows Authentication without Impersonation 233
    Windows Authentication Using a Fixed Identity 235
  Configuring Security 236
    Configure IIS Settings 236
    Configure ASP.NET Settings 237
    Secure Resources 237
    Disable HTTP-GET, HTTP-POST 237
    Secure Communication 238
  Passing Credentials for Authentication to Web Services 238
    Specifying Client Credentials for Windows Authentication 239
    Calling Web Services from Non-Windows Clients 241
    Proxy Server Authentication 242
  Flowing the Original Caller 242
    Default Credentials with Kerberos Delegation 243
    Explicit Credentials with Basic or Forms Authentication 245
  Trusted Subsystem 248
    Flowing the Caller's Identity 249
    Configuration Steps 249
  Accessing System Resources 250
  Accessing Network Resources 250
  Accessing COM Objects 251
    More Information 251
  Using Client Certificates with Web Services 251
    Authenticating Web Browser Clients with Certificates 252
    Using the Trusted Subsystem Model 252
  Secure Communication 255
    Transport Level Options 256
    Message Level Options 256
  Summary 256

CHAPTER 11 .NET Remoting Security 259
  .NET Remoting Architecture 259
    Remoting Sinks 260
    Anatomy of a Request When Hosting in ASP.NET 262
    ASP.NET and the HTTP Channel 263
  .NET Remoting Gatekeepers 264
  Authentication 265
    Hosting in ASP.NET 265
    Hosting in a Windows Service 266
  Authorization 267
    Using File Authorization 267
  Authentication and Authorization Strategies 268
    More Information 269
  Accessing System Resources 269
  Accessing Network Resources 270
  Passing Credentials for Authentication to Remote Objects 270
    Specifying Client Credentials 270
  Flowing the Original Caller 273
    Default Credentials with Kerberos Delegation 274
    Explicit Credentials with Basic or Forms Authentication 276
  Trusted Subsystem 280
    Flowing the Caller's Identity 281
    Choosing a Host 282
    Configuration Steps 282
  Secure Communication 284
    Platform Level Options 284
  Choosing a Host Process 285
    Recommendation 285
    Hosting in ASP.NET 285
    Hosting in a Windows Service 286
    Hosting in a Console Application 287
  Remoting vs. Web Services 288
  Summary 289

CHAPTER 12 Data Access Security 291
  Introducing Data Access Security 291
    SQL Server Gatekeepers 293
    Trusted Subsystem vs. Impersonation/Delegation 293
  Authentication 295
    Windows Authentication 295
    SQL Authentication 301
    Authenticating Against Non-SQL Server Databases 303
  Authorization 304
    Using Multiple Database Roles 304
  Secure Communication 305
    The Options 306
    Choosing an Approach 306
  Connecting with Least Privilege 307
    The Database Trusts the Application 307
    The Database Trusts Different Roles 307
    The Database Trusts the Original Caller 308
  Creating a Least Privilege Database Account 308
  Storing Database Connection Strings Securely 310
    The Options 310
    Using DPAPI 310
    Using Web.config and Machine.config 314
    Using UDL Files 314
    Using Custom Text Files 316
    Using the Registry 316
    Using the COM+ Catalog 316
  Authenticating Users against a Database 317
    Store One-way Password Hashes (with Salt) 317
  SQL Injection Attacks 319
  Auditing 323
  Process Identity for SQL Server 324
  Summary 325

CHAPTER 13 Troubleshooting Security Issues 327
  Process for Troubleshooting 327
    Searching for Implementation Solutions 328
  Troubleshooting Authentication Issues 329
    IIS Authentication Issues 329
    Using Windows Authentication 330
    Using Forms Authentication 331
    Kerberos Troubleshooting 331
  Troubleshooting Authorization Issues 331
    Check Windows ACLs 331
    Check Identity 331
    Check the <authorization> Element 332
  ASP.NET 333
    Enable Tracing 333
    Configuration Settings 333
  Determining Identity 334
    Determining Identity in a Web Page 334
    Determining Identity in a Web service 336
    Determining Identity in a Visual Basic 6 COM Object 336
  .NET Remoting 337
    More Information 337
  SSL 338
    More Information 338
  IPSec 338
  Auditing and Logging 339
    Windows Security Logs 339
    SQL Server Auditing 339
    IIS Logging 340
  Troubleshooting Tools 341
    File Monitor (FileMon.exe) 341
    Fusion Log Viewer (Fuslogvw.exe) 341
    ISQL.exe 342
    Windows Task Manager 342
    Network Monitor (NetMon.exe) 343
    Registry Monitor (regmon.exe) 343
    WFetch.exe 343
    Visual Studio .NET Tools 344
    WebServiceStudio 344
    Windows 2000 Resource Kit 344

Index of How Tos 345
  ASP.NET 345
  Authentication and Authorization 345
  Cryptography 345
  Enterprise Services Security 345
  Web Services Security 346
  Remoting Security 346
  Secure Communication 346

How To: Create a Custom Account to Run ASP.NET 347
  ASP.NET Worker Process Identity 347
  Impersonating Fixed Identities 348
  Notes 348
  Summary 349
  1. Create a New Local Account 349
  2. Assign Minimum Privileges 349
  3. Assign NTFS Permissions 350
  4. Configure ASP.NET to Run Using the New Account 352

How To: Use Forms Authentication with Active Directory 353
  Requirements 353
  Summary 353
  1. Create a Web Application with a Logon Page 354
  2. Configure the Web Application for Forms Authentication 355
  3. Develop LDAP Authentication Code to Look Up the User in Active Directory 356
  4. Develop LDAP Group Retrieval Code to Look Up the User's Group Membership 357
  5. Authenticate the User and Create a Forms Authentication Ticket 358
  6. Implement an Authentication Request Handler to Construct a GenericPrincipal Object 360
  7. Test the Application 362

How To: Use Forms Authentication with SQL Server 2000 363
  Requirements 364
  Summary 364
  1. Create a Web Application with a Logon Page 364
  2. Configure the Web Application for Forms Authentication 365
  3. Develop Functions to Generate a Hash and Salt value 366
  4. Create a User Account Database 367
  5. Use ADO.NET to Store Account Details in the Database 368
  6. Authenticate User Credentials Against the Database 369
  7. Test the Application 371
  Additional Resources 372

How To: Create GenericPrincipal Objects with Forms Authentication 373
  Requirements 374
  Summary 374
  1. Create a Web Application with a Logon Page 374
  2. Configure the Web Application for Forms Authentication 375
  3. Generate an Authentication Ticket for Authenticated Users 375
  4. Construct GenericPrincipal and FormsIdentity Objects 378
  5. Test the Application 379
  Additional Resources 380

How To: Implement Kerberos Delegation for Windows 2000 381
  Notes 381
  Requirements 382
  Summary 382
  1. Confirm that the Client Account is Configured for Delegation 382
  2. Confirm that the Server Process Account is Trusted for Delegation 382
  References 383

How To: Implement IPrincipal 385
  Requirements 386
  Summary 386
  1. Create a Simple Web Application 386
  2. Configure the Web Application for Forms Authentication 387
  3. Generate an Authentication Ticket for Authenticated Users 388
  4. Create a Class that Implements and Extends IPrincipal 390
  5. Create the CustomPrincipal Object 391
  6. Test the Application 393
  Additional Resources 394

How To: Create a DPAPI Library 395
  Notes 395
  Requirements 396
  Summary 396
  1. Create a C# Class Library 396
  2. Strong Name the Assembly (Optional) 402
  References 403

How To: Use DPAPI (Machine Store) from ASP.NET 405
  Notes 405
  Requirements 406
  Summary 406
  1. Create an ASP.NET Client Web Application 406
  2. Test the Application 408
  3. Modify the Web Application to Read an Encrypted Connection String from Web.Config 409
  References 410

How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services 411
  Notes 411
    Why Use Enterprise Services? 412
    Why Use a Windows Service? 413
  Requirements 414
  Summary 414
  1. Create a Serviced Component that Provides Encrypt and Decrypt Methods 414
  2. Call the Managed DPAPI Class Library 415
  3. Create a Dummy Class that will Launch the Serviced Component 416
  4. Create a Windows Account to Run the Enterprise Services Application and Windows Service 416
  5. Configure, Strong Name, and Register the Serviced Component 417
  6. Create a Windows Service Application that will Launch the Serviced Component 418
  7. Install and Start the Windows Service Application 420
  8. Write a Web Application to Test the Encryption and Decryption Routines 420
  9. Modify the Web Application to Read an Encrypted Connection String from an Application Configuration File 423
  References 424

How To: Create an Encryption Library 425
  Requirements 425
  Summary 425
  1. Create a C# Class Library 426
  2. Create a Console Test Application 433
  References 434

How To: Store an Encrypted Connection String in the Registry 435
  Notes 435
  Requirements 435
  Summary 436
  1. Store the Encrypted Data in the Registry 436
  2. Create an ASP.NET Web Application 439
  References 440

How To: Use Role-based Security with Enterprise Services 441
  Notes 441
  Requirements 441
  Summary 442
  1. Create a C# Class Library Application to Host the Serviced Component 442
  2. Create the Serviced Component 442
  3. Configure the Serviced Component 443
  4. Generate a Strong Name for the Assembly 444
  5. Build the Assembly and Add it to the Global Assembly Cache 445
  6. Manually Register the Serviced Component 445
  7. Examine the Configured Application 445
  8. Create a Test Client Application 446

How To: Call a Web Service Using Client Certificates from ASP.NET 449
  Why Use a Serviced Component? 449
  Why is a User Profile Required? 450
  Requirements 451
  Summary 451
  1. Create a Simple Web Service 451
  2. Configure the Web Service Virtual Directory to Require Client Certificates 452
  3. Create a Custom Account for Running the Serviced Component 453
  4. Request a Client Certificate for the Custom Account 453
  5. Test the Client Certificate Using a Browser 455
  6. Export the Client Certificate to a File 455
  7. Develop the Serviced Component Used to Call the Web Service 456
  8. Configure and Install the Serviced Component 459
  9. Develop a Web Application to Call the Serviced Component 460
  Additional Resources 462

How To: Call a Web Service Using SSL 463
  Requirements 463
  Summary 463
  1. Create a Simple Web Service 464
  2. Configure the Web Service Virtual Directory to Require SSL 464
  3. Test the Web Service Using a Browser 465
  4. Install the Certificate Authority's Certificate on the Client Computer 466
  5. Develop a Web Application to Call the Web Service 467
  Additional Resources 468

How To: Host a Remote Object in a Windows Service 469
  Notes 469
  Requirements 469
  Summary 470
  1. Create the Remote Object Class 470
  2. Create a Windows Service Host Application 470
  3. Create a Windows Account to Run the Service 473
  4. Install the Windows Service 473
  5. Create a Test Client Application 474
  References 474

How To: Set Up SSL on a Web Server 475
  Requirements 475
  Summary 475
  1. Generate a Certificate Request 475
  2. Submit a Certificate Request 477
  3. Issue the Certificate 478
  4. Install the Certificate on the Web Server 478
  5. Configure Resources to Require SSL Access 479

How To: Set Up Client Certificates 481
  Requirements 481
  Summary 481
  1. Create a Simple Web Application 482
  2. Configure the Web Application to Require Client Certificates 482
  3. Request and Install a Client Certificate 483
  4. Verify Client Certificate Operation 484
  Additional Resources 484

How To: Use IPSec to Provide Secure Communication Between Two Servers 485
  Notes 487
  Requirements 487
  Summary 488
  1. Create an IP Filter 488
  2. Create Filter Actions 489
  3. Create Rules 490
  4. Export the IPSec Policy to the Remote Computer 491
  5. Assign Policies 491
  6. Verify that it Works 492
  Additional Resources 494

How To: Use SSL to Secure Communication with SQL Server 2000 495
  Notes 495
  Requirements 496
  Summary 496
  1. Install a Server Authentication Certificate 496
  2. Verify that the Certificate Has Been Installed 497
  3. Install the Issuing CA's Certificate on the Client 498
  4. Force All Clients to Use SSL 498
  5. Allow Clients to Determine Whether to Use SSL 499
  6. Verify that Communication is Encrypted 500
  Additional Resources 503

Base Configuration 505

Configuration Stores and Tools 507

Reference Hub 513
  Searching the Knowledge Base 513
    Tips 514
  .NET Security 514
    Hubs 514
  Active Directory 514
    Hubs 514
    Key Notes 515
    Articles 515
  ADO.NET 515
    Roadmaps and Overviews 515
    Seminars and WebCasts 515
  ASP.NET 515
    Hubs 515
    Roadmaps and Overviews 516
    Knowledge Base 516
    Articles 516
    How Tos 516
    Seminars and WebCasts 517
  Enterprise Services 517
    Knowledge Base 517
    Roadmaps and Overviews 517
    How Tos 518
    FAQs 518
    Seminars and WebCasts 518
  IIS (Internet Information Server) 518
    Hubs 518
  Remoting 518
    Roadmaps and Overviews 518
    How Tos 519
    Seminars and WebCasts 519
  SQL Server 519
    Hubs 519
    Seminars and WebCasts 519
  Visual Studio .NET 519
    Hubs 519
    Roadmaps and Overviews 519
  Web Services 520
    Hubs 520
    Roadmaps and Overviews 520
    How Tos 520
    Seminars and WebCasts 520
  Windows 2000 521
    Hubs 521

How Does It Work? 523
  IIS and ASP.NET Processing 523
    Application Isolation 524
    The ASP.NET ISAPI Extension 524
    IIS 6.0 and Windows .NET Server 524
  ASP.NET Pipeline Processing 525
    The Anatomy of a Web Request 526
    Event Handling 530
    Implementing a Custom HTTP Module 531
    Implementing a Custom HTTP Handler 531

ASP.NET Identity Matrix 533

Cryptography and Certificates 537
  Keys and Certificates 537
    X.509 Digital Certificates 538
    Certificate Stores 538
    More Information 539
  Cryptography 539
    Technical Choices 539
    Cryptography in .NET 540
  Summary 543

.NET Web Application Security 545

GLOSSARY 547
INDEX 565