Building secure distributed Web applications can be challenging. It usually involves integrating several different technologies and products—yet your complete application will only be as secure as its weakest link. This guide presents a practical, scenario-driven approach to designing and building security-enhanced ASP.NET applications for Microsoft® Windows® 2000 and version 1.1 of the Microsoft .NET Framework. It focuses on the key elements of authentication, authorization, and secure communication within and across the tiers of distributed .NET Web applications.
This guide focuses on:
Authentication—to identify the clients of your application
Authorization—to provide access controls for those clients
Secure communication—to help ensure that messages remain private and are not altered by unauthorized parties
Who should read this guide:
Middleware developers and architects who build or plan to build .NET Web applications using ASP.NET, XML Web Services, Enterprise Services (COM+), .NET Remoting, or Microsoft ADO.NET
About “Patterns and Practices”:
Patterns & Practices contains specific recommendations illustrating how to design, build, deploy, and operate architecturally sound solutions to challenging business and technical scenarios. The technical guidance is reviewed and approved by Microsoft engineering teams, consultants, and Product Support Services, and by partners and customers.
Note: Complete sample code is available on the Web.
Chapter 1 Introduction
    The Connected Landscape
    The Foundations
    Tying the Technologies Together
    Design Principles
    Summary
Chapter 2 Security Model for ASP.NET Applications
    .NET Web Applications
    Implementation Technologies
    Security Architecture
    Introducing .NET Framework Security
    Summary
Chapter 3 Authentication and Authorization Design
    Designing an Authentication and Authorization Strategy
    Authorization Approaches
    Flowing Identity
    Role-Based Authorization
    Choosing an Authentication Mechanism
    Summary
Chapter 4 Secure Communication
    Know What to Secure
    SSL/TLS
    IPSec
    RPC Encryption
    Point to Point Security
    Choosing Between IPSec and SSL
    Farming and Load Balancing
    Summary
Chapter 5 Intranet Security
    ASP.NET to SQL Server
    ASP.NET to Enterprise Services to SQL Server
    ASP.NET to Web Services to SQL Server
    ASP.NET to Remoting to SQL Server
    Flowing the Original Caller to the Database
    Summary
Chapter 6 Extranet Security
    Exposing a Web Service
    Exposing a Web Application
    Summary
Chapter 7 Internet Security
    ASP.NET to SQL Server
    ASP.NET to Remote Enterprise Services to SQL Server
    Summary
Chapter 8 ASP.NET Security
    ASP.NET Security Architecture
    Authentication and Authorization Strategies
    Configuring Security
    Programming Security
    Windows Authentication
    Forms Authentication
    Passport Authentication
    Custom Authentication
    Process Identity for ASP.NET
    Impersonation
    Accessing System Resources
    Accessing COM Objects
    Accessing Network Resources
    Secure Communication
    Storing Secrets
    Securing Session and View State
    Web Farm Considerations
    Summary
Chapter 9 Enterprise Services Security
    Security Architecture
    Configuring Security
    Programming Security
    Choosing a Process Identity
    Accessing Network Resources
    Flowing the Original Caller
    RPC Encryption
    Building Serviced Components
    DCOM and Firewalls
    Calling Serviced Components from ASP.NET
    Security Concepts
    Summary
Chapter 10 Web Services Security
    Web Service Security Model
    Platform/Transport Security Architecture
    Authentication and Authorization Strategies
    Configuring Security
    Passing Credentials for Authentication to Web Services
    Flowing the Original Caller
    Trusted Subsystem
    Accessing System Resources
    Accessing Network Resources
    Accessing COM Objects
    Using Client Certificates with Web Services
    Secure Communication
    Summary
Chapter 11 .NET Remoting Security
    .NET Remoting Architecture
    .NET Remoting Gatekeepers
    Authentication
    Authorization
    Authentication and Authorization Strategies
    Accessing System Resources
    Accessing Network Resources
    Passing Credentials for Authentication to Remote Objects
    Flowing the Original Caller
    Trusted Subsystem
    Secure Communication
    Choosing a Host Process
    Remoting vs. Web Services
    Summary
Chapter 12 Data Access Security
    Introducing Data Access Security
    Authentication
    Authorization
    Secure Communication
    Connecting with Least Privilege
    Creating a Least Privilege Database Account
    Storing Database Connection Strings Securely
    Authenticating Users against a Database
    SQL Injection Attacks
    Auditing
    Process Identity for SQL Server
    Summary
Chapter 13 Troubleshooting Security Issues
    Process for Troubleshooting
    Troubleshooting Authentication Issues
    Troubleshooting Authorization Issues
    ASP.NET
    Determining Identity
    .NET Remoting
    SSL
    IPSec
    Auditing and Logging
    Troubleshooting Tools
Appendix Index of How Tos
    ASP.NET
    Authentication and Authorization
    Cryptography
    Enterprise Services Security
    Web Services Security
    Remoting Security
    Secure Communication
Appendix How To: Create a Custom Account to Run ASP.NET
    ASP.NET Worker Process Identity
    Impersonating Fixed Identities
    Notes
    Summary
    Create a New Local Account
    Assign Minimum Privileges
    Assign NTFS Permissions
    Configure ASP.NET to Run Using the New Account
Appendix How To: Use Forms Authentication with Active Directory
    Requirements
    Summary
    Create a Web Application with a Logon Page
    Configure the Web Application for Forms Authentication
    Develop LDAP Authentication Code to Look Up the User in Active Directory
    Develop LDAP Group Retrieval Code to Look Up the User’s Group Membership
    Authenticate the User and Create a Forms Authentication Ticket
    Implement an Authentication Request Handler to Construct a GenericPrincipal Object
    Test the Application
Appendix How To: Use Forms Authentication with SQL Server 2000
    Requirements
    Summary
    Create a Web Application with a Logon Page
    Configure the Web Application for Forms Authentication
    Develop Functions to Generate a Hash and Salt Value
    Create a User Account Database
    Use ADO.NET to Store Account Details in the Database
    Authenticate User Credentials Against the Database
    Test the Application
    Additional Resources
Appendix How To: Create GenericPrincipal Objects with Forms Authentication
    Requirements
    Summary
    Create a Web Application with a Logon Page
    Configure the Web Application for Forms Authentication
    Generate an Authentication Ticket for Authenticated Users
    Construct GenericPrincipal and FormsIdentity Objects
    Test the Application
Appendix How To: Implement Kerberos Delegation for Windows 2000
    Notes
    Requirements
    Summary
    Confirm that the Client Account is Configured for Delegation
    Confirm that the Server Process Account is Trusted for Delegation
    References
Appendix How To: Implement IPrincipal
    Requirements
    Summary
    Create a Simple Web Application
    Configure the Web Application for Forms Authentication
    Generate an Authentication Ticket for Authenticated Users
    Create a Class that Implements and Extends IPrincipal
    Create the CustomPrincipal Object
    Test the Application
    Additional Resources
Appendix How To: Create a DPAPI Library
    Notes
    Requirements
    Summary
    Create a C# Class Library
    Strong Name the Assembly (Optional)
    References
Appendix How To: Use DPAPI (Machine Store) from ASP.NET
    Notes
    Summary
    Create an ASP.NET Client Web Application
    Test the Application
    Modify the Web Application to Read an Encrypted Connection String from Web.Config
    References
Appendix How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
    Notes
    Requirements
    Summary
    Create a Serviced Component that Provides Encrypt and Decrypt Methods
    Call the Managed DPAPI Class Library
    Create a Dummy Class that will Launch the Serviced Component
    Create a Windows Account to Run the Enterprise Services Application and Windows Service
    Configure, Strong Name, and Register the Serviced Component
    Create a Windows Service Application that will Launch the Serviced Component
    Install and Start the Windows Service Application
    Write a Web Application to Test the Encryption and Decryption Routines
    Modify the Web Application to Read an Encrypted Connection String from an Application Configuration File
    References
Appendix How To: Create an Encryption Library
    Requirements
    Summary
    Create a C# Class Library
    Create a Console Test Application
    References
Appendix How To: Store an Encrypted Connection String in the Registry
    Notes
    Requirements
    Summary
    Store the Encrypted Data in the Registry
    Create an ASP.NET Web Application
    References
Appendix How To: Use Role-based Security with Enterprise Services
    Notes
    Requirements
    Summary
    Create a C# Class Library Application to Host the Serviced Component
    Create the Serviced Component
    Configure the Serviced Component
    Generate a Strong Name for the Assembly
    Build the Assembly and Add it to the Global Assembly Cache
    Manually Register the Serviced Component
    Examine the Configured Application
    Create a Test Client Application
Appendix How To: Call a Web Service Using Client Certificates from ASP.NET
    Why Use a Serviced Component?
    Requirements
    Summary
    Create a Simple Web Service
    Configure the Web Service Virtual Directory to Require Client Certificates
    Create a Custom Account for Running the Serviced Component
    Request a Client Certificate for the Custom Account
    Test the Client Certificate Using a Browser
    Export the Client Certificate to a File
    Develop the Serviced Component Used to Call the Web Service
    Configure and Install the Serviced Component
    Develop a Web Application to Call the Serviced Component
    Additional Resources
Appendix How To: Call a Web Service Using SSL
    Requirements
    Summary
    Create a Simple Web Service
    Configure the Web Service Virtual Directory to Require SSL
    Test the Web Service Using a Browser
    Install the Certificate Authority’s Certificate on the Client Computer
    Develop a Web Application to Call the Web Service
    Additional Resources
Appendix How To: Host a Remote Object in a Windows Service
    Notes
    Requirements
    Summary
    Create the Remote Object Class
    Create a Windows Service Host Application
    Create a Windows Account to Run the Service
    Install the Windows Service
    Create a Test Client Application
    References
Appendix How To: Set Up SSL on a Web Server
    Requirements
    Summary
    Generate a Certificate Request
    Submit a Certificate Request
    Issue the Certificate
    Install the Certificate on the Web Server
    Configure Resources to Require SSL Access
Appendix How To: Set Up Client Certificates
    Requirements
    Summary
    Create a Simple Web Application
    Configure the Web Application to Require Client Certificates
    Request and Install a Client Certificate
    Verify Client Certificate Operation
    Additional Resources
Appendix How To: Use IPSec to Provide Secure Communication Between Two Servers
    Notes
    Requirements
    Summary
    Create an IP Filter
    Create Filter Actions
    Create Rules
    Export the IPSec Policy to the Remote Computer
    Assign Policies
    Verify that it Works
    Additional Resources
Appendix How To: Use SSL to Secure Communication with SQL Server 2000
    Notes
    Requirements
    Summary
    Install a Server Authentication Certificate
    Verify that the Certificate Has Been Installed
    Install the Issuing CA’s Certificate on the Client
Founded in 1975, Microsoft® is the worldwide leader in software, services, and solutions that help people and businesses realize their full potential. Since 1988, Microsoft has been building accessibility options right into its products to enable everyone to personalize their PCs to make them easier and more comfortable to see, hear, and use.