E-Learning Chapter 8, incl SSL


Security (E-Learning Chapter 08)
• Control access to your web site
  – 3 techniques for:
    • Identifying users
    • Giving users access to your site
    • Securing data transmitted across the internet
      – So that others can't read it
Authenticating and Authorizing Users (Lesson 1)
Authentication and Authorization
• Authentication
  – The process of identifying users
  – “Who are you?”
• Authorization
  – The process of granting access based on identity
  – “I’ve checked your credentials out and you’re OK … Come on in!”
• Choose an authorization strategy based on the type of application you’re creating
Anonymous Users
• Public web sites
  – Anyone can see the information
  – Users are not authenticated
• Impersonation
  – Technique for allowing anonymous access to a web site
  – Assigns a user account to an unknown user
    • IUSR_<machineName>
      – Anonymous user account
Anonymous Access Account – See or Change Privileges
• Log in as administrator on the server
• Start | Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users | right-click IUSR_<machineName> | Properties
IUSR_<machineName> Properties – Member of
• <default> Guests group
  – Limited privileges
• My ‘Member of’
  – Debugger Users group
• ASP.NET
  – Uses the ASPNET account
  – Anything outside its privileges produces a security exception – access denied
  – The exception appears in the Security Event Log of the Event Viewer
Restricting Anonymous Users
• Set Windows file permissions
• Requires the NTFS file system; FAT won’t work
• See the Windows Security Help topics
Access by Authenticated Users
• Authenticated users
  – Are allowed to
    • Access private information
    • Perform restricted tasks (placing orders, etc.)
• 3 ways to authenticate
  – Windows Authentication
    • Identifies and authorizes users based on the server’s user list
  – Forms Authentication
    • Directs users to a form that collects name and password
    • Authenticates against a user list or database
  – Passport Authentication
    • Authenticated by the Passport site hosted by Microsoft
System.Web.Security Namespace
• The Windows, Forms and Passport security classes are provided in .NET by the System.Web.Security namespace
Visual Basic .NET:
Imports System.Web.Security
Visual C#:
using System.Web.Security;
Applying authentication methods to web application components

Web App Component | Authentication Modes
--- | ---
Web Forms (.aspx), Modules (.asax), other resources that pass through the ASP.NET executable | Can use: Windows, Forms, Passport
.htm or .html pages | Can’t use directly: handled by IIS, not by the ASP.NET executable; must be mapped to ASP.NET (see Lesson 1)
.NET Web Security Overview – ASP.NET architecture
IIS and ASP.NET Interaction
IIS:
• Request comes in (for a Web Form)
• If IIS authentication is enabled, authorization is performed
• Authentication info is added to the request
• Info is passed to the ASP.NET runtime
ASP.NET:
• Windows mode
  – Authentication performed
  – Request processed
• Forms mode
  – ASP.NET checks for the forms authentication cookie
  – No cookie → login page
  – If login succeeds, the authentication cookie is set and the user is redirected to the requested resource
• Passport mode
  – ASP.NET checks for the Passport cookie
  – No cookie → the site’s Passport login page
  – Successful login: cookie set, user redirected to the resource
Set/Change Authentication Method Used by IIS
• Open Internet Services Manager
• Select the site, virtual directory or file you want to authenticate
• Right-click, select Properties
• Select the Directory (or File) Security tab
• In the Anonymous Access and Authentication Control section, click the Edit button
• In the Authentication Methods dialog box, uncheck the Anonymous Access check box
• Check the desired authentication method
Set Authentication Method in IIS
Windows Authentication (Lesson 2)
Types of Windows Authentication
• Basic
  – User must supply user name and password
  – Supported by Netscape Navigator and IE
  – User credentials are sent unencrypted
  – Should only be used with a secure channel (SSL)
  – SSL should be used on all pages, since credentials are passed on all subsequent requests
• Digest
  – Browser transmits a hash of the user’s credentials
  – Requires IE 5.0 or later
  – Password encryption can be reversed
• Integrated Windows Authentication
  – Kerberos or NTLM
  – Uses an encrypted exchange between the IE browser and the server
  – Used in intranet scenarios
  – Used by the web server only if anonymous access is disabled, or anonymous access has been denied through Windows file system permissions
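To make the difference between Basic and Digest concrete, here is an added Python model of what each scheme puts on the wire. It is not course material or Microsoft code; the user name, password, realm and nonce are constructed sample values. The Basic part shows that the header only Base64-encodes the credentials (which is why the slide insists on SSL for every page); the Digest part computes the RFC 2617 response (MD5, no qop) and shows that a server verifying it must be able to recompute HA1 from the stored password.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials and challenge values (not from the page).
USERNAME = "contoso\\DeannaMeyer"
PASSWORD = "example-password"  # constructed placeholder
REALM = "contoso"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed server nonce


def basic_header(username, password):
    """Build the Authorization header a browser sends for Basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def basic_credentials(header):
    """Recover the credentials from a Basic header.

    Base64 is an encoding, not encryption: anyone who can read the request
    gets the password back, which is why Basic needs SSL on every page.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    username, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return username, password


def _md5_hex(text):
    # MD5 is what RFC 2617 Digest authentication specifies; it is used here
    # only to model that protocol, not as a general-purpose hash.
    return hashlib.md5(text.encode("utf-8"), usedforsecurity=False).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest response (algorithm=MD5, no qop): MD5(HA1:nonce:HA2).

    HA1 = MD5(username:realm:password), HA2 = MD5(method:uri). The password
    itself never leaves the browser; only this hash does.
    """
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify_digest(response, username, realm, stored_password, method, uri, nonce):
    """Server-side check. Recomputing HA1 needs the plaintext password (or a
    stored HA1), so the server cannot keep only a one-way password hash."""
    expected = digest_response(username, realm, stored_password, method, uri, nonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    hdr = basic_header(USERNAME, PASSWORD)
    print(hdr)
    print("Basic decodes back to:", basic_credentials(hdr))
    resp = digest_response(USERNAME, REALM, PASSWORD, "GET", "/orders.aspx", NONCE)
    print("Digest response:", resp)
    print("Password visible in Digest response?", PASSWORD in resp)
```

The nonce is chosen by the server per challenge, so a captured Digest response cannot simply be replayed against a fresh challenge; a captured Basic header can be reused until the password changes.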
More Windows Authentication Methods
• Certificates
  – Client certificate is passed to the web server
  – IIS maps the certificate to a user account
• Anonymous authentication
  – When you don’t need to authenticate users, or
  – When you use a custom authorization scheme
  – Web server creates an access token
    • Represents all anonymous users with the (guest) account IUSR_MACHINENAME
Integrated Windows Authentication
• Uses integrated Windows NT and XP authentication to authenticate web users
• Advantages
  – Uses the same security scheme as your corporate network
  – Names, passwords, and permissions are the same
  – Users on the corporate intranet don’t have to log in to the website; it happens automatically
• Disadvantages
  – Only for Internet Explorer
  – Users on the corporate network connecting through a proxy can’t use it
  – Every user must have a password on the web server or on a domain controller trusted by the web server
Configuring Windows Authentication – Web.config file
<!--
AUTHENTICATION
This section sets the authentication policies of the application. Possible modes are "Windows", "Forms", "Passport" and "None".
"None"     No authentication is performed.
"Windows"  IIS performs authentication (Basic, Digest, or Integrated Windows) according to its settings for the application. Anonymous access must be disabled in IIS.
"Forms"    You provide a custom form (Web page) for users to enter their credentials, and then you authenticate them in your application. A user credential token is stored in a cookie.
"Passport" Authentication is performed via a centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites.
-->
<authentication mode="Windows" />
Allowing or Denying Access to Certain Users
• The allow/deny list is set in the Web.config file
<authorization>
  <allow users="contoso\DeannaMeyer, contoso\MichaelEmanuel" />
  <!-- Allow two users. -->
  <deny users="*" />
  <!-- Deny anyone else. -->
</authorization>
• “*” – all users
• “?” – unauthenticated (anonymous) users
• Comma-separated names, in the format domain\username
Role-based Authorization
• Grants access based on the user’s role in the organization
• Windows roles – Computer Management
  – Administrators
  – Users
  – Guests
• See roles/groups in Start | Control Panel | Administrative Tools | Computer Management | Local Users and Groups
Role-Based Authorization – web.config
<authorization>
  <allow roles="contoso\Administrators" />
  <!-- Allow Administrators. -->
  <deny users="*" />
  <!-- Deny anyone else. -->
</authorization>
User Object, Identity Property
• User.Identity is available after authentication and authorization
• Returns name and role information
Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    ' Put user code to initialize the page here
    ' Show the identity established by the authentication module
    spnAuthenticated.InnerText = User.Identity.IsAuthenticated.ToString()
    spnUserName.InnerText = User.Identity.Name
    spnAuthenticationType.InnerText = User.Identity.AuthenticationType
End Sub
' Role check: with Windows authentication the roles are the user's Windows groups
If User.IsInRole("Administrators") Then
    ' Do something
End If
IIS and Web.config Overlap
• Security settings may overlap
• The most restrictive setting applies
• Setting security in IIS
  – IIS > right-click on Web Site > Properties > Directory Security tab > Anonymous Access and Authentication Control section > Edit
• Best practice: allow IIS to control the password on the anonymous account
• Basic and Digest Authentication – less restrictive
Impersonation
• After authentication and authorization
  – The web app runs under the ASPNET user account (by default) – demo
  – Limited user account
• Impersonation – allows the app to run in the context of the user’s own account
• Use web.config to set the identity element to enable impersonation
<configuration>
  <system.web>
    <!-- Impersonate the authenticated user in code -->
    <identity impersonate="true" />
  </system.web>
</configuration>
-- or --
<!-- Impersonate a special account (the Administrator account) -->
<identity impersonate="true" username="Administrator" password="O#thip32x" />
Folder-level Impersonation
• Impersonates a specific user account
• Can be used with Forms and Passport Authentication
<!-- From root-level Web.config file -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" /> <!-- Authenticate (but allow) all users. -->
    </authorization>
    <!-- Turn off impersonation (default). -->
    <identity impersonate="false" />
  </system.web>
</configuration>
<!-- From /Admin folder Web.config file -->
<configuration>
  <system.web>
    <authorization>
      <allow users="contoso\Jane" />
      <!-- Allow only Jane. -->
      <deny users="*" />
    </authorization>
    <!-- Impersonate the Administrator account -->
    <identity impersonate="true" username="Administrator" password="O#thip32x" />
  </system.web>
</configuration>
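The allow/deny lists (the two-user list, the Administrators role list, and the root plus /Admin pair above) are only useful if you can predict how they combine. ASP.NET's URL authorization evaluates the rules of the most specific folder first, then each parent's, and the first rule that matches the user decides; if nothing matches, the machine-level default of allow users="*" applies. The Python below is an added model of that evaluation over constructed copies of the slide's Web.config files; it is not Microsoft's module and not course code. The `<identity>` elements are omitted because impersonation changes which account the request runs as, not whether it is authorized, and the real module's `verbs` attribute is ignored.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed copies of the slide's Web.config files, reduced to the parts the
# authorization check reads.
ROOT_CONFIG = """
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" /> <!-- Authenticate (but allow) all users. -->
    </authorization>
  </system.web>
</configuration>
"""

ADMIN_CONFIG = """
<configuration>
  <system.web>
    <authorization>
      <allow users="contoso\\Jane" /> <!-- Allow only Jane. -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
"""

ROLE_CONFIG = """
<configuration>
  <system.web>
    <authorization>
      <allow roles="contoso\\Administrators" /> <!-- Allow Administrators. -->
      <deny users="*" /> <!-- Deny anyone else. -->
    </authorization>
  </system.web>
</configuration>
"""


@dataclass(frozen=True)
class Principal:
    name: Optional[str]                       # None models an unauthenticated request ("?")
    roles: FrozenSet[str] = frozenset()       # Windows groups in domain\group form


Rule = Tuple[str, List[str], List[str]]       # (allow|deny, users, roles)


def parse_rules(config_xml: str) -> List[Rule]:
    """Return the <allow>/<deny> rules of one Web.config in document order."""
    section = ET.fromstring(config_xml).find("./system.web/authorization")
    rules: List[Rule] = []
    for elem in ([] if section is None else list(section)):
        if elem.tag not in ("allow", "deny"):
            continue
        users = [u.strip() for u in elem.get("users", "").split(",") if u.strip()]
        roles = [r.strip() for r in elem.get("roles", "").split(",") if r.strip()]
        rules.append((elem.tag, users, roles))
    return rules


def rule_matches(rule: Rule, who: Principal) -> bool:
    _, users, roles = rule
    for u in users:
        if u == "*":                          # everyone, authenticated or not
            return True
        if u == "?" and who.name is None:     # only unauthenticated users
            return True
        if who.name is not None and u.lower() == who.name.lower():
            return True
    mine = {r.lower() for r in who.roles}
    return any(r.lower() in mine for r in roles)


def is_authorized(who: Principal, *configs: str) -> bool:
    """Pass the configs from the requested folder outwards (child first).
    The first matching rule wins; no match falls through to the default allow."""
    for config in configs:
        for rule in parse_rules(config):
            if rule_matches(rule, who):
                return rule[0] == "allow"
    return True                               # machine-level default: <allow users="*" />


if __name__ == "__main__":
    for who in (Principal("contoso\\Jane"), Principal("contoso\\MichaelEmanuel"), Principal(None)):
        print(who.name, "/Admin:", is_authorized(who, ADMIN_CONFIG, ROOT_CONFIG),
              "root:", is_authorized(who, ROOT_CONFIG))
```

Because the order matters, a `<deny users="*" />` placed above an `<allow>` blocks everyone; the slide's configs put the allow rules first for that reason.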
Forms Authentication (Lesson 3)
Reference for ASP.NET Security: http://msdn2.microsoft.com/en-us/library/330a99hc.aspx
Providing Secure Communication (Chapter 8 Lesson 5)
“I’d like to send some sensitive data across the web! But I don’t want just anyone to be able to read it!”
IIS provides:
• A standard means for encrypting and decrypting both web requests and responses
Requires:
• A server certificate (encryption key)
• Issued by an independent 3rd party (certificate authority)
Secure Sockets Layer
• Standard means for ensuring data can’t be read by others
• Overview – using SSL:
  Request authorization from a recognized certificate authority → server certificate → install the certificate in IIS (identifies your server)
  (Server certificates are licensed for a fee, but you can get one for testing purposes)
• The Certificate Authority acts as a clearinghouse
• Identifies your server’s identity over the Internet
Using Secure Communications
Browser → Web Server: requests the server certificate
Web Server → Browser: returns the server certificate
Browser checks, with the Certificate Authority (CA):
• Check against the list of trusted sites
• Is the web address registered with the certificate?
• Is anything wrong with the certificate?
• If so: warnings from the browser
• CA provides encryption
• Assures users your web site is authentic
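The three browser checks on this slide (trusted issuer, web address registered with the certificate, anything else wrong such as the validity period) are modelled below in Python as an added example; it is not course code and not a real TLS implementation. The certificate records, the trusted CA list and the check time are constructed, standing in for the Issuer, Subject/Subject Alternative Name and Validity fields a browser reads from a real certificate. The function returns the list of warnings a browser would show, so an empty list means the padlock appears without complaint.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Set


@dataclass(frozen=True)
class ServerCertificate:
    """Constructed stand-in for the certificate fields a browser checks."""
    issuer: str
    subject_cn: str
    not_before: datetime
    not_after: datetime
    san_dns_names: List[str] = field(default_factory=list)


# Constructed trust store and check time (not from the page).
TRUSTED_CAS: Set[str] = {"Example Root CA"}
CHECK_TIME = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed sample certificates.
GOOD_CERT = ServerCertificate("Example Root CA", "www.contoso.test",
                              datetime(2024, 1, 1, tzinfo=timezone.utc),
                              datetime(2026, 1, 1, tzinfo=timezone.utc),
                              ["www.contoso.test", "contoso.test"])
SELF_SIGNED_CERT = ServerCertificate("www.contoso.test", "www.contoso.test",   # a test certificate signs itself
                                     datetime(2024, 1, 1, tzinfo=timezone.utc),
                                     datetime(2026, 1, 1, tzinfo=timezone.utc))
EXPIRED_CERT = ServerCertificate("Example Root CA", "www.contoso.test",
                                 datetime(2018, 1, 1, tzinfo=timezone.utc),
                                 datetime(2020, 1, 1, tzinfo=timezone.utc))
WILDCARD_CERT = ServerCertificate("Example Root CA", "*.contoso.test",
                                  datetime(2024, 1, 1, tzinfo=timezone.utc),
                                  datetime(2026, 1, 1, tzinfo=timezone.utc),
                                  ["*.contoso.test"])


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match; a leading '*.' matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == hostname


def certificate_warnings(cert: ServerCertificate, hostname: str,
                         trusted_cas: Set[str], now: datetime) -> List[str]:
    """Return the warnings a browser would raise for this certificate."""
    warnings: List[str] = []
    if cert.issuer not in trusted_cas:             # "check against list of trusted CAs"
        warnings.append("untrusted-issuer")
    names = cert.san_dns_names or [cert.subject_cn]  # SANs take precedence when present
    if not any(hostname_matches(n, hostname) for n in names):  # "web address registered?"
        warnings.append("hostname-mismatch")
    if now < cert.not_before:                      # "anything wrong with certificate?"
        warnings.append("not-yet-valid")
    elif now > cert.not_after:
        warnings.append("expired")
    return warnings


if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("self-signed", SELF_SIGNED_CERT),
                        ("expired", EXPIRED_CERT), ("wildcard", WILDCARD_CERT)):
        print(label, certificate_warnings(cert, "www.contoso.test", TRUSTED_CAS, CHECK_TIME))
```

The self-signed case is exactly what step 4 of the next slide addresses: a test certificate only stops the "untrusted issuer" warning once the browser has been told to trust it, which is acceptable on a developer's machine and never on a customer's.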
IIS on Web Server: “I need a certificate”   Certificate Authority (CA): “I can help!”
1. Use IIS to generate a certificate request.
2. Request the certificate from the CA (send the certificate request).
3. Install the certificate on the server (certificate installed!).
4. Install the certificate on the browser (test certificate).
5. Use Secure Hypertext Transfer Protocol (HTTPS) in your web pages.