authorization
Download
Report
Transcript authorization
Securing Your ASP.NET
Application
Presented by:
Rob Bagby
Developer Evangelist
Microsoft
[email protected] (email)
http://www.robbagby.com (blog)
Session Agenda
Security Overview / Basics
ASP.NET Security Architecture
Authentication
Authorization
Input Validation
Database
Sensitive Data
Security Overview
Defense-In-Depth Security – The concept that
many layers of security is better than one
layer.
Threat Modeling
Threat Modeling Process
Structured approach to:
Evaluate security threats
Identify countermeasures
DREAD helps rate risk
Damage potential
Reproducibility
Exploitability
Affected users
1. Identify Assets
2. Create an Architectural Overview
3. Decompose the Application
4. Identify the Threats
5. Document the Threats
6. Rate the Threats
Discoverability
More information in MSDN Patterns and Practices
http://msdn.microsoft.com/library/enus/dnnetsec/html/ThreatCounter.asp
Session Agenda
Security Overview / Basics
ASP.NET Security Architecture
Authentication
Authorization
Input Validation
Database
Sensitive Data
ASP.NET Architecture - Overview
ASP.NET Architecture - Gatekeepers
Gatekeepers – The authorization points within
an ASP.NET application that are provided by:
IIS
ASP.NET
IIS
Permits requests from users that it can
authenticate (with anonymous turned off)
Uses NTFS permissions to perform access
control
ASP.NET Architecture - Gatekeepers
ASP.NET – has 2 gatekeepers
UrlAuthorizationModule
Configure <authorization> elements in
Web.Config to configure access
Based on IPrincipal (stored in HttpContext.User)
FileAuthorizationModule
For file types mapped to the ASP.NET ISAPI ext.
Access checks done using the authenticated
users token
Could be the anonymous account
ASP.NET Architecture - Gatekeepers
ASP.NET Architecture
(Principal Permission Demands)
Declarative
[PrincipalPermission(SecurityAction.Demand,
Role=@"DomainName\WindowsGroup)]
Imperative
PrincipalPermission permCheck = new PrincipalPermission( null,
@"DomainName\ WindowsGroup");
permCheck.Demand();
Session Agenda
Security Overview / Basics
ASP.NET Security Architecture
Authentication
Authorization
Input Validation
Database
Sensitive Data
Authentication
The process by which a user is uniquely
identified, given his/her credentials.
Authentication Options
Windows w/ impersonation
Windows w/o impersonation
Forms
Passport
Authentication - Windows
(Overview)
Operating system authenticates user
Requires valid windows account
Transparent access to resources
WindowsIdentity
WindowsIdentity widentity = WindowsIdentity.GetCurrent();
IIdentity iidentity = WindowsIdentity.GetCurrent();
Authentication - Windows
(w/ Impersonation)
Configuration
<authentication mode=“Windows” />
<identity impersonate=“true” />
Advantages
ACLs for Resources accessed by your app.
Flow caller’s identity to middle tier
Disadvantages
Reduced scalability – database pooling
Requires windows account for each user
Increased administration
Authentication - Windows
(w/o Impersonation)
Configuration
<authentication mode=“Windows” />
<identity impersonate=“false” /> (or no identity ele.)
Advantages
ACLs for Client Requested Resources
URL Authorization
<authorization>
<deny user=“DomainName\UserName” />
<allow roles=“DomainName\WindowsgroupName” />
</authorization>
Disadvantages
Requires windows account for each user
Increased administration
Authentication - Forms
Configuration
<authentication mode=“Forms”>
<forms loginUrl=“login.aspx” name=“AuthCookie” timeout=“60”
path=“/” />
</authentication>
Advantages
No Windows accounts required
Firewall friendly
Disadvantages
You have to implement / write
Authentication - Passport
Configuration
<authentication mode=“Passport” />
Advantages
Single sign-on
Disadvantages
Non-trivial to implement
Session Agenda
Security Overview / Basics
ASP.NET Security Architecture
Authentication
Authorization
Input Validation
Database
Sensitive Data
Authorization
The Process By which The System Validates
That The Authenticated User Has Access To
Resources Or Has Privileges To Perform
Certain Operations.
Options Depend upon Authentication type
Windows w/ impersonation
Windows w/o impersonation
Forms
Passport
Authorization - Windows
(w/ Impersonation)
Behaviors
ACLs
Client Requested Resources: Original Caller’s
token
Resources Accessed by Application: Original
Caller’s token
URL Authorization:
Original Caller’s Group or User
<authorization>
<deny user=“DomainName\UserName” />
<allow roles=“DomainName\WindowsgroupName” />
</authorization>
Authorization - Windows
(w/o Impersonation)
Behaviors
ACLs
Client Requested Resources: Original Caller’s
token
Resources Accessed by Application: ASP.NET
process identity
URL Authorization:
Original Caller’s Group or User
<authorization>
<deny user=“DomainName\UserName” />
<allow roles=“DomainName\WindowsgroupName” />
</authorization>
Authorization - Forms
Behaviors
ACLs
Client Requested Resources: ACLs must allow
read access to anonymous Internet user
account
File Authorization not available
Resources Accessed by Application: ASP.NET
process identity
URL Authorization:
Determined by custom data store. Sql example:
<authorization>
<deny user=“?” />
<allow roles=“RoleName, RoleName1” />
</authorization>
Authorization cont.
(Role-Based)
.NET Role-Based Options
Declarative Demands With PrincipalPermissionAttribute (1 Role)
[PrincipalPermissionAttribute(SecurityAction.Demand, Role=“MyRole”)]
Imperative Demands Using PrincipalPermission Object (Multiple)
public void MyMethod {
PrincipalPermission perm = New PrincipalPermission(null, “MyRole”);
perm.Demand(); }
Role Checks With IsInRole (Multiple)
Principal.IsInRole(“MyRole”);
Custom Authentication Role Checks
string[] roles = new string[] {“MyRole”, “MyRole1”};
IPrincipal principal = new GenericPrincipal(identity, roles);
principal.IsInRole(“MyRole”);
Authorization cont.
(Guidelines)
Defense-In-Depth Approach
Granular Roles
Declarative Demands, Where Possible
Use IsInRole If You Need to Check > 1 Role
Membership
ASP.NET Forms Authentication
demo
Session Agenda
Security Overview / Basics
ASP.NET Security Architecture
Authentication
Authorization
Input Validation
Database
Sensitive Data
Input Validation
Assume all input is malicious
Centralize your approach
Do not rely on client-side validation
Be careful with canonicalization issues
Constrain, reject, and sanitize your input
Session Agenda
Security Overview / Basics
ASP.NET Security Architecture
Authentication
Authorization
Input Validation
Database
Sensitive Data
Database
Use Stored Procedures
Grant Access Only To Stored Procedures
Parameterize Queries, When SPs Not Possible
Use Least-Privileged Account Approach
Protect Connection Strings As Secrets
Hash Passwords
Encrypt Sensitive Data
Session Agenda
Security Overview / Basics
ASP.NET Security Architecture
Authentication
Authorization
Input Validation
Database
Sensitive Data
Sensitive Data
Hashing – Practically Impossible To Reverse
Encryption – Can Only Decrypt With
Encryption Key
DPAPI – Data Protection API
Sensitive Data Cont.
I want to…
Recommendation
Store a user
password securely
Salt + SHA1 (One-way
hash)
Prepend random salt to
the passwords before
hashing to defend
against off-line dictionary
attacks.
Advantages
No keys to
manage.
Limitations
Identical input yields
identical hash
values.
Must store a salt to
ensure unique cipher
text for identical
values.
Sensitive Data Cont.
I want to…
Recommendation
Store a user
password securely
Salt + SHA1 (One-way
hash)
Prepend random salt to
the passwords before
hashing to defend
against off-line dictionary
attacks.
No keys to
manage.
DPAPI
(Encryption using keys
derived from user
credentials)
DPAPI manages
keys on behalf of
the application.
Protect local user
data
Advantages
Limitations
Identical input yields
identical hash
values.
Must store a salt to
ensure unique cipher
text for identical
values.
Data can’t be
decrypted by other
users, or on other
machines.
Sensitive Data Cont.
I want to…
Recommendation
Store a user
password securely
Salt + SHA1 (One-way
hash)
Prepend random salt to
the passwords before
hashing to defend
against off-line dictionary
attacks.
No keys to
manage.
Protect local user
data
DPAPI
(Encryption using keys
derived from user
credentials)
DPAPI manages
keys on behalf of
the application.
Encrypt data that
will need to
decrypted later
Symmetric encryption
Flexible: data can
algorithms (e.g. Rijndael) be decrypted by
other apps /
machines that
have the key.
Advantages
Limitations
Identical input yields
identical hash
values.
Must store a salt to
ensure unique cipher
text for identical
values.
Data can’t be
decrypted by other
users, or on other
machines.
Application must
manage keys and
transmit them
securely.
Wrap-up & Questions …
Rob Bagby
Developer Evangelist
Microsoft
[email protected] (email)
http://www.robbagby.com (blog)