book

Building Secure Microsoft® ASP.NET Applications

Name: Building Secure Microsoft® ASP.NET Applications
Author: Microsoft Corporation
ISBN: 9780735618909

by Microsoft Corporation

January 2003

Intermediate to advanced

620 pages

14h 58m

English

Microsoft Press

Read now

Unlock full access

Building Secure Microsoft ASP.NET Applications: Authentication, Authorization, and Secure Communication
A Note Regarding Supplemental Files
Acknowledgements
Preface
Why We Wrote This BookWho Should Read This Book?How You Should Read This BookOrganization of this BookPart I, Security ModelsPart II, Application ScenariosPart III, Securing the TiersPart IV, ReferenceSystem RequirementsInstalling the Sample FilesBuilding Secure ASP.NET Applications—Online VersionSupport
1. Introduction
The Connected LandscapeThe FoundationsAuthenticationAuthorizationSecure CommunicationTying the Technologies TogetherDesign PrinciplesSummary
2. Security Model for ASP.NET Applications
.NET Web ApplicationsLogical TiersPhysical Deployment ModelsThe Web Server as an Application ServerRemote Application TierImplementation TechnologiesSecurity ArchitectureSecurity Across the TiersAuthenticationASP.NET Authentication ModesMore InformationEnterprise Services AuthenticationMore InformationSQL Server AuthenticationMore InformationAuthorizationASP.NET Authorization OptionsMore InformationEnterprise Services AuthorizationMore InformationSQL Server AuthorizationMore InformationGatekeepers and GatesIntroducing .NET Framework SecurityCode Access SecurityEvidence and Security PolicyCAS and ASP.NET Web ApplicationsPrincipals and IdentitiesThe IPrincipal and IIdentity InterfacesWindowsPrincipal and WindowsIdentityGenericPrincipal and Associated Identity ObjectsASP.NET and HttpContext.UserASP.NET IdentitiesMore InformationRemoting and Web ServicesSummary
3. Authentication and Authorization Design
Designing an Authentication and Authorization StrategyIdentify ResourcesChoose an Authorization StrategyMore InformationChoose the Identities Used for Resource AccessConsider Identity FlowChoose an Authentication ApproachMore InformationDecide How to Flow IdentityMore InformationAuthorization ApproachesRole Based AuthorizationResource Based AuthorizationResource Access ModelsThe Trusted Subsystem ModelFixed IdentitiesUsing Multiple Trusted IdentitiesThe Impersonation / Delegation ModelChoosing a Resource Access ModelAdvantage of the Impersonation / Delegation ModelDisadvantages of the Impersonation / Delegation ModelAdvantages of the Trusted Subsystem ModelDisadvantages of the Trusted Subsystem ModelFlowing IdentityApplication vs. Operating System Identity FlowImpersonation and DelegationImpersonationDelegationRole-Based Authorization.NET Roles.NET Roles with Windows Authentication.NET Roles with non-Windows AuthenticationCustom IPrincipal ObjectsMore InformationEnterprise Services (COM+) RolesSQL Server User Defined Database RolesSQL Server Application RolesMore Information.NET Roles versus Enterprise Services (COM+) RolesUsing .NET RolesMore InformationChecking Role MembershipRole Checking ExamplesChoosing an Authentication MechanismInternet ScenariosForms / Passport ComparisonAdvantages of Forms AuthenticationAdvantages of Passport AuthenticationMore InformationIntranet / Extranet ScenariosAuthentication Mechanism ComparisonSummary
4. Secure Communication
Know What to SecureSSL/TLSUsing SSLIPSecUsing IPSecRPC EncryptionUsing RPC EncryptionMore InformationPoint to Point SecurityBrowser to Web ServerWeb Server to Remote Application ServerApplication Server to Database ServerUsing SSL to SQL ServerMore InformationChoosing Between IPSec and SSLFarming and Load BalancingMore InformationSummary
5. Intranet Security
ASP.NET to SQL ServerCharacteristicsSecure the ScenarioThe ResultSecurity Configuration StepsConfiguring IISConfiguring ASP.NETConfiguring SQL ServerConfiguring Secure CommunicationAnalysisQ&ARelated ScenariosNon-Internet Explorer BrowsersSQL Authentication to the DatabaseFlowing the Original Caller to the DatabaseASP.NET to Enterprise Services to SQL ServerCharacteristicsSecure the ScenarioThe ResultSecurity Configuration StepsConfiguring IISConfiguring ASP.NETConfiguring Enterprise ServicesConfiguring SQL ServerConfiguring Secure CommunicationAnalysisPitfallsASP.NET to Web Services to SQL ServerCharacteristicsSecure the ScenarioThe ResultSecurity Configuration StepsConfiguring the Web Server (that Hosts the Web Application)Configuring the Application Server (that Hosts the Web Service)Configure SQL ServerConfiguring Secure CommunicationAnalysisPitfallsQ&ARelated ScenariosASP.NET to Remoting to SQL ServerCharacteristicsSecure the ScenarioThe ResultSecurity Configuration StepsConfiguring the Web ServerConfigure the Application ServerConfigure SQL ServerConfiguring Secure CommunicationAnalysisPitfallsRelated ScenariosFlowing the Original Caller to the DatabaseASP.NET to SQL ServerUsing Basic Authentication at the Web ServerUsing Integrated Windows Authentication at the Web ServerASP.NET to Enterprise Services to SQL ServerCharacteristicsSecure the ScenarioThe ResultSecurity Configuration StepsAnalysisPitfallsSummary
6. Extranet Security
Exposing a Web ServiceCharacteristicsSecure the ScenarioThe ResultSecurity Configuration StepsConfiguring the Partner ApplicationConfiguring the Extranet Web ServerConfiguring SQL ServerConfiguring Secure CommunicationAnalysisPitfallsQ&ARelated ScenariosMore InformationExposing a Web ApplicationScenario CharacteristicsSecure the ScenarioThe ResultConfiguring the Extranet Web ServerConfiguring SQL ServerConfiguring Secure CommunicationAnalysisPitfallsRelated ScenariosNo Connectivity from Extranet to Corporate NetworkMore InformationSummary

7. Internet Security
ASP.NET to SQL ServerCharacteristicsSecure the ScenarioThe ResultSecurity Configuration StepsConfigure the Web ServerConfiguring SQL ServerConfiguring Secure CommunicationAnalysisPitfallsRelated ScenariosForms Authentication against Active DirectoryMore Information.NET Roles for AuthorizationMore InformationUsing a Domain Anonymous Account at the Web ServerMore InformationASP.NET to Remote Enterprise Services to SQL ServerCharacteristicsSecure the ScenarioThe ResultSecurity Configuration StepsConfigure the Web ServerConfigure the Application ServerConfiguring SQL ServerConfiguring Secure CommunicationAnalysisPitfallsRelated ScenariosForms Authentication Against Active DirectoryMore InformationUsing DCOMMore InformationUsing .NET RemotingMore InformationSummary
8. ASP.NET Security
ASP.NET Security ArchitectureGatekeepersIISASP.NETUrlAuthorizationModuleFileAuthorizationModulePrincipal Permission Demands and Explicit Role ChecksMore InformationAuthentication and Authorization StrategiesAvailable Authorization OptionsWindows Authentication with ImpersonationConfigurable SecurityProgrammatic SecurityWhen to UseMore InformationWindows Authentication without ImpersonationConfigurable SecurityProgrammatic SecurityWhen to UseMore InformationWindows Authentication Using a Fixed IdentityWhen to UseForms AuthenticationConfigurable SecurityProgrammatic SecurityWhen to UseMore InformationPassport AuthenticationWhen to UseConfiguring SecurityConfigure IIS SettingsConfigure ASP.NET SettingsURL Authorization NotesURL Authorization ExamplesSecure ResourcesLocking Configuration SettingsPreventing Files from Being DownloadedSecure CommunicationMore informationProgramming SecurityAn Authorization PatternRetrieve CredentialsValidate CredentialsPut Users in RolesCreate an IPrincipal ObjectPut the IPrincipal Object into the Current HTTP ContextAuthorize Based on the User Identity and/or Role MembershipMore InformationCreating a Custom IPrincipal classMore InformationWindows AuthenticationIdentifying the Authenticated UserForms AuthenticationDevelopment Steps for Forms AuthenticationConfigure IIS for Anonymous AccessConfigure ASP.NET for Forms AuthenticationCreate a Logon Web Form and Validate the Supplied CredentialsMore InformationRetrieve a Role List from the Custom Data StoreCreate a Forms Authentication TicketCreate an IPrincipal ObjectPut the IPrincipal Object into the Current HTTP ContextAuthorize the User Based on User Name or Role MembershipForms Implementation GuidelinesMore InformationHosting Multiple Applications Using Forms AuthenticationMore InformationCookieless Forms AuthenticationMore InformationPassport AuthenticationConfigure ASP.NET for Passport authenticationMap a Passport Identity into Roles in Global.asaxTest Role MembershipCustom AuthenticationMore InformationProcess Identity for ASP.NETUse a Least Privileged AccountAvoid Running as SYSTEMMore InformationDomain Controllers and the ASP.NET Process AccountUsing the Default ASPNET AccountThe <processModel> ElementStoring Encrypted <processModel> CredentialsMore InformationImpersonationImpersonation and Local ResourcesImpersonation and Remote ResourcesMore InformationImpersonation and ThreadingAccessing System ResourcesAccessing the Event LogAccessing the RegistryMore InformationAccessing COM ObjectsApartment Model ObjectsThe AspCompat Directive is RequiredMore InformationDon’t Create COM Objects Outside of Specific Page EventsMore InformationC# and VB .NET Objects in COM+Accessing Network ResourcesUsing the ASP.NET Process IdentityMore InformationUsing a Serviced ComponentUsing the Anonymous Internet User AccountHosting Multiple Web ApplicationsUsing LogonUser and Impersonating a Specific Windows IdentityUsing the Original CallerMore InformationAccessing Files on a UNC File ShareAccessing Non-Windows Network ResourcesSecure CommunicationMore InformationStoring SecretsOptions for Storing Secrets in ASP.NETMore InformationConsider Storing Secrets in Files on Separate Logical VolumesSecuring Session and View StateSecuring View StateSecuring CookiesSecuring SQL Session StateSecuring the Database Connection StringSecuring Session State Across the NetworkMore InformationWeb Farm ConsiderationsSession StateDPAPIMore InformationUsing Forms Authentication in a Web FarmThe <machineKey> ElementThe validationKey AttributeThe decryptionKey AttributeThe Validation AttributeMore InformationSummary
9. Enterprise Services Security
Security ArchitectureGatekeepers and GatesUse Server Applications for Increased SecuritySecurity for Server and Library ApplicationsAssign Roles to Classes, Interfaces, or MethodsCode Access Security RequirementsConfiguring SecurityConfiguring a Server ApplicationDevelopment Time vs. Deployment Time ConfigurationConfigure AuthenticationConfigure Authorization (Component-Level Access Checks)Create and Assign RolesAdding Roles to an ApplicationAdding Roles to a Component (Class)Adding Roles to an InterfaceAdding Roles to a MethodRegister Serviced ComponentsPopulate RolesUse Windows GroupsMore InformationConfigure IdentityMore InformationConfiguring an ASP.NET Client ApplicationConfigure AuthenticationMore InformationConfigure ImpersonationMore InformationConfiguring Impersonation Levels for an Enterprise Services ApplicationProgramming SecurityProgrammatic Role-Based SecurityIdentifying CallersChoosing a Process IdentityAvoid Running as the Interactive UserUse a Least-Privileged Custom AccountAccessing Network ResourcesUsing the Original CallerMore InformationUsing the Current Process IdentityUsing a Specific Service AccountFlowing the Original CallerCalling CoImpersonateClientMore InformationRPC EncryptionMore InformationBuilding Serviced ComponentsDLL Locking ProblemsVersioningMore InformationQueryInterface ExceptionsDCOM and FirewallsMore InformationCalling Serviced Components from ASP.NETCaller’s IdentityUse Windows Authentication and Impersonation Within the Web-based ApplicationConfigure Authentication and Impersonation within Machine.configConfiguring Interface ProxiesMore InformationSecurity ConceptsEnterprise Services (COM+) Roles and .NET RolesAuthenticationAuthentication Level PromotionAuthentication Level NegotiationMore InformationImpersonationCloakingMore InformationSummary
10. Web Services Security
Web Service Security ModelPlatform/Transport Level (Point-to-Point) SecurityWhen to UseApplication Level SecurityWhen to UseMessage Level (End-to-End) SecurityWhen to UseThe Web Services Development KitMore InformationPlatform/Transport Security ArchitectureGatekeepersMore InformationAuthentication and Authorization StrategiesWindows Authentication with ImpersonationConfigurable SecurityProgrammatic SecurityWhen to UseMore InformationWindows Authentication without ImpersonationConfigurable SecurityProgrammatic SecurityWhen to UseMore InformationWindows Authentication Using a Fixed IdentityWhen to UseMore InformationConfiguring SecurityConfigure IIS SettingsConfigure ASP.NET SettingsMore InformationSecure ResourcesDisable HTTP-GET, HTTP-POSTMore InformationSecure CommunicationMore informationPassing Credentials for Authentication to Web ServicesSpecifying Client Credentials for Windows AuthenticationUsing DefaultCredentialsUsing Specific CredentialsRequest a Specific Authentication TypeSet the PreAuthenticate PropertyUsing the ConnectionGroupName PropertyCalling Web Services from Non-Windows ClientsProxy Server AuthenticationFlowing the Original CallerDefault Credentials with Kerberos DelegationConfiguring the Web ServerConfiguring the Remote Application ServerMore InformationExplicit Credentials with Basic or Forms AuthenticationBasic AuthenticationForms AuthenticationConfiguring the Web ServerConfiguring the Application ServerTrusted SubsystemFlowing the Caller’s IdentityConfiguration StepsConfiguring the Web ServerConfiguring the Application ServerAccessing System ResourcesAccessing Network ResourcesAccessing COM ObjectsMore InformationUsing Client Certificates with Web ServicesAuthenticating Web Browser Clients with CertificatesUsing the Trusted Subsystem ModelSolution ImplementationWhy Use an Additional Process?More InformationSecure CommunicationTransport Level OptionsMessage Level OptionsMore InformationSummary
11. .NET Remoting Security
.NET Remoting ArchitectureRemoting SinksTransport Channel SinksComparing Transport Channel SinksCustom SinksFormatter SinksAnatomy of a Request When Hosting in ASP.NETASP.NET and the HTTP ChannelMore Information.NET Remoting GatekeepersAuthenticationHosting in ASP.NETHosting in a Windows ServiceCustom AuthenticationMore InformationAuthorizationUsing File AuthorizationMore InformationAuthentication and Authorization StrategiesMore InformationAccessing System ResourcesAccessing Network ResourcesPassing Credentials for Authentication to Remote ObjectsSpecifying Client CredentialsUsing DefaultCredentialsExplicit ConfigurationProgrammatic ConfigurationUsing Specific CredentialsRequest a Specific Authentication TypeSet the preauthenticate PropertyUsing the connectiongroupname PropertyFlowing the Original CallerDefault Credentials with Kerberos DelegationConfiguring the Web ServerConfiguring the Remote Application ServerMore InformationExplicit Credentials with Basic or Forms AuthenticationBasic AuthenticationForms AuthenticationConfiguring the Web ServerConfiguring the Application ServerTrusted SubsystemFlowing the Caller’s IdentityChoosing a HostConfiguration StepsConfiguring the Web ServerConfiguring the Application ServerUsing a Windows Service HostSecure CommunicationPlatform Level OptionsMessage Level OptionsMore InformationChoosing a Host ProcessRecommendationHosting in ASP.NETAdvantagesDisadvantagesHosting in a Windows ServiceAdvantagesDisadvantagesHosting in a Console ApplicationAdvantagesDisadvantagesRemoting vs. Web ServicesSummary
12. Data Access Security
Introducing Data Access SecuritySQL Server GatekeepersTrusted Subsystem vs. Impersonation/DelegationAuthenticationWindows AuthenticationMore InformationUsing Windows AuthenticationRecommendationUsing the ASP.NET Process IdentityUse Mirrored ASPNET Local AccountsUse Mirrored, Custom Local AccountsUse a Custom Domain AccountImplementing Mirrored ASPNET Process IdentityConnecting to SQL Server Using Windows AuthenticationUsing Fixed Identities within ASP.NETUsing Serviced ComponentsCalling LogonUser and Impersonating a Specific Windows IdentityUsing the Original Caller’s IdentityUsing the Anonymous Internet User AccountMore InformationWhen Can’t You Use Windows Authentication?SQL AuthenticationConnection String TypesMore InformationChoosing a SQL Account for Your ConnectionsPassing Credentials over the NetworkSecuring SQL Connection StringsAuthenticating Against Non-SQL Server DatabasesAuthorizationUsing Multiple Database RolesSecure CommunicationThe OptionsChoosing an ApproachMore InformationConnecting with Least PrivilegeThe Database Trusts the ApplicationThe Database Trusts Different RolesThe Database Trusts the Original CallerCreating a Least Privilege Database AccountStoring Database Connection Strings SecurelyThe OptionsUsing DPAPIWhy Not LSA?Machine Store vs. User StoreDPAPI Implementation SolutionsUsing DPAPI from Enterprise ServicesUsing DPAPI Directly from ASP.NETMore InformationUsing Web.config and Machine.configUsing UDL FilesACL GranularityMore InformationUsing Custom Text FilesUsing the RegistryMore InformationUsing the COM+ CatalogMore InformationAuthenticating Users against a DatabaseStore One-way Password Hashes (with Salt)Creating a Salt ValueCreating a Hash Value (with Salt)More InformationSQL Injection AttacksThe ProblemAnatomy of a SQL Script Injection AttackThe SolutionAdditional Best PracticesProtecting Pattern Matching StatementsAuditingProcess Identity for SQL ServerSummary
13. Troubleshooting Security Issues
Process for TroubleshootingSearching for Implementation SolutionsTroubleshooting Authentication IssuesIIS Authentication IssuesUsing Windows AuthenticationUsing Forms AuthenticationKerberos TroubleshootingTroubleshooting Authorization IssuesCheck Windows ACLsCheck IdentityMore InformationCheck the <authorization> ElementASP.NETEnable TracingMore InformationConfiguration SettingsDetermining IdentityDetermining Identity in a Web PageDetermining Identity in a Web serviceMore InformationDetermining Identity in a Visual Basic 6 COM Object.NET RemotingMore InformationSSLMore InformationIPSecAuditing and LoggingWindows Security LogsMore InformationSQL Server AuditingSample Log EntriesIIS LoggingTroubleshooting ToolsFile Monitor (FileMon.exe)More InformationFusion Log Viewer (Fuslogvw.exe)ISQL.exeConnecting Using SQL AuthenticationConnecting Using Windows AuthenticationRunning a Simple QueryWindows Task ManagerNetwork Monitor (NetMon.exe)More InformationRegistry Monitor (regmon.exe)WFetch.exeMore InformationVisual Studio .NET ToolsMore InformationWebServiceStudioWindows 2000 Resource Kit
Index of How Tos
ASP.NETAuthentication and AuthorizationCryptographyEnterprise Services SecurityWeb Services SecurityRemoting SecuritySecure Communication
How To: Create a Custom Account to Run ASP.NET
ASP.NET Worker Process IdentityImpersonating Fixed IdentitiesNotesSummary1. Create a New Local Account2. Assign Minimum Privileges3. Assign NTFS Permissions4. Configure ASP.NET to Run Using the New Account
How To: Use Forms Authentication with Active Directory
RequirementsSummary1. Create a Web Application with a Logon Page2. Configure the Web Application for Forms Authentication3. Develop LDAP Authentication Code to Look Up the User in Active Directory4. Develop LDAP Group Retrieval Code to Look Up the User’s Group Membership5. Authenticate the User and Create a Forms Authentication Ticket6. Implement an Authentication Request Handler to Construct a GenericPrincipal Object7. Test the Application
How To: Use Forms Authentication with SQL Server 2000
RequirementsSummary1. Create a Web Application with a Logon Page2. Configure the Web Application for Forms Authentication3. Develop Functions to Generate a Hash and Salt value4. Create a User Account Database5. Use ADO.NET to Store Account Details in the Database6. Authenticate User Credentials Against the Database7. Test the ApplicationAdditional Resources
How To: Create GenericPrincipal Objects with Forms Authentication
RequirementsSummary1. Create a Web Application with a Logon Page2. Configure the Web Application for Forms Authentication3. Generate an Authentication Ticket for Authenticated Users4. Construct GenericPrincipal and FormsIdentity Objects5. Test the ApplicationAdditional Resources
How To: Implement Kerberos Delegation for Windows 2000
NotesRequirementsSummary1. Confirm that the Client Account is Configured for Delegation2. Confirm that the Server Process Account is Trusted for DelegationReferences
How To: Implement IPrincipal
RequirementsSummary1. Create a Simple Web Application2. Configure the Web Application for Forms Authentication3. Generate an Authentication Ticket for Authenticated Users4. Create a Class that Implements and Extends IPrincipal5. Create the CustomPrincipal Object5. Test the ApplicationAdditional Resources
How To: Create a DPAPI Library
NotesRequirementsSummary1. Create a C# Class Library2. Strong Name the Assembly (Optional)References
How To: Use DPAPI (Machine Store) from ASP.NET
NotesRequirementsSummary1. Create an ASP.NET Client Web Application2. Test the Application3. Modify the Web Application to Read an Encrypted Connection String from Web.ConfigReferences
How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
NotesWhy Use Enterprise Services?Why Use a Windows Service?RequirementsSummary1. Create a Serviced Component that Provides Encrypt and Decrypt Methods2. Call the Managed DPAPI Class Library3. Create a Dummy Class that will Launch the Serviced Component4. Create a Windows Account to Run the Enterprise Services Application and Windows Service5. Configure, Strong Name, and Register the Serviced Component6. Create a Windows Service Application that will Launch the Serviced Component7. Install and Start the Windows Service Application8. Write a Web Application to Test the Encryption and Decryption Routines9. Modify the Web Application to Read an Encrypted Connection String from an Application Configuration FileReferences
How To: Create an Encryption Library
RequirementsSummary1. Create a C# Class Library2. Create a Console Test ApplicationReferences
How To: Store an Encrypted Connection String in the Registry
NotesRequirementsSummary1. Store the Encrypted Data in the Registry2. Create an ASP.NET Web ApplicationReferences
How To: Use Role-based Security with Enterprise Services
NotesRequirementsSummary1. Create a C# Class Library Application to Host the Serviced Component2. Create the Serviced Component3. Configure the Serviced Component4. Generate a Strong Name for the Assembly5. Build the Assembly and Add it to the Global Assembly Cache6. Manually Register the Serviced Component7. Examine the Configured Application8. Create a Test Client Application
How To: Call a Web Service Using Client Certificates from ASP.NET
Why Use a Serviced Component?Why is a User Profile Required?RequirementsSummary1. Create a Simple Web Service2. Configure the Web Service Virtual Directory to Require Client Certificates3. Create a Custom Account for Running the Serviced Component4. Request a Client Certificate for the Custom Account5. Test the Client Certificate Using a Browser6. Export the Client Certificate to a File7. Develop the Serviced Component Used to Call the Web Service8. Configure and Install the Serviced Component9. Develop a Web Application to Call the Serviced ComponentAdditional Resources
How To: Call a Web Service Using SSL
RequirementsSummary1. Create a Simple Web Service2. Configure the Web Service Virtual Directory to Require SSL3. Test the Web Service Using a Browser4. Install the Certificate Authority’s Certificate on the Client Computer5. Develop a Web Application to Call the Web ServiceAdditional Resources
How To: Host a Remote Object in a Windows Service
NotesRequirementsSummary1. Create the Remote Object Class2. Create a Windows Service Host Application3. Create a Windows Account to Run the Service4. Install the Windows Service5. Create a Test Client ApplicationReferences
How To: Set Up SSL on a Web Server
RequirementsSummary1. Generate a Certificate Request2. Submit a Certificate Request3. Issue the Certificate4. Install the Certificate on the Web Server5. Configure Resources to Require SSL Access
How To: Set Up Client Certificates
RequirementsSummary1. Create a Simple Web Application2. Configure the Web Application to Require Client Certificates3. Request and Install a Client Certificate4. Verify Client Certificate OperationAdditional Resources
How To: Use IPSec to Provide Secure Communication Between Two Servers
NotesRequirementsSummary1. Create an IP Filter2. Create Filter Actions3. Create Rules4. Export the IPSec Policy to the Remote Computer5. Assign Policies6. Verify that it WorksAdditional Resources
How To: Use SSL to Secure Communication with SQL Server 2000
NotesRequirementsSummary1. Install a Server Authentication Certificate2. Verify that the Certificate Has Been Installed3. Install the Issuing CA’s Certificate on the Client4. Force All Clients to Use SSL5. Allow Clients to Determine Whether to Use SSL6. Verify that Communication is EncryptedAdditional Resources
Base Configuration
Configuration Stores and Tools
Reference Hub
Searching the Knowledge BaseTips.NET SecurityHubsActive DirectoryHubsKey NotesArticlesADO.NETRoadmaps and OverviewsSeminars and WebCastsASP.NETHubsRoadmaps and OverviewsKnowledge BaseArticlesHow TosSeminars and WebCastsEnterprise ServicesKnowledge BaseRoadmaps and OverviewsHow TosFAQsSeminars and WebCastsIIS (Internet Information Server)HubsRemotingRoadmaps and OverviewsHow TosSeminars and WebCastsSQL ServerHubsSeminars and WebCastsVisual Studio .NETHubsRoadmaps and Overviews:Web ServicesHubsRoadmaps and OverviewsHow TosSeminars and WebCastsWindows 2000Hubs
How Does It Work?
IIS and ASP.NET ProcessingApplication IsolationThe ASP.NET ISAPI ExtensionIIS 6.0 and Windows .NET ServerMore InformationASP.NET Pipeline ProcessingThe Anatomy of a Web RequestForms Authentication ProcessingWindows Authentication ProcessingEvent HandlingImplementing a Custom HTTP ModuleImplementing a Custom HTTP Handler
ASP.NET Identity Matrix
Cryptography and Certificates
Keys and CertificatesX.509 Digital CertificatesCertificate StoresMore InformationCryptographyTechnical ChoicesCryptography in .NETSymmetric Algorithm SupportAsymmetric Algorithm SupportHashing Algorithm SupportSummary
.NET Web Application Security
Glossary
Microsoft® patterns & practices
Index
About the Author
Copyright

Content preview from Building Secure Microsoft® ASP.NET Applications

Chapter 3. Authentication and Authorization Design

Designing an authentication and authorization strategy for distributed Web applications is a challenging task. The good news is that proper authentication and authorization design during the early phases of your application development helps to mitigate many top security risks.

This chapter will help you design an appropriate authorization strategy for your application and will also help answer the following key questions:

Where should I perform authorization and what mechanisms should I use?
What authentication mechanism should I use?
Should I use Active Directory® directory service for authentication or should I validate credentials against a custom data store?
What are the implications and design ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 0735618909Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Building Secure Microsoft® ASP.NET Applications

by Microsoft Corporation

Chapter 3. Authentication and Authorization Design

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.