Book description
This guide presents a practical, scenario-driven approach to designing and building security-enhanced ASP.NET applications for Microsoft® Windows® 2000 and version 1.1 of the Microsoft .NET Framework.
Table of contents
- Building Secure Microsoft ASP.NET Applications: Authentication, Authorization, and Secure Communication
- A Note Regarding Supplemental Files
- Acknowledgements
- Preface
- 1. Introduction
- 2. Security Model for ASP.NET Applications
  - .NET Web Applications
  - Implementation Technologies
  - Security Architecture
  - Introducing .NET Framework Security
  - Summary
- 3. Authentication and Authorization Design
  - Designing an Authentication and Authorization Strategy
  - Authorization Approaches
  - Flowing Identity
  - Role-Based Authorization
  - Choosing an Authentication Mechanism
  - Summary
- 4. Secure Communication
- 5. Intranet Security
- 6. Extranet Security
- 7. Internet Security
  - ASP.NET to SQL Server
  - ASP.NET to Remote Enterprise Services to SQL Server
  - Summary
- 8. ASP.NET Security
  - ASP.NET Security Architecture
  - Authentication and Authorization Strategies
  - Configuring Security
  - Programming Security
  - Windows Authentication
  - Forms Authentication
    - Development Steps for Forms Authentication
      - Configure IIS for Anonymous Access
      - Configure ASP.NET for Forms Authentication
      - Create a Logon Web Form and Validate the Supplied Credentials
      - Retrieve a Role List from the Custom Data Store
      - Create a Forms Authentication Ticket
      - Create an IPrincipal Object
      - Put the IPrincipal Object into the Current HTTP Context
      - Authorize the User Based on User Name or Role Membership
    - Forms Implementation Guidelines
    - Hosting Multiple Applications Using Forms Authentication
    - Cookieless Forms Authentication
      - Development Steps for Forms Authentication
  - Passport Authentication
  - Custom Authentication
  - Process Identity for ASP.NET
  - Impersonation
  - Accessing System Resources
  - Accessing COM Objects
  - Accessing Network Resources
  - Secure Communication
  - Storing Secrets
  - Securing Session and View State
  - Web Farm Considerations
  - Summary
- 9. Enterprise Services Security
  - Security Architecture
  - Configuring Security
    - Configuring a Server Application
    - Configuring an ASP.NET Client Application
    - Configuring Impersonation Levels for an Enterprise Services Application
  - Programming Security
  - Choosing a Process Identity
  - Accessing Network Resources
  - Flowing the Original Caller
  - RPC Encryption
  - Building Serviced Components
  - DCOM and Firewalls
  - Calling Serviced Components from ASP.NET
  - Security Concepts
  - Summary
- 10. Web Services Security
  - Web Service Security Model
  - Platform/Transport Security Architecture
  - Authentication and Authorization Strategies
  - Configuring Security
  - Passing Credentials for Authentication to Web Services
  - Flowing the Original Caller
  - Trusted Subsystem
  - Accessing System Resources
  - Accessing Network Resources
  - Accessing COM Objects
  - Using Client Certificates with Web Services
  - Secure Communication
  - Summary
- 11. .NET Remoting Security
  - .NET Remoting Architecture
  - .NET Remoting Gatekeepers
  - Authentication
  - Authorization
  - Authentication and Authorization Strategies
  - Accessing System Resources
  - Accessing Network Resources
  - Passing Credentials for Authentication to Remote Objects
  - Flowing the Original Caller
  - Trusted Subsystem
  - Secure Communication
  - Choosing a Host Process
  - Remoting vs. Web Services
  - Summary
- 12. Data Access Security
  - Introducing Data Access Security
  - Authentication
    - Windows Authentication
      - More Information
      - Using Windows Authentication
      - Recommendation
      - Using the ASP.NET Process Identity
      - Using Fixed Identities within ASP.NET
      - Using Serviced Components
      - Calling LogonUser and Impersonating a Specific Windows Identity
      - Using the Original Caller’s Identity
      - Using the Anonymous Internet User Account
      - When Can’t You Use Windows Authentication?
    - SQL Authentication
    - Authenticating Against Non-SQL Server Databases
      - Windows Authentication
  - Authorization
  - Secure Communication
  - Connecting with Least Privilege
  - Creating a Least Privilege Database Account
  - Storing Database Connection Strings Securely
  - Authenticating Users against a Database
  - SQL Injection Attacks
  - Auditing
  - Process Identity for SQL Server
  - Summary
- 13. Troubleshooting Security Issues
  - Process for Troubleshooting
  - Troubleshooting Authentication Issues
  - Troubleshooting Authorization Issues
  - ASP.NET
  - Determining Identity
  - .NET Remoting
  - SSL
  - IPSec
  - Auditing and Logging
  - Troubleshooting Tools
- Index of How Tos
- How To: Create a Custom Account to Run ASP.NET
- How To: Use Forms Authentication with Active Directory
  - Requirements
  - Summary
  - 1. Create a Web Application with a Logon Page
  - 2. Configure the Web Application for Forms Authentication
  - 3. Develop LDAP Authentication Code to Look Up the User in Active Directory
  - 4. Develop LDAP Group Retrieval Code to Look Up the User’s Group Membership
  - 5. Authenticate the User and Create a Forms Authentication Ticket
  - 6. Implement an Authentication Request Handler to Construct a GenericPrincipal Object
  - 7. Test the Application
- How To: Use Forms Authentication with SQL Server 2000
  - Requirements
  - Summary
  - 1. Create a Web Application with a Logon Page
  - 2. Configure the Web Application for Forms Authentication
  - 3. Develop Functions to Generate a Hash and Salt Value
  - 4. Create a User Account Database
  - 5. Use ADO.NET to Store Account Details in the Database
  - 6. Authenticate User Credentials Against the Database
  - 7. Test the Application
  - Additional Resources
- How To: Create GenericPrincipal Objects with Forms Authentication
- How To: Implement Kerberos Delegation for Windows 2000
- How To: Implement IPrincipal
  - Requirements
  - Summary
  - 1. Create a Simple Web Application
  - 2. Configure the Web Application for Forms Authentication
  - 3. Generate an Authentication Ticket for Authenticated Users
  - 4. Create a Class that Implements and Extends IPrincipal
  - 5. Create the CustomPrincipal Object
  - 6. Test the Application
  - Additional Resources
- How To: Create a DPAPI Library
- How To: Use DPAPI (Machine Store) from ASP.NET
- How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
  - Notes
  - Requirements
  - Summary
  - 1. Create a Serviced Component that Provides Encrypt and Decrypt Methods
  - 2. Call the Managed DPAPI Class Library
  - 3. Create a Dummy Class that will Launch the Serviced Component
  - 4. Create a Windows Account to Run the Enterprise Services Application and Windows Service
  - 5. Configure, Strong Name, and Register the Serviced Component
  - 6. Create a Windows Service Application that will Launch the Serviced Component
  - 7. Install and Start the Windows Service Application
  - 8. Write a Web Application to Test the Encryption and Decryption Routines
  - 9. Modify the Web Application to Read an Encrypted Connection String from an Application Configuration File
  - References
- How To: Create an Encryption Library
- How To: Store an Encrypted Connection String in the Registry
- How To: Use Role-based Security with Enterprise Services
  - Notes
  - Requirements
  - Summary
  - 1. Create a C# Class Library Application to Host the Serviced Component
  - 2. Create the Serviced Component
  - 3. Configure the Serviced Component
  - 4. Generate a Strong Name for the Assembly
  - 5. Build the Assembly and Add it to the Global Assembly Cache
  - 6. Manually Register the Serviced Component
  - 7. Examine the Configured Application
  - 8. Create a Test Client Application
- How To: Call a Web Service Using Client Certificates from ASP.NET
  - Why Use a Serviced Component?
  - Requirements
  - Summary
  - 1. Create a Simple Web Service
  - 2. Configure the Web Service Virtual Directory to Require Client Certificates
  - 3. Create a Custom Account for Running the Serviced Component
  - 4. Request a Client Certificate for the Custom Account
  - 5. Test the Client Certificate Using a Browser
  - 6. Export the Client Certificate to a File
  - 7. Develop the Serviced Component Used to Call the Web Service
  - 8. Configure and Install the Serviced Component
  - 9. Develop a Web Application to Call the Serviced Component
  - Additional Resources
- How To: Call a Web Service Using SSL
  - Requirements
  - Summary
  - 1. Create a Simple Web Service
  - 2. Configure the Web Service Virtual Directory to Require SSL
  - 3. Test the Web Service Using a Browser
  - 4. Install the Certificate Authority’s Certificate on the Client Computer
  - 5. Develop a Web Application to Call the Web Service
  - Additional Resources
- How To: Host a Remote Object in a Windows Service
- How To: Set Up SSL on a Web Server
- How To: Set Up Client Certificates
- How To: Use IPSec to Provide Secure Communication Between Two Servers
- How To: Use SSL to Secure Communication with SQL Server 2000
  - Notes
  - Requirements
  - Summary
  - 1. Install a Server Authentication Certificate
  - 2. Verify that the Certificate Has Been Installed
  - 3. Install the Issuing CA’s Certificate on the Client
  - 4. Force All Clients to Use SSL
  - 5. Allow Clients to Determine Whether to Use SSL
  - 6. Verify that Communication is Encrypted
  - Additional Resources
- Base Configuration
- Configuration Stores and Tools
- Reference Hub
- How Does It Work?
- ASP.NET Identity Matrix
- Cryptography and Certificates
- .NET Web Application Security
- Glossary
- Microsoft® patterns & practices
- Index
- About the Author
- Copyright
Product information
- Title: Building Secure Microsoft® ASP.NET Applications
- Author(s):
- Release date: January 2003
- Publisher(s): Microsoft Press
- ISBN: 9780735618909