Important: This document may not represent best practices for current development, and links to downloads and other resources may no longer be valid.
Limiting Access to ASP.NET Web Sites
Limiting access to an application is generally divided into two topics: authentication, which is how an application identifies who you are, and authorization, which is how an application determines what you have permission to do. This topic provides an overview of authentication and authorization in ASP.NET Web applications. For more detailed information, see ASP.NET Web Application Security.
ASP.NET applications offer several different options for authenticating users. For read-only applications that can be viewed by anyone, use anonymous authentication. For more restricted access to an application, you need to use some form of authentication to identify users. There are two identities that you should consider when authenticating users for your ASP.NET application: the application identity that is used to access Windows resources and the ASP.NET user identity that is used to identify a user to ASP.NET.
Your application can run without an ASP.NET user identity, but you will always have a Windows application identity. To help secure your application, you should restrict the Windows identity for the application to the required resources, such as file and database access.
ASP.NET Application Identity
When an ASP.NET page is executing, the server must have a security context, or identity, for the process that is executing the ASP.NET code. This identity is used when securing resources using Windows Integrated security, such as files protected using the NTFS file system or network resources.
For example, the files that contain the application code stored in the App_Code subdirectory of an application only need to be read by the ASP.NET application identity. Therefore, the security settings for the files in the App_Code directory can be restricted so that the ASP.NET application identity has Read access only. Another common use of the Windows identity of the ASP.NET application is as the identity of a connection to a SQL Server using Integrated Security. For more information, see ASP.NET Required Access Control Lists (ACLs) and How to: Access SQL Server Using Windows Integrated Security.
The identity of an ASP.NET application is determined by several factors. By default, ASP.NET pages run with the Windows identity of the service that processes ASP.NET pages on the Web server. On a computer running Windows Server 2003, that identity is the identity of the application pool that the ASP.NET application is a part of (by default, the NETWORK SERVICE account). On computers running Windows 2000 and Windows XP Professional, the identity is the local ASPNET account that is created when the .NET Framework is installed. This identity can be configured to a different identity if desired. For more information, see Configuring ASP.NET Process Identity.
You can modify the Windows identity that your ASP.NET page runs as by using the identity element of the system.web configuration section. The identity element can be used to instruct ASP.NET to impersonate a Windows user ID. Impersonating a Windows identity means that the ASP.NET pages for the application will run as that Windows identity. You can specify a user name and password to impersonate. Alternatively, you can enable impersonation and ASP.NET will run in one of two ways: an anonymous identity specified by IIS, or the authenticated browser identity as determined by IIS (for example, Anonymous authentication, Windows Integrated (NTLM) authentication, and so on). For more information, see ASP.NET Impersonation.
If you are impersonating a Windows identity, you can execute code that reverts to the original identity of the process instead of the impersonated user ID. For this reason, in environments where you need to keep one application separate from another, you should isolate the applications in separate application pools on computers running Windows Server 2003. Each application pool should be configured with a unique Windows identity.
You can determine the Windows identity of the operating system thread that your ASP.NET page is running on by reading the Name property of the WindowsIdentity object returned by the WindowsIdentity.GetCurrent method.
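The check described above, written out as an added example (not code from the original article): a Web Forms code-behind that reports the Windows thread identity from WindowsIdentity.GetCurrent, whether that thread is currently impersonating, and the ASP.NET user identity from the User property of the HttpContext. The page name Identity.aspx and the class name IdentityCheck are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.UI;

// Code-behind for a hypothetical diagnostic page (Identity.aspx) that shows the
// two identities discussed above. The class name IdentityCheck is an assumption.
public partial class IdentityCheck : Page
{
    // Builds a plain-text report of the Windows thread identity and the ASP.NET user.
    public static string GetIdentityReport(IPrincipal aspNetUser)
    {
        // Windows identity of the OS thread serving this request. Without
        // impersonation this is the application identity (the application pool
        // account on Windows Server 2003, the ASPNET account on Windows 2000/XP).
        WindowsIdentity threadIdentity = WindowsIdentity.GetCurrent();

        // GetCurrent(true) returns null unless the thread is impersonating, so it
        // tells "running as the process account" apart from "impersonating a caller".
        WindowsIdentity impersonated = WindowsIdentity.GetCurrent(true);

        // ASP.NET user identity, assigned by the authentication module that the
        // <authentication> element selects (Windows, Forms, Passport or custom).
        IIdentity user = aspNetUser.Identity;

        StringBuilder report = new StringBuilder();
        report.AppendLine("Windows thread identity : " + threadIdentity.Name);
        report.AppendLine("Impersonating           : " + (impersonated != null));
        report.AppendLine("ASP.NET user            : " +
            (user.IsAuthenticated ? user.Name : "(anonymous)"));
        report.AppendLine("Authentication type     : " + user.AuthenticationType);
        return report.ToString();
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Context.User is the User property of the current HttpContext.
        Response.ContentType = "text/plain";
        Response.Write(GetIdentityReport(Context.User));
    }
}
```

Because the report reveals the account the application runs as, keep the page inside a location element that allows only an administrative role.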
ASP.NET User Identity
The ASP.NET user identity is used to access ASP.NET-specific resources. For example, you can identify a portion of your application that is only available to certain users, while other portions of your application are available to all users.
The ASP.NET user is determined by the authentication element of the system.web section of the Web.config file for your application. You have several options for authenticating the ASP.NET identity for your application. You can use the Windows user name that is determined by IIS, ASP.NET Forms authentication, Passport authentication, or a custom authentication scheme. The ASP.NET identity can be accessed using the User property of the current HttpContext. For details, see ASP.NET Authentication.
If you are using ASP.NET Forms authentication or a custom authentication solution to provide the ASP.NET identity, you can use ASP.NET membership to provide a user data store and user management functionality. For more information, see Managing Users by Using Membership.
Authorization
Authorization involves restricting user access to only those resources that are required. This includes restricting access to only the required files, databases, and portions of your application. In addition, this includes using Code Access Security to restrict access to code.
You can restrict access to portions of your application by using the UrlAuthorizationModule and ASP.NET Role Management. For more information, see ASP.NET Authorization and Managing Authorization Using Roles.
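The configuration elements discussed in this topic (identity, authentication and authorization) brought together in one added example Web.config; it is not from the original article, and the Admin path and SiteAdmins role name are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example Web.config (not from the original article). The Admin path
     and the SiteAdmins role are placeholders. -->
<configuration>
  <system.web>
    <!-- ASP.NET user identity: take the Windows user that IIS authenticated
         (Integrated/NTLM). Use mode="Forms" to use Forms authentication with
         Membership instead. -->
    <authentication mode="Windows" />

    <!-- Application (Windows) identity: impersonate the IIS-authenticated user
         for this request. Omit the element (the default) to keep running as the
         application pool or ASPNET account. -->
    <identity impersonate="true" />

    <!-- UrlAuthorizationModule: deny anonymous users ("?") for the whole
         application by default. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Restrict one portion of the application to a role. Rules are evaluated
       top-down and the first match wins, so the allow must precede the deny.
       With Windows authentication the role is a Windows group name; with
       roleManager enabled it is an ASP.NET Role Management role. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="SiteAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```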