We recommend using Visual Studio 2017

Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

 

patterns & practices Developer Center

Configuration Stores and Tools

J.D. Meier, Alex Mackman, Michael Dunner, and Srinath Vasireddy
Microsoft Corporation

Published: November 2002

Last Revised: January 2006

Applies to:

  • Microsoft® ASP.NET

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Building Secure ASP.NET Applications.

Summary: The combined authentication, authorization, and secure communication services available to .NET Web applications are summarized in the following tables. The tables show the various security services available to each of the core .NET Web application technologies and for each one indicates where the related security configuration settings are maintained and what tools are available to edit the settings. (6 printed pages)

Note   Settings within the Internet Information Services (IIS) metabase are configured using the IIS MMC snap-in, or programmatically via script. Settings maintained within machine.config or web.config can be edited with any text editor (such as Notepad) or XML editor (such as the Microsoft Visual Studio® .NET XML editor).

Table 1. IIS security configuration

AuthenticationConfigurationTools
Anonymous
Basic
Digest
Windows Integrated
Client Certificates
IIS metabaseIIS MMC snap-in

Script

Makecert.exe can be used to create test certificates
AuthorizationConfigurationTools
NTFS permissions (Windows ACLs)


IP and DNS restrictions
Windows (NTFS) file system


IIS metabase
Windows Explorer
Cacls.exe
Security templates
Secedit.exe

Group Policy

Secure CommunicationConfigurationTools
SSL


IPSec
Windows (NTFS) file system

Machine's local policy (registry) or Microsoft Active Directory® directory service
IIS MMC snap-in
Script

Local Security Policy MMC snap-in
Domain security Policy MMC snap-in
Ipsecpol.exe
Additional GatekeepersConfigurationTools
IP address and domain name restrictionsIIS metabaseIIS MMC snap-in
Script

Table 2. ASP.NET security configuration

AuthenticationConfigurationTools
Windows
Forms
Passport
None (Custom)
<authentication> element of Machine.config or Web.configNotepad.exe
Visual Studio .NET
Any XML editor
AuthorizationConfigurationTools
URL authorization



File authorization











.NET roles
<authorization> element of Machine.config or Web.config

Windows (NTFS) file system
Active Directory
–or–
SAM database
–or–
Custom data store (for example, SQL Server)
Notepad.exe

Visual Studio .NET
Any XML editor

Windows Explorer
Calcs.exe
Security templates
Secedit.exe
Group Policy
For Windows groups, use the Active Directory Users and Computers MMC snap-in or (for local settings) use the Computer Management tool

ADSI script
Net.exe
For custom groups—
depends on custom data store

Table 3. Enterprise Services security configuration*

AuthenticationConfigurationTools
DCOM/RPC authenticationCOM+ Catalog
Note: Computer-wide settings for serviced component (and regular DCOM) proxies is maintained in Machine.config.
Component Services MMC snap-in
Script (Catalog automation objects)
AuthorizationConfigurationTools
Enterprise Services (COM+) roles



Windows ACLs (when using impersonation in serviced component)
COM+ Catalog




Windows (NTFS) file system
Component Services MMC snap-in
Script (Catalog automation objects)

Windows Explorer
Cacls.exe
Security templates
Secedit.exe
Group Policy
Secure CommunicationConfigurationTools
RPC encryption
(packet privacy)






IPSec
COM+ Catalog
Note: Computer-wide settings for serviced component (and regular DCOM) proxies is maintained in Machine.config.

Machine's local policy (registry) or Active Directory
Component Services
Script (Catalog automation objects)





Local Security Policy MMC snap-in
Ipsecpol.exe

* The security services for Enterprise service components apply both to components hosted by server and library applications. However, certain restrictions apply for library applications because many of the security defaults are inherited from the host process and as a result are not directly configurable. Process-wide authentication may also be explicitly switched off by library applications. For more details, see Chapter 9: Enterprise Services Security.

Table 4. Web services (implemented using ASP.NET) security configuration

AuthenticationConfigurationTools
Windows



Custom
<authentication> element of Machine.config or Web.config

Custom data store (for example. SQL Server or Active Directory)
Notepad
Visual Studio .NET
Any XML editor

Depends on custom store.
AuthorizationConfigurationTools
URL Authorization



File Authorization





.NET roles
Web.config



Windows (NTFS) file system




Active Directory
–or–
SAM database
–or–
Custom data store (for example, SQL Server)
Notepad
Visual Studio .NET
Any XML editor

Windows Explorer
Cacls.exe
Security templates
Secedit.exe
Group Policy

For Windows groups, use the Active Directory Users and Computers MMC snap-in or (for local settings) use the Computer Management tool

ADSI script
Net.exe
For custom groups
–depends on custom store
Secure CommunicationConfigurationTools
SSL


IPSec
IIS metabase


Machine's local policy (registry) or Active Directory
IIS MMC snap-in
Script

Local Security Policy MMC snap-in
Ipsecpol.exe

Table 5. .NET Remoting security configuration** (when hosted by ASP.NET using HTTP Channel)

AuthenticationConfigurationTools
Windows

Custom
IIS metabase

Custom data store (for example SQL Server)
IIS MMC snap-in Script

Depends on custom store
AuthorizationConfigurationTools
URL authorization



File authorization





.NET roles
Web.config



Windows (NTFS) file system




Active Directory
–or–
SAM database
–or–
Custom data store (for example, SQL Server
Notepad
Visual Studio .NET
Any XML editor

Windows Explorer
Cacls.exe
Security templates
Secedit.exe
Group Policy

For Windows groups, use the Active Directory Users and Computers MMC snap-in or (for local settings) use the Computer Management tool

ADSI script,
Net.exe
For custom groups–
depends on custom store
Secure CommunicationConfigurationTools
SSL

IPSec
IIS metabase

Machine's local policy (registry) or Active Directory
IIS MMC snap-in Script

Local Security Policy MMC snap-in
Ipsecpol.exe

** The security services shown for .NET Remoting assumes that the .NET remote component is hosted within ASP.NET and is using the HTTP channel. No default security services are available to .NET remote components hosted outside of IIS (for example, in a custom Win32 process or Win32 service) using the TCP channel. For more details, see Chapter 11: Remoting Security.

Table 6. .SQL Server security configuration

AuthenticationConfigurationTools
Integrated Windows

SQL Server standard authentication
SQL Server

SQL Server
SQL Server Enterprise Manager
SQL Server Enterprise Manager
AuthorizationConfigurationTools
Object permissions
Database roles
Server roles
User defined database roles
Application roles
SQL ServerSQL Server Enterprise Manager
Osql.exe (Database script)
Secure CommunicationConfigurationTools
SSL





IPSec
Server's machine certificate store
Client and server registry settings
Connection string

Machine's local policy (registry) or Active Directory
Certificates MMC snap-in
Server Network Utility
Client Network Utility



Local Security Policy snap-in
Ipsecpol.exe

patterns & practices Developer Center

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Show: