Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.


patterns & practices Developer Center

At a Glance

J.D. Meier, Alex Mackman, Michael Dunner, and Srinath Vasireddy
Microsoft Corporation

Published: November 2002

Last Revised: January 2006

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

Summary: This section allows you to quickly see the scope and coverage of the individual chapters in the guide. (12 printed pages)

Contents

Chapter 1: Introduction
Chapter 2: Security Model for ASP.NET Applications
Chapter 3: Authentication and Authorization
Chapter 4: Secure Communication
Chapter 5: Intranet Security
Chapter 6: Extranet Security
Chapter 7: Internet Security
Chapter 8: ASP.NET Security
Chapter 9: Enterprise Services Security
Chapter 10: Web Services Security
Chapter 11: .NET Remoting Security
Chapter 12: Data Access Security
Chapter 13: Troubleshooting Security Issues
Reference

Chapter 1: Introduction

This chapter highlights the goals of the guide, introduces key terminology and presents a set of core principles that apply to the guidance presented in later chapters.

Chapter 2: Security Model for ASP.NET Applications

This chapter describes the common characteristics of .NET Web applications from a security perspective and introduces the .NET Web application security model. It also introduces the set of core implementation technologies that you will use to build secure .NET Web applications.

The full range of gatekeepers that allow you to develop defense-in-depth security strategies is also introduced, and the concept of principal-based authorization, using principal and identity objects, is explained.

This chapter will help you answer the following questions:

  • What are the typical deployment patterns adopted by .NET Web applications?
  • What security features are provided by the various technologies that I use to build .NET Web applications?
  • What gatekeepers should I be aware of and how do I use them to provide a defense-in-depth security strategy?
  • What are principal and identity objects and why are they so significant?
  • How does .NET security relate to Windows security?

Chapter 3: Authentication and Authorization

Designing a coherent authentication and authorization strategy across your application's multiple tiers is a critical task. This chapter provides guidance to help you develop an appropriate strategy for your particular application scenario. It will help you choose the most appropriate authentication and authorization technique and apply them at the correct places in your application.

Read this chapter to learn how to:

  • Choose an appropriate authentication mechanism to identify users.

  • Develop an effective authorization strategy.

  • Choose an appropriate type of role-based security.

  • Compare and contrast .NET roles with Enterprise Services (COM+) roles.

  • Use database roles.

  • Choose between the trusted subsystem resource access model and the impersonation/delegation model, which is used to flow the original caller's security context at the operating system level throughout an application's multiple tiers.

    These two core resource access models are shown below in Figure 1 and Figure 2.

    Figure 1. The Trusted Subsystem model (image: Ff649306.f03sn01(en-us,PandP.10).gif)

    With the trusted subsystem model:

    • Downstream resource access is performed using a fixed trusted identity and security context.
    • The downstream resource manager (for example, database) trusts the upstream application to properly authenticate and authorize callers.
    • The resource manager authorizes the application to access resources. Original callers are not authorized to directly access the resource manager.
    • A trust boundary exists between the downstream and upstream components.
    • Original caller identity (for auditing) flows at the application (not operating system) level.

    Figure 2. The impersonation/delegation model (image: Ff649306.f03sn03(en-us,PandP.10).gif)

    With the impersonation/delegation model:

    • Downstream resource access is performed using the original caller's security context.
    • The downstream resource manager (for example, database) authorizes individual callers.
    • The original caller identity flows at the operating system level and is available for platform-level auditing and per-caller authorization.
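The two models above, written out as ASP.NET data access helpers. This is an added example for this overview, not code from the guide: the server and database names, the stored procedure names and the audit parameter are placeholders, and the code targets the .NET Framework, where `WindowsIdentity.Impersonate` is available.

```csharp
// Added example, not from the guide: the resource access models of Figures 1 and 2
// as ASP.NET (.NET Framework) data access helpers. Server name, database name and
// the stored procedure names are placeholders.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public static class OrderData
{
    // Windows authentication (Integrated Security=SSPI): no password in the string.
    // Which Windows account reaches SQL Server depends on the model used below.
    private const string ConnectionString =
        "Server=sqlserver01;Database=Orders;Integrated Security=SSPI;"; // placeholder

    // Trusted subsystem. The connection is opened under the ASP.NET process identity
    // (a fixed, trusted account). SQL Server authorizes only that account; the
    // original caller is passed at the application level, for auditing.
    public static DataTable GetOrdersTrustedSubsystem(HttpContext context)
    {
        // The application has already authenticated and authorized the caller;
        // the database trusts the application, not the individual user.
        string originalCaller = context.User.Identity.Name;

        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.GetOrdersForCaller", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Caller name travels as data; the stored procedure writes it to an audit table.
            cmd.Parameters.Add("@Caller", SqlDbType.NVarChar, 256).Value = originalCaller;
            conn.Open();
            DataTable orders = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
                adapter.Fill(orders);
            return orders;
        }
    }

    // Impersonation/delegation. The worker thread temporarily runs as the original
    // caller, so the connection is authenticated as that user: SQL Server performs
    // per-caller authorization and its own audit trail shows the real user.
    // For a remote SQL Server this only works when the ASP.NET account is trusted
    // for Kerberos delegation; an NTLM network logon token cannot hop to another box.
    public static DataTable GetOrdersImpersonating(HttpContext context)
    {
        WindowsIdentity caller = context.User.Identity as WindowsIdentity;
        if (caller == null)
            throw new InvalidOperationException(
                "Impersonation needs a Windows-authenticated caller (IIS Integrated Windows authentication).");

        WindowsImpersonationContext impersonation = caller.Impersonate();
        try
        {
            using (SqlConnection conn = new SqlConnection(ConnectionString))
            using (SqlCommand cmd = new SqlCommand("dbo.GetMyOrders", conn))
            {
                cmd.CommandType = CommandType.StoredProcedure;
                conn.Open(); // authenticated as the caller; no caller parameter needed
                DataTable orders = new DataTable();
                using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
                    adapter.Fill(orders);
                return orders;
            }
        }
        finally
        {
            // Always revert, even on exceptions: a thread left impersonating carries the
            // caller's identity into whatever request it serves next.
            impersonation.Undo();
        }
    }
}
```

Two practical consequences follow from the code. With integrated security, SqlClient keys its connection pool on the Windows identity that opened the connection, so the impersonation model ends up with one small pool per user while the trusted subsystem model shares a single pool, which is the scalability argument the guide makes for the trusted subsystem. And the impersonation path reaches a remote database only if Kerberos delegation is configured for the ASP.NET account, which is why the guide treats delegation as a distinct scenario in Chapter 5.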

Chapter 4: Secure Communication

This chapter introduces the two core technologies that can be used to provide message confidentiality and message integrity for data that flows across the network between clients and servers on the Internet and corporate intranet. These are SSL and IPSec. It also discusses RPC encryption that can be used to secure the communication with remote serviced components.

Read this chapter to learn how to:

  • Apply secure communication techniques throughout the various tiers of your application.
  • Choose between SSL and IPSec.
  • Configure secure communication.
  • Use RPC encryption.

The chapter addresses the need to provide secure communication channels between your application's various physical tiers as shown in Figure 3.

Figure 3. A typical Web deployment model, with secure communications (image: Ff649306.f04sn02(en-us,PandP.10).gif)

Chapter 5: Intranet Security

This chapter presents a set of common intranet application scenarios and for each one presents recommended security configurations. In each case, the configuration steps necessary to build the secure solution are presented, together with analysis and related scenario variations.

The application scenarios covered in this chapter are:

  • ASP.NET to SQL Server

    This scenario is shown in Figure 4.

  • ASP.NET to Enterprise Services to SQL Server

  • ASP.NET to Web services to SQL Server

  • Flowing the original caller to the database

    This includes multi-tier Kerberos delegation scenarios, as shown in Figure 5.

Figure 4. Security configuration for ASP.NET to remote SQL Server scenarios (image: Ff649306.f05sn02(en-us,PandP.10).gif)

Figure 5. Security configuration for ASP.NET to remote Enterprise Services to remote SQL Server Kerberos delegation scenario (image: Ff649306.f05sn10(en-us,PandP.10).gif)

Read this chapter to learn how to:

  • Use the default ASP.NET process identity account to make calls from an ASP.NET Web application to a remote SQL Server database.
  • Establish trusted database connections to SQL Server using Windows authentication.
  • Authorize database access with SQL Server user-defined database roles.
  • Avoid storing credentials within your application.
  • Secure sensitive data with a combination of SSL and IPSec.
  • Implement Kerberos delegation to flow the original caller's security context across multiple application tiers to a back-end database.
  • Flow the original caller's security context by using Basic authentication.
  • Authorize users with a combination of ASP.NET file authorization, URL authorization, .NET roles and Enterprise Services (COM+) roles.
  • Effectively use impersonation within an ASP.NET Web application.

Chapter 6: Extranet Security

This chapter presents a set of common extranet application scenarios and for each one presents recommended security configurations, configuration steps and analysis.

This chapter covers the following extranet scenarios.

  • Exposing a Web Service (B2B partner exchange)

    This scenario is shown in Figure 6.

  • Exposing a Web Application (partner application portal)

Figure 6. Security configuration for Web Service B2B partner exchange scenario (image: Ff649306.f06sn02(en-us,PandP.10).gif)

Read this chapter to learn how to:

  • Authenticate partner companies by using client certificate authentication against a dedicated extranet Active Directory.
  • Map certificates to Windows accounts.
  • Authorize partner companies by using ASP.NET file authorization and .NET roles.
  • Use the ASP.NET process identity to access a remote SQL Server database located on the corporate intranet.

Chapter 7: Internet Security

This chapter presents a set of common Internet application scenarios, and for each one presents recommended security configurations, configuration steps, and analysis.

This chapter covers the following Internet application scenarios:

  • ASP.NET to SQL Server

  • ASP.NET to Remote Enterprise Services to SQL Server

    This scenario is shown in Figure 7.

Figure 7. Security configuration for ASP.NET to remote Enterprise Services to SQL Server (image: Ff649306.f07sn04(en-us,PandP.10).gif)

Read this chapter to learn how to:

  • Use Forms authentication with a SQL Server credential database.
  • When storing passwords in the database, store the hashed password with salt instead of plain or encrypted passwords.
  • Authorize Internet users with URL Authorization and .NET roles.
  • Use Windows authentication from an ASP.NET Web application to SQL Server through a firewall.
  • Secure sensitive data with a combination of SSL and IPSec.
  • Communicate from an ASP.NET Web application to a remote Enterprise Services application through a firewall by using SOAP.
  • Secure calls to serviced components in the application's middle tier.

Chapter 8: ASP.NET Security

This chapter provides in-depth security recommendations for ASP.NET Web applications. This chapter covers the range of authentication, authorization and secure communication services provided by IIS and ASP.NET. These are illustrated in Figure 8.

Figure 8. ASP.NET security services (image: Ff649306.f08sn01(en-us,PandP.10).gif)

Read this chapter to learn how to:

  • Configure the various ASP.NET authentication modes.
  • Implement Forms authentication.
  • Implement Windows authentication.
  • Work with IPrincipal and IIdentity objects.
  • Effectively use the IIS and ASP.NET gatekeepers.
  • Configure and use ASP.NET File authorization.
  • Configure and use ASP.NET URL authorization.
  • Implement declarative, imperative and programmatic role-based security, using principal permission demands and IPrincipal.IsInRole.
  • Know when and when not to use impersonation within an ASP.NET Web application.
  • Choose an appropriate account to run ASP.NET.
  • Access local and network resources using the ASP.NET process identity.
  • Access remote SQL Server databases using the local ASPNET account.
  • Call COM objects from ASP.NET.
  • Effectively use the anonymous Internet user account in Web hosting environments.
  • Store secrets in an ASP.NET Web application.
  • Secure session and view state.
  • Configure ASP.NET security in Web Farm scenarios.
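The three role-check styles named in the list above (declarative, imperative and programmatic), in one added example that is not code from the guide. It assumes Forms authentication with roles attached to a GenericPrincipal on each request; the role table is constructed for illustration, and the code targets ASP.NET on the .NET Framework, since PrincipalPermission is not supported on .NET Core.

```csharp
// Added example, not from the guide: declarative, imperative and programmatic
// role-based security for ASP.NET on the .NET Framework. The role table is
// constructed; a real application reads roles from a database or directory.
using System;
using System.Collections.Generic;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

public static class RoleChecks
{
    // Constructed role data for the example.
    private static readonly Dictionary<string, string[]> RoleTable =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Manager", "Analyst" } },
            { "bob",   new[] { "Analyst" } }
        };

    public static string[] LookupRoles(string userName)
    {
        string[] roles;
        return RoleTable.TryGetValue(userName, out roles) ? roles : new string[0];
    }

    // Call from Application_AuthenticateRequest in Global.asax, after Forms
    // authentication has validated the ticket. Roles are not carried in the ticket
    // here, so they are attached to a GenericPrincipal on every request.
    public static void AttachRoles(HttpContext context)
    {
        if (!context.Request.IsAuthenticated || !(context.User.Identity is FormsIdentity))
            return;

        GenericPrincipal principal =
            new GenericPrincipal(context.User.Identity, LookupRoles(context.User.Identity.Name));
        context.User = principal;
        // PrincipalPermission demands read Thread.CurrentPrincipal, not HttpContext.User,
        // so keep the two in step.
        Thread.CurrentPrincipal = principal;
    }

    // Declarative: the runtime checks Thread.CurrentPrincipal before the body runs and
    // throws SecurityException if the role is missing. Nothing inside the method can be
    // reached without the role, which makes the check easy to audit.
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public static string ApproveOrder(int orderId)
    {
        return "approved:" + orderId;
    }

    // Imperative: the same demand issued from code, for when the required role
    // depends on runtime data (here, large cancellations need a Manager).
    public static string CancelOrder(int orderId, decimal amount)
    {
        string requiredRole = amount > 10000m ? "Manager" : "Analyst";
        new PrincipalPermission(null, requiredRole).Demand(); // throws SecurityException
        return "cancelled:" + orderId;
    }

    // Programmatic: IPrincipal.IsInRole returns a bool, so a page can hide a control
    // or choose a code path instead of failing the whole request.
    public static bool CanViewReports(IPrincipal user)
    {
        return user.IsInRole("Manager") || user.IsInRole("Analyst");
    }
}
```

The declarative and imperative forms fail closed with a SecurityException, which ASP.NET turns into an error page unless the application handles it; the programmatic form is the one to use where an unauthorized user should simply see less rather than an error. Whichever form is used, the check only means something if `Thread.CurrentPrincipal` and `HttpContext.User` hold the same principal, which is why `AttachRoles` sets both.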

Chapter 9: Enterprise Services Security

This chapter explains how to secure business functionality in serviced components contained within Enterprise Services applications. It shows you how and when to use Enterprise Services (COM+) roles for authorization, and how to configure RPC authentication and impersonation. It also shows you how to securely call serviced components from an ASP.NET Web application and how to identify and flow the original caller's security context through a middle tier serviced component.

Figure 9 shows the Enterprise Services security features covered by this chapter.

Figure 9. Enterprise Services security overview (image: Ff649306.f09sn01(en-us,PandP.10).gif)

Read this chapter to learn how to:

  • Configure an Enterprise Services application using .NET attributes.
  • Secure server and library applications.
  • Choose an appropriate account to run an Enterprise Services server application.
  • Implement method level Enterprise Services (COM+) role based security both programmatically and declaratively.
  • Configure ASP.NET as a DCOM client.
  • Securely call serviced components from ASP.NET.
  • Compare Enterprise Services (COM+) roles with .NET roles.
  • Identify callers within a serviced component.
  • Flow the original caller's security context through an Enterprise Services application by using programmatic impersonation within a serviced component.
  • Access local and network resources from a serviced component.
  • Use RPC encryption to secure sensitive data passed to and from serviced components.
  • Understand the process of RPC authentication level negotiation.
  • Use DCOM through firewalls.

Chapter 10: Web Services Security

This chapter focuses on platform level security for Web services using the underlying features of IIS and ASP.NET. For message level security, Microsoft provides Web Services Enhancements for Microsoft .NET (WSE), which allows you to build security solutions that conform to the WS-Security specification.

The ASP.NET Web services platform security architecture is shown in Figure 10.

Figure 10. Web services security architecture (image: Ff649306.f10sn03(en-us,PandP.10).gif)

Read this chapter to learn how to:

  • Implement platform-based Web service security solutions.
  • Develop an authentication and authorization strategy for a Web service.
  • Use client certificate authentication with Web services.
  • Use ASP.NET file authorization, URL authorization, and .NET roles to provide authorization in Web services.
  • Flow the original caller's security context through a Web service.
  • Call Web services using SSL.
  • Access local and network resources from Web services.
  • Pass credentials for authentication to a Web service through a Web service proxy.
  • Implement the trusted subsystem model for Web services.
  • Call COM objects from Web services.

Chapter 11: .NET Remoting Security

The .NET Framework provides a remoting infrastructure that allows clients to communicate with objects, hosted in remote application domains and processes, or on remote computers. This chapter shows you how to implement secure .NET Remoting solutions.

Read this chapter to learn how to:

  • Choose an appropriate host for remote components.
  • Use all of the available gatekeepers to provide defense-in-depth security.
  • Use URL authorization and .NET roles to authorize access to remote components.
  • Use File authorization with remoting. This requires you to create a physical .rem or .soap file that corresponds to the remote component's object URI, so that the ASP.NET FileAuthorizationModule has a file ACL to check.
  • Access local and network resources from a remote component.
  • Pass credentials for authentication to a remote component through the remote component proxy object.
  • Flow the original caller's security context through a remote component.
  • Secure communication to and from remote components using a combination of SSL and IPSec.
  • Know when to use remoting and when to use Web services.

Chapter 12: Data Access Security

This chapter presents recommendations and guidance that will help you develop a secure data access strategy. The key issues covered by this chapter are shown in Figure 11. These include storing connection strings securely, using an appropriate identity for database access, securing data passed to and from the database, using an appropriate authentication mechanism and implementing authorization in the database.

Figure 11. Data Access security overview (image: Ff649306.f12sn01(en-us,PandP.10).gif)

Read this chapter to learn how to:

  • Use Windows authentication from ASP.NET to your database.
  • Secure connection strings.
  • Use DPAPI from ASP.NET Web applications to store secrets such as connection strings and credentials.
  • Store credentials for authentication securely in a database.
  • Validate user input to protect against SQL injection attacks.
  • Mitigate the security threats associated with the use of SQL authentication.
  • Know which type of database roles to use.
  • Compare and contrast database user roles with SQL Server application roles.
  • Secure communication to SQL Server using IPSec and also SSL.
  • Create a least privilege database account.
  • Enable auditing in SQL Server.
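An added example covering two items from the lists above: the Chapter 7 advice to store a salted hash rather than a plain or encrypted password in a Forms authentication credential database, and the Chapter 12 items on storing credentials securely and guarding against SQL injection. It is not code from the guide. The connection string, table and column names are placeholders, and the key derivation uses Rfc2898DeriveBytes (PBKDF2), which is available from .NET Framework 2.0; the salted SHA-1 approach of the 2002 text is replaced here by that standard construction.

```csharp
// Added example, not from the guide: a Forms authentication credential store that
// keeps a salted PBKDF2 hash per user and talks to SQL Server only through
// parameterized commands. Connection string, table and column names are placeholders.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class CredentialStore
{
    // Placeholder; in a real deployment read a DPAPI-protected string (Chapter 12)
    // and prefer Windows authentication so no SQL password exists at all.
    private const string ConnectionString =
        "Server=sqlserver01;Database=Users;Integrated Security=SSPI;";

    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    // 1000 was the Rfc2898DeriveBytes default of the era; use far more today.
    private const int Iterations = 10000;

    // VULNERABLE, shown only for contrast: the user name is spliced into the SQL text,
    // so a value such as  ' OR 1=1 --  rewrites the query. Never execute this.
    public static string BuildUnsafeQuery(string userName)
    {
        return "SELECT Salt, PasswordHash FROM Users WHERE UserName = '" + userName + "'";
    }

    public static byte[] NewSalt()
    {
        byte[] salt = new byte[SaltBytes];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return salt;
    }

    public static byte[] HashPassword(string password, byte[] salt)
    {
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }

    public static void CreateUser(string userName, string password)
    {
        byte[] salt = NewSalt();
        byte[] hash = HashPassword(password, salt);
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(
            "INSERT INTO Users (UserName, Salt, PasswordHash) VALUES (@UserName, @Salt, @Hash)", conn))
        {
            // Parameters are sent as typed values, never as part of the SQL text.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            cmd.Parameters.Add("@Salt", SqlDbType.VarBinary, SaltBytes).Value = salt;
            cmd.Parameters.Add("@Hash", SqlDbType.VarBinary, HashBytes).Value = hash;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    public static bool VerifyPassword(string userName, string password)
    {
        byte[] salt, storedHash;
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT Salt, PasswordHash FROM Users WHERE UserName = @UserName", conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                {
                    // Unknown user: still do the hash work so timing does not reveal
                    // which user names exist.
                    HashPassword(password, new byte[SaltBytes]);
                    return false;
                }
                salt = (byte[])reader["Salt"];
                storedHash = (byte[])reader["PasswordHash"];
            }
        }
        return FixedTimeEquals(HashPassword(password, salt), storedHash);
    }

    // Compare every byte regardless of where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The database account used by this code needs only EXECUTE or SELECT/INSERT on the Users table, not db_owner, which is the least-privilege account the Chapter 12 list calls for; combined with Windows authentication to SQL Server there is then no SQL password to protect, and the credential table holds nothing an attacker can use directly even if it is read.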

Chapter 13: Troubleshooting Security Issues

This chapter provides troubleshooting tips, techniques and tools to help diagnose security related issues. Read this chapter to learn a proven process for effectively troubleshooting security issues you may encounter while building your ASP.NET applications. For example, you'll learn techniques for determining identity in your ASP.NET pages, which can be used to diagnose authentication and access control issues. You'll also learn how to troubleshoot Kerberos authentication. The chapter concludes with a concise list of some of the more useful troubleshooting tools, used by Microsoft support to troubleshoot customer issues.

Reference

Use the supplementary information in this section of the guide to help further your understanding of the techniques, strategies and security solutions presented in earlier chapters. Detailed How To articles provide step-by-step procedures that enable you to implement specific security solutions. It contains the following information:

  • Reference Hub
  • How To articles
  • How Does it Work?
  • ASP.NET Identity Matrix
  • Base Configuration
  • Configuring Security
  • Cryptography and Certificates
  • .NET Web Application Security Figure
  • Glossary


© Microsoft Corporation. All rights reserved.