Building secure distributed Web applications can be challenging. It usually involves integrating several different technologies and products—yet your complete application will only be as secure as its weakest link. This guide presents a practical, scenario-driven approach to designing and building security-enhanced ASP.NET applications for Microsoft Windows 2000 and version 1.1 of the Microsoft .NET Framework. It focuses on the key elements of authentication, authorization, and secure communication within and across the tiers of distributed .NET Web applications.
This guide focuses on:
Authentication—to identify the clients of your application
Authorization—to provide access controls for those clients
Secure communication—to help ensure that messages remain private and are not altered by unauthorized parties
Who should read this guide:
Middleware developers and architects who build or plan to build .NET Web applications using ASP.NET, XML Web Services, Enterprise Services (COM+), .NET Remoting, or Microsoft ADO.NET
About “Patterns and Practices”:
Patterns & Practices contains specific recommendations illustrating how to design, build, deploy, and operate architecturally sound solutions to challenging business and technical scenarios. The technical guidance is reviewed and approved by Microsoft engineering teams, consultants, and Product Support Services, and by partners and customers.
Note: Includes a complete sample on the Web.
Founded in 1975, Microsoft is the worldwide leader in software, services, and solutions that help people and businesses realize their full potential. Since 1988, Microsoft has been building accessibility options right into its products to enable everyone to personalize their PCs to make them easier and more comfortable to see, hear, and use.
Contents

Acknowledgements
Preface

CHAPTER 1  Introduction
  The Connected Landscape
  The Foundations: Authentication; Authorization; Secure Communication; Tying the Technologies Together
  Design Principles
  Summary

CHAPTER 2  Security Model for ASP.NET Applications
  .NET Web Applications: Logical Tiers; Physical Deployment Models; Implementation Technologies
  Security Architecture: Security Across the Tiers; Authentication; Authorization; Gatekeepers and Gates
  Introducing .NET Framework Security: Code Access Security; Principals and Identities; WindowsPrincipal and WindowsIdentity; GenericPrincipal and Associated Identity Objects; ASP.NET and HttpContext.User; Remoting and Web Services
  Summary

CHAPTER 3  Authentication and Authorization Design
  Designing an Authentication and Authorization Strategy: Identify Resources; Choose an Authorization Strategy; Choose the Identities Used for Resource Access; Consider Identity Flow; Choose an Authentication Approach; Decide How to Flow Identity
  Authorization Approaches: Role Based Authorization; Resource Based Authorization
  Resource Access Models: The Trusted Subsystem Model; The Impersonation / Delegation Model; Choosing a Resource Access Model
  Flowing Identity: Application vs. Operating System Identity Flow; Impersonation and Delegation
  Role-Based Authorization: .NET Roles; Enterprise Services (COM+) Roles; SQL Server User Defined Database Roles; SQL Server Application Roles; .NET Roles versus Enterprise Services (COM+) Roles; Using .NET Roles
  Choosing an Authentication Mechanism: Internet Scenarios; Intranet / Extranet Scenarios; Authentication Mechanism Comparison
  Summary

CHAPTER 4  Secure Communication
  Know What to Secure
  SSL/TLS: Using SSL
  IPSec: Using IPSec
  RPC Encryption: Using RPC Encryption
  Point to Point Security: Browser to Web Server; Web Server to Remote Application Server; Application Server to Database Server
  Choosing Between IPSec and SSL
  Farming and Load Balancing
  More Information
  Summary

CHAPTER 5  Intranet Security
  ASP.NET to SQL Server: Characteristics; Secure the Scenario; The Result; Security Configuration Steps; Analysis; Q&A; Related Scenarios
  ASP.NET to Enterprise Services to SQL Server: Characteristics; Secure the Scenario; The Result; Security Configuration Steps; Analysis; Pitfalls
  ASP.NET to Web Services to SQL Server: Characteristics; Secure the Scenario; The Result; Security Configuration Steps; Analysis; Pitfalls; Q&A
  ASP.NET to Remoting to SQL Server: Characteristics; Secure the Scenario; The Result; Security Configuration Steps; Analysis; Pitfalls
  Flowing the Original Caller to the Database: ASP.NET to SQL Server; ASP.NET to Enterprise Services to SQL Server; The Result; Analysis; Pitfalls
  Summary

CHAPTER 6  Extranet Security
  Exposing a Web Service: Characteristics; Secure the Scenario; The Result; Security Configuration Steps; Analysis; Pitfalls; Q&A
  Exposing a Web Application: Scenario Characteristics; Secure the Scenario; The Result; Analysis; Pitfalls
  Summary

CHAPTER 7  Internet Security
  ASP.NET to SQL Server: Characteristics; Secure the Scenario; The Result; Security Configuration Steps; Analysis; Pitfalls; Related Scenarios
  ASP.NET to Remote Enterprise Services to SQL Server: Characteristics; Secure the Scenario; The Result; Security Configuration Steps; Analysis; Pitfalls; Related Scenarios
  Summary

CHAPTER 8  ASP.NET Security
  ASP.NET Security Architecture: Gatekeepers
  Authentication and Authorization Strategies: Available Authorization Options; Windows Authentication with Impersonation; Windows Authentication without Impersonation; Windows Authentication Using a Fixed Identity; Forms Authentication; Passport Authentication
  Configuring Security: Configure IIS Settings; Configure ASP.NET Settings; Secure Resources; Secure Communication
  Programming Security: An Authorization Pattern; Creating a Custom IPrincipal Class; Windows Authentication; Forms Authentication; Development Steps for Forms Authentication; Forms Implementation Guidelines; Hosting Multiple Applications Using Forms Authentication; Cookieless Forms Authentication; Passport Authentication; Custom Authentication
  Process Identity for ASP.NET: Use a Least Privileged Account; Avoid Running as SYSTEM; Using the Default ASPNET Account
  Impersonation: Impersonation and Local Resources; Impersonation and Remote Resources; Impersonation and Threading
  Accessing System Resources: Accessing the Event Log; Accessing the Registry
  Accessing COM Objects: Apartment Model Objects
  Accessing Network Resources: Using the ASP.NET Process Identity; Using a Serviced Component; Using the Anonymous Internet User Account; Using LogonUser and Impersonating a Specific Windows Identity; Using the Original Caller; Accessing Files on a UNC File Share; Accessing Non-Windows Network Resources
  Secure Communication
  Storing Secrets: Options for Storing Secrets in ASP.NET; Consider Storing Secrets in Files on Separate Logical Volumes
  Securing Session and View State: Securing View State; Securing Cookies; Securing SQL Session State
  Web Farm Considerations: Session State; DPAPI; Using Forms Authentication in a Web Farm; The Element
  Summary

CHAPTER 9  Enterprise Services Security
  Security Architecture: Gatekeepers and Gates; Use Server Applications for Increased Security; Security for Server and Library Applications; Code Access Security Requirements
  Configuring Security: Configuring a Server Application; Configuring an ASP.NET Client Application; Configuring Impersonation Levels for an Enterprise Services Application
  Programming Security: Programmatic Role-Based Security; Identifying Callers
  Choosing a Process Identity: Avoid Running as the Interactive User; Use a Least-Privileged Custom Account
  Accessing Network Resources: Using the Original Caller; Using the Current Process Identity; Using a Specific Service Account
  Flowing the Original Caller: Calling CoImpersonateClient
  RPC Encryption: More Information
  Building Serviced Components: DLL Locking Problems; Versioning; QueryInterface Exceptions; DCOM and Firewalls; More Information
  Calling Serviced Components from ASP.NET: Caller's Identity; Use Windows Authentication and Impersonation Within the Web-based Application; Configure Authentication and Impersonation within Machine.config; Configuring Interface Proxies
  Security Concepts: Enterprise Services (COM+) Roles and .NET Roles; Authentication; Impersonation
  Summary

CHAPTER 10  Web Services Security
  Web Service Security Model: Platform/Transport Level (Point-to-Point) Security; Application Level Security; Message Level (End-to-End) Security
  Platform/Transport Security Architecture: Gatekeepers
  Authentication and Authorization Strategies: Windows Authentication with Impersonation; Windows Authentication without Impersonation; Windows Authentication Using a Fixed Identity
  Configuring Security: Configure IIS Settings; Configure ASP.NET Settings; Secure Resources; Disable HTTP-GET, HTTP-POST; Secure Communication
  Passing Credentials for Authentication to Web Services: Specifying Client Credentials for Windows Authentication; Calling Web Services from Non-Windows Clients; Proxy Server Authentication
  Flowing the Original Caller: Default Credentials with Kerberos Delegation; Explicit Credentials with Basic or Forms Authentication
  Trusted Subsystem: Flowing the Caller's Identity; Configuration Steps
  Accessing System Resources
  Accessing Network Resources
  Accessing COM Objects: More Information
  Using Client Certificates with Web Services: Authenticating Web Browser Clients with Certificates; Using the Trusted Subsystem Model
  Secure Communication: Transport Level Options; Message Level Options
  Summary

CHAPTER 11  .NET Remoting Security
  .NET Remoting Architecture: Remoting Sinks; Anatomy of a Request When Hosting in ASP.NET; ASP.NET and the HTTP Channel
  .NET Remoting Gatekeepers
  Authentication: Hosting in ASP.NET; Hosting in a Windows Service
  Authorization: Using File Authorization
  Authentication and Authorization Strategies: More Information
  Accessing System Resources
  Accessing Network Resources
  Passing Credentials for Authentication to Remote Objects: Specifying Client Credentials
  Flowing the Original Caller: Default Credentials with Kerberos Delegation; Explicit Credentials with Basic or Forms Authentication
  Trusted Subsystem: Flowing the Caller's Identity; Choosing a Host; Configuration Steps
  Secure Communication: Platform Level Options
  Choosing a Host Process: Recommendation; Hosting in ASP.NET; Hosting in a Windows Service; Hosting in a Console Application
  Remoting vs. Web Services
  Summary

CHAPTER 12  Data Access Security
  Introducing Data Access Security: SQL Server Gatekeepers; Trusted Subsystem vs. Impersonation/Delegation
  Authentication: Windows Authentication; SQL Authentication; Authenticating Against Non-SQL Server Databases
  Authorization: Using Multiple Database Roles
  Secure Communication: The Options; Choosing an Approach
  Connecting with Least Privilege: The Database Trusts the Application; The Database Trusts Different Roles; The Database Trusts the Original Caller; Creating a Least Privilege Database Account
  Storing Database Connection Strings Securely: The Options; Using DPAPI; Using Web.config and Machine.config; Using UDL Files; Using Custom Text Files; Using the Registry; Using the COM+ Catalog
  Authenticating Users against a Database: Store One-way Password Hashes (with Salt)
  SQL Injection Attacks
  Auditing
  Process Identity for SQL Server
  Summary

CHAPTER 13  Troubleshooting Security Issues
  Process for Troubleshooting: Searching for Implementation Solutions
  Troubleshooting Authentication Issues: IIS Authentication Issues; Using Windows Authentication; Using Forms Authentication; Kerberos Troubleshooting
  Troubleshooting Authorization Issues: Check Windows ACLs; Check Identity; Check the Element
  ASP.NET: Enable Tracing; Configuration Settings; Determining Identity; Determining Identity in a Web Page; Determining Identity in a Web Service; Determining Identity in a Visual Basic 6 COM Object
  .NET Remoting: More Information
  SSL: More Information
  IPSec
  Auditing and Logging: Windows Security Logs; SQL Server Auditing; IIS Logging
  Troubleshooting Tools: File Monitor (FileMon.exe); Fusion Log Viewer (Fuslogvw.exe); ISQL.exe; Windows Task Manager; Network Monitor (NetMon.exe); Registry Monitor (regmon.exe); WFetch.exe; Visual Studio .NET Tools; WebServiceStudio; Windows 2000 Resource Kit

Index of How Tos
  ASP.NET; Authentication and Authorization; Cryptography; Enterprise Services Security; Web Services Security; Remoting Security; Secure Communication

How To: Create a Custom Account to Run ASP.NET
  ASP.NET Worker Process Identity; Impersonating Fixed Identities; Notes; Summary
  1. Create a New Local Account
  2. Assign Minimum Privileges
  3. Assign NTFS Permissions
  4. Configure ASP.NET to Run Using the New Account

How To: Use Forms Authentication with Active Directory
  Requirements; Summary
  1. Create a Web Application with a Logon Page
  2. Configure the Web Application for Forms Authentication
  3. Develop LDAP Authentication Code to Look Up the User in Active Directory
  4. Develop LDAP Group Retrieval Code to Look Up the User's Group Membership
  5. Authenticate the User and Create a Forms Authentication Ticket
  6. Implement an Authentication Request Handler to Construct a GenericPrincipal Object
  7. Test the Application

How To: Use Forms Authentication with SQL Server 2000
  Requirements; Summary
  1. Create a Web Application with a Logon Page
  2. Configure the Web Application for Forms Authentication
  3. Develop Functions to Generate a Hash and Salt Value
  4. Create a User Account Database
  5. Use ADO.NET to Store Account Details in the Database
  6. Authenticate User Credentials Against the Database
  7. Test the Application
  Additional Resources

How To: Create GenericPrincipal Objects with Forms Authentication
  Requirements; Summary
  1. Create a Web Application with a Logon Page
  2. Configure the Web Application for Forms Authentication
  3. Generate an Authentication Ticket for Authenticated Users
  4. Construct GenericPrincipal and FormsIdentity Objects
  5. Test the Application
  Additional Resources

How To: Implement Kerberos Delegation for Windows 2000
  Notes; Requirements; Summary
  1. Confirm that the Client Account is Configured for Delegation
  2. Confirm that the Server Process Account is Trusted for Delegation
  References

How To: Implement IPrincipal
  Requirements; Summary
  1. Create a Simple Web Application
  2. Configure the Web Application for Forms Authentication
  3. Generate an Authentication Ticket for Authenticated Users
  4. Create a Class that Implements and Extends IPrincipal
  5. Create the CustomPrincipal Object
  6. Test the Application
  Additional Resources

How To: Create a DPAPI Library
  Notes; Requirements; Summary
  1. Create a C# Class Library
  2. Strong Name the Assembly (Optional)
  References

How To: Use DPAPI (Machine Store) from ASP.NET
  Notes; Requirements; Summary
  1. Create an ASP.NET Client Web Application
  2. Test the Application
  3. Modify the Web Application to Read an Encrypted Connection String from Web.Config
  References

How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
  Notes; Why Use Enterprise Services?; Why Use a Windows Service?; Requirements; Summary
  1. Create a Serviced Component that Provides Encrypt and Decrypt Methods
  2. Call the Managed DPAPI Class Library
  3. Create a Dummy Class that will Launch the Serviced Component
  4. Create a Windows Account to Run the Enterprise Services Application and Windows Service
  5. Configure, Strong Name, and Register the Serviced Component
  6. Create a Windows Service Application that will Launch the Serviced Component
  7. Install and Start the Windows Service Application
  8. Write a Web Application to Test the Encryption and Decryption Routines
  9. Modify the Web Application to Read an Encrypted Connection String from an Application Configuration File
  References

How To: Create an Encryption Library
  Requirements; Summary
  1. Create a C# Class Library
  2. Create a Console Test Application
  References

How To: Store an Encrypted Connection String in the Registry
  Notes; Requirements; Summary
  1. Store the Encrypted Data in the Registry
  2. Create an ASP.NET Web Application
  References

How To: Use Role-based Security with Enterprise Services
  Notes; Requirements; Summary
  1. Create a C# Class Library Application to Host the Serviced Component
  2. Create the Serviced Component
  3. Configure the Serviced Component
  4. Generate a Strong Name for the Assembly
  5. Build the Assembly and Add it to the Global Assembly Cache
  6. Manually Register the Serviced Component
  7. Examine the Configured Application
  8. Create a Test Client Application

How To: Call a Web Service Using Client Certificates from ASP.NET
  Why Use a Serviced Component?; Why is a User Profile Required?; Requirements; Summary
  1. Create a Simple Web Service
  2. Configure the Web Service Virtual Directory to Require Client Certificates
  3. Create a Custom Account for Running the Serviced Component
  4. Request a Client Certificate for the Custom Account
  5. Test the Client Certificate Using a Browser
  6. Export the Client Certificate to a File
  7. Develop the Serviced Component Used to Call the Web Service
  8. Configure and Install the Serviced Component
  9. Develop a Web Application to Call the Serviced Component
  Additional Resources

How To: Call a Web Service Using SSL
  Requirements; Summary
  1. Create a Simple Web Service
  2. Configure the Web Service Virtual Directory to Require SSL
  3. Test the Web Service Using a Browser
  4. Install the Certificate Authority's Certificate on the Client Computer
  5. Develop a Web Application to Call the Web Service
  Additional Resources

How To: Host a Remote Object in a Windows Service
  Notes; Requirements; Summary
  1. Create the Remote Object Class
  2. Create a Windows Service Host Application
  3. Create a Windows Account to Run the Service
  4. Install the Windows Service
  5. Create a Test Client Application
  References

How To: Set Up SSL on a Web Server
  Requirements; Summary
  1. Generate a Certificate Request
  2. Submit a Certificate Request
  3. Issue the Certificate
  4. Install the Certificate on the Web Server
  5. Configure Resources to Require SSL Access

How To: Set Up Client Certificates
  Requirements; Summary
  1. Create a Simple Web Application
  2. Configure the Web Application to Require Client Certificates
  3. Request and Install a Client Certificate
  4. Verify Client Certificate Operation
  Additional Resources

How To: Use IPSec to Provide Secure Communication Between Two Servers
  Notes; Requirements; Summary
  1. Create an IP Filter
  2. Create Filter Actions
  3. Create Rules
  4. Export the IPSec Policy to the Remote Computer
  5. Assign Policies
  6. Verify that it Works
  Additional Resources

How To: Use SSL to Secure Communication with SQL Server 2000
  Notes; Requirements; Summary
  1. Install a Server Authentication Certificate
  2. Verify that the Certificate Has Been Installed
  3. Install the Issuing CA's Certificate on the Client
  4. Force All Clients to Use SSL
  5. Allow Clients to Determine Whether to Use SSL
  6. Verify that Communication is Encrypted
  Additional Resources

Base Configuration

Configuration Stores and Tools

Reference Hub
  Searching the Knowledge Base; Tips
  .NET Security: Hubs
  Active Directory: Hubs; Key Notes; Articles
  ADO.NET: Roadmaps and Overviews; Seminars and WebCasts
  ASP.NET: Hubs; Roadmaps and Overviews; Knowledge Base; Articles; How Tos; Seminars and WebCasts
  Enterprise Services: Knowledge Base; Roadmaps and Overviews; How Tos; FAQs; Seminars and WebCasts
  IIS (Internet Information Server): Hubs
  Remoting: Roadmaps and Overviews; How Tos; Seminars and WebCasts
  SQL Server: Hubs; Seminars and WebCasts
  Visual Studio .NET: Hubs; Roadmaps and Overviews
  Web Services: Hubs; Roadmaps and Overviews; How Tos; Seminars and WebCasts
  Windows 2000: Hubs

How Does It Work?
  IIS and ASP.NET Processing: Application Isolation; The ASP.NET ISAPI Extension; IIS 6.0 and Windows .NET Server
  ASP.NET Pipeline Processing: The Anatomy of a Web Request; Event Handling; Implementing a Custom HTTP Module; Implementing a Custom HTTP Handler

ASP.NET Identity Matrix

Cryptography and Certificates
  Keys and Certificates: X.509 Digital Certificates; Certificate Stores; More Information
  Cryptography: Technical Choices; Cryptography in .NET
  Summary

.NET Web Application Security

GLOSSARY

INDEX