Building Secure ASP.NET Applications - People Search Directory

More documents

Recommendations

Info

80 Building Secure ASP.NET Applications Characteristics ● ● ● ● ● ● ● Users have Internet Explorer 5.x or later. All computers run Windows 2000 or later. User accounts are in Active Directory within a single forest. The application flows the original caller’s security context all the way to the database. All tiers use Windows authentication. Domain user accounts are configured for delegation. The database does not support delegation. Secure the Scenario In this scenario, the Web server that hosts the ASP.NET Web application authenticates the original caller’s identity and flows their security context to the remote server that hosts the Web service. This enables authorization checks to be applied to Web methods to either allow or deny access to the original caller. The database authenticates against the Web service process identity (the database trusts the Web service). The Web service in turn makes calls to the database and passes the user’s identity at the application level using stored procedure parameters. Table 5.3: Security measures Category Detail Authentication ● The Web application authenticates users by using Integrated Windows authentication from IIS. ● The Web service uses Integrated Windows authentication from IIS. It authenticates the original caller’s security context delegated by the Web application. ● The Kerberos authentication protocol is used to flow the original caller security context from the Web application to the Web service using delegation. ● Windows authentication is used to connect to the database using the ASP.NET process account. Authorization ● The Web application performs role checks against the original caller to restrict access to pages. ● Access to the Web service methods is controlled by using .NET roles based on the original caller’s Windows group membership. Secure Communication ● Sensitive data sent between the original callers and the Web application and Web service is secured by using SSL. ● Sensitive data sent between the Web service and the database is secure by using IPSec.
Chapter 5: Intranet Security 81 The Result Figure 5.6 shows the recommended security configuration for this scenario. NTFS Permissions (Authorization) File Authorization (Authorization) NTFS Permissions (Authorization) File Authorization .NET Roles (Authorization) Alice Mary Bob SSL (Privacy/ Integrity) IIS Alice Mary Bob Web Server Integrated Windows Authentication (Kerberos) ASP.NET (Web App) Windows Authentication + Impersonation Alice Mary Bob SSL (Privacy/ Integrity) IIS Integrated Windows Authentication Application Server ASP.NET Identity ASP.NET (Web Service) Windows Authentication IPSec (Privacy/ Integrity) Windows Authentication SQL Server Database Server Figure 5.6 The recommended security configuration for the ASP.NET to Web Service to SQL Server intranet scenario Security Configuration Steps Before you begin, you’ll want to see the following: ● ● Configuring SSL on a Web server (see “How To: Set Up SSL on a Web Server” in the Reference section of this guide) Configuring IPSec (see “How To: Use IPSec to Provide Secure Communication Between Two Servers” in the Reference section of this guide)
Page 1 and 2:
Building Secure ASP.NET Application
Page 3 and 4:
Contents About This Book Summary .
Page 5 and 6:
Contents v Role-Based Authorization
Page 7 and 8:
Contents vii Chapter 7 Internet Sec
Page 9 and 10:
Contents ix Configuring Security .
Page 11 and 12:
Contents xi Accessing System Resour
Page 13 and 14:
Contents xiii Troubleshooting Tools
Page 15 and 16:
Contents xv How To: Create a DPAPI
Page 17 and 18:
Contents xvii 6. Export the Client
Page 19 and 20:
Contents xix Reference Hub 517 Sear
Page 21 and 22:
About This Book Summary This guide
Page 23 and 24:
About This Book xxiii Who Should Re
Page 25:
About This Book xxv ● ● ● Spe
Page 28 and 29:
xxviii Building Secure ASP.NET Appl
Page 30 and 31:
xxx Building Secure ASP.NET Applica
Page 32 and 33:
xxxii Building Secure ASP.NET Appli
Page 34 and 35:
xxxiv Building Secure ASP.NET Appli
Page 36 and 37:
xxxvi Building Secure ASP.NET Appli
Page 38 and 39:
xxxviiiBuilding Secure ASP.NET Appl
Page 40 and 41:
xl Building Secure ASP.NET Applicat
Page 42 and 43:
2 Building Secure ASP.NET Applicati
Page 44 and 45:
Page 46 and 47:
Page 49 and 50:
2 Security Model for ASP.NET Applic
Page 51 and 52:
Chapter 2: Security Model for ASP.N
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67:
Page 70 and 71: 30 Building Secure ASP.NET Applicat
Page 140 and 141: 100 Building Secure ASP.NET Applica
Page 143 and 144: 6 Extranet Security Extranet applic
Page 145 and 146: Chapter 6: Extranet Security 105 Se
Page 147 and 148: Chapter 6: Extranet Security 107
Page 149 and 150: Chapter 6: Extranet Security 109 Co
Page 151 and 152: Chapter 6: Extranet Security 111 Re
Page 153 and 154: Chapter 6: Extranet Security 113 Th
Page 155 and 156: Chapter 6: Extranet Security 115 Co
Page 157: Chapter 6: Extranet Security 117 Pi
Page 170 and 171:
130 Building Secure ASP.NET Applica
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
Page 212 and 213:
Page 214 and 215:
Page 216 and 217:
Page 218 and 219:
Page 220 and 221:
Page 222 and 223:
Page 224 and 225:
Page 226 and 227:
Page 228 and 229:
Page 230 and 231:
Page 232 and 233:
Page 235 and 236:
9 Enterprise Services Security Trad
Page 237 and 238:
Chapter 9: Enterprise Services Secu
Page 239 and 240:
Page 241 and 242:
Page 243 and 244:
Page 245 and 246:
Page 247 and 248:
Page 249 and 250:
Page 251 and 252:
Page 253 and 254:
Page 255 and 256:
Page 257 and 258:
Page 259 and 260:
Page 261 and 262:
Page 263 and 264:
Page 265 and 266:
Page 267 and 268:
10 Web Services Security This chapt
Page 269 and 270:
Chapter 10: Web Services Security 2
Page 271 and 272:
Page 273 and 274:
Page 275 and 276:
Page 277 and 278:
Page 279 and 280:
Page 281 and 282:
Page 283 and 284:
Page 285 and 286:
Page 287 and 288:
Page 289 and 290:
Page 291 and 292:
Page 293 and 294:
Page 295 and 296:
Page 297 and 298:
Page 299:
Page 302 and 303:
Page 304 and 305:
Page 306 and 307:
Page 308 and 309:
Page 310 and 311:
Page 312 and 313:
Page 314 and 315:
Page 316 and 317:
Page 318 and 319:
Page 320 and 321:
Page 322 and 323:
Page 324 and 325:
Page 326 and 327:
Page 328 and 329:
Page 330 and 331:
Page 333 and 334:
12 Data Access Security When you bu
Page 335 and 336:
Chapter 12: Data Access Security 29
Page 337 and 338:
Page 339 and 340:
Page 341 and 342:
Page 343 and 344:
Page 345 and 346:
Page 347 and 348:
Page 349 and 350:
Page 351 and 352:
Page 353 and 354:
Page 355 and 356:
Page 357 and 358:
Page 359 and 360:
Page 361 and 362:
Page 363 and 364:
Page 365 and 366:
Page 367 and 368:
Page 369 and 370:
Page 371 and 372:
13 Troubleshooting Security Issues
Page 373 and 374:
Chapter 13: Troubleshooting Securit
Page 375 and 376:
Page 377 and 378:
Page 379 and 380:
Page 381 and 382:
Page 383 and 384:
Page 385 and 386:
Page 387 and 388:
Page 389 and 390:
How To: Index ASP.NET Building Secu
Page 391 and 392:
How To: Create a Custom Account to
Page 393 and 394:
Page 395 and 396:
Page 397 and 398:
How To: Use Forms Authentication wi
Page 399 and 400:
Page 401 and 402:
Page 403 and 404:
Page 405 and 406:
Page 407 and 408:
Page 409 and 410:
Page 411 and 412:
Page 413 and 414:
Page 415 and 416:
Page 417 and 418:
How To: Create GenericPrincipal Obj
Page 419 and 420:
Page 421 and 422:
Page 423 and 424:
Page 425 and 426:
How To: Implement Kerberos Delegati
Page 427:
How To: Implement Kerberos Delegati
Page 430 and 431:
Page 432 and 433:
Page 434 and 435:
Page 436 and 437:
Page 438 and 439:
Page 440 and 441:
Page 442 and 443:
Page 444 and 445:
Page 446 and 447:
Page 449 and 450:
How To: Use DPAPI (Machine Store) f
Page 451 and 452:
Page 453 and 454:
Page 455 and 456:
How To: Use DPAPI (User Store) from
Page 457 and 458:
Page 459 and 460:
Page 461 and 462:
Page 463 and 464:
Page 465 and 466:
Page 467 and 468:
Page 469 and 470:
How To: Create an Encryption Librar
Page 471 and 472:
Page 473 and 474:
Page 475 and 476:
Page 477 and 478:
Page 479 and 480:
How To: Store an Encrypted Connecti
Page 481 and 482:
Page 483 and 484:
Page 485 and 486:
How To: Use Role-based Security wit
Page 487 and 488:
Page 489 and 490:
Page 491:
Page 494 and 495:
Page 496 and 497:
Page 498 and 499:
Page 500 and 501:
Page 502 and 503:
Page 504 and 505:
Page 506 and 507:
Page 508 and 509:
Page 510 and 511:
Page 512 and 513:
Page 514 and 515:
Page 516 and 517:
Page 518 and 519:
Page 520 and 521:
Page 522 and 523:
Page 525 and 526:
How To: Set Up Client Certificates
Page 527 and 528:
How To: Set Up Client Certificates
Page 529 and 530:
How To: Use IPSec to Provide Secure
Page 531 and 532:
Page 533 and 534:
Page 535 and 536:
Page 537 and 538:
Page 539 and 540:
How To: Use SSL to Secure Communica
Page 541 and 542:
Page 543 and 544:
Page 545 and 546:
Page 547:
Page 551 and 552:
Configuration Stores and Tools The
Page 553 and 554:
Configuration Stores and Tools 513
Page 555 and 556:
Configuration Stores and Tools 515
Page 557 and 558:
Reference Hub This section provides
Page 559 and 560:
Reference Hub 519 Key Notes ● ●
Page 561 and 562:
Reference Hub 521 ● ● HOW TO: A
Page 563 and 564:
Reference Hub 523 How Tos ● ● R
Page 565:
Reference Hub 525 ● ● Best Prac
Page 568 and 569:
Page 570 and 571:
Page 572 and 573:
Page 574 and 575:
Page 577 and 578:
ASP.NET Identity Matrix Principal o
Page 579:
ASP.NET Identity Matrix 539 Table 3
Page 582 and 583:
Page 584 and 585:
Page 586 and 587:
Page 589:
.NET Web Application Security The t
Page 592 and 593:
Page 594 and 595:
Page 596 and 597:
Page 598 and 599:
Page 600 and 601:
Page 602 and 603:
Page 604 and 605:
Page 606 and 607:
show all

Building Secure ASP.NET Applications - People Search Directory

Create successful ePaper yourself

Delete template?

Save as template?