Building Secure ASP.NET Applications - People Search Directory

More documents

Recommendations

Info

viii Contents Passport Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Custom Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 Process Identity for ASP.NET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 Use a Least Privileged Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 Avoid Running as SYSTEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 Using the Default ASPNET Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 Impersonation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Impersonation and Local Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Impersonation and Remote Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Impersonation and Threading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Accessing System Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Accessing the Event Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Accessing the Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Accessing COM Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Apartment Model Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 Accessing Network Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Using the ASP.NET Process Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Using a Serviced Component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 Using the Anonymous Internet User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Using LogonUser and Impersonating a Specific Windows Identity . . . . . . . . . . . . . 182 Using the Original Caller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 Accessing Files on a UNC File Share . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Accessing Non-Windows Network Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Secure Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Storing Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Options for Storing Secrets in ASP.NET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Consider Storing Secrets in Files on Separate Logical Volumes . . . . . . . . . . . . . . . 186 Securing Session and View State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Securing View State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Securing Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Securing SQL Session State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Web Farm Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Session State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 DPAPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Using Forms Authentication in a Web Farm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 The Element . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 Chapter 9 Enterprise Services Security 195 Security Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Gatekeepers and Gates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 Use Server Applications for Increased Security . . . . . . . . . . . . . . . . . . . . . . . . . . 198 Security for Server and Library Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Code Access Security Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Contents ix Configuring Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Configuring a Server Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Configuring an ASP.NET Client Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Configuring Impersonation Levels for an Enterprise Services Application . . . . . . . . 208 Programming Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 Programmatic Role-Based Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 Identifying Callers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 Choosing a Process Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 Never Run as the Interactive User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 Use a Least-Privileged Custom Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 Accessing Network Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 Using the Original Caller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 Using the Current Process Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 Using a Specific Service Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 Flowing the Original Caller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 Calling CoImpersonateClient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 RPC Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215 More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215 Building Serviced Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215 DLL Locking Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215 Versioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 QueryInterface Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 DCOM and Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Calling Serviced Components from ASP.NET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 Caller’s Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 Use Windows Authentication and Impersonation Within the Web-based Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 Configure Authentication and Impersonation within Machine.config . . . . . . . . . . . . 218 Configuring Interface Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 Security Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 Enterprise Services (COM+) Roles and .NET Roles . . . . . . . . . . . . . . . . . . . . . . . . 222 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 Impersonation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226 Chapter 10 Web Services Security 227 Web Service Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 Platform/Transport Level (Point-to-Point) Security . . . . . . . . . . . . . . . . . . . . . . . . . 228 Application Level Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Message Level (End-to-End) Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Platform/Transport Security Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 Gatekeepers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Page 1 and 2: Building Secure ASP.NET Application
Page 3 and 4: Contents About This Book Summary .
Page 5 and 6: Contents v Role-Based Authorization
Page 7: Contents vii Chapter 7 Internet Sec
Page 11 and 12: Contents xi Accessing System Resour
Page 13 and 14: Contents xiii Troubleshooting Tools
Page 15 and 16: Contents xv How To: Create a DPAPI
Page 17 and 18: Contents xvii 6. Export the Client
Page 19 and 20: Contents xix Reference Hub 517 Sear
Page 21 and 22: About This Book Summary This guide
Page 23 and 24: About This Book xxiii Who Should Re
Page 25: About This Book xxv ● ● ● Spe
Page 28 and 29: xxviii Building Secure ASP.NET Appl
Page 30 and 31: xxx Building Secure ASP.NET Applica
Page 32 and 33: xxxii Building Secure ASP.NET Appli
Page 34 and 35: xxxiv Building Secure ASP.NET Appli
Page 36 and 37: xxxvi Building Secure ASP.NET Appli
Page 38 and 39: xxxviiiBuilding Secure ASP.NET Appl
Page 40 and 41: xl Building Secure ASP.NET Applicat
Page 42 and 43: 2 Building Secure ASP.NET Applicati
Page 49 and 50: 2 Security Model for ASP.NET Applic
Page 51 and 52: Chapter 2: Security Model for ASP.N
Page 59 and 60:
Chapter 2: Security Model for ASP.N
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67:
Page 70 and 71:
30 Building Secure ASP.NET Applicat
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Page 114 and 115:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138 and 139:
Page 140 and 141:
100 Building Secure ASP.NET Applica
Page 143 and 144:
6 Extranet Security Extranet applic
Page 145 and 146:
Chapter 6: Extranet Security 105 Se
Page 147 and 148:
Chapter 6: Extranet Security 107
Page 149 and 150:
Chapter 6: Extranet Security 109 Co
Page 151 and 152:
Chapter 6: Extranet Security 111 Re
Page 153 and 154:
Chapter 6: Extranet Security 113 Th
Page 155 and 156:
Chapter 6: Extranet Security 115 Co
Page 157:
Chapter 6: Extranet Security 117 Pi
Page 160 and 161:
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
Page 212 and 213:
Page 214 and 215:
Page 216 and 217:
Page 218 and 219:
Page 220 and 221:
Page 222 and 223:
Page 224 and 225:
Page 226 and 227:
Page 228 and 229:
Page 230 and 231:
Page 232 and 233:
Page 235 and 236:
9 Enterprise Services Security Trad
Page 237 and 238:
Chapter 9: Enterprise Services Secu
Page 239 and 240:
Page 241 and 242:
Page 243 and 244:
Page 245 and 246:
Page 247 and 248:
Page 249 and 250:
Page 251 and 252:
Page 253 and 254:
Page 255 and 256:
Page 257 and 258:
Page 259 and 260:
Page 261 and 262:
Page 263 and 264:
Page 265 and 266:
Page 267 and 268:
10 Web Services Security This chapt
Page 269 and 270:
Chapter 10: Web Services Security 2
Page 271 and 272:
Page 273 and 274:
Page 275 and 276:
Page 277 and 278:
Page 279 and 280:
Page 281 and 282:
Page 283 and 284:
Page 285 and 286:
Page 287 and 288:
Page 289 and 290:
Page 291 and 292:
Page 293 and 294:
Page 295 and 296:
Page 297 and 298:
Page 299:
Page 302 and 303:
Page 304 and 305:
Page 306 and 307:
Page 308 and 309:
Page 310 and 311:
Page 312 and 313:
Page 314 and 315:
Page 316 and 317:
Page 318 and 319:
Page 320 and 321:
Page 322 and 323:
Page 324 and 325:
Page 326 and 327:
Page 328 and 329:
Page 330 and 331:
Page 333 and 334:
12 Data Access Security When you bu
Page 335 and 336:
Chapter 12: Data Access Security 29
Page 337 and 338:
Page 339 and 340:
Page 341 and 342:
Page 343 and 344:
Page 345 and 346:
Page 347 and 348:
Page 349 and 350:
Page 351 and 352:
Page 353 and 354:
Page 355 and 356:
Page 357 and 358:
Page 359 and 360:
Page 361 and 362:
Page 363 and 364:
Page 365 and 366:
Page 367 and 368:
Page 369 and 370:
Page 371 and 372:
13 Troubleshooting Security Issues
Page 373 and 374:
Chapter 13: Troubleshooting Securit
Page 375 and 376:
Page 377 and 378:
Page 379 and 380:
Page 381 and 382:
Page 383 and 384:
Page 385 and 386:
Page 387 and 388:
Page 389 and 390:
How To: Index ASP.NET Building Secu
Page 391 and 392:
How To: Create a Custom Account to
Page 393 and 394:
Page 395 and 396:
Page 397 and 398:
How To: Use Forms Authentication wi
Page 399 and 400:
Page 401 and 402:
Page 403 and 404:
Page 405 and 406:
Page 407 and 408:
Page 409 and 410:
Page 411 and 412:
Page 413 and 414:
Page 415 and 416:
Page 417 and 418:
How To: Create GenericPrincipal Obj
Page 419 and 420:
Page 421 and 422:
Page 423 and 424:
Page 425 and 426:
How To: Implement Kerberos Delegati
Page 427:
How To: Implement Kerberos Delegati
Page 430 and 431:
Page 432 and 433:
Page 434 and 435:
Page 436 and 437:
Page 438 and 439:
Page 440 and 441:
Page 442 and 443:
Page 444 and 445:
Page 446 and 447:
Page 449 and 450:
How To: Use DPAPI (Machine Store) f
Page 451 and 452:
Page 453 and 454:
Page 455 and 456:
How To: Use DPAPI (User Store) from
Page 457 and 458:
Page 459 and 460:
Page 461 and 462:
Page 463 and 464:
Page 465 and 466:
Page 467 and 468:
Page 469 and 470:
How To: Create an Encryption Librar
Page 471 and 472:
Page 473 and 474:
Page 475 and 476:
Page 477 and 478:
Page 479 and 480:
How To: Store an Encrypted Connecti
Page 481 and 482:
Page 483 and 484:
Page 485 and 486:
How To: Use Role-based Security wit
Page 487 and 488:
Page 489 and 490:
Page 491:
Page 494 and 495:
Page 496 and 497:
Page 498 and 499:
Page 500 and 501:
Page 502 and 503:
Page 504 and 505:
Page 506 and 507:
Page 508 and 509:
Page 510 and 511:
Page 512 and 513:
Page 514 and 515:
Page 516 and 517:
Page 518 and 519:
Page 520 and 521:
Page 522 and 523:
Page 525 and 526:
How To: Set Up Client Certificates
Page 527 and 528:
How To: Set Up Client Certificates
Page 529 and 530:
How To: Use IPSec to Provide Secure
Page 531 and 532:
Page 533 and 534:
Page 535 and 536:
Page 537 and 538:
Page 539 and 540:
How To: Use SSL to Secure Communica
Page 541 and 542:
Page 543 and 544:
Page 545 and 546:
Page 547:
Page 551 and 552:
Configuration Stores and Tools The
Page 553 and 554:
Configuration Stores and Tools 513
Page 555 and 556:
Configuration Stores and Tools 515
Page 557 and 558:
Reference Hub This section provides
Page 559 and 560:
Reference Hub 519 Key Notes ● ●
Page 561 and 562:
Reference Hub 521 ● ● HOW TO: A
Page 563 and 564:
Reference Hub 523 How Tos ● ● R
Page 565:
Reference Hub 525 ● ● Best Prac
Page 568 and 569:
Page 570 and 571:
Page 572 and 573:
Page 574 and 575:
Page 577 and 578:
ASP.NET Identity Matrix Principal o
Page 579:
ASP.NET Identity Matrix 539 Table 3
Page 582 and 583:
Page 584 and 585:
Page 586 and 587:
Page 589:
.NET Web Application Security The t
Page 592 and 593:
Page 594 and 595:
Page 596 and 597:
Page 598 and 599:
Page 600 and 601:
Page 602 and 603:
Page 604 and 605:
Page 606 and 607:
show all

Building Secure ASP.NET Applications - People Search Directory

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?