Improving Web Application Security: Threats and - CGISecurity

Chapter 17: Securing Your Application Server 487NTLM / Kerberos(Authentication)Web Server(Client)HTTPChannelIISASP.NETHostIPSecor SSL(SecureCommunication)IIS and ASP.NETGatekeepers(Authorization)Figure 17.6Remoting with the HTTP channel and an ASP.NET hostIn this scenario, you can use Windows integrated authentication to authenticate theASP.NET Web application process identity. You can also use SSL for securecommunication and the gatekeepers provided by IIS and ASP.NET for authorization.Enterprise Services (COM+) Security ConsiderationsCOM+ provides the underlying infrastructure for Enterprise Services; therefore,secure COM+ if you use it on the middle-tier application server. Two main steps areinvolved in securing an application server that uses Enterprise Services:● Secure the Component Services Infrastructure.You must secure the underlying operating system and Enterprise Servicesinfrastructure. This includes base security measures, such as applying patches andupdates, and disabling unused services, blocking unused ports, and so on.● Configure Enterprise Services application security.You must secure the Enterprise Services application that is deployed on the server,taking into account application-specific security needs.The developer can specify many of the application and component-level securityconfiguration settings using metadata embedded in the deployed assemblies. Thesegovern the initial catalog security settings that are applied to the application when itis registered with Enterprise Services. Then, the administrator can view and amendthese if necessary by using the Component Services tool.Secure the Component Services InfrastructureEnterprise Services is not an optional component, and it is installed as an integralpart of Windows 2000. From a security perspective, knowing what operating systemcomponents are installed to support Enterprise Services helps you take appropriatesecurity measures.