Improving Web Application Security: Threats and - CGISecurity
660 Part V: Assessing Your Security

The following questions help verify the impersonation configuration specified on the element:

● Do you impersonate the original caller?
  If the impersonate attribute is set to true and you do not specify userName or password attributes, you impersonate the IIS-authenticated identity, which may be the anonymous Internet user account.
  Make sure that ACLs are configured to allow the impersonated identity access only to those resources that it needs to gain access to.

● Do you impersonate a fixed identity?
  If you impersonate and set the userName and password attributes, you impersonate a fixed identity, and this identity is used for resource access.
  Make sure you do not specify plaintext credentials on the element. Instead, use Aspnet_setreg.exe to store encrypted credentials in the registry. On Windows 2000 this approach forces you to grant the “Act as part of the operating system” user right to the ASP.NET process account, which is not recommended. For alternative approaches, see Chapter 19, “Securing Your ASP.NET Application and Web Services.”

The next element controls ASP.NET URL authorization, and specifically the ability of Web clients to gain access to specific folders, pages, and resources.

● Have you used the correct format for user and role names?
  When the application uses Windows authentication, you are authorizing access to Windows user and group accounts. User names take the form “DomainName\WindowsUserName”. Role names take the form “DomainName\WindowsGroupName”.

  Note: The local administrators group is referred to as “BUILTIN\Administrators”. The local users group is referred to as “BUILTIN\Users”.

  When the application authenticates users itself (for example, with Forms authentication), you are authorizing against the identity that is authenticated by the application. Normally, you authorize against the roles that are retrieved from the database. Role names are application specific.
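The following web.config fragments are an added illustration of both checklists above (the impersonation settings and the user/role name formats); they are not taken from the book. Three separate files are shown in one block: a weak configuration with plaintext credentials, a hardened Windows-authentication configuration that references credentials stored by Aspnet_setreg.exe, and a Forms-authentication variant. The registry key path SOFTWARE\MY_SECURE_APP\identity, the domain CORP, and all account and role names are placeholders chosen for this example.

```xml
<!-- ===== File 1 (WEAK): fixed identity with plaintext credentials ===== -->
<!-- Anyone who can read this file (backups, source control, a path-traversal
     bug in another component) obtains the service account password.
     All names here are placeholders for the example. -->
<configuration>
  <system.web>
    <identity impersonate="true"
              userName="CORP\svc_webapp"
              password="plaintext-password-here" />
  </system.web>
</configuration>

<!-- ===== File 2 (HARDENED, Windows authentication) ===== -->
<!-- Credentials were stored encrypted with (placeholder key path):
       aspnet_setreg.exe -k:SOFTWARE\MY_SECURE_APP\identity -u:"CORP\svc_webapp" -p:"<password>"
     The web.config then only holds a reference to the registry key. Grant the
     ASP.NET process account read access to that key and nothing more. -->
<configuration>
  <system.web>
    <!-- Alternative: impersonate the original caller by omitting userName/password.
         The thread then runs as the IIS-authenticated user, which is the anonymous
         account (IUSR_<machine> on IIS 5/6) if anonymous access is enabled, so the
         resource ACLs must be scoped to that identity. -->
    <!-- <identity impersonate="true" /> -->

    <identity impersonate="true"
              userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET,userName"
              password="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET,password" />

    <authentication mode="Windows" />

    <!-- Windows user and role names: DomainName\Name or BUILTIN\Group.
         Rules are evaluated top to bottom and the first match wins, so the
         catch-all deny must come last. -->
    <authorization>
      <allow roles="CORP\WebApp_Users, BUILTIN\Administrators" />
      <allow users="CORP\auditor01" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- ===== File 3 (Forms authentication variant) ===== -->
<!-- Here the application authenticates the user and supplies role names itself
     (for example, loaded from its database). Role names are plain application
     strings, not DomainName\Group values. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="AppAuth" loginUrl="login.aspx" protection="All" timeout="20" />
    </authentication>
    <authorization>
      <deny users="?" />   <!-- "?" is the anonymous (unauthenticated) user -->
    </authorization>
  </system.web>

  <!-- Tighter rule for one folder: only the application-defined "Manager" role. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Manager" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two points worth checking when you review a real file against this: first, that no `<identity>` element anywhere in the hierarchy (machine.config included) still carries a literal password; second, that each `<authorization>` section ends in a `<deny users="*" />` or `<deny users="?" />`, since without a closing deny the default `<allow users="*" />` inherited from machine.config lets every caller through.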