Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Web services and security ---discuss different ways to enforce security Presenter: Han, Xue.

Published byLoren Hensley Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Web services and security ---discuss different ways to enforce security Presenter: Han, Xue."— Presentation transcript:

1 1 Web services and security ---discuss different ways to enforce security Presenter: Han, Xue

2 2 INTRODUCTION Security Concepts ASP.NET Security Different security schemes offered by both ASP.NET and IIS Demo

3 3 Security Concepts Impersonation Authentication Authorization

4 4 Cont.. Impersonation Impersonation is a process in which a user accesses the resources by using the identity of another user Example: An example of impersonation is the use of the IUSR_machinename account that is created by IIS. When a Web site has anonymous access enabled, then IIS runs all the users' requests using the identity of the IUSR_machinename account Show IUSR_machinename

5 5 Cont.. Authentication Authentication is a process in which the security infrastructure makes sure that the users are who they say they are How it works: The security infrastructure collects the user's credentials, usually in the form of user ID and password, checks those credentials against any credentials' store. If the credentials provided by the user are valid, then the user is considered an authenticated user.

6 6 Cont.. Authorization Authorization is a process in which the security infrastructure checks whether the authenticated user has sufficient rights to access the requested resource Example: If Bob wants to access a resource, it will first check if Bob has sufficient right to access, then, if Bob wants to write to a file, if he has the write right on this file, the operation succeeds otherwise the operation fails.

7 7 ASP.NET Security ASP.NET works with IIS and the Windows operating system in order to implement the security services ASP.NET applications use configuration files for security and other Web application settings Snapshot Show Application Configuration Required File mapped to aspnet_isapi.dll forwards to aspnet_wp.exe

8 8 ASP.NET Security (Cont..) ASP.NET Impersonation Three ways by using the tag in the Web.config file This means impersonation for the ASP.NET worker thread is enabled. This means impersonation for the ASP.NET worker thread is not enabled

9 9 ASP.NET Security (Cont..) ASP.NET Authentication The authentication option for the ASP.NET application is specified by using the tag in the Web.config file <authentication mode= "Windows | Forms | Passport | None">

10 10 Ways to secure a Web Service Windows Authentication Forms authentication Passport authentication None

11 11 Windows Authentication Integrated Windows authentication Basic and basic with SSL authentication Digest authentication Client Certificate authentication

12 12 Integrated Windows authentication Integrated Windows authentication is a secure way of passing a user‘s credentials on wire. It can use either NT LAN Manager (NTLM) or Kerberos authentication. Contrast Table This is the best scheme that can be used for intranet environments using Windows, but this scheme cannot be used for Internet because it works only with Windows clients. Snapshot

13 13 Basic and basic with SSL authentication In basic authentication, the user is prompted for a username and password. This information is then transmitted to the server, but first it is encoded using base64 encoding. Most of the browsers, proxy servers, and Web servers support this method, but it is not secure. Anyone who knows how to decode a base64 string can decode users' credentials Snapshot for Basic Authentication Snapshot Snapshot for SSL Snapshot

14 14 Forms authentication In the “Web.config” file

15 15 None If we don't want ASP.NET to perform any authentication, we can set the authentication mode to "none". We don't want to authenticate our users, and our Web site is open for all to use We want to provide our own custom authentication. Login.aspx DEMO

16 16 ASP.NET Authorization Windows NTFS File Authorization  Access Control List (ACL): Anything that is stored in the NTFS file system has an ACL associated with it  Snapshot Snapshot ASP.NET URL Authorization

17 17 Conclusion Out of the authentication methods described previously, except for Forms and Passport authentications, all other methods require Windows accounts for implementing security. Combined with IIS, ASP.NET offers a more robust and flexible security model that can be leveraged, configured, and programmed according to our needs

18 18 References http://www.15seconds.com/issue/020312.htm http://www.dougknox.com/xp/tips/xp_security_ta b.htm http://www.dougknox.com/xp/tips/xp_security_ta b.htm http://forums.microsoft.com/MSDN/ShowPost.as px?PostID=22990&SiteID=1 http://forums.microsoft.com/MSDN/ShowPost.as px?PostID=22990&SiteID=1

Download ppt "1 Web services and security ---discuss different ways to enforce security Presenter: Han, Xue."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
ASP.Net Security Chapter 10 Jeff Prosise’s Book. Authentication To ascertain the caller’s identity –Windows authentication –Forms authentication –Passport.

ASP.Net Security Chapter 10 Jeff Prosise’s Book. Authentication To ascertain the caller’s identity –Windows authentication –Forms authentication –Passport.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
PKI 2: Protezione del traffico Web tramite SSL Fabrizio Grossi.

PKI 2: Protezione del traffico Web tramite SSL Fabrizio Grossi.
Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.

Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.
Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.

Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
ASP.NET Security 9/9/2002 LA.NET Users Group Presented by David Henson

ASP.NET Security 9/9/2002 LA.NET Users Group Presented by David Henson
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Chapter 13 – Site Security. Internet Information Server ASP.NET Applications.NET Framework Windows NT/2000 Operating System Forms Passport Windows Certificates.

Chapter 13 – Site Security. Internet Information Server ASP.NET Applications.NET Framework Windows NT/2000 Operating System Forms Passport Windows Certificates.
Internet Information Server (IIS)

Internet Information Server (IIS)
Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.

Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.

Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.
Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.

Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.
Delivering Excellence in Software Engineering ® 2006. EPAM Systems. All rights reserved. ASP.NET Authentication.

Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.
1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.

1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Similar presentations

Ads by Google