ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.



Objectives

ASP.NET 2.0, Third Edition

Building Information Management Security Policies
Security needs to be at the forefront when designing a web application
– The internet is widely accessible, and there will always be people attempting to get at secured information
– Challenges to security include the constant changes in operating systems and software
Privacy and security are tied together
– Breaches in web security are linked to consumer distrust
– It’s important to have a company-wide policy about the privacy of customers’ information

Security Policies
Hackers use multiple methods to get private data, including cross-site scripting
Companies should publish their privacy and security policies on their web site, with a third party providing security checks
Consider the Windows security model
– Web application and web server security protects access to web resources, and Windows security protects access to file system resources
Web applications that integrate other applications, such as a database, will have additional layers of security

Privacy Policies
A privacy policy is often used to inform the user about the type of information being collected and about what is being done with that information
– The privacy policy is shown on the web page, or as a pop-up, before the user accesses the site
Platform for Privacy Preferences (P3P) standards provide a way for browsers to obtain the privacy policy for any particular web site

Passing Valid Data from a Web Form
Form fields pass data that is received as a string
When data is received in the intended format, it is called valid data
Valid data, or the lack of it, matters because this data is often inserted into databases, used by other applications, or misused by hackers to gain access to your web server
Validation controls are used to validate the format of the data
Regular expressions are used to validate custom data formats

Understanding Validation Controls

Building Regular Expressions

Validating Form Data with Validation Controls
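As an added example (not code from the textbook slides), the code-behind for a page that guards a field with a RequiredFieldValidator and a RegularExpressionValidator; it shows the server-side Page.IsValid check that must precede any use of the data. The control names and the ZIP-code rule are assumptions.

```csharp
// Added example, not code from the textbook. Assumed markup on the .aspx page
// (control names and the ZIP-code rule are hypothetical):
//   <asp:TextBox ID="txtZip" runat="server" />
//   <asp:RequiredFieldValidator ControlToValidate="txtZip" runat="server"
//        ErrorMessage="ZIP code is required" />
//   <asp:RegularExpressionValidator ControlToValidate="txtZip" runat="server"
//        ValidationExpression="^\d{5}(-\d{4})?$" ErrorMessage="ZIP code format is invalid" />
//   <asp:Label ID="lblStatus" runat="server" />
//   <asp:Button ID="btnSubmit" Text="Submit" OnClick="btnSubmit_Click" runat="server" />
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

public partial class ZipForm : Page
{
    // The same pattern the validator uses, anchored with ^ and $ so that a value such as
    // "12345<script>" cannot pass on a partial match when the rule is reused in code.
    private static readonly Regex ZipPattern = new Regex(@"^\d{5}(-\d{4})?$");

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // Client-side validation only runs in browsers with script enabled and is bypassed by
        // a hand-built POST. ASP.NET re-runs every validator on the server and exposes the
        // combined result as Page.IsValid; the handler must check it before touching the data.
        if (!Page.IsValid)
        {
            return; // the validators display their ErrorMessage text; the data is not used
        }

        string zip = txtZip.Text.Trim();

        // RegularExpressionValidator does not reject an empty field (that is the
        // RequiredFieldValidator's job), so both conditions are checked again here as
        // defence in depth in case the markup is changed later.
        if (zip.Length == 0 || !ZipPattern.IsMatch(zip))
        {
            lblStatus.Text = "ZIP code format is invalid.";
            return;
        }

        // zip now has exactly the expected shape and can be passed on, for example as a
        // parameter of a parameterized database query.
        lblStatus.Text = "ZIP code accepted: " + HttpUtility.HtmlEncode(zip);
    }
}
```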

5/19/08 Start

Maintaining State
Web developers need to be able to identify the user on each subsequent page visited
Keeping track of information about users as they visit a site is called maintaining state
There are three methods to maintain state
– Client-side cookies
– HTTP cookies
– Without HTTP cookies

Maintaining State with Client-Side Cookies

Other Ways
Hidden fields
URL encoding

Storing Session Data
Companies use web servers networked together to create a web farm
– In a web farm, load-balancing servers redistribute clients based on the workload of the servers
Some companies spread their web sites across multiple central processing units (CPUs) within a single physical server, called a web garden
Some user information is retrieved from the HTTP headers using the ServerVariables collection, and some from the properties of the Session object

Storing and Retrieving Session Data

Storing Session Data

Application Configuration
A web application is a group of files and folders (including virtual folders) located under the web application’s root directory
You can maintain information across the entire web application with the Application object, which stores the application variables in the server’s memory
The web server can be configured by using the property pages within the Microsoft Management Console (MMC) application, in the ASP.Net web configuration files, or in the Web Site Administration Tool (WSAT)

Viewing and Understanding the Web Server Property Sheets

Understanding Application Configuration Files

Membership Services
Two main principles of security are authentication and authorization
– Authentication is the process of validating the identity of the request
– Authorization is the process of ensuring that you can only access the resources made available to you by the system administrators
The Windows NTFS file system allows you to set permissions on individual files and folders using an access control list (ACL)

Implementing Authorization

Authenticating Users with Forms Authentication
Forms authentication is a cookie-based authentication method
Every HTTP request sent over the web carries headers (including the host header) with information about the sender and the request
ASP.NET determines whether a FormsAuthentication cookie is present in the request headers
– If the cookie is not present, the user is redirected to the login page

Implementing Authentication
The authentication method is configured in the authentication element in the web configuration file. The mode attribute is assigned one of the authentication methods:
– None (no authentication required)
– Anonymous authentication
– Basic authentication
– Windows authentication

Using Web Controls to Maintain Security
There are several built-in Web controls that can be used to maintain security within your web application, including:
– Login control
– Password Recovery control
– Login Status control
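An added example (not code from the slides) of the login step behind a forms-authentication configuration: it assumes the web.config sketched in the opening comment, a configured membership provider, and the hypothetical control names used below.

```csharp
// Added example, not code from the textbook. Assumed web.config (hypothetical, abbreviated):
//   <authentication mode="Forms">
//     <forms loginUrl="Login.aspx" protection="All" timeout="20" requireSSL="true" />
//   </authentication>
//   <authorization>
//     <deny users="?" />      <!-- "?" means anonymous: every unauthenticated request -->
//   </authorization>
// With this in place, a request that carries no valid forms-authentication cookie is
// redirected to Login.aspx, whose code-behind is shown here.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Hypothetical controls on Login.aspx: txtUser, txtPassword, chkRemember, lblError,
    // btnLogin, plus RequiredFieldValidators on the two text boxes.
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (!Page.IsValid)
        {
            return; // server-side validation failed; do not attempt a login
        }

        string user = txtUser.Text.Trim();

        // The password is verified by the configured membership provider (for example
        // SqlMembershipProvider, which stores salted hashes); the page never compares
        // passwords itself. The form POST carries the password in clear text, which is
        // why the configuration above requires SSL.
        if (!Membership.ValidateUser(user, txtPassword.Text))
        {
            // One message for both "unknown user" and "wrong password", so the response
            // does not reveal which accounts exist.
            lblError.Text = "Invalid user name or password.";
            return;
        }

        // Issues the forms-authentication ticket as a cookie (encrypted and signed because
        // protection="All") and sends the browser back to the page it originally asked for.
        // A persistent cookie is only created when the user explicitly asked to be remembered.
        FormsAuthentication.RedirectFromLoginPage(user, chkRemember.Checked);
    }
}
```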

Summary
Validation controls are a form of ASP.NET controls that allow you to assign validation rules to other controls. You can build custom validation rules to validate your form fields, or use one of the standard validation controls with a custom regular expression.
A cookie can be used to maintain information across multiple sessions for a specific user. A cookie is a text file that is stored on the client’s computer. Your web sites should educate and inform users about the use of cookies, and about how the cookie affects their computer system.
A cookie is passed in the HTTP header with the other HTTP server variables.
The SessionID property is assigned by the server, and provides a way to identify the client during the user session. Sessions require the user’s browser to support HTTP cookies.

Summary (continued)
You can store session data within the web server process, the State Server, or a SQL Server database. State Server is a Windows service that must be turned on before session data can be stored in the State Server. If the web server crashes, any session data within the State Server or SQL Server persists.
A web application is a group of files and folders. The IIS web server software configures the web application using the MMC with the WSAT, or you can configure it via the web application configuration files. The web.config file configures the web application. The machine.config file maintains information that is used across .NET applications.
Authentication is the process of validating the identity of the request. Authorization is the process of validating the user’s access privileges to the resources. You can configure forms authentication in the web.config file.

Summary (continued)
Authorization within an ASP.NET application is conducted via the web.config file, the WSAT, or the Windows NTFS permissions.
You can configure web applications to support various types of authentication. Anonymous authentication means that the user does not have to log in with a special account; the Internet Guest Account represents the client. Basic authentication sends the login data as clear text. Windows authentication allows the user to log in without sending his or her login over the Internet. Forms authentication is a new technique in ASP.NET to protect the web application.