Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security E-Learning Chapter 08. Security Control access to your web site –3 Techinques for Identifying users Giving users access to your site Securing.

Published byCharleen Day Modified over 8 years ago

Similar presentations

Presentation on theme: "Security E-Learning Chapter 08. Security Control access to your web site –3 Techinques for Identifying users Giving users access to your site Securing."— Presentation transcript:

1 Security E-Learning Chapter 08

2 Security Control access to your web site –3 Techinques for Identifying users Giving users access to your site Securing data transmitted across the internet –Others can’t read it

3 Authenticating and Authorizing Users Lesson 1

4 Authentication and Authorization Authentication –The process of identifying users –“Who are you?” Authorization –The process of granting access based on identity –“I’ve checked your credentials out and you’re OK … Come on in!” Choose an Authorization strategy based on the type of application you’re creating

5 Anonymous Users Public web sites –Anyone can see information –Users are not authenticated Impersonation –Technique for allowing anonymous access to web site –Assigns a user account to an unknown user IUSER_ –Anonymous user account

6 Anonymous Access Account – See or Change priviledges Log in as administrator on server Start | Control Panel | Administrative Tools | Computer Management | Local Users and Groups | Users | rt-click on IUSER_ | Properties

7 IUSER_ Properties

8 Member of Guest group –Limited priviledges My ‘Member of’ –Debugger Users Group ASP.NET –Uses ASPNET account –Anything outside priviledges produces security exception – access denied –Exception appears in the Security Event Log of the Event Viewer

9 Restricting Anonymous Users Set Windows File Permissions Must have NTFS File System, FAT won’t work See Windows Security Help topics

10 Access by Authenticated Users Authenticated Users –Allows users to Access private information Perform restricted tasks (placing orders, etc.) 3 Ways to Authenticate –Windows Authentication Identify and authorize users based on server’s user list –Forms Authentication Directs users to a form that collects name and password Authenticates against user list or database –Passport Authentication Authenticated by Passport site hosted by Microsoft

11 System.Web.Security Namespace Windows, Forms, Passport Security classes provided in.NET by System.Web.Security namespace Visual Basic.NET Imports System.Web.Security Visual C# using System.Web.Security

12 Applying authentication methods to web application components Web App Component Web Forms (.aspx) Modules (.asax) Other resources that pass through web app executable Authentication Modes Windows Forms Passport Can use Web App Component (htm or html pages) Handled by IIS, not ASP.NET Can’t use directly x ASP.NET executable Must be mapped see Lesson 1

13 .NET Web Security Overview ASP.NET architecture

14 IIS and ASP.NET Interaction IIS Request comes in (for Web Form) If IIS authentication, Authorization performed Auth. Info added to request Info passed to ASP.NET runtime ASP.NET Windows Auth. Performed Request processed Forms ASP.NET checks forms auth. Cookie No cookie  login page If successful login, Auth. Cookie set User redirected to requested resource Passport ASP.NET checks for Passport Cookie No cookie  site’s Passport Login Page Successful login, cookie set User redirected to resource

15 Set/Change Authentication Method Used by IIS Open Internet Services Manager Select site, virtual directory or file you want to authenticate Right-click, select Properties Select Directory (or File) Security Tab In Anonymous Access and Authentication Control section, click Edit button In Authentication Methods dialog box, uncheck Anonymous Access check box. Check desired authentication

16 Set Authentication Method in IIS

17 Windows Authentication Lesson 2

18 Types of Windows Authentication Basic –User must supply user name and password –Supported by Netscape Navigator and IE –User credentials sent unencrypted –Should only be used with a secure channel (SSL) –SSL should be used on all pages, since credentials are passed on all subsequent requests Digest –Browser transmits a hash of the user’s credentials –Requires IE 5.0 or later –Password encryption can be reversed Integrated Windows Authentication –Kerebos or NTLM –Uses encrypted exchange between IE Browser and Server –Used in Intranet scenarios –Used by Web Server Only if anonymous access is disabled or Anonymous access has been denied through Windows File System Permissions

19 More Windows Authentication Methods Certificates –Client certificate is passed to the web server –IIS maps certificate to user account Anonymous authentication –When you don’t need to authenticate users or –When you use a custom authorization scheme –Web server creates an access token Represents all anonymous users with (guest) account IUSR_MACHINENAME

20 Integrated Windows Authentication Uses integrated Windows NT and XP authentication to authenticate web users Advantage –Uses same security scheme as your corporate network –Names, passwords, and permissions are the same –Users on corporate intranet don’t have to login to website - automatic Disadvantage –Only for Internet Explorer –Users on corporate network using a proxy connection can’t use –Every user must have a password on Web Server or Domain controller trusted by the Web server.

21 Configuring Windows Authentication - Web.config file <!-- AUTHENTICATION This section sets the authentication policies of the application. Possible modes are "Windows", "Forms", "Passport" and "None" "None" No authentication is performed. "Windows" IIS performs authentication (Basic, Digest, or Integrated Windows) according to its settings for the application. Anonymous access must be disabled in IIS. "Forms" You provide a custom form (Web page) for users to enter their credentials, and then you authenticate them in your application. A user credential token is stored in a cookie. "Passport" Authentication is performed via a centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites. -->

22 Allowing or Denying Access to Certain Users Authorize/Deny list set in Web.config file “*” – All “?” – Unauthenticated Users Comma-separated names – format: domain\username

23 Role-based Authorization Allows users based on role in organization Windows – Computer Management –Administrators –Users –Guests See roles/groups in Start | Control Panel | Administrative Tools | Computer Management | Local Users and Groups

24 Role-Based Authorization – web.config

25 User Object, Identity Property User.Identity available after authentication and authorization Returns name and role information Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load 'Put user code to initialize the page here spnAuthenticated.InnerText = User.Identity.IsAuthenticated spnUserName.InnerText = User.Identity.Name SPNAUTHENTICATIONTYPE.InnerText = User.Identity.AuthenticationType End Sub If User.IsInRole("Administrators") Then ' Do something End If

26 IIS and Web.config Overlap Security settings may overlap Most restrictive applies Setting security in IIS IIS > Rt-Click on Web Site > Properties > Directory Security Tab > Anonymous Access and Authentication Control Section > Edit Best practice: allow IIS to control password on anonymous account Basic and Digest Authentication – less restrictive

27 Impersonation After Authentication and Authorization –Web app runs under ASPNET user account (by default) – demo –Limited user account Impersonation – allows user to run in context of his/her own account Use web.config to set identity element to enable impersonation -- or --

28 Folder-level Impersonation Impersonates a specific user account Can be used with Forms and Passport Authentication $ <identity impersonate="true" username="Administrator" password="O#thip32x" />

29 Forms Authentication Lesson 3

30

31 Reference for ASP.NET Security http://msdn2.microsoft.com/en-us/library/330a99hc.aspx

32 Providing Secure Communication Chapter 8 Lesson 5

33 I’d like to send some sensitive data across the web! But I don’t want just anyone to be able to read it! IIS provides: Standard means for encrypting and decrypting Both Web requests and responses Requires: Server Certificate (Encryption Key) Issued by: Independent 3 rd Party (Certificate Authority)

34 Secure Sockets Layer Standard means for ensuring data can’t be read by others. Overview:

35 Using SSL Request authorization from recognized certificate authority Server Certificate Install certificate in IIS (identifies your server) Server certificates are licensed (for a fee), but you can get one for testing purposes Certificate Authority acts as clearinghouse Identifies your server’s identity over the Internet

36 Using Secure Communications Browser Web Server Requests Server Certificate Returns Server Certificate Certificate Authority (CA) Check against list of trusted sites Web address registered with certificate? Anything wrong with certificate? Response from CA CA provides encryption Assures users your web site is authentic

37 Warnings from Browser

38 IIS on Web Server I need a certificate I can help! 1. Use IIS to generate a certificate request. Certificate Request Certificate Authority (CA) 2. Request Certificate from CA IIS on Web Server 3. Install certificate on Server 4. Install certificate on Browser (test certificate) 5. Use Secure Hypertext Transfer Protocol (HTTPS) in your web pages Certificat e Installed!

39

40

Download ppt "Security E-Learning Chapter 08. Security Control access to your web site –3 Techinques for Identifying users Giving users access to your site Securing."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 13: Administering Web Resources.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 13: Administering Web Resources.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 13: Administering Web Resources.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 13: Administering Web Resources.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.

Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.
Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.

Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
Chapter 13 Chapter 13: Managing Internet and Network Interoperability.

Chapter 13 Chapter 13: Managing Internet and Network Interoperability.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.

Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.
Managing Identity and Permissions

Managing Identity and Permissions
Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.

Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.
Virtual Private Network (VPN) © N. Ganesan, Ph.D..

Virtual Private Network (VPN) © N. Ganesan, Ph.D..
VPN Scenarios © N. Ganesan, Ph.D.. Chapter Objectives.

VPN Scenarios © N. Ganesan, Ph.D.. Chapter Objectives.
Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.

Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.

Similar presentations

Ads by Google