ASP .NET Security, C# Web Application Security


Introduction

In all projects developed by Primary Objects, security is our first and foremost concern. We work very hard to assure our web applications contain the highest levels of security suitable for the project at hand.

As we develop applications using C# ASP .NET, there are several choices of security models, each suitable for their own purpose. Web site applications which collect little information from the user, such as search engines, require a different level of security than web applications which may collect highly sensitive or personal information (such as credit card numbers) and would require a stronger security implementation.

ASP .NET web applications provide three fundamental security operations, including Authentication, Authorization, and Impersonation. In addition, ASP .NET web applications utilize the security provided by IIS for Internet access to the web server.

Authentication is the process of validating a user’s identity in order to provide a certain level of access to the user. This involves receiving credential information from the user in the form of a username and password and comparing it against a database. This may also include authentication via Windows Active Directory or other integrated methods. Once validated, the user will retain access throughout the designated areas of the web site application until logging out.

Three forms of authentication exist for ASP .NET web applications. These include Forms-based authentication, Passport authentication, and Windows authentication. The most commonly used form is Forms-based authentication. This allows a user to enter a username and password for access to the site. Credentials are validated against a database using a secure validation routine or stored procedure. Depending on the type of web application, authentication may also be performed using a mix of Forms-based and Windows-based authentication based on Active Directory. This allows users to log into a web application without entering user credentials. Instead, their login information is read via their Windows login account. Alternatively, the user may enter a username and password which is to be validated directly against Active Directory. Depending on the type of project, we may also implement mix-mode authentication or a custom form of authentication to suit the task at hand.

Authorization is the process of designating and verifying access levels to specific users and areas of the web application. Administrative users typically have access to all levels of the software while basic users are often restricted.

Impersonation is the process of allowing the web application to execute commands under the security context of another user. Normally, an ASP .NET web application runs under the Anonymous Guest Internet User account in Windows. If the web application requires the ability to execute background administrative commands on the server, impersonation can be used to execute those commands under a different (and temporary) security context. Access to those resources will be granted or denied based on the identity of the impersonated user.

In the most common form of security, Forms-based authentication, a cookie is used to manage session state for the user. This provides the developer with the ability to specify which files on the site may be accessed by whom and which will be made public. Upon attempting to access a restricted file, the user will be automatically redirected to a login page. If the login is successful, ASP .NET issues a cookie to the user containing their credentials and redirects them to the originally requested resource. Alternatively, the web application may be configured to run cookieless, in which case a cookie is not created and login credentials are maintained within the URL parameters instead.

Configuring Forms-based authentication in an ASP .NET web application consists of the following steps:

  1. Enable anonymous access in IIS. This is done since users will be considered to be non-Windows users and authenticated by username/password. By enabling anonymous access, IIS will allow users to enter the web site, at which point ASP .NET security may play its part.

  2. Configure the authentication section in the web.config file for the application. The web.config file contains security-related information regarding which files and directories in the web site may be accessed by the public and which require login credentials. You will also specify which mode of authentication is active and how long the session cookie should be active for (in minutes).

An example authentication section (note that web.config attribute names are case-sensitive, so the attribute must be written loginUrl):

<authentication mode="Forms">
    <forms name="Login" loginUrl="Login.aspx" protection="All" timeout="20" path="/" />
</authentication>

An example authorization section, specifying to deny access to unauthenticated users (indicated by the ?):

<authorization>
   <deny users="?" />
   <allow users="*" />
</authorization>

In authorization, an asterisk means all users and a question mark means unauthenticated users. Rules are evaluated from top to bottom and the first matching rule wins, so if the web.config file specifies deny users="*" first, all entries below that line will be ignored by ASP .NET and it will be assumed that all users are denied access to the page.

The most common authorization entry is as follows:

<!-- All users must login before accessing this site -->
<authorization>
  <deny users="?" />
</authorization>
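As an added example, not part of the original article, the following Python evaluator applies the authorization rule semantics described above (top-to-bottom, first match wins, ? is anonymous, * is everyone) to two constructed web.config fragments, showing why a leading deny users="*" makes every later rule unreachable:

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments (not from the original article) used to
# exercise the rule evaluation described in the text.
COMMON_CONFIG = """<configuration><system.web>
<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization></system.web></configuration>"""

# A misordered section: deny "*" placed first swallows every later rule,
# so even members of the Admins role never reach the <allow>.
MISORDERED_CONFIG = """<configuration><system.web>
<authorization>
  <deny users="*" />
  <allow roles="Admins" />
</authorization></system.web></configuration>"""

def load_rules(config_xml):
    """Return (tag, users, roles) for each <allow>/<deny> rule in document order."""
    root = ET.fromstring(config_xml)
    section = root.find("system.web/authorization")
    rules = []
    for el in (section if section is not None else []):
        users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        rules.append((el.tag, users, roles))
    return rules

def rule_matches(users, roles, user, user_roles):
    """user is None for an anonymous request; names compare case-insensitively."""
    anonymous = user is None
    for u in users:
        if u == "*":                # every user, authenticated or not
            return True
        if u == "?" and anonymous:  # unauthenticated users only
            return True
        if not anonymous and u.lower() == user.lower():
            return True
    return any(r in user_roles for r in roles)

def is_allowed(config_xml, user=None, user_roles=()):
    """Evaluate like ASP .NET URL authorization: the first matching rule decides.
    With no matching rule, the machine-level default <allow users="*"/> applies."""
    for tag, users, roles in load_rules(config_xml):
        if rule_matches(users, roles, user, user_roles):
            return tag == "allow"
    return True
```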

The benefits of using forms-based authentication include the ability of the developer to configure access to various parts of the web site. Authentication can be changed easily via the web.config file, even after the web application has already been launched. Administration is centralized in a single location.

Another form of authentication is Passport Authentication. In this scenario, a single sign-on service, such as Microsoft Passport, is used to maintain login credentials. Typically, the web application will provide personalized content and be used in conjunction with other Passport sites. This can offer a convenient method of authentication for users, since they only need to remember one username and password to access a series of web applications.

To enable passport authentication in the web.config file, the entry listed below is required along with installing Passport SDK on the server and registering with Microsoft Passport:

<authentication mode="Passport">
   <passport redirectUrl="internal" />
</authentication>

The third type of authentication is Windows Authentication, which is mainly implemented within IIS, without the need for code changes to verify a username and password. The IIS security mechanisms Basic, Digest, NTLM, or Kerberos Authentication can be used. Anonymous Authentication cannot be used in this scenario. Upon connecting to the web application, the user is first authenticated by IIS. The security token is then passed to the ASP .NET application, where it may decide to grant or deny access.

Windows-based Authentication is typically used when users accessing the web application will be part of the Windows domain. That is, the users will be accessing the application from an Intranet, within the network (as opposed to users accessing the application from the Internet). Activity within the web application usually takes place under the same security context as the user’s Windows account. Therefore, if a user already has administrative privileges in the Windows domain, he will also have administrative privileges within the web application. When resources are requested, IIS verifies the request and passes the token to the ASP .NET application to handle.

Setting up Windows authentication in the web.config file only requires two entries, to specify the type of authentication as Windows-based and to deny anonymous users:

<authentication mode="Windows">
</authentication>

<authorization>
   <deny users="?" />
</authorization>

In summary, ASP .NET security makes it easy to control access to a web site application through the use of Forms-based, Passport, and Windows authentication. By providing your users with a secure means to access resources and selecting the right type of security, you will assure the success of your software. Contact us today to discuss implementing your web application and the various security methods available.
