Microsoft Corporation
Introduction
The security of an intranet web application is no less important than that of an Internet application. Many intranet applications hold confidential data and are meant to be used by a limited set of users. Different individuals and departments may need different levels of access to the application, and confidential data must be protected while it is transmitted. To complicate matters, the application's security architecture must compensate for any security-related issues that stem from the existing infrastructure and from the operational characteristics of the intranet on which the application is deployed.
This chapter describes recommended authentication, authorization and secure communication solutions for intranet web applications, focusing on a number of commonly used distributed application architectures.
Objectives
Use this chapter to:
• Secure intranet .NET applications.
• Understand the security issues and recommended solutions for ASP.NET web applications that communicate with SQL Server 2000:
  • directly
  • through Enterprise Services as an intermediary
  • through Web Services as an intermediary
  • through .NET Remoting as an intermediary
• Decide how to implement authentication, authorization and secure communication for intranet distributed web applications.
Applies to
This chapter applies to the following products and technologies:
• Microsoft Windows XP or Windows 2000 Server (with Service Pack 3) and later operating systems
• Microsoft Internet Information Services (IIS) 5.0 and later
• Microsoft Active Directory directory service
• .NET Framework 1.0 (with Service Pack 2) and later
• SQL Server 2000 (with Service Pack 2) and later
How to use this chapter
To get the most from this chapter:
• You must have experience developing and configuring ASP.NET, SQL Server and IIS.
• You must have experience configuring Windows security and Active Directory.
• You must have experience configuring Enterprise Services (COM+) applications.
• Read the "Introduction" to Building Secure ASP.NET Applications in this guide. It explains why authentication, authorization and secure communication matter for distributed web applications.
• Read "ASP.NET Application Security Model" in this guide. It summarizes the architecture and technologies used to build a distributed ASP.NET web application and identifies which parts of the architecture are candidates for authentication, authorization and secure communication.
• Use the following How To articles alongside this chapter; they explain the techniques discussed here:
  • "How To: Create a Custom Account to Run ASP.NET"
  • "How To: Implement Kerberos Delegation for Windows 2000"
  • "How To: Create a DPAPI Library"
  • "How To: Use DPAPI (Machine Store) from ASP.NET"
  • "How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services"
  • "How To: Use Role-based Security with Enterprise Services"
  • "How To: Set Up SSL on a Web Server"
  • "How To: Use IPSec to Provide Secure Communication Between Two Servers"
  • "How To: Use SSL to Secure Communication with SQL Server 2000"
Background
Access to an intranet application is limited to a restricted set of authorized users (for example, employees who belong to a domain). Although the intranet setting limits the exposure of the application, you may still face problems when you develop your authentication, authorization and secure communication policies. For example, the intranet may include non-trusted domains, which makes it difficult to flow the caller's security context and identity to back-end resources. In addition, your operating environment may be heterogeneous, with a mix of browser types, which makes a single, common authentication mechanism harder to use.
If all computers in the intranet run Microsoft Windows 2000 or later, and users belong to trusted domains that are configured for delegation, you can choose to flow the security context of the original caller to the back end.
You must also consider secure communication. Although your application runs in an intranet environment, the network must not be assumed to be secure. In addition to protecting the data transmitted between the application server and the database, you may need to protect the data transmitted between the browser and the web server.
This chapter uses the following common intranet scenarios to explain the main authentication, authorization and secure communication techniques:
• ASP.NET to SQL Server
• ASP.NET to Enterprise Services to SQL Server
• ASP.NET to Web Services to SQL Server
• ASP.NET to Remoting to SQL Server
In addition, this chapter describes a Windows 2000 delegation scenario ("Flowing the original caller to the database"). In that scenario, the intermediate web server and application server flow the security context and identity of the original caller from the browser to the database at the operating system level.
Note: Several of the scenarios described in this chapter either replace the default ASPNET account used to run the ASP.NET application or change its password, so that duplicate accounts can be created on remote computers. These scenarios require the
ASP.NET to SQL Server
In this scenario, a human resources database securely provides user-specific data to each user on the intranet. The application uses the trusted subsystem model and calls the database on behalf of the original caller. The application uses Integrated Windows Authentication to authenticate the caller and uses the ASP.NET process identity to call the database. Because the data is confidential, SSL is used between the web server and the client.
Figure 1 shows the basic model of this application solution.
Figure 1. ASP.NET to SQL Server
Characteristics
This scenario has the following characteristics:
• Clients have Internet Explorer installed.
• User accounts are in Active Directory.
• The application provides confidential, user-specific data.
• Only authenticated clients can access the application.
• The database trusts the application to authenticate users correctly (that is, the application calls the database on behalf of the user).
• Microsoft SQL Server uses a single database user role for authorization.
Securing this scenario
In this scenario, the web server authenticates the caller and restricts access to local resources using the caller's identity. You do not have to impersonate within the web application to restrict the original caller's access to resources. The database authenticates the default ASP.NET process identity, which is a least privileged account (that is, the database trusts the ASP.NET application).
Table 1: Security measures

Authentication
• Use Integrated Windows Authentication in IIS to provide strong authentication of the original caller on the web server.
• Use Windows authentication (without impersonation) in ASP.NET.
• Secure the database connection by configuring SQL Server for Windows authentication. The database trusts the ASP.NET worker process to make the calls; the database authenticates the ASP.NET process identity.
Authorization
• Configure resources on the web server with ACLs keyed to the original caller. To simplify administration, add users to Windows groups and use the groups in the ACLs.
• The web application performs .NET role checks against the original caller to restrict access to pages.
Secure communication
• Protect confidential data passed between the web server and the database.
• Protect confidential data passed between the original caller and the web application.
Result
Figure 2 shows the recommended security configuration of this scenario.
Figure 2. Recommended security configuration for the ASP.NET to SQL Server intranet scenario
Security configuration steps
Before you begin, review the following:
• Create a custom ASP.NET account (see "How To: Create a Custom Account to Run ASP.NET" in this guide).
• Create a least privileged database account (see "Data Access Security" in this guide).
• Configure SSL on the web server (see "How To: Set Up SSL on a Web Server" in this guide).
• Configure IPSec (see "How To: Use IPSec to Provide Secure Communication Between Two Servers" in this guide).

Configuring IIS
Step: Disable anonymous access for the web application's virtual root directory.
Step: Enable Integrated Windows Authentication.
More information: To configure IIS authentication settings, use the IIS MMC snap-in. Right-click the application's virtual directory and click Properties. Click the Directory Security tab, then click Edit in the Anonymous access and authentication control group.
Configuring ASP.NET
Step: Change the ASPNET account password to a known strong value.
More information: ASPNET is the least privileged local account used by default to run ASP.NET web applications. Set the password of the ASPNET account to a known value using Local Users and Groups. Then edit Machine.config in %windir%\Microsoft.NET\Framework\v1.0.3705\CONFIG and change the userName and password attributes of the <processModel> element to:
  userName="registry:HKLM\SOFTWARE\YourSecureApp\processModel\ASPNET_SETREG,userName"
  password="registry:HKLM\SOFTWARE\YourSecureApp\processModel\ASPNET_SETREG,password"
Note that the ASPNET_SETREG.EXE tool is used to store the encrypted credentials in the registry.
Step: Configure the ASP.NET web application to use Windows authentication.
More information: Edit Web.config in the application's virtual root directory and set:
  <authentication mode="Windows" />
Configuring SQL Server
Step: Create a Windows account on the SQL Server computer that matches the ASP.NET process account (ASPNET).
More information: The user name and password must match the ASPNET account. Grant this account the following privileges: Access this computer from the network; Deny logon locally; Log on as a batch job.
Step: Configure SQL Server for Windows authentication.
Step: Create a SQL Server login for the account. This grants access to SQL Server.
Step: Create a new database user and map the login to it. This grants access to the specified database.
Step: Create a new user-defined database role and add the database user to it.
Step: Establish database permissions for the role. For more information, see "Data Access Security" in this guide.

Configuring secure communication
Step: Configure SSL on the web site. See "How To: Set Up SSL on a Web Server" in this guide.
Step: Configure IPSec between the web server and the database server. See "How To: Use IPSec to Provide Secure Communication Between Two Servers" in this guide.

Analysis
• In this scenario, because all users have Windows accounts and use Microsoft Internet Explorer, Integrated Windows Authentication in IIS is the best choice. Its advantage is that the user's password is never transmitted over the network. It is also transparent to the user, because Windows uses the logon session of the current interactive user.
• ASP.NET runs as a least privileged account, so the potential damage is greatly reduced if the process is compromised.
• You do not have to enable impersonation in ASP.NET to perform .NET role checks against the original caller. To perform a .NET role check for the original caller, retrieve the WindowsPrincipal object that represents the original caller from the HTTP context, as shown below:
  WindowsPrincipal wp = (HttpContext.Current.User as WindowsPrincipal);
  if (wp.IsInRole("Manager"))
  {
      // User is authorized to perform manager-specific functionality
  }
• The ASP.NET FileAuthorizationModule performs ACL checks for the ASP.NET file types that are mapped to ASPNET_ISAPI.DLL in IIS. For static file types (for example, .jpg, .gif and .htm files), IIS acts as the gatekeeper and performs the access checks against the original caller using the NTFS permissions on the file.
• Using Windows authentication for SQL Server means you do not have to store credentials in a file or pass credentials to the database server over the network.
• Using a duplicate Windows account on the database server (matching the ASP.NET local account) increases the administrative burden. If the password is changed on one computer, it must be synchronized and updated on the other. In some scenarios you may be able to use a least privileged domain account for simpler administration.
• The duplicate local account approach also works when a firewall separates the servers and the ports required for Windows authentication may not be open. Windows authentication with domain accounts may not be possible in that situation.
• You need to make sure that the granularity of your Windows groups matches your security requirements. Because .NET role-based security is based on Windows group membership, this solution relies on setting up Windows groups with the right granularity to match the categories of users (sharing the same security privileges) that access the application. The Windows groups used here to manage roles can be local groups on the computer or domain groups.
• SQL Server database user roles are preferred over SQL Server application roles, which avoids the password management and connection pooling issues associated with application roles. The application activates a SQL application role by calling a built-in stored procedure with the role name and a password, so that password must be stored securely. When SQL application roles are used, database connection pooling must also be disabled, which seriously affects the scalability of the application.
  See "Data Access Security" in this guide for more information on SQL Server database user roles and SQL Server application roles.
• Adding the database user to a database user role and assigning permissions to the role means you do not have to change the permissions on every database object when the database account changes.
Q&A
• Why can't I enable impersonation in the web application, so that the resources it accesses are protected with ACLs for the original caller?
  If impersonation is enabled, the impersonated security context has no network credentials (assuming delegation is not enabled and you are using Integrated Windows Authentication). Remote calls to SQL Server would therefore use a null session, and the calls would fail. With impersonation disabled, remote requests use the ASP.NET process identity. The scenario above uses the ASP.NET FileAuthorizationModule, which authorizes the original caller using Windows ACLs and does not require impersonation. If you use Basic authentication instead of Integrated Windows Authentication (NTLM) and enable impersonation, each database call uses the security context of the original caller. Each user account (or the Windows group the user belongs to) then needs a SQL Server login, and the permissions of those Windows groups (or original callers) on the database objects must be restricted to keep the database secure.
• The database does not know who the original caller is. How can I create an audit record?
  Audit end-user activity in the web application, or pass the user's identity explicitly as a parameter of the data access call.
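As an added illustration of the role check in the analysis and of the audit answer above (example code, not from the guide): the page code below retrieves the original caller's WindowsPrincipal, checks a Windows group, and then calls SQL Server under the ASPNET process identity with Integrated Security, passing the caller's account name as a stored-procedure parameter so the database can record who asked. The server name, the HRDatabase database, the usp_GetEmployeeDetails procedure and its parameters, and the DomainName\Manager group are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

// Added example (not from the original guide). Assumptions: a stored procedure
// named usp_GetEmployeeDetails taking @EmployeeId and @CallerIdentity, and a
// SQL Server instance reachable as "sqlserver" on the intranet.
public class EmployeeDataAccess
{
    // Windows authentication: no credentials in the string. With impersonation
    // off, the connection is opened under the ASP.NET process identity (ASPNET),
    // so the database needs one login and connection pooling works.
    private const string ConnectionString =
        "Server=sqlserver;Database=HRDatabase;Integrated Security=SSPI;";

    // Retrieve the WindowsPrincipal for the original caller from the HTTP context.
    // Returns null if the request was not authenticated by Windows (e.g. anonymous).
    public static WindowsPrincipal GetOriginalCaller()
    {
        return HttpContext.Current.User as WindowsPrincipal;
    }

    // .NET role check against the original caller's Windows group membership.
    // Role names take the form "DOMAIN\Group" or "MACHINE\Group".
    public static bool IsCallerInRole(WindowsPrincipal caller, string role)
    {
        return caller != null && caller.IsInRole(role);
    }

    public static DataSet GetEmployeeDetails(int employeeId)
    {
        WindowsPrincipal caller = GetOriginalCaller();
        if (!IsCallerInRole(caller, @"DomainName\Manager"))
        {
            // Treat an unauthenticated request the same as a non-member.
            throw new UnauthorizedAccessException("Caller is not a manager.");
        }

        // The database authenticates the process identity, not the user, so the
        // caller's name is passed explicitly for auditing (see the Q&A above).
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand("usp_GetEmployeeDetails", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@EmployeeId", SqlDbType.Int).Value = employeeId;
            cmd.Parameters.Add("@CallerIdentity", SqlDbType.NVarChar, 256).Value =
                caller.Identity.Name;

            DataSet ds = new DataSet();
            new SqlDataAdapter(cmd).Fill(ds);
            return ds;
        }
    }
}
```

Because the role check happens in the page before any database call, a caller outside the Manager group never reaches SQL Server, and the @CallerIdentity value gives the database an application-level record of who made the request even though every connection is authenticated as the ASPNET account.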
Related scenarios
Non-Internet Explorer browsers
Integrated Windows Authentication in IIS requires Internet Explorer. In a mixed browser environment, your typical options are:
• Basic authentication and SSL. Most browsers support Basic authentication. Because the user's credentials are passed over the network, SSL must be used to secure this scenario.
• Client certificates. You can map each client certificate to a unique Windows account, or use a single Windows account to represent all clients. Using client certificates requires SSL.
• Forms authentication. Forms authentication can validate credentials against a custom data store (such as a database) or against Active Directory. If you authenticate against Active Directory, be sure to retrieve only the groups that are relevant to the application; just as you would not use a SELECT * clause, you should not blindly retrieve all groups from Active Directory. If you authenticate against a database, carefully validate the input values used in SQL commands to prevent SQL injection attacks, and store password hashes (with a salt) in the database rather than plaintext or encrypted passwords. For more information on using SQL Server as a credential store and on storing passwords in the database, see "Data Access Security" in this guide.
Note: In all cases, SSL should be used when you are not using Integrated Windows Authentication (where the platform manages the credentials). This protects only the authentication process, however. If you pass confidential data over the network, IPSec or SSL is still required for that traffic.
SQL authentication to the database
In some scenarios you may have to use SQL authentication for data access rather than the preferred Windows authentication. For example, a firewall may sit between the web application and the database, or for security reasons the web server may not be a member of your domain, which also prevents Windows authentication. In these cases you can use SQL authentication between the web server and the database. To secure this scenario, you should:
• Use the Data Protection API (DPAPI) to protect the database connection string, which contains a user name and password. For more information, see the following:
  • "Storing Database Connection Strings Securely" in "Data Access Security" in this guide
  • "How To: Use DPAPI (Machine Store) from ASP.NET"
  • "How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services"
  • "How To: Create a DPAPI Library"
• Between the web server and the database server, use IPSec or SSL to protect the credentials passed over the network.
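An added example of the DPAPI protection step above, written as illustrative code rather than the guide's own DPAPI library. The guide targets .NET Framework 1.0 and wraps the Win32 DPAPI calls in a custom library; this version assumes .NET 2.0 or later, where the same calls are exposed by System.Security.Cryptography.ProtectedData (in System.Security.dll). The connection string, the YourSecureApp entropy value and the placeholder password are constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the guide. Requires a reference to System.Security.dll.
public static class ConnectionStringProtector
{
    // Optional entropy: a secondary secret that must be presented again at decrypt
    // time, so a process that can call DPAPI on this machine still needs this value.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("YourSecureApp");

    // Machine store (DataProtectionScope.LocalMachine): any process on this machine
    // can decrypt. This matches the ASPNET account, which has no roaming profile and
    // so cannot use the user store without extra setup.
    public static string Protect(string connectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        byte[] cipher = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
        // The Base64 text is what goes into Web.config or the registry.
        return Convert.ToBase64String(cipher);
    }

    public static string Unprotect(string protectedBase64)
    {
        byte[] cipher = Convert.FromBase64String(protectedBase64);
        byte[] plain = ProtectedData.Unprotect(cipher, Entropy, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(plain);
    }

    // Run Protect once at deployment time on the web server; at run time the
    // application calls Unprotect and never handles a plaintext string on disk.
    public static void Main()
    {
        string protectedValue = Protect(
            "Server=sqlserver;Database=HRDatabase;User ID=hrapp;Password=<placeholder>;");
        Console.WriteLine(protectedValue);
        Console.WriteLine(Unprotect(protectedValue));
    }
}
```

The protected value is bound to the machine's DPAPI master key, so a copy of Web.config taken to another computer cannot be decrypted there; this is why the string must be protected on the web server itself rather than on a developer machine.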
Flowing the original caller to the database
In this scenario, the web application calls the database using the security context of the original caller. When you use this approach, note the following:
• You must use Kerberos authentication (configured for delegation) or Basic authentication. The "Flowing the original caller to the database" section later in this chapter discusses the delegation scenario.
• You must also enable impersonation in ASP.NET. This means that local system resources are accessed using the security context of the original caller, so the ACLs on local resources (such as the registry and the event log) must be configured appropriately.
• Database connection pooling is limited, because connections cannot be shared between original callers: each connection is associated with the security context of its caller.
• An alternative to flowing the security context is to pass the identity of the original caller at the application level (for example, as method and stored procedure parameters).
ASP.NET to Enterprise Services to SQL Server
In this scenario, ASP.NET pages call business components that reside in an Enterprise Services application, and the Enterprise Services application connects to the database. Consider, for example, an internal purchase order system that processes transactions over the intranet and allows internal departments to place orders. Figure 3 shows this scenario.
Figure 3. ASP.NET calls a component in Enterprise Services, which will call the database
Characteristics
This scenario has the following characteristics:
• Users have Internet Explorer installed.
• The components are deployed on the web server.
• The application handles confidential data, which must be protected while it is transferred.
• The business components connect to SQL Server using Windows authentication.
• Business functionality in the components is restricted based on the caller's identity.
• The serviced components are configured as a server application (out of process).
• The components connect to the database using the server application's process identity.
• Impersonation is enabled in ASP.NET (so that Enterprise Services role-based security is applied to the original caller).
Securing this scenario
In this scenario, the web server authenticates the original caller and flows the caller's security context to the serviced component. The serviced component grants access to business functionality based on the identity of the original caller. The database authenticates the process identity of the Enterprise Services application (that is, the database trusts the Enterprise Services application). When the serviced component calls the database, it passes the user's identity at the application level (using trusted query parameters).
Table 2: Security measures

Authentication
• Use Integrated Windows Authentication for strong authentication on the web server.
• Flow the security context of the original caller to the serviced component to support Enterprise Services (COM+) role checks.
• Secure the database connection with Windows authentication. The database trusts the serviced component to make the calls; the database authenticates the Enterprise Services application's process identity.
Authorization
• Use Enterprise Services (COM+) roles to grant access to business logic.
Secure communication
• Use SSL to protect confidential data passed between the user and the web application.
• Use IPSec to protect confidential data passed between the web server and the database.
Result
Figure 4 shows the recommended security configuration of this scenario.
Figure 4. Recommended security configuration for the ASP.NET to local Enterprise Services to SQL Server intranet scenario
Security configuration steps
Before you begin, review the following:
• Create a least privileged database account (see "Data Access Security" in this guide).
• Configure SSL on the web server (see "How To: Set Up SSL on a Web Server" in this guide).
• Configure IPSec (see "How To: Use IPSec to Provide Secure Communication Between Two Servers" in this guide).
• Configure Enterprise Services (COM+) roles (see "How To: Use Role-based Security with Enterprise Services" in this guide).

Configuring IIS
Step: Disable anonymous access to the web application.
Step: Enable Integrated Windows Authentication.
Configuring ASP.NET
Step: Configure the ASP.NET web application to use Windows authentication.
More information: Edit Web.config in the application's virtual root directory and set:
  <authentication mode="Windows" />

Configuring Enterprise Services
Step: Create a custom account to run Enterprise Services.
More information: If you use a local account, you must also create a duplicate account on the SQL Server computer.
Step: Configure the Enterprise Services application as a server application.
More information: This can be configured with the Component Services tool or with the following .NET attribute in the serviced component assembly:
  [assembly: ApplicationActivation(ActivationOption.Server)]
Step: Configure Enterprise Services (COM+) roles.
More information: Use the Component Services tool or a script to add Windows users and/or groups to the roles. You can define the roles with .NET attributes in the serviced component assembly.
Step: Configure Enterprise Services to run under the custom account.
More information: This must be configured with the Component Services tool or a script; it cannot be set with .NET attributes in the serviced component assembly.
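An added example of how the server-application, access-control and role attributes fit together in a serviced component (illustrative code, not from the guide). It assumes the ASP.NET application has <identity impersonate="true" /> in Web.config, as this scenario requires, so that COM+ sees the browser user as the direct caller; the application name OrderProcessing and the roles OrderClerk and OrderApprover are invented. As the steps above note, the run-as account is set in the Component Services tool, not in code, and the assembly must be strong-named and registered (regsvcs.exe) before the attributes take effect.

```csharp
using System;
using System.EnterpriseServices;

// Added example, not from the guide. Assembly-level attributes declare a server
// (out-of-process) application with role-based access checks enabled.
[assembly: ApplicationName("OrderProcessing")]
[assembly: ApplicationActivation(ActivationOption.Server)]
[assembly: ApplicationAccessControl(true,
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
    Authentication = AuthenticationOption.Privacy)]
// Roles are declared here; Windows users and groups are added to them with the
// Component Services tool at deployment time.
[assembly: SecurityRole("OrderClerk")]
[assembly: SecurityRole("OrderApprover")]

namespace OrderProcessing
{
    [ComponentAccessControl(true)]
    [SecurityRole("OrderClerk")]   // component level: any clerk may use the component
    public class OrderManager : ServicedComponent
    {
        // Method-level check. Because ASP.NET impersonates, the caller that COM+
        // sees here is the original browser user, so the role check applies to
        // that user rather than to the ASP.NET worker process.
        [AutoComplete]
        public string ApproveOrder(int orderId)
        {
            // IsCallerInRole returns true when security is disabled for the
            // application, so test IsSecurityEnabled first to fail closed.
            if (!ContextUtil.IsSecurityEnabled || !ContextUtil.IsCallerInRole("OrderApprover"))
            {
                throw new UnauthorizedAccessException("Caller is not in the OrderApprover role.");
            }

            // The database is called under the server application's process identity;
            // the original caller's account name is passed down at the application
            // level (for example, as a stored procedure parameter) for auditing.
            SecurityIdentity caller = SecurityCallContext.CurrentCall.OriginalCaller;
            return caller.AccountName;
        }
    }
}
```

Declaring roles in the assembly keeps the role names under source control, while membership stays an operational decision made in Component Services; the explicit IsSecurityEnabled test guards against a deployment where access checks were turned off and every IsCallerInRole call would otherwise succeed.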
Configuring SQL Server
Step: Create a Windows account on the SQL Server computer that matches the Enterprise Services process account.
More information: The user name and password must match the custom Enterprise Services account. Grant this account the following privileges: Access this computer from the network; Deny logon locally; Log on as a batch job.
Step: Configure SQL Server for Windows authentication.
Step: Create a SQL Server login for the account. This grants access to SQL Server.
Step: Create a new database user and map the login to it. This grants access to the specified database.
Step: Create a new user-defined database role and add the database user to it.
Step: Establish database permissions for the role. For details, see "Data Access Security" in this guide.

Configuring secure communication
Step: Configure SSL on the web site. See "How To: Set Up SSL on a Web Server" in this guide.
Step: Configure IPSec between the web server and the database server. See "How To: Use IPSec to Provide Secure Communication Between Two Servers" in this guide.

Analysis
• ASP.NET and Enterprise Services run as least privileged accounts, so the potential damage is greatly reduced if either process is compromised: the compromised process identity has only limited privileges. In addition, if malicious script is injected into ASP.NET, the potential damage is also limited.
• To flow the security context of the original caller to the Enterprise Services components (to support Enterprise Services (COM+) roles), you must configure the ASP.NET application for impersonation. With impersonation, the process identity (the ASP.NET worker process) is not checked; impersonation determines which identity is used when resource access is checked.
• Without impersonation, system resource checks are performed against the ASP.NET process identity. With impersonation, they are performed against the original caller. For more information on accessing system resources from ASP.NET, see "ASP.NET Security" in this guide.
• Enterprise Services (COM+) roles push the access checks to the middle tier, where the business logic lives. Callers are checked at the gate and mapped to roles, and only members of a role can call the business logic, which avoids unnecessary calls to the back end. Another advantage of Enterprise Services (COM+) roles is that you can create and manage them at deployment time with the Component Services tool.
• Windows authentication for SQL Server means you avoid storing credentials in files and passing them over the network.
• When a firewall separates the servers and the ports required for Windows authentication may not be open, you can still run the Enterprise Services application under a local account and use a duplicate account on the database server. Windows authentication with domain accounts may not be possible in this scenario.
Drawbacks
• Using a duplicate Windows account on the database server (matching the Enterprise Services process account) increases the administrative burden. The passwords must be updated and synchronized manually on a regular basis.
• Because .NET role-based security is based on Windows group membership, this solution relies on setting up Windows groups with the right granularity to match the categories of users (sharing the same security privileges) that access the application.
ASP.NET to Web Services to SQL Server
In this scenario, the web server running the ASP.NET pages connects to a Web service on a remote server, and that server connects to a remote database server. Consider, for example, a human resources web application that provides confidential, user-specific data and relies on the Web service for data retrieval. Figure 5 shows the basic model of this scenario.
Figure 5. ASP.NET to remote Web Services to SQL Server
The Web service exposes a method that allows an individual employee to retrieve his or her own details; the web application must authenticate the user before providing them. The Web service also exposes a method that retrieves the details of any employee; only members of the Human Resources or Payroll departments may use it. In this scenario, employees are divided into three Windows groups:
• HRDept (members of Human Resources). This group can retrieve the details of any employee.
• PayrollDept (members of Payroll). This group can retrieve the details of any employee.
• Employees (all employees). This group can retrieve only their own details.
Because the data is confidential, communication between all nodes must be secured.
Characteristics
• Users have Internet Explorer 5.x or later installed.
• All computers run Windows 2000 or later.
• User accounts are in Active Directory within a single forest.
• The application flows the security context of the original caller to the Web service.
• All tiers use Windows authentication.
• Domain user accounts are configured for delegation.
• The database does not support delegation.
Securing this scenario
In this scenario, the web server hosting the ASP.NET web application authenticates the original caller and flows the caller's security context to the remote server hosting the Web service. This allows the web methods to apply authorization checks that allow or deny access to the original caller. The database authenticates the Web service's process identity (the database trusts the Web service). The Web service in turn calls the database and passes the user's identity at the application level using stored procedure parameters.
Table 3: Security measures

Authentication
• The web application uses Integrated Windows Authentication in IIS to authenticate the user.
• The Web service uses Integrated Windows Authentication in IIS. It authenticates the security context of the original caller, passed from the web application.
• The Kerberos authentication protocol is used to flow the original caller's security context from the web application to the Web service.
• Windows authentication is used to connect to the database via the ASP.NET process account.
Authorization
• The web application performs role checks against the original caller to restrict access to pages.
• Access to Web service methods is controlled with .NET roles based on the original caller's Windows group membership.
Secure communication
• SSL protects confidential data passed between the original caller and the web application, and between the web application and the Web service.
• IPSec protects confidential data passed between the Web service and the database.
Result
Figure 6 shows the recommended security configuration of this scenario.
Figure 6. Recommended security configuration for the ASP.NET to Web Services to SQL Server intranet scenario
Security configuration steps
Before you begin, review the following:
• Configure SSL on the web server (see "How To: Set Up SSL on a Web Server" in this guide).
• Configure IPSec (see "How To: Use IPSec to Provide Secure Communication Between Two Servers" in this guide).

Configuring the web server (which hosts the web application)

Configuring IIS
Step: Disable anonymous access for the web application's virtual root directory.
Step: Enable Integrated Windows Authentication.

Configuring ASP.NET
Step: Configure the ASP.NET web application to use Windows authentication.
More information: Edit the web application's Web.config and set:
  <authentication mode="Windows" />

Configuring the application server (which hosts the Web service)

Configuring IIS
Step: Disable anonymous access for the Web service's virtual root directory.
Step: Enable Integrated Windows Authentication.

Configuring ASP.NET
Step: Change the ASPNET account password to a known value.
More information: ASPNET is the least privileged local account used by default to run ASP.NET web applications. Change the password of the ASPNET account to a known value using Local Users and Groups. Then edit Machine.config in %windir%\Microsoft.NET\Framework\v1.0.3705\CONFIG and change the userName and password attributes of the <processModel> element to:
  userName="registry:HKLM\SOFTWARE\YourSecureApp\processModel\ASPNET_SETREG,userName"
  password="registry:HKLM\SOFTWARE\YourSecureApp\processModel\ASPNET_SETREG,password"
Step: Configure the ASP.NET Web service to use Windows authentication.
More information: Edit Web.config in the Web service's virtual directory and set:
  <authentication mode="Windows" />

Configuring SQL Server
Step: Create a Windows account on the SQL Server computer that matches the ASP.NET process account used by the Web service.
More information: The user name and password must match the custom ASP.NET account. Grant this account the following privileges: Access this computer from the network; Deny logon locally; Log on as a batch job.
Step: Configure SQL Server for Windows authentication.
Step: Create a SQL Server login for the account. This grants access to SQL Server.
Step: Create a new database user and map the login to it. This grants access to the specified database.
Step: Create a new user-defined database role and add the database user to it.
Step: Establish database permissions for the role, granting the minimum required.

Configuring secure communication
Step: Configure SSL on the web site. See "How To: Set Up SSL on a Web Server" in this guide.
Step: Configure IPSec between the web server and the database server. See "How To: Use IPSec to Provide Secure Communication Between Two Servers" in this guide.
Analysis

• In this scenario, Integrated Windows Authentication in IIS is ideal, because all users run Windows 2000 or later with Internet Explorer 5.x or later, and all users have Active Directory accounts, so the Kerberos authentication protocol (which supports delegation) is used. This allows the user's security context to be passed across computer boundaries.
• In Active Directory, the end user accounts must not be marked "Sensitive and cannot be delegated", and the Web server computer account must be marked "Trusted for delegation". For more information, see "How To: Implement Kerberos Delegation for Windows 2000" in this guide.
• ASP.NET on both the Web server and the application server runs as the least privileged local ASPNET account, so the potential damage is greatly reduced if the account is compromised.
• Configure the Web service and the Web application to use Windows authentication, and configure IIS on both computers to use Integrated Windows Authentication.
• When a Web service is called from a Web application, credentials are not passed by default. Credentials are required to respond to the network authentication challenge issued by IIS on the downstream Web server. You must specify them explicitly by setting the Credentials property of the Web service proxy:

    wsProxy.Credentials = CredentialCache.DefaultCredentials;

  For more information on using credentials, see "Web Services Security" in this guide.
• Configure the Web application to use impersonation. When the Web service is called from the Web application, the original caller's security context is then passed, and the Web service can authenticate (and authorize) the original caller.
• Use .NET roles in the Web service to authorize users based on the Windows groups (HRDept, PayrollDept and Employees) to which they belong.
  Members of HRDept and PayrollDept can retrieve any employee's details, while members of the Employees group can retrieve only their own details. You can use the PrincipalPermissionAttribute class to annotate a Web method and demand membership of a specific role, as shown in the following code. Note that you can write PrincipalPermission instead of PrincipalPermissionAttribute; this is a common feature of all .NET attribute types.

    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Role=@"DomainName\HRDept")]
    public DataSet RetrieveEmployeeDetails()
    {
    }

  The attribute shown above means that only members of the DomainName\HRDept Windows group are allowed to call the RetrieveEmployeeDetails method. If a non-member attempts to call the method, a security exception is thrown.
• ASP.NET File Authorization (in both the Web application and the Web service) performs access checks against the ACL attached to any file type that is mapped to Aspnet_isapi.dll in the IIS metabase. IIS performs the checks for static file types (for example .jpg, .gif and .htm) that have no ISAPI mapping, again using the ACL attached to the file.
• Because the Web application is configured to use impersonation, the ACLs on resources accessed by the application must grant the original caller at least read permission.
• The Web service does not use impersonation or delegation; it accesses local system resources and the database using the ASP.NET process identity. All database calls are therefore made using a single process account, which allows database connection pooling. This is the best choice if the database does not support delegation (for example, SQL Server 7.0 or earlier).
• Windows authentication to SQL Server means that credentials need not be stored on the Web server, and that credentials are not sent over the network to the SQL Server computer.
• SSL between the original caller and the Web server protects the data passed to and from the Web application.
• IPSec between the downstream Web server and the database protects the data passed to and from the database.

Pitfalls

• Using a duplicated Windows account on the database server (matching the ASP.NET process account) increases the administration burden: the passwords must be updated and synchronized manually at regular intervals. An alternative is to use a least privileged domain account. For more information on choosing an ASP.NET process identity, see "ASP.NET Security" in this guide.
• Because .NET role security is used, this solution requires Windows groups that match the categories of users (sharing the same security privileges) who will access the application, at the appropriate granularity.
• Kerberos delegation is unconstrained, so the application identity running on the Web server must be tightly controlled. To raise the security bar, remove the domain account from the Domain Users group to limit its scope, and allow it to log on only from the appropriate computers. For more information, see "Default Access Control Settings" on the Microsoft Web site at http://www.microsoft.com/windows2000/techinfo/planning/security/secdefs.asp.

Q&A

The database does not know who the original caller is. How can I create an audit trail?
Audit end user activity in the Web service, or pass the user's identity explicitly as a parameter of the data access call.

Related scenarios

If you need to connect to a non-SQL Server database, or to SQL Server using SQL authentication, you must pass the database account credentials explicitly in the connection string. If you do so, make sure the connection string is stored securely. For more information, see "Storing Database Connection Strings Securely" in "Data Access Security" in this guide.
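The following Web service method is an added example, not code from the guide, that implements the authorization rule described above (HRDept and PayrollDept may read any employee's details, Employees only their own) and answers the audit question by passing the original caller's identity to the stored procedure. The DomainName\* group names, the GetEmployeeDetails stored procedure and the server and database names are assumed placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security;
using System.Security.Principal;
using System.Web;
using System.Web.Services;

// Assumed: IIS uses Integrated Windows Authentication, Web.config has
// <authentication mode="Windows" />, and the calling Web application
// impersonates so the original caller's context reaches this service.
public class EmployeeService : WebService
{
    // Placeholder group names; replace with the real domain groups.
    const string HRDept      = @"DomainName\HRDept";
    const string PayrollDept = @"DomainName\PayrollDept";
    const string Employees   = @"DomainName\Employees";

    // Windows authentication to SQL Server: no credentials in the string.
    // The ASPNET process account (duplicated on the SQL Server computer)
    // is the login, so connections can be pooled.
    const string ConnStr =
        "server=YourDbServer; database=YourDatabase; Trusted_Connection=yes;";

    [WebMethod]
    public DataSet RetrieveEmployeeDetails(string employeeAccount)
    {
        WindowsPrincipal caller = HttpContext.Current.User as WindowsPrincipal;
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new SecurityException("Windows authentication is required.");

        // Imperative equivalent of the declarative PrincipalPermission demand,
        // extended with the "own record only" rule for the Employees group.
        bool anyEmployee = caller.IsInRole(HRDept) || caller.IsInRole(PayrollDept);
        bool ownRecord   = caller.IsInRole(Employees) &&
            String.Compare(caller.Identity.Name, employeeAccount, true) == 0;
        if (!anyEmployee && !ownRecord)
            throw new SecurityException(
                "Caller is not authorized to view this employee's details.");

        return LoadDetails(employeeAccount, caller.Identity.Name);
    }

    // The database only sees the process account, so the Web service passes
    // the original caller's name explicitly and the stored procedure (assumed)
    // records it in an audit table alongside the request.
    static DataSet LoadDetails(string employeeAccount, string callerName)
    {
        DataSet ds = new DataSet();
        using (SqlConnection conn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand("GetEmployeeDetails", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@EmployeeAccount", SqlDbType.NVarChar, 256).Value = employeeAccount;
            cmd.Parameters.Add("@CallerIdentity",  SqlDbType.NVarChar, 256).Value = callerName;
            SqlDataAdapter adapter = new SqlDataAdapter(cmd);
            adapter.Fill(ds);
        }
        return ds;
    }
}
```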
ASP.NET to Remoting to SQL Server

In this scenario, the Web server that runs the ASP.NET pages connects securely to a remote component on a remote application server. The Web server communicates with the component by using .NET Remoting over the HTTP channel. The remote component is hosted by ASP.NET. Figure 7 shows this scenario.

Figure 7. ASP.NET to remote component (using .NET Remoting) to SQL Server

Characteristics

• Users have a variety of Web browsers.
• The remote component is hosted by ASP.NET.
• The Web application communicates with the remote component using the HTTP channel.
• The ASP.NET application calls the .NET remote component and passes the original caller's credentials for authentication. Basic authentication provides these credentials.
• Because of the sensitive nature of the data, the data is secured between processes and computers.

Securing this scenario

In this scenario, the Web server that hosts the ASP.NET Web application authenticates the original caller. The Web application can retrieve the Basic authentication credentials (user name and password) from HTTP server variables. The Web application then uses these credentials to connect to the application server that hosts the remote component, by configuring the remote component proxy. The database uses Windows authentication to authenticate the ASP.NET process identity (that is, the database trusts the remote component). The remote component in turn calls the database and passes the original caller's identity using stored procedure parameters.

Table 4: Security measures

Authentication: Authenticate users with Basic authentication in IIS (with SSL). Use Windows authentication in the remote component (ASP.NET/IIS). Use the least privileged ASPNET account to connect to the database via Windows authentication.
Authorization: Perform ACL checks against the original caller on the Web server. Perform role checks against the original caller in the remote component.
Grant the ASP.NET (remote component) identity access to the database.
Secure communication: Use SSL to protect sensitive data passed between the user and the Web application, and between the Web application and the remote object hosted in IIS. Use IPSec to protect sensitive data passed between the Web server and the database.

Result

Figure 8 shows the recommended security configuration for this scenario.

Figure 8. Recommended security configuration for the ASP.NET to remote component to SQL Server intranet scenario

Security configuration steps

Before you begin, review the following:
• Creating a least privileged database account (see "Data Access Security" in this guide)
• Configuring SSL on a Web server (see "How To: Set Up SSL on a Web Server" in this guide)
• Configuring IPSec (see "How To: Use IPSec to Provide Secure Communication Between Two Servers" in this guide)

Configuring the Web server

Configure IIS
• Disable anonymous access for the Web application's virtual root directory.
• Enable Basic authentication. Use SSL to protect the Basic authentication credentials.

Configure ASP.NET
• Configure the ASP.NET Web application to use Windows authentication. Edit Web.config in the application's virtual root directory and set:

    <authentication mode="Windows" />

Configuring the application server

Configure IIS
• Disable anonymous access for the Web application's virtual root directory.
• Enable Integrated Windows Authentication.

Configure ASP.NET
• Configure the remote component (hosted in ASP.NET) to use Windows authentication. Edit Web.config in the remote component's virtual root directory and set:

    <authentication mode="Windows" />

• Set the userName and password attributes of the <processModel> element in Machine.config to:

    userName="registry:HKLM\SOFTWARE\YourSecureApp\processModel\ASPNET_SETREG,userName"
    password="registry:HKLM\SOFTWARE\YourSecureApp\processModel\ASPNET_SETREG,password"

  Note that the Aspnet_setreg.exe tool is used to store the encrypted password in the registry.
• Make sure impersonation is off. Impersonation is off by default, but check that it is disabled in Web.config, as shown below:

    <identity impersonate="false" />

Configure SQL Server
• Create a Windows account on the SQL Server computer that matches the ASP.NET process account used to run the remote component. The user name and password must match the custom ASPNET account. Grant the account the following privileges: Access this computer from the network; Deny logon locally; Log on as a batch job.
• Configure SQL Server for Windows authentication.
• Create a SQL Server login for the Windows account. This grants access to SQL Server.
• Create a new database user and map the login name to the database user. This grants access to the specific database.
• Create a new user-defined database role and add the database user to the role.
• Establish database permissions for the database role, granting the minimum permissions required.

Configure secure communication
• Configure SSL on the Web site on the Web server. See "How To: Set Up SSL on a Web Server" in this guide.
• Configure SSL on the Web site on the application server. See "How To: Set Up SSL on a Web Server" in this guide.
• Configure IPSec between the application server and the database server. See "How To: Use IPSec to Provide Secure Communication Between Two Servers" in this guide.

Analysis

• ASP.NET on both the Web server and the application server runs as the least privileged local ASPNET account, so the potential damage is greatly reduced if the account is compromised. In both cases the default ASPNET account is used. Using the local ASPNET account (with a duplicated account on the SQL Server computer) further reduces potential security risks: the duplicated Windows account on the database server lets the remote component run under the least privileged ASPNET account on the application server.
• On the Web server, Basic authentication allows the Web application to use the caller's credentials to respond to the Windows authentication challenge from the application server. To call the remote component using the caller's credentials, the Web application configures the remote component proxy as shown below.

    string pwd = Request.ServerVariables["AUTH_PASSWORD"];
    string uid = Request.ServerVariables["AUTH_USER"];
    IDictionary channelProperties = ChannelServices.GetChannelSinkProperties(proxy);
    NetworkCredential credentials;
    credentials = new NetworkCredential(uid, pwd);
    ObjRef objectReference = RemotingServices.Marshal(proxy);
    Uri objectUri = new Uri(objectReference.URI);
    CredentialCache credCache = new CredentialCache();
    credCache.Add(objectUri, "Negotiate", credentials);
    channelProperties["credentials"] = credCache;
    channelProperties["preauthenticate"] = true;

  For more information on passing security credentials to remote components, see ".NET Remoting Security" in this guide.
• Impersonation is disabled in the ASP.NET Web application, because the remoting proxy is explicitly configured with the user credentials obtained through Basic authentication. Any other resources accessed by the Web application use the security context of the ASP.NET process account.
• SSL between the user and the Web server protects the data passed to and from the Web server, and also protects the Basic credentials, which are otherwise passed in clear text during authentication.
• On the application server, Integrated Windows Authentication enables .NET role checks against the original caller. The roles correspond to Windows groups. Role-based checks can be performed even without impersonation.
• ASP.NET File Authorization checks the caller against the ACL of any file type that is mapped to Aspnet_isapi.dll in the IIS metabase. IIS performs access checks for static files (not mapped to an ISAPI extension in IIS).
• Because impersonation is not enabled on the application server, any local or remote resource access performed by the remote component uses the ASPNET security context. ACLs should be set accordingly.
• Windows authentication to SQL Server means that credentials need not be stored on the application server, and that credentials are not sent over the network to the SQL Server computer.

Pitfalls

• Using a duplicated Windows account on the database server (matching the ASP.NET process account) increases the administration burden: the passwords must be updated and synchronized manually at regular intervals.
• Because .NET role security is used, this solution requires Windows groups that match the categories of users (sharing the same security privileges) who will access the application, at the appropriate granularity.

Related scenarios

The Web server authenticates the caller using Kerberos, and Kerberos delegation is used to pass the original caller's security context to the remote component on the application server. This approach requires all user accounts to be configured for delegation. The Web application is also configured to use impersonation, and it configures the remote component proxy using DefaultCredentials. The "Flowing the Original Caller" section in this guide discusses this technique in depth.

Flowing the original caller to the database

The scenarios discussed so far use the trusted subsystem model; in every case the database trusts the application server or the Web server to authenticate and authorize users correctly. Although the trusted subsystem model has many advantages, some scenarios (most commonly for auditing reasons) may require you to use the impersonation/delegation model and pass the original caller's security context across computer boundaries to the database.
Typical reasons for needing to flow the original caller to the database include:

• You need fine-grained database access, with permissions restricted per object: particular users or groups can read individual objects, while other users or groups can write individual objects. This is the opposite of coarse-grained, task-based authorization, where role membership determines the ability to read and write a particular object.
• You may want to use the platform's auditing features, rather than flowing the identity and performing auditing at the application level.

If you do choose the impersonation/delegation model (or are required to by corporate security policy) and flow the original caller's security context through the application tiers to the back end, you must consider delegation and network access issues (which matter when crossing multiple computers). The pooling of shared resources (such as database connections) is also a key issue and may significantly reduce the scalability of the application.

This section shows how to use impersonation/delegation for the two most common application scenarios:
• ASP.NET to SQL Server
• ASP.NET to Enterprise Services to SQL Server

For more information on the trusted subsystem and impersonation/delegation models and their relative merits, see "Authentication and Authorization Design" in this guide.

ASP.NET to SQL Server

In this scenario, the database is called using the original caller's security context. The authentication options described in this section include Basic authentication and Integrated Windows Authentication. The "ASP.NET to Enterprise Services to SQL Server" section describes the Kerberos delegation scenario.

Using Basic authentication on the Web server

The following Basic authentication configuration settings allow the original caller to be flowed to the database.

Table 5: Security measures

Authentication: Authenticate users with Basic authentication in IIS.
Use Windows authentication in ASP.NET. Enable impersonation in ASP.NET. Use Windows authentication to communicate with SQL Server.
Authorization: Perform ACL checks on the Web server. If the original caller is mapped to a Windows group (based on application requirements, such as Managers, Tellers, and so on), you can perform .NET role checks against the original caller to restrict access to methods.
Secure communication: Use SSL to protect the clear-text credentials passed between the browser and the Web server. Use IPSec to protect all sensitive data passed between the Web application and the database.

Be aware of the following with this approach:
• Basic authentication prompts the user with a pop-up dialog box in which the user types credentials (user name and password).
• The database must authenticate the original caller. If the Web server and the database are in different domains, the appropriate trust relationships must be enabled so that the database can authenticate the original caller.

Using Integrated Windows Authentication on the Web server

Integrated Windows Authentication results in either NTLM or Kerberos authentication, depending on the configuration of the client and server computers. NTLM authentication does not support delegation, so it does not allow the original caller's security context to be passed from the Web server to a physically remote database. NTLM authentication permits a single network hop, between the browser and the Web server. To use NTLM authentication you would have to install SQL Server on the Web server, which is likely to be acceptable only for very small intranet applications.

ASP.NET to Enterprise Services to SQL Server

In this scenario, ASP.NET pages call business components hosted in a remote Enterprise Services application, and these components connect to the database. The original caller's security context flows from the browser to the database. This is shown in Figure 9.

Figure 9.
ASP.NET calls a component in Enterprise Services, which calls the database

Characteristics

• Users have Internet Explorer 5.x or later.
• All computers run Windows 2000 or later.
• User accounts are held in Active Directory within a single forest.
• The application flows the original caller's (operating system level) security context to the database.
• All tiers use Windows authentication.
• A domain user account configured for delegation is used to run the Enterprise Services application, and the account must be marked "Trusted for delegation" in Active Directory.

Securing this scenario

In this scenario, the Web server authenticates the caller. You must then configure ASP.NET to use impersonation in order to flow the original caller's security context to the remote Enterprise Services application. In the Enterprise Services application, the component code must explicitly impersonate the caller (using CoImpersonateClient) to ensure that the caller's context flows to the database.

Table 6: Security measures

Authentication: Kerberos authentication is supported in all tiers (Web server, application server and database server).
Authorization: Authorization checks are performed in the middle tier using the identity of the original caller.
Secure communication: Use SSL between the browser and the Web server to protect sensitive data. Use RPC packet privacy (which provides encryption) between ASP.NET and the serviced components in the remote Enterprise Services application. Use IPSec between the serviced components and the database.

Result

Figure 10 shows the recommended security configuration for this scenario.

Figure 10. ASP.NET calls a component in Enterprise Services, which calls the database. The original caller's security context is flowed to the database.
Security configuration steps

Before you begin, note the following configuration issues:
• In Active Directory, the Enterprise Services process account must be marked "Trusted for delegation", and the end user accounts must not be marked "Sensitive and cannot be delegated". For more information, see "How To: Implement Kerberos Delegation for Windows 2000" in this guide.
• All computers require Windows 2000 or later. This includes client (browser) computers and all servers.
• All computers must be in Active Directory and must belong to a single forest.
• The application server hosting Enterprise Services must run Windows 2000 SP3.
• If you use Internet Explorer 6.0 on Windows 2000, it uses NTLM authentication by default, not the required Kerberos authentication. To enable Kerberos delegation, see Microsoft Knowledge Base article Q299838, "Unable to Negotiate Kerberos Authentication After Upgrading to Internet Explorer 6".

Configuring the Web server (IIS)
• Disable anonymous access for the Web application's virtual root directory.
• Enable Windows Integrated Authentication.

Configuring the Web server (ASP.NET)
• Configure the ASP.NET Web application to use Windows authentication. Edit Web.config in the Web application's virtual root directory and set:

    <authentication mode="Windows" />

Configuring the application server (Enterprise Services)

The serviced component must explicitly impersonate the caller before accessing remote resources. Declare the following external functions:

    class COMSec
    {
        // An HRESULT is a 32-bit value, so the return type is int
        [DllImport("ole32.dll", CharSet=CharSet.Auto)]
        public static extern int CoImpersonateClient();
        [DllImport("ole32.dll", CharSet=CharSet.Auto)]
        public static extern int CoRevertToSelf();
    }

These external functions are called before and after access to remote resources:

    COMSec.CoImpersonateClient();
    // ... access the remote resource as the original caller ...
    COMSec.CoRevertToSelf();

For more information, see "Enterprise Services Security" in this guide.
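The following serviced component is an added example, not code from the guide, showing the impersonation calls above used the way a practitioner would want: fail closed if CoImpersonateClient does not succeed, always revert in a finally block, and check the caller's Enterprise Services role before touching the database. It also applies the server-activation, packet-privacy and access-check attributes that the remaining configuration steps describe. The role names, the GetEmployeeDetails stored procedure and the server and database names are assumed placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.EnterpriseServices;
using System.Runtime.InteropServices;

// Server application, RPC packet privacy, and role checks at both the
// application and component level (assumed to match the Component Services
// configuration of the real application).
[assembly: ApplicationActivation(ActivationOption.Server)]
[assembly: ApplicationAccessControl(
    Authentication = AuthenticationOption.Privacy,
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent)]

// P/Invoke declarations for the COM impersonation calls (HRESULT is 32-bit).
class COMSec
{
    [DllImport("ole32.dll")]
    public static extern int CoImpersonateClient();
    [DllImport("ole32.dll")]
    public static extern int CoRevertToSelf();
}

[ComponentAccessControl(true)]
public class EmployeeData : ServicedComponent
{
    // Windows authentication: no credentials stored. Because the thread
    // carries the caller's delegate-level Kerberos token while impersonating,
    // the trusted connection to the remote SQL Server is opened as the
    // original caller, so SQL Server's own auditing records that user.
    const string ConnStr =
        "server=YourDbServer; database=YourDatabase; Trusted_Connection=yes;";

    public DataSet GetEmployeeDetails(string employeeAccount)
    {
        // Role check against the original caller. The roles are assumed to be
        // mapped to the corresponding Windows groups in Component Services.
        if (!ContextUtil.IsCallerInRole("HRDept") &&
            !ContextUtil.IsCallerInRole("PayrollDept") &&
            !ContextUtil.IsCallerInRole("Employees"))
        {
            throw new UnauthorizedAccessException(
                "Caller is not a member of a permitted role.");
        }

        // Fail closed: if impersonation does not succeed, the query must not
        // silently run under the Enterprise Services process account.
        int hr = COMSec.CoImpersonateClient();
        if (hr < 0)
            Marshal.ThrowExceptionForHR(hr);

        try
        {
            DataSet ds = new DataSet();
            using (SqlConnection conn = new SqlConnection(ConnStr))
            using (SqlCommand cmd = new SqlCommand("GetEmployeeDetails", conn))
            {
                cmd.CommandType = CommandType.StoredProcedure;
                cmd.Parameters.Add("@EmployeeAccount", SqlDbType.NVarChar, 256)
                    .Value = employeeAccount;
                SqlDataAdapter adapter = new SqlDataAdapter(cmd);
                adapter.Fill(ds);   // opens the connection as the impersonated caller
            }
            return ds;
        }
        finally
        {
            // Always revert, even when the query throws, so the thread does
            // not continue to run under the caller's token.
            COMSec.CoRevertToSelf();
        }
    }
}
```

Because each connection is opened under a different caller's context, these connections cannot be pooled effectively, which is the scalability cost noted in the pitfalls for this scenario.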
Configure the Enterprise Services application as a server application. This can be done using the Component Services tool, or with the following .NET attribute in the serviced component assembly:

    [assembly: ApplicationActivation(ActivationOption.Server)]

Configure the Enterprise Services application to use packet privacy authentication (to provide secure communication with encryption), using the following .NET attribute in the serviced component assembly:

    [assembly: ApplicationAccessControl(Authentication = AuthenticationOption.Privacy)]

Configure the Enterprise Services application for component-level role-based security. To configure roles at the process and component level (including interfaces and classes), use the following attribute:

    [assembly: ApplicationAccessControl(AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent)]

Decorate classes with the following attribute:

    [ComponentAccessControl(true)]

For more information on configuring interface-level and method-level roles, see "Configuring Security" in "Enterprise Services Security" in this guide.

Create a custom account for running Enterprise Services, and mark it "Trusted for delegation" in Active Directory. You must run the Enterprise Services application using a domain account that is marked "Trusted for delegation". For more information, see "How To: Implement Kerberos Delegation for Windows 2000" in this guide.

Configure Enterprise Services to run using the custom account. This must be configured using the Component Services tool or a script. You cannot use a .NET attribute in the serviced component assembly.

Configuring the database server
• Configure SQL Server: create SQL Server logins for the Windows groups to which the users belong. This grants access to SQL Server. The access control policy treats Windows groups as roles. For example, you could set up groups such as Employees, HRDept and PayrollDept.
• Create a new database user for each SQL Server login. This grants access to the specific database. For more information on granting database users the minimum permissions they require, see "Data Access Security" in this guide.

Analysis

• The key to flowing the original caller's security context is Kerberos authentication (which generates a delegate-level token). When the server process (IIS) receives a delegate-level token, it can pass that token to any other process running under the same account on the same computer without changing its delegation level. Whether the worker process runs under a local or a domain account does not matter; what matters is how IIS runs. If IIS does not run as LocalSystem, the account it runs under must be marked "Trusted for delegation" in Active Directory. If IIS runs as LocalSystem, the computer account must be marked "Trusted for delegation". For more information, see "How To: Implement Kerberos Delegation for Windows 2000" in this guide.
• In this scenario, because all users have Windows accounts and use Internet Explorer 5.x or later, Integrated Windows Authentication (with Kerberos) in IIS is the best choice. The advantage of Integrated Windows Authentication is that the user's password is never sent over the network. In addition, logon is transparent because Windows uses the current interactive user's logon session.
• ASP.NET constructs a WindowsPrincipal object and attaches it to the current Web request context (HttpContext.User). If you need to perform authorization checks in the Web application, you can use the following code:

    WindowsPrincipal wp = (HttpContext.Current.User as WindowsPrincipal);
    if (wp.IsInRole("Manager"))
    {
        // User is authorized to perform manager-specific functionality
    }

  The ASP.NET FileAuthorizationModule checks the ACLs of ASP.NET file types that are mapped to Aspnet_isapi.dll in IIS.
  For static file types (for example .jpg, .gif and .htm files), IIS acts as the gatekeeper and performs access checks using the original caller's identity.
• Using Windows authentication to SQL Server avoids storing credentials in files on the application server and avoids passing them over the network. For example, the connection string contains the Trusted_Connection attribute:

    conStr = "server=YourServer; database=YourDatabase; Trusted_Connection=yes;";

• The original caller's context flows through all tiers, which makes auditing very easy. You can use platform-level auditing (for example, the auditing features provided by Windows and SQL Server).

Pitfalls

• If Internet Explorer 6.0 is used on Windows 2000, the default authentication mechanism negotiated is NTLM (not Kerberos). For more information, see Microsoft Knowledge Base article Q299838, "Unable to Negotiate Kerberos Authentication After Upgrading to Internet Explorer 6".
• Delegating the user across tiers costs performance and application scalability compared to the trusted subsystem model. You cannot take advantage of database connection pooling, because database connections are tied to the original caller's security context and therefore cannot be pooled effectively.
• This approach also depends on Windows group granularity that meets the security needs of the application. That is, the Windows groups must be set up at the right level of granularity to match the categories of users (sharing the same security privileges) who use the application.

Summary

This chapter described how to secure a common set of intranet application scenarios. For extranet and Internet application scenarios, see "Protecting the .NET Web Application in the Extranet Environment" and "Protecting the .NET Web Application in the Internet Environment" in this guide.