How to configure and deploy a secure .NET three-layer application

xiaoxiao2021-03-06  49

Original: Zhou Mengjie, November 10, 2003

1. Foreword

With the rapid development of .NET technology and the launch of Windows 2003, more and more people are becoming familiar with developing products on .NET. Programmers often overlook the importance of security when developing .NET programs, either thinking that a working product is good enough or blindly leaving security for the .NET environment to solve. This is completely wrong. The .NET environment provides a complete set of security protection measures, but we must use them and carry them through every aspect of development and deployment to achieve the expected security effect.

The security discussed in this article mainly concerns 3-tier applications developed with .NET technology on a three-layer architecture. Three-layer applications are introduced briefly below. This article is intended for readers who are familiar with .NET development and SQL Server 2000 and who have Windows 2003 installed.

2. Three-layer architecture applications

The full name of a three-layer architecture application is "Three-Tier Application Using an XML Web Service". For details, please refer to MSDN. What are the three layers?

Layer 1: Client application layer (including browser pages).
Layer 2: Web Service layer.
Layer 3: Database layer.

See Figure 1 for details.

(Figure 1)

The benefits of this are:

1. Developers can develop programs quickly and easily.
2. Users can use the application from anywhere that can connect to the Internet.
3. The data access layer is concentrated in the Web Service, so it can be updated and maintained without upgrading clients.
4. Data access is separated from the front end.

3. Demonstration

This article is a brief summary of how to deploy a .NET three-tier application securely, not how to develop one, so the demonstration program is not described in detail.
This is a small demonstration program that lists all customers from the database and queries each customer's orders.

Directory layout:

Root directory: /demo
Subdirectories:
/demo/demo_client: application
/demo/demo_database: database
/demo/demo_webservice: Web Service

Note: Because of the emphasis on security, all interaction with the database is implemented through stored procedures.

The client is as follows:

(Figure 2)

4. Configure your system

4.1. Overall security architecture

Every access should, as far as possible, use a dedicated identity, and permissions should be set to "just enough", that is, minimal authorization. There are four main aspects to consider:

(1) Anonymous client users access IIS as IUSR_MACHINENAME.
(2) IIS executes the Web Service under the identity set on the application pool (by default, NT Authority\Network Service).
(3) Unless impersonation is introduced in code or configured in Web.config, the Web Service accesses SQL Server under the identity it executes as.
(4) SQL Server accesses resources as a specific restricted user (in our example, _sqlserver_).

4.2. Create a dedicated user for SQL Server 2000

4.2.1. Reason

Windows creates two accounts for IIS: IUSR_MACHINENAME and IWAM_MACHINENAME (the account that starts IIS processes). The benefit is that, because these two accounts have low privileges (they are normally used only by IIS), the damage is minimized even if IIS is compromised.

SQL Server has no similar dedicated account. When SQL Server is installed, the account it uses to access resources is usually set to Local System (NT Authority\Local System), an identity with more privileges than Administrator. This is far too high for SQL Server: once it is compromised, the consequences are unimaginable. We can manually create a user and give it the lowest permissions that SQL Server needs (meaning just permission to access the database files). Now I will start from the beginning.

4.2.2. New user

Creating the new user is shown in Figure 3:

(Figure 3)

Note:

1. This is the standard Windows 2003 new user dialog box.
2. The username can be anything; here it is _sqlserver_. The full name, SQL Server Jail User, means that this dedicated user is locked in a "jail".
3. The password should be as long as possible (64 bytes) and as complicated as possible (including uppercase letters, numbers, special symbols, etc., preferably randomly generated). Don't panic: this password is used only once, so it is easiest to write it into a document.
4. Also select "User cannot change password" and "Password never expires".

4.2.3. Set this user's privileges

Modifying the permissions is shown in Figure 4:

(Figure 4)

Note:

1. Right-click the _sqlserver_ user and select Properties.
2. Go to the "Member Of" page and delete the Users group. _sqlserver_ now belongs to no group, so this user has no permissions.

Note: On Windows 2000, some additional configuration is required because of the default Everyone Full Control authorization on all drives.

4.3. It is recommended to reinstall your SQL Server

4.3.1. Reason

To re-establish a secure SQL Server: make sure SQL Server accesses your computer's resources as the SQL Server Jail User, and make sure SQL Server trusts only named pipes. It is therefore recommended to reinstall SQL Server.

4.3.2. Modify the SQL Server service account

One step of SQL Server setup specifies the identity the SQL Server service runs as, as shown in Figure 5:

(Figure 5)

Note:

1. Use the SQL Server Jail User we just added as the Services Account.
2. Enter "_sqlserver_" in Username and copy the password into Password.
3. Thoroughly delete the file that recorded the password; this password is used only once. The user is now locked in the SQL Server jail: no program other than SQL Server can use it.
4. Click Next.

4.3.3. Specify the SQL Server login authentication mode and network connection method

As shown in Figure 6 and Figure 7:

(Figure 6)

Note:

1. We do not trust the sa login mode; we trust only Windows Authentication mode.
2. The sa identity has many disadvantages:
(1) The sa identity has no expiration time.
(2) The sa identity has no account lockout, so the sa password can eventually be found by exhaustive search.
(3) The sa identity's privileges are too high: once the sa password is obtained, any program can be run as SQL Server.

(Figure 7)

Note:

1. Do not trust any network connection other than named pipes.
2. Deselect TCP/IP Sockets, which is selected by default (if you need to run in a distributed environment, you should configure an Active Directory domain).
3. The principle is: do not select anything unless it is needed.

4.3.4. Install SQL Server SP3

When you install SP3, you are prompted to specify the sa password: because logging in as sa was not allowed when SQL Server was installed, the sa password is empty.

SP3 considers an empty sa password unsafe (even though sa cannot be used to log in). All we have to do is enter a password that is as long and complicated as possible.

5. Start deploying the Demo program (minimum permissions)

5.1. Before deploying

5.1.1. Copy the Demo directory into the "C:\Sample\" directory.

5.1.2. First configure the security of the Sample directory so that the Sample directory and all its subdirectories and files are under the Full Control of members of the Administrators group only. Delete the other default access control entries. See Figure 8.

(Figure 8)

Note:

1. Right-click the Sample folder, click "Properties" and select the Security page. By default, four identities have access to the folder. Click "Advanced", as shown in Figure 8.
2. Clear the "Allow inheritable permissions from the parent ... ..." check box. A dialog box pops up; click the "Remove" button.
3. This removes all permissions inherited from the parent directory. Only the Administrators group has access, as shown in Figure 9:

(Figure 9)

5.1.3. Attach the database

When attaching the database in SQL Server Enterprise Manager, you will find that the file browser cannot traverse into the Sample folder when you try to select the database file. This is because SQL Server runs as the _sqlserver_ identity, and _sqlserver_ cannot access the Sample folder or the database files. Next, grant _sqlserver_ permission to traverse the folders and full control of the database files.

As before, on the "Security" page of the Sample folder's "Properties", click "Advanced" to open the "Advanced Security Settings for Sample" dialog box. Click "Add", enter "_sqlserver_" and click the "OK" button. In the permission entries list, select "_sqlserver_" and click the "Edit" button to open the "Permission Entry" dialog. Select "This folder only" in the "Apply onto" drop-down box, and tick "Allow" for "List Folder / Read Data". Click "OK" to exit. See Figure 10. Apply the same settings to the Sample, Demo and Demo_Database folders.
Finally, assign permissions on the database files "demo_db_data.mdf" and "demo_db_ldf". SQL Server needs to perform all kinds of operations on these files, so give the _sqlserver_ identity all access rights. The procedure is the same as the one described above, except that "Full Control" is selected in the last step. See Figure 11. Then go back to SQL Server Enterprise Manager and attach the database, setting the database owner to _sqlserver_. See Figure 12.

(Figure 10) (Figure 12)

5.2. Deploy the Web Service

5.2.1. New application pool for the Web Service

I recommend establishing an application pool for each Web Service. Creating an application pool in IIS 6.0 is very simple. Start IIS 6.0, right-click "Application Pools" and select "New", then "Application Pool". In the Add Application Pool dialog box that pops up, enter the application pool name. See Figure 13.

(Figure 13)

Assign permissions to the AppPool-Demo application pool: right-click "AppPool-Demo" and select Properties to open the properties dialog. Various application pool properties can be set here. The one we care about is the "Identity" page: make sure the predefined security account of the application pool is "Network Service" (that is, the Network Service account). See Figure 14.

(Figure 14)

5.2.2. Add a virtual directory for the Web Service

Add a virtual directory named Demo whose path is "c:\sample\demo\demo_webservice". Creating a virtual directory is not described in detail here.

Now assign permissions on the virtual directory. The Web Service is executed by IIS under the identity of the application pool (Network Service), so Network Service must be given permission to read and execute the virtual directory. Right-click the Demo virtual directory in IIS and select "Permissions" to open the directory's security settings dialog. Add the "Network Service" account and select the "Read & Execute" permission. See Figure 15.

Assign the Web Service to an application pool: right-click the Demo virtual directory and select Properties. In the application pool drop-down box, select the AppPool-Demo pool that was just created.

Now check whether the Web Service works. Click the "Demo" virtual directory in IIS and, in the list of files, right-click "Demo.asmx" and select "Browse". As shown in Figure 16, the Web Service is working normally. If it is not, recheck each step described above.

(Figure 15) (Figure 16)

5.3. Configure the database

5.3.1. Add a user to access the database

Open SQL Server Enterprise Manager, expand the DEMO_DB tree and right-click "Users". Select "New Database User" to open the new user dialog box. Select "New" in the "Login Name" drop-down box; in the dialog that pops up, manually type "NT Authority\Network Service" into the "Name" box. (Note: You must type the full name manually in SQL Server. This user cannot be found by searching. I cannot explain this either.) Select the database "DEMO_DB" and click the "OK" button. See Figure 17. Back in the first dialog, select "NT Authority\Network Service" in the "Login Name" drop-down box and give it "public" permissions. Click the "OK" button.

(Figure 17)

5.3.2. In SQL Server Enterprise Manager, expand the "Demo" database node and click "Users". In the user list on the right, right-click "NT Authority\Network Service" and select "Properties". In the dialog box that pops up, click the "Permissions" button to open the permissions dialog, and tick the "EXEC" permission for the two user-defined stored procedures. See Figure 18.

Note: In a secure application, all access to database tables and views should go through stored procedures. So when setting permissions we should grant access only to the stored procedures and grant no permissions on tables or views. In the database, anything that has not been granted is treated as having no access, so only the two stored procedures are ticked.

(Figure 18)

6. Run the client program

6.1. Run

At this point the program cannot run and an Error dialog pops up, as shown in Figure 19.

(Figure 19)

This is because the client program accesses network resources as IUSR_MACHINENAME. Before the Web Service runs under the application pool identity, IIS reads the resource as IUSR_MACHINENAME; only when IIS discovers that the resource is a Web Service program does it execute the Web Service under the identity specified by the application pool.
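The database permissions from sections 5.3.1 and 5.3.2, together with the Windows Authentication setting from 4.3.3, can also be applied and then audited from Query Analyzer. This script is an added example and not part of the original article; it assumes the attached database is named demo_db, and the two stored procedure names are hypothetical because the article does not give them.

```sql
-- Added example. Assumptions: database name demo_db; procedure names
-- dbo.usp_ListCustomers and dbo.usp_GetCustomerOrders are hypothetical
-- stand-ins for the demo's two user-defined stored procedures.

-- 4.3.3: confirm the server accepts Windows Authentication only (expect 1).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only
GO

-- 5.3.1: let the application pool identity log in and enter the database.
-- It receives no role beyond the implicit "public".
EXEC sp_grantlogin 'NT AUTHORITY\NETWORK SERVICE'
GO
USE demo_db
GO
EXEC sp_grantdbaccess 'NT AUTHORITY\NETWORK SERVICE'
GO

-- 5.3.2: EXEC on the two stored procedures and nothing else.
GRANT EXECUTE ON dbo.usp_ListCustomers     TO [NT AUTHORITY\NETWORK SERVICE]
GRANT EXECUTE ON dbo.usp_GetCustomerOrders TO [NT AUTHORITY\NETWORK SERVICE]
GO

-- Audit: every permission granted on user objects to the account or to the
-- public role it belongs to. Any row with securable_type U (table) or
-- V (view) breaks the "stored procedures only" rule from section 5.3.2.
SELECT USER_NAME(p.uid) AS grantee,
       o.name           AS securable,
       o.xtype          AS securable_type,   -- U = table, V = view, P = procedure
       CASE p.action
            WHEN 193 THEN 'SELECT'
            WHEN 195 THEN 'INSERT'
            WHEN 196 THEN 'DELETE'
            WHEN 197 THEN 'UPDATE'
            WHEN 224 THEN 'EXECUTE'
            ELSE CAST(p.action AS varchar(10))
       END              AS granted_permission
FROM   sysprotects p
JOIN   sysobjects  o ON o.id = p.id
WHERE  p.uid IN (USER_ID('NT AUTHORITY\NETWORK SERVICE'), USER_ID('public'))
  AND  p.protecttype IN (204, 205)             -- GRANT WITH GRANT OPTION, GRANT
  AND  OBJECTPROPERTY(o.id, 'IsMSShipped') = 0 -- skip system objects
ORDER BY o.xtype, o.name
GO
```

The audit query reads the SQL Server 2000 system tables sysprotects and sysobjects, so it matches the server version the article targets.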

When reprinting, please credit the original address: https://www.9cbs.com/read-79789.html
