IIS and .Net security

Document Sample
IIS and .Net security Powered By Docstoc
					IIS and .Net security

                  -Vasudha Bhat
What is IIS?
Why do we need IIS?

   Internet Information Services (IIS) is a Web server, its primary job is to accept
    connections from remote clients and respond to HTTP requests arriving through
    those connections.

   IIS provides integrated, reliable, scalable, secure, and manageable Web server
    capabilities over an intranet and the Internet

   Organizations of all sizes use IIS to host and manage Web pages on the
    Internet or on their intranet.
ASP.NET Architecture Integrating with IIS

As the illustration shows, all Web clients communicate with ASP.NET applications through
    Microsoft Internet Information Services (IIS).

   IIS authenticates callers and creates a Windows access token for the caller. Through the IIS
    configuration manager found under Administrative Tools, IIS permits authentication control
    to be applied to individual files and directories. A given file or directory can be configured to
    allow anonymous access (access by unauthenticated users), authenticated access, or both.
IIS and ASP.NET Processing

   If anonymous access is enabled within IIS, then a Windows access token for the
    anonymous Internet user account (typically, IUSR_MACHINE) is created by IIS where
    machine is the Web server's machine name. IUSR_machinename is a special account that's
    created when IIS is installed. [1- Administrative tools-> Computer management -> Users]

                  Figure 1. IIS and ASP.NET communication
    Figure 1. IIS passes the Windows access token to the ASP.NET worker process. The
    ASP.NET Windows authentication module uses this to construct a WindowsPrincipal
    object and the ASP.NET File authorization module uses it to perform Windows access
    checks to ensure the caller is authorized to access the requested file.
IIS and .Net security

   IIS is not installed by default on the operating systems in the Windows Server 2003 family.
    Administrators must explicitly select and install IIS.

    IIS installs by default in a locked-down state, capable of serving only static content. Using
    the Web Service Extensions node, Web site administrators can Configuring IIS For Dynamic
    Content IIS functionality based on the individual needs of their organization.

    IIS security features include the following security-related tasks:
    •Authentication in IIS 6.0 [2- Example -> Presentation (Virtual Directory)]
       Anonymous Authentication
       Basic Authentication
       Integrated Windows Authentication
       .NET Passport Authentication
       Digest Authentication
•Auditing in IIS 6.0 [3 – Event Log]
   Once IIS logging is enabled, you can configure how and when log files are created and

•Access Control : It supports two forms of authorization:

 ACL authorization (also known as file authorization): It checks the access control list (ACL) of
the .aspx or .asmx handler file to determine whether a user should have access to the file.
 ACL Default permissions –
Location Access               type       Account     Comments
>>%SystemRoot%\System32          Read      Process      Contains system DLLs loaded by the .NET Framework.
>>Web application directory      Read      Process     This is the location for application files.
>>Web directory\App_Data        Read/write Process     This is the default location for data files in an ASP.NET Web
URL authorization :With URL authorization, you explicitly allow or deny access to a particular
directory by user name or role. To do so, you create an authorization section in the
configuration file for that directory.

  <allow users="Kim"/>
  <allow roles="Admins"/>
  <deny users="John"/>
  <deny users=“*"/>

•Certificates [4 – IIS Directory Security]
•Each Web site can have only one server certificate assigned to it.
•One certificate can be assigned to multiple Web sites.
ASP.NET Authentication:

ASP.NET implements additional authentication schemes using authentication providers, which
are separate from and apply only after the IIS authentication schemes. ASP.NET supports the
following authentication providers:
    Windows (default)
    Forms
    Passport
    None

To enable an authentication provider for an ASP.NET application, use the authentication element
     in either machine.config or Web.config as follows:
<!-- mode=[Windows|Forms|Passport|None] -->
<authentication mode="Windows" />
The security section of a Web.config file is organized as follows.

<authentication mode="[Windows|Forms|Passport|None]">
<forms name="[name]"
       timeout="[minutes]" requireSSL="[true|false]“
      slidingExpiration="[true|false]"> <credentials passwordFormat="[Clear|MD5|SHA1]">
     <user name="[UserName]" password="[password]"/> </credentials> </forms> <passport

  <allow users="[comma separated list of users]“
         roles="[comma separated list of roles]"/>
   <deny users="[comma separated list of users]“
          roles="[comma separated list of roles]"/>
<identity impersonate ="[true|false]“

<trust level="[Full|High|Medium|Low|Minimal]"

  <trustLevel name="Full" policyFile="internal"/>
  <trustLevel name="High" policyFile="web_hightrust.config"/>
  <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
  <trustLevel name="Low" policyFile="web_lowtrust.config"/>
  <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
Authentication providers:

   Windows (default)
   Authenticates using Windows accounts, so you do not need to write any custom
    authentication code.
   May require the use and management of individual Windows user accounts.

   Forms
   Makes it possible for custom authentication schemes using arbitrary criteria.
   Does not require corresponding Windows accounts.
   Is only applicable for resources mapped to Aspnet_isapi.dll.
      Passport
      Supports single sign-in across multiple domains.
      Compatible with all browsers.
      Places an external dependency for the authentication process.

      None
      Offers total control of the authentication process providing the greatest flexibility.
      Provides the highest performance if you do not implement an authentication method.
      Requires extra work to custom-build an authentication scheme.

          Create a .Net web application
          Create a virtual directory
          Authentication and access control

                            Basic Authentication
Integrated Authentication

          Domain Restrictions
          Grant Permissions
          Event Logs
          Server Certificates
          Connections to the webpage

   Installing IIS : http://adamv.com/dev/articles/iis-on-xp-home

   IIS and .Net Security reference:

   IIS 6.0 Reference :

   Complete reference - IIS security features:
Questions ??????

Shared By: