
Module 11: Securing a Microsoft ASP.NET Web Application

Overview
Web Application Security Overview
Windows-Based Authentication
Forms-Based Authentication
Microsoft Passport Authentication

Lesson: Web Application Security Overview


Authentication vs. Authorization
What Are ASP.NET Authentication Methods?
Multimedia: ASP.NET Authentication Methods
Comparing the ASP.NET Authentication Methods
What Are the IIS Authentication Mechanisms?

Authentication vs. Authorization


Authentication
Accepts credentials from a user
Validates the credentials
(Authentication is the process of obtaining identification credentials, such as a name and password, from a user and validating those credentials against some authority, such as a database. If the credentials are valid, the entity that submitted them is considered an authenticated identity.)

Authentication vs. Authorization


Authorization
Given the authentication credentials supplied, determines the right to access a resource
Can be assigned by user name or by role
(After an identity has been authenticated, the authorization process determines whether that identity has access to a specified resource. The authorization process limits access rights by granting or denying specific permissions to an authenticated identity.)

What Are ASP.NET Authentication Methods?


Windows-based authentication
Relies on the Windows operating system and IIS
The user requests a secure Web page and the request goes through IIS
After the credentials are verified by IIS, the secure Web page is returned
Users must have a valid Windows account

What Are ASP.NET Authentication Methods?


Forms-based authentication
Uses a custom ASP.NET page to collect credentials from users
If users attempt to access a page for which they are not authorized, they are automatically redirected to the login page
User credentials can be stored in a variety of locations, e.g. Microsoft SQL Server or an Access database

What Are ASP.NET Authentication Methods?


Microsoft Passport authentication
Centralized authentication service that offers a single logon option
Microsoft Passport is an XML Web service
Users can use their MSN Passport to access your application/site

Multimedia: ASP.NET Authentication Methods

Windows-based Authentication
ASP.NET does not perform the authentication itself; it relies on the Windows operating system.
1. The user requests a secure Web page from the ASP.NET Web application.
2. The request goes through IIS.
3. IIS compares the user's logon credentials with the domain.
4. If the credentials do not match an authorized user, IIS rejects the request.
5. The client computer generates a logon dialog and the user enters the correct credentials.
6. These credentials are again verified by IIS.
7. If the credentials are correct, IIS allows the user to access the Web application and the secure Web page is returned to the user.

Forms-based Authentication
IIS does not perform the authentication; it allows anonymous users through.
1. The client requests a secure Web page.
2. IIS authenticates the request as an anonymous user and passes it to the ASP.NET Web application.
3. ASP.NET checks for a specific cookie on the client.
4. If there is no cookie, ASP.NET rejects the request and returns the logon page.
5. The user supplies the correct logon information.
6. Again, IIS authenticates the request as anonymous and passes it to ASP.NET.
7. This time ASP.NET authenticates the user with the supplied credentials and generates a cookie.
8. The secure page and the cookie are returned to the client.
9. As long as the cookie remains valid, the user can request and view other secure pages using the same credentials.

Passport Authentication
Neither IIS nor ASP.NET performs the authentication.
1. The user requests a secure page and the request is sent to IIS.
2. IIS authenticates the request as an anonymous user and passes it to ASP.NET.
3. ASP.NET checks for a specific cookie; if the cookie is not present, the request is rejected.
4. The user is directed to the Passport.com Web site for authentication.
5. Passport generates the login form, which is sent back to the user.
6. The user provides the appropriate login information and submits it back to the Passport site.
7. If it matches the Passport database, Passport authenticates the user and issues a cookie to the client.
8. The client is redirected to the initially requested page, presenting the cookie to the ASP.NET Web application.
9. IIS authenticates the request as anonymous; ASP.NET authenticates the user by the ticket (cookie) and returns the secure page to the client.

Comparing the ASP.NET Authentication Methods


Method: Windows-based Authentication
Advantages: Uses existing Windows infrastructure; controls access to sensitive information
Disadvantages: Not appropriate for most Internet applications

Method: Forms-based Authentication
Advantages: Good for Internet applications; supports all client types
Disadvantages: Based on cookies

Method: Microsoft Passport Authentication
Advantages: Single sign in for many Internet sites; no need to maintain a database to store user information; allows developers to customize the appearance of the registration page
Disadvantages: Fees involved; based on cookies

What Are the IIS Authentication Mechanisms?


Mechanism: Anonymous
Security Level: None
Description: No authentication occurs

Mechanism: Basic
Security Level: Low (Medium with SSL)
Description: Client sends username and password as clear text; can be encrypted by using SSL; part of the HTTP specification and supported by most browsers

Mechanism: Digest
Security Level: Medium
Description: Sends information as an encoded hash; requires Internet Explorer 5 or later; requires Active Directory

Mechanism: Integrated Windows
Security Level: High
Description: Uses NTLM; generally good for intranets, not the Internet; does not work through most firewalls
