Developing Secure Web Sites with ASP.NET and IIS: Part I
Introduction

Developing security for a site is like paying tax. You know it has to be done at the end of the financial year, but you leave it until last and sometimes hope you will never have to do it at all. Building a web site is a similar situation. Some web sites are available to the general public and can be accessed by anyone; the security for these sites can be minimal or none at all. Other web sites publish and hold important information that has to be secured one way or another.

Understanding Web Security

Sites that are freely available to the general public do not require special protection beyond what the web server provides. Some sites require a login before use, or require an account in a Windows domain to access the site. These kinds of sites need some form of application-level security to identify authorized users, and ASP.NET supports application-level security. The next step is to make sure that authorized users have access to the resources they require. ASP.NET works with IIS and the Windows security subsystem to provide a solid foundation for secure web sites. A web server identifies a valid user through authentication; once a user is identified, authorization determines the resources that particular user can access.

Authentication

Authentication is the act of validating a client's identity. In a distributed application environment, the ability to confirm that someone is who they claim to be is critical; it is the starting point for granting access to vital resources in the site. Generally this is done by the user providing some kind of evidence, known as credentials. Typically, credentials consist of a username and a password. Both Internet Information Server (IIS) and ASP.NET provide several authentication schemes. ASP.NET supports four kinds of authentication:

  1. Windows Authentication
  2. Passport Authentication
  3. Form Authentication
  4. None

When implementing a site, we can select from the four authentication mechanisms above.

IIS provides the following authentication schemes:

  1. Anonymous
  2. Basic
  3. Digest
  4. Integrated Windows authentication
  5. Client Certificate Mapping

1. Windows Authentication

Every time you create an ASP.NET Web application or Web service, the default authentication model is Windows Authentication. To make use of Windows Authentication, the Web.config file needs to be configured as below:

<configuration>
<system.web>
<authentication mode="Windows" />
</system.web>
</configuration>

The Windows authentication provider relies on Internet Information Server (IIS) to perform the required authentication for a user. After the user is authenticated, IIS passes a security token to ASP.NET. There are several ways to use Windows authentication: Basic Authentication, Digest Authentication, Integrated Windows Authentication (NTLM/Kerberos) or X.509 Client Certificates. To use any of these options the user needs a valid account in a Windows domain or within Active Directory.

To use Windows Authentication, you need to configure IIS to turn off anonymous access; allowing anonymous access is the default. It can be done as shown below.

Click Start > Run and type inetmgr. This opens the Internet Information Services window. Expand Default Web Site and navigate to the virtual directory of interest. Select either the whole virtual directory (which covers all of its files) or the particular file (.aspx, .asmx), right-click it, and select Properties > Directory Security (Figure 1).

Figure 1

Under Anonymous access and authentication control, click the Edit button. The Authentication Methods dialog box is displayed as shown in Figure 2.

Figure 2

Use the Authentication Methods dialog box to configure how a user can access the virtual directory or files. To pass the user's credentials via HTTP headers, you can use Basic authentication or Digest authentication.

Anonymous Authentication

Anonymous authentication is perfect for public sites that do not need to identify their users. The user does not need to pass a username and a password to the server to access the information. In this scenario all users have access to the site and there are no restrictions on users. When anonymous authentication is used, the application thread runs under one of the following:

  1. The anonymous Internet account IUSR_MACHINENAME
  2. An account configured in IIS for anonymous users
  3. The IIS system account

This mechanism is not suitable if users need to be restricted from accessing resources on the basis of their credentials.

To implement Anonymous authentication, select Anonymous access in the Authentication Methods window in IIS (a sample of the Authentication Methods window is displayed in Figure 2). At the same time, configure ASP.NET through the Web.config file to use Windows authentication as shown below.

<configuration>
<system.web>
<authentication mode="Windows" />
</system.web>
</configuration>

Basic Authentication

Basic authentication is an HTTP standard. The username and password pass through the channel in clear text, encoded with base64; this encoding is reversible by anyone who sees it and uses no secret key. IIS checks the user name and password against an account on the web server and produces an access token.

This token is used to perform an ACL-based security check. When a user tries to access a file or directory that allows Basic authentication without being authorized, an error message with a 401 status code is returned, indicating that authentication is required. It works with virtually all browsers and works well through firewalls.

The downside is that when an unencrypted channel is used to gain access to the server, there is nothing to prevent the request from being intercepted. Because of this, the credentials should be passed over a secure channel using SSL to make them less vulnerable to interception.

To implement Basic authentication, select Basic Authentication in the Authentication Methods window in IIS. Users must also have the "log on locally" privilege on the web server (a sample of the Authentication Methods window is displayed in Figure 2). Configure ASP.NET through the Web.config file to use Windows authentication as shown below.

<configuration>
<system.web>
<authentication mode="Windows" />
</system.web>
</configuration>

A dialog box is displayed to enter credentials when the user tries to access the protected site.

Figure 3

The user gets access to the resources if he/she is authenticated. Otherwise the following error message is displayed.

Figure 4

Digest Authentication
 
This is somewhat similar to Basic authentication. When a user tries to access a file or directory protected by Digest authentication, a pop-up dialog box asks for the user name and the password. The credentials the user enters then assign an identity to the request. The biggest difference between Basic and Digest is that Digest does not transmit the credentials in clear text; it transmits them in a cryptographically secure way. The advantage is that you can use it over an unencrypted channel.

When the user enters the user name and password in the dialog box, the user name is transmitted to the server together with a hash, or "digest", computed from the combined user name, password and nonce. The server then creates its own hash from the user name, password and nonce and compares the two. The password the server uses does not come from the user; it is the one stored on the server side for that particular user name. If the two hashes match, the user is authenticated and granted permission to the requested resources. Digest is also compatible with proxy servers and works through firewalls.
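To make the Basic versus Digest contrast above concrete, here is an added Python example (not code from the article, nor from ASP.NET or IIS) that builds and decodes a Basic header and then performs the Digest hash exchange in its simplest RFC 2069 form, with the server recomputing the digest from its stored password. The account, realm, nonce and URI are constructed values.

```python
import base64
import hashlib
import hmac

# Constructed sample account, standing in for the account IIS would look up.
STORED_ACCOUNTS = {"alice": "s3cret-pass"}
REALM = "intranet"


def basic_header(username, password):
    """What a browser sends for Basic authentication: base64 of user:pass."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def basic_credentials_from_header(header):
    """Anyone who sees the header on an unencrypted channel recovers the
    password: base64 is an encoding, not encryption, and involves no key."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, password, realm, nonce, method, uri):
    """Client side of Digest (RFC 2069 form, no qop):
    HA1 = MD5(user:realm:pass), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:HA2). Only the response crosses the wire."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def server_verify_digest(username, realm, nonce, method, uri, response):
    """Server side: recompute the digest from the password stored for that
    user name (never from anything the client sent) and compare the two."""
    stored_password = STORED_ACCOUNTS.get(username)
    if stored_password is None:
        return False
    expected = digest_response(username, stored_password, realm, nonce, method, uri)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    hdr = basic_header("alice", "s3cret-pass")
    print(hdr, "->", basic_credentials_from_header(hdr))
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed server nonce
    uri = "/secure/default.aspx"
    resp = digest_response("alice", "s3cret-pass", REALM, nonce, "GET", uri)
    print("digest verified:", server_verify_digest("alice", REALM, nonce, "GET", uri, resp))
```

Because the nonce is part of the hash, a captured Digest response is only valid for the nonce the server issued, whereas a captured Basic header is reusable as-is.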

To use Digest authentication the user needs Internet Explorer 5.0 or higher. It does not support delegation on Windows 2000 Server. Because of these limitations it is not widely used.

To implement Digest authentication, select Digest Authentication for Windows domain servers in the Authentication Methods window in IIS (a sample of the Authentication Methods window is displayed in Figure 2). Configure ASP.NET through the Web.config file to use Windows authentication as shown below.

<configuration>
<system.web>
<authentication mode="Windows" />
</system.web>
</configuration>

A dialog box is displayed to enter credentials when the user tries to access the protected site.

Figure 5

The user gets access to the resources if he/she is authenticated. Otherwise an error message is displayed as shown in Figure 4.

Integrated Windows Authentication

Integrated Windows Authentication authenticates a user against a Windows NT Domain or Active Directory account. This mechanism is very secure because the password, even in encrypted form, is not sent across the network as it is in Basic or Digest authentication. It uses either NT LAN Manager (NTLM) or Kerberos authentication.

This authentication is much more suitable for an intranet environment that runs behind a firewall. The scheme is not suitable for the Internet because it only supports Windows clients. Also, if user account details are stored in an external database rather than in a Windows NT domain or Active Directory, this mechanism should not be used for security reasons.

To implement Integrated Windows authentication, select Integrated Windows Authentication in the Authentication Methods window in IIS (a sample of the Authentication Methods window is displayed in Figure 2). Configure ASP.NET through the Web.config file to use Windows authentication as shown below.

<configuration>
<system.web>
<authentication mode="Windows" />
</system.web>
</configuration>

Client Certificate Mapping

A certificate is a digital key on the user's computer. When the user accesses a resource on the server, this key is automatically passed in for authentication; the user does not have to enter a username and password. This makes it an attractive option for automated business processes. Client certificates can be mapped to Windows accounts or to Active Directory. Developers can also implement custom authentication in ASP.NET by using a unique field, such as the email address, contained within the certificate.

You need to physically deploy the client certificate to the client machine, and issuing and managing client certificates can be expensive. These are some of the issues that prevent this authentication method from being used widely.

An individual user can be authenticated by one-to-one mapping, where a certificate is mapped to an individual account. There is no limit on the number of one-to-one mappings if Active Directory mapping is used. Many-to-many mapping can be used to authenticate all of the users from a particular group or organization.

2. Passport Authentication

Passport authentication is a centralized authentication mechanism provided by Microsoft. It uses a cookie mechanism and supports single sign-on across multiple domains, so users can access many Passport-supported sites with a single sign-on. Because of this, the user does not have to input their credentials again and again to access different Passport-supported sites. Developers do not need to create their own login pages or manage user names and passwords; they simply forward users to the Microsoft Passport site for authentication if they have not authenticated already. When the user is authenticated, the user is assigned a cookie, which is passed to the rest of the Passport-supported sites to gain access without having to enter any credentials.

If you are not interested in maintaining your own user name and password database, and your site will be used together with other Passport-supported sites, Passport authentication will be perfect for you. Using SSL with Passport authentication makes it more secure.

To implement Passport authentication you need to install the Passport SDK on your server and register with Microsoft Passport to access their service. At the same time, configure the web.config file as shown below.

<configuration>
<system.web>
<authentication mode="Passport" />
</system.web>
</configuration>

3. Form Authentication

The user passes username and password details directly to the application over HTTP. If the user is authenticated, he/she is assigned a cookie that grants access to protected resources. If authentication fails, he/she is redirected to the login page to enter their username and password. The credentials used for authentication can be stored in a number of ways, e.g. in the configuration file, an XML file or a SQL database. The main advantage is that it does not need a Windows account for authentication. To make it more secure, use SSL when passing the credentials.

To implement Form authentication, the developers have to create their own login pages and manage usernames and passwords. IIS needs to be configured to allow Anonymous Authentication. At the same time, configure the web.config file as shown below.

<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx">
</forms>
</authentication>
</system.web>
</configuration>

I won't be going into much detail about Form Authentication because I am planning to publish an article about Form Authentication in the near future.

4. None (Custom Authentication)

This allows you to develop custom authentication mechanisms, for example creating your own authentication scheme. It offers total control of the authentication process and great flexibility, but it requires extra work to implement a custom authentication scheme.

To implement no authentication, or to build your own, configure the Web.config file as shown below:

<configuration>
<system.web>
<authentication mode="None" />
</system.web>
</configuration>

Not implementing any authentication process also improves performance.

Conclusion

I hope the details above help you to understand the ASP.NET authentication mechanisms. It is just a drop in the whole ocean of ASP.NET security.


About the author
 
Gayan Peiris
Gayan Peiris is an ASP.NET Developer for the Department of Employment and Workplace Relations in Canberra, Australia. He has designed and developed Microsoft Web and Windows solutions since 1999. His expertise lies in developing scalable, high-performance web and Windows solutions. His core skills are ADO.NET, ASP.NET, C#, VB.NET, Web Services, XML, IBuySpy Portals, DNA and SQL Server.