Developing Secure Web Sites with ASP.NET and IIS: Part I

Introduction

Adding security to a site is a bit like paying tax: you know it has to be done by the end of the financial year, but you leave it until last and sometimes hope you will never have to do it at all. Building a web site is similar. Some sites are open to the general public and can be accessed by anyone; the security for these can be minimal or none at all. Other sites publish or hold sensitive information and must be secured one way or another.

Understanding Web Security

Sites that are freely available to the general public need no special protection beyond what the web server already provides. Other sites require a login, or an account in a Windows domain, before they can be used. These sites need application-level security to identify authorized users, and ASP.NET supports it. The next step is to make sure that authorized users can reach only the resources they are entitled to. ASP.NET works together with IIS and the Windows security subsystem to provide a solid foundation for secure web sites. The web server identifies a valid user through authentication; once the user is identified, authorization determines which resources that user can access.

Authentication

Authentication is the act of validating a client's identity. In a distributed application the ability to verify that someone is who they claim to be is critical, because it is the starting point for granting access to the site's resources. The user proves identity by presenting some form of evidence, known as credentials; typically a username and a password. Both Internet Information Server (IIS) and ASP.NET provide several authentication schemes. ASP.NET supports four authentication modes, selected with the mode attribute of the <authentication> element in Web.config:

  1. Windows Authentication
  2. Passport Authentication
  3. Forms Authentication
  4. None

When implementing a site, you select one of these four modes.

IIS provides the following authentication schemes:

  1. Anonymous
  2. Basic
  3. Digest
  4. Integrated Windows authentication
  5. Client Certificate Mapping

1. Windows Authentication

Every new ASP.NET Web application or Web service uses Windows authentication by default. To use it explicitly, configure Web.config as below:

<configuration>
  <system.web>
    <authentication mode="Windows" />
  </system.web>
</configuration>

The Windows authentication provider relies on IIS to authenticate the user. Once IIS has authenticated the user, it passes the resulting Windows security token to ASP.NET, which uses it for the request. Under the Windows mode any of the IIS schemes can be used: Basic authentication, Digest authentication, Integrated Windows authentication (NTLM or Kerberos) or X.509 client certificates. For all of them the user needs a valid account in a Windows domain or in Active Directory (or a local account on the web server).

To require Windows authentication you must turn off anonymous access in IIS, because allowing anonymous access is the default. This is done as shown below.

Click Start > Run and type inetmgr. This opens the Internet Information Services window. Expand Default Web Site and navigate to the virtual directory of interest. Select the virtual directory (which covers all the files in it) or a particular file (.aspx, .asmx), right-click it and select Properties > Directory Security (Figure 1).

DecSecWebStImg1.jpg

Figure 1

Under Anonymous access and authentication control, click the Edit button. The Authentication Methods dialog box is displayed, as shown in Figure 2.

DecSecWebStImg2.jpg

Figure 2

Use the Authentication Methods dialog box to configure how users can access the virtual directory or files. To pass the user's credentials in HTTP headers, use Basic authentication or Digest authentication.

Anonymous Authentication

Anonymous authentication suits public sites that do not need to identify their users. The user does not send a username or password to the server, every visitor gets the same access, and there are no per-user restrictions. With anonymous authentication the request runs under one of the following identities:

  1. The anonymous Internet account IUSR_MACHINENAME
  2. An account configured in IIS for anonymous users
  3. The IIS system account

Whichever account it is, it should be a low-privileged one: the anonymous identity is what every unauthenticated visitor runs as, so its NTFS permissions define what the public can reach. This mechanism is not suitable when users must be restricted from resources on the basis of their credentials.

To implement anonymous authentication, select Anonymous access in the Authentication Methods window in IIS (a sample of the Authentication Methods window is shown in Figure 2). At the same time, configure ASP.NET in Web.config to use Windows authentication as shown below.

<configuration>
  <system.web>
    <authentication mode="Windows" />
  </system.web>
</configuration>

Basic Authentication

Basic authentication is an HTTP standard. The username and password are sent over the channel in clear text: they are only base64 encoded, which anyone can reverse, and no secret key is involved. IIS checks the username and password against an account on the web server (or in the domain) and produces an access token for that user.

This token is then used for ACL-based security checks on the files and directories requested. When a user tries to access a file or directory protected by Basic authentication without credentials, the server responds with a 401 status code and a WWW-Authenticate header indicating that authentication is required. Basic authentication works with virtually all browsers and passes through firewalls and proxies without trouble.

The downside is that over an unencrypted channel nothing prevents the request, and with it the password, from being intercepted; the browser also resends the credentials with every request to the protected area. Because of this, Basic authentication should only be used over SSL, so that the credentials are protected in transit.

To implement Basic authentication, select Basic Authentication in the Authentication Methods window in IIS (a sample of the Authentication Methods window is shown in Figure 2). The users must also have the "Log on locally" right on the web server. Configure ASP.NET in Web.config to use Windows authentication as shown below.

<configuration>
  <system.web>
    <authentication mode="Windows" />
  </system.web>
</configuration>

A dialog box asking for credentials is displayed when a user tries to access the protected site.

DecSecWebStImg3.jpg

Figure 3

The user gets access to the resources if authentication succeeds. Otherwise the following error message is displayed.

DecSecWebStImg4.jpg

Figure 4

Digest Authentication
 
Digest authentication is similar to Basic authentication. When a user tries to access a file or directory protected by Digest authentication, a dialog box asks for the username and password, and the credentials entered are used to assign an identity to the request. The big difference is that Digest does not transmit the password in clear text: it sends a hash ("digest") computed from the credentials and a server-supplied nonce, so the password cannot simply be read off the wire. This makes Digest usable over an unencrypted channel, with two caveats: an eavesdropper who captures the digest can still mount an offline dictionary attack against a weak password, and the rest of the request and response remain unencrypted.

When the user enters the username and password, the browser sends the username together with a hash computed from the username, realm, password, the nonce, and the request method and URI (the exact inputs are defined in RFC 2617). The server computes the same hash using the password it holds for that username, not anything supplied by the client, and compares the two. For this to work the server must have the password, or a hash of it in the same form, available: in a Windows domain this means the account must store its password with reversible encryption, or Advanced Digest must be used. If the hashes match, the user is authenticated and granted access to the requested resource. Because the nonce is bound into the hash, a captured digest cannot be replayed once the nonce has expired. Digest authentication is compatible with proxy servers and works through firewalls.
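As an added example, not part of the original article, the following Python script shows the server side of both header-based schemes described above (Basic and Digest): it parses an Authorization header, checks Basic credentials against a cleartext password and Digest credentials against a stored HA1 hash, and returns the 200/401 outcome. The realm, account, password and nonce values are constructed for the example, the STORE dictionary stands in for the Windows account database, and the Digest computation is the simpler RFC 2617 form without qop (browsers and IIS normally negotiate qop="auth", which adds cnonce and nc to the hash).

```python
import base64
import hashlib
import hmac
import re

# Constructed example values: realm, account and nonce are made up for this demo.
REALM = "example.local"


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); the only thing a Digest server needs to keep."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


# Stand-in for the Windows account database. Basic needs the cleartext password
# (IIS takes it from the header and asks Windows to log the user on); Digest can
# work from HA1 alone, which is why Windows must hold the password reversibly.
STORE = {
    "alice": {"password": "S3cret!", "ha1": ha1("alice", REALM, "S3cret!")},
}


def build_basic(user: str, password: str) -> str:
    """What the browser sends for Basic: base64 of user:password, nothing more."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(param: str):
    """Decode a Basic parameter to (user, password), or None if malformed."""
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def digest_response(h1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{h1}:{nonce}:{ha2}".encode()).hexdigest()


def build_digest(user: str, password: str, method: str, uri: str, nonce: str) -> str:
    """What the browser sends for Digest: the hash, never the password."""
    resp = digest_response(ha1(user, REALM, password), method, uri, nonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def parse_digest(param: str) -> dict:
    """Split key="value" / key=token pairs of a Digest parameter into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', param)}


def verify(auth_header, method: str, uri: str, current_nonce: str):
    """Server-side check. Returns (status, username): 200 on success, else 401."""
    if not auth_header:
        return 401, None                       # no credentials: challenge the client
    scheme, _, param = auth_header.partition(" ")
    scheme = scheme.lower()

    if scheme == "basic":
        creds = parse_basic(param.strip())
        if creds is None:
            return 401, None
        user, password = creds                 # the server (and the wire) sees the password
        rec = STORE.get(user)
        if rec and hmac.compare_digest(rec["password"].encode(), password.encode()):
            return 200, user
        return 401, None

    if scheme == "digest":
        p = parse_digest(param)
        rec = STORE.get(p.get("username", ""))
        if not rec or p.get("realm") != REALM or p.get("uri") != uri:
            return 401, None                   # wrong realm or URI: reject before hashing
        if p.get("nonce") != current_nonce:
            return 401, None                   # stale or replayed nonce
        expected = digest_response(rec["ha1"], method, uri, p["nonce"])
        if hmac.compare_digest(expected.encode(), p.get("response", "").encode()):
            return 200, p["username"]
        return 401, None

    return 401, None                           # unknown scheme


if __name__ == "__main__":
    uri, nonce = "/secure/default.aspx", "dcd98b7102dd2f0e"
    basic = build_basic("alice", "S3cret!")
    print(basic, "->", parse_basic(basic.split(" ", 1)[1]))   # password recoverable
    digest = build_digest("alice", "S3cret!", "GET", uri, nonce)
    print(digest)                                               # no password present
    print(verify(basic, "GET", uri, nonce), verify(digest, "GET", uri, nonce))
    print(verify(digest, "GET", uri, "otherNonce"))            # replay with a new nonce fails
```

Running the script shows the practical difference: the Basic header decodes straight back to the password, while the Digest header contains only a hash that is bound to the method, URI and nonce, so the same captured header is rejected for a different URI, a different method, or once the server has moved on to a new nonce.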

Digest authentication needs a browser that supports it (Internet Explorer 5.0 or later at the time of writing), and the web server must be a member of a Windows domain. It does not support delegation on Windows 2000 Server. These limitations mean it is not widely used.

To implement Digest authentication, select Digest authentication for Windows domain servers in the Authentication Methods window in IIS (a sample of the Authentication Methods window is shown in Figure 2). Configure ASP.NET in Web.config to use Windows authentication as shown below.

<configuration>
  <system.web>
    <authentication mode="Windows" />
  </system.web>
</configuration>

A dialog box asking for credentials is displayed when a user tries to access the protected site.

DecSecWebStImg5.jpg

Figure 5

The user gets access to the resources if authentication succeeds. Otherwise an error message is displayed as shown in Figure 4.

Integrated Windows Authentication

Integrated Windows authentication authenticates the user against a Windows NT domain or Active Directory account. It uses either NT LAN Manager (NTLM) or Kerberos. It is more secure than Basic or Digest because the password is never sent across the network at all: with NTLM the client proves knowledge of the password by answering a server challenge, and with Kerberos it presents a ticket obtained from the domain controller.

This scheme is best suited to an intranet behind a firewall. It is not suitable for the Internet because only Windows clients (Internet Explorer) support it, and NTLM in particular does not work through most HTTP proxies. If the user account details are held in an external database rather than in a Windows NT domain or Active Directory, this mechanism cannot be used, since IIS has no way to check the credentials.

To implement Integrated Windows authentication, select Integrated Windows Authentication in the Authentication Methods window in IIS (a sample of the Authentication Methods window is shown in Figure 2). Configure ASP.NET in Web.config to use Windows authentication as shown below.

<configuration>
  <system.web>
    <authentication mode="Windows" />
  </system.web>
</configuration>

Client Certificate Mapping

A client certificate is an X.509 certificate, issued by a certification authority, that binds a public key to the user's identity; the matching private key is held on the user's computer. When the user requests a resource, the browser presents the certificate and proves possession of the private key during the SSL handshake, so the user does not have to enter a username and password. This makes client certificates attractive for automated business processes. Client certificates can be mapped to Windows accounts or to Active Directory accounts, and a developer can also implement custom authentication in ASP.NET by using a unique field in the certificate, such as the e-mail address, as the user identity.

The client certificate has to be deployed to each client machine, and issuing and managing client certificates is expensive. These issues have limited the use of this authentication method.

An individual user is authenticated by one-to-one mapping, where a certificate is mapped to an individual account. Many-to-one mapping authenticates all users whose certificates match a rule, for example all certificates issued by a particular CA or for a particular organization, as a single Windows account. With Active Directory mapping the mapping is held in the directory itself, and there is no practical limit on the number of one-to-one mappings.

2. Passport Authentication

Passport authentication is a centralized authentication service provided by Microsoft. It is cookie based and supports single sign-on across multiple domains: once a user has signed in, they can access any Passport-enabled site without entering their credentials again. Developers do not have to create login pages or manage usernames and passwords; they simply redirect users who are not yet authenticated to the Microsoft Passport site. When the user is authenticated there, Passport issues a cookie, and that cookie is presented to the other Passport-enabled sites to gain access without entering credentials again.

If you do not want to maintain your own database of usernames and passwords, and your site will be used alongside other Passport-enabled sites, Passport authentication fits well. Using SSL with Passport authentication protects the cookie in transit.

To implement Passport authentication you need to install the Passport SDK on your server and register with Microsoft Passport for the service. At the same time, configure Web.config as shown below.

<configuration>
  <system.web>
    <authentication mode="Passport" />
  </system.web>
</configuration>

3. Forms Authentication

The user sends the username and password directly to the application over HTTP, normally through a login form posted to the application. If authentication succeeds, the user is issued an authentication cookie that grants access to the protected resources on later requests; if it fails, or if an unauthenticated user requests a protected page, ASP.NET redirects to the login page. The application can store the credentials it checks against in several ways, for example in the configuration file, in an XML file or in a SQL database. The main advantage is that no Windows account is needed. Since the credentials travel in the clear in the form post, use SSL at least for the login page.

To implement Forms authentication the developer has to create the login page and manage the usernames and passwords. IIS must be configured to allow anonymous access, so that the request reaches ASP.NET and is handled by the Forms provider. Note that the <authentication> element only selects the provider; to actually require a login you must also deny anonymous users with an <authorization> element for the protected pages. At the same time, configure Web.config as shown below.

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
  </system.web>
</configuration>

I won't go into much detail about Forms authentication because I am planning to publish an article about it in the near future.

4. None (Custom Authentication)

This mode lets you develop your own custom authentication mechanism, for example your own authentication scheme. It offers total control of the authentication process and great flexibility, but it requires extra work to implement a custom scheme and to get it right.

To use no authentication, or to build your own, configure Web.config as shown below:

<configuration>
  <system.web>
    <authentication mode="None" />
  </system.web>
</configuration>

Not running any authentication also improves performance, at the cost of having no identity associated with the request.

Conclusion

I hope the details above help you understand the ASP.NET authentication mechanisms. They are only a drop in the ocean of ASP.NET security.