Hardening Security in ASP.NET Applications & Services Rick G. Garibay
Agenda: Identities & Resources; Security Design & Deployment Models; Gatekeepers & Gates; Resource Access Models; Authentication; Authorization; .NET Principals & Identities; Demo - WindowsPrincipal, WindowsIdentity; PrincipalPermissionAttribute; Demo - Implementing Trusted Subsystem Model within the Intranet
About Me: St. Edwards Graduate! U.S. Army Veteran. Microsoft Certified Application Developer - .NET Framework. Microsoft Certified Professional. 7+ years professional experience developing Microsoft solutions for the retail and financial services industry. Architect, Program Manager for ESS, a Microsoft Gold Partner ISV in Phoenix, AZ. Speaker, leadership team Phoenix .NET User Group. Get this deck and code samples at http://
Question What are your design goals? Availability Reliability Scalability Interoperability Performance Security is not optional.
Identities & Resources Who will access resources? Original caller's identity Process identity Service account Custom identity What will your identity access? Files, folders Applications, Services Databases Objects, methods
Security Design & Deployment Models Security begins with good design Authentication Boundary Authorization Boundary
Security Design & Deployment Models Standalone Web/Application Server Model
Security Design & Deployment Models Distributed Web and Application Model
Gatekeepers & Gates

Gatekeeper                   Gates
Windows operating system     Logon rights; local & domain policies; Windows ACLs; TCP/IP filtering; IP Security
IIS                          Authentication (Anonymous, Basic, Digest, Integrated, Certificate); IP address and domain name filtering; Web permissions; NTFS permissions
ASP.NET                      URL Authorization; File Authorization; Principal Permission demands; .NET roles
Enterprise Services (COM+)   Windows (NTLM / Kerberos) authentication; Enterprise Services (COM+) roles; impersonation levels
Web Services                 Uses the gates provided by IIS and ASP.NET
Remoting                     Uses the gates provided by the host: if hosted in ASP.NET it uses the gates provided by IIS and ASP.NET; if hosted in a Windows service, you must develop a custom solution
ADO.NET                      Connection strings: credentials may be explicit (SQL Server authentication) or you may use Windows authentication (Trusted_Connection / Integrated Security=SSPI)
SQL Server                   Server logins; database logins; database object permissions
Resource Access Models - Impersonation & Delegation Impersonation: the Win32 thread takes on the identity of the caller (or of a configured account) instead of the process identity; WindowsIdentity.GetCurrent() then returns the impersonated identity. Delegation: take the impersonated identity of the client and flow it downstream to another server (a second network hop). Pros: Provides very tight control of resources. Facilitates granular auditing, because each downstream resource manager sees the real caller. Impersonation is easy to implement. Cons: Can introduce severe maintenance overhead (every caller needs rights on every resource). Delegation is not trivial to implement; it needs a delegatable token (Kerberos with delegation configured), which NTLM never provides. Significant scalability impacts can arise, because connection pooling works per identity.
Resource Access Models - Trusted Subsystem Model Authenticate users. Map users to roles. Authorize based on role membership. Access the downstream resource manager using a fixed trusted identity. Pros: Very scalable (one identity means one shared connection pool). Minimal administrative effort to maintain. Users never have direct access to the downstream resources. Cons: Limited auditing at the resource manager, which only ever sees the trusted identity, so the application must audit on its own. Risk of farther-reaching consequences in the event of a breach: compromising the trusted identity exposes everything it can reach, for every user.
Authentication What is authentication? ASP.NET Authentication Modes: Windows, Forms, Passport, None. Configured in web.config:

    <system.web>
      <authentication mode="Windows"/>
      <identity impersonate="false"/>  <!-- default: requests run as the worker process account -->
    </system.web>
Authentication Windows Mode Windows Authentication Mechanisms Basic Digest Integrated Windows Authentication Certificate Anonymous
Authentication ASP.NET Authentication Modes Forms: very extensible (you own the credential store and the login page). Passport: single sign-on; limited implementations. None: ASP.NET performs no authentication of its own; IIS authentication and NTFS permissions still apply regardless of this setting.
ASP.NET Authentication Considerations

Authentication Type                       IE Required
Forms                                     No
Passport                                  No
Integrated Windows (Kerberos or NTLM)     Yes
Basic                                     No
Digest                                    Yes
Certificate                               No

More ASP.NET Authentication Considerations

Authentication Type    Supports Delegation
Anonymous              Depends (note 1)
Basic                  Yes (note 2)
Digest                 No
Integrated Windows     Depends (note 3)
Client Certificates    Depends (note 4)

Notes:
1. If the anonymous account (by default IUSR_MACHINE) is configured in IIS as a local account, it cannot be delegated unless the local (Web server) and remote computer have identical local accounts (with matching usernames and passwords). If the anonymous account is a domain account it can be delegated.
2. If Basic authentication is used with local accounts, it can be delegated if the local accounts on the local and remote computers are identical. Domain accounts can also be delegated.
3. Integrated Windows authentication results in either NTLM or Kerberos (depending upon the version of the operating system on the client and server computers). NTLM does not support delegation. Kerberos supports delegation with a suitably configured environment.
4. Can be delegated if used with IIS certificate mapping and the certificate is mapped to a local account that is duplicated on the remote computer, or is mapped to a domain account. This works because the credentials for the mapped account are stored on the local server and are used to create an Interactive logon session (which has network credentials). Active Directory certificate mapping does not support delegation.
Identity Matrix 1 IIS Anonymous Authentication
Identity Matrix IIS Windows Integrated Authentication
Authorization What is authorization? Authorization Strategies Role-based (intra-application or process): operations such as viewing a web page or enabling a button. Class or method level using the System.Security.Permissions.PrincipalPermissionAttribute attribute; the runtime checks Thread.CurrentPrincipal before the method body runs and throws SecurityException if the demand fails:

    [PrincipalPermission(SecurityAction.Demand, Authenticated = true, Role = @"Domain\HRGeneralists")]
    public bool IncreaseSalary(float percentIncrease)
    {
        m_currentSalary += m_currentSalary * percentIncrease;
        return true;
    }
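The following is an added example, not code from the deck, showing the declarative demand above side by side with the imperative form (PrincipalPermission.Demand()) and what happens when the caller lacks the role. It installs an application-defined GenericPrincipal on the thread so it runs as a console program; the user names, role names and salary figure are made up for the illustration, and declarative PrincipalPermission demands are a .NET Framework feature.

```csharp
// Added example (not from the deck): declarative vs. imperative role demands.
// Assumes a .NET Framework console app; users, roles and amounts are illustrative.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

class Payroll
{
    private float m_currentSalary = 50000f;

    // Declarative: the runtime evaluates Thread.CurrentPrincipal before the body runs.
    // The role string is compared by IPrincipal.IsInRole, so for a WindowsPrincipal
    // it would be a DOMAIN\Group name; for the GenericPrincipal below it is a plain role.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true, Role = "HRGeneralists")]
    public float IncreaseSalary(float percentIncrease)
    {
        m_currentSalary += m_currentSalary * percentIncrease;
        return m_currentSalary;
    }

    // Imperative: identical check, but you can log, branch or fall back before failing.
    public float ViewSalary()
    {
        PrincipalPermission perm = new PrincipalPermission(null, "HRGeneralists");
        perm.Demand(); // throws SecurityException if the principal lacks the role
        return m_currentSalary;
    }
}

class Program
{
    static void RunAs(string user, string[] roles, Action<Payroll> action)
    {
        // In ASP.NET the host sets Thread.CurrentPrincipal from HttpContext.User on
        // every request; a console app has to install a principal itself.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user), roles);
        try
        {
            action(new Payroll());
            Console.WriteLine("{0}: allowed", user);
        }
        catch (SecurityException ex)
        {
            // Both the attribute and Demand() fail the same way.
            Console.WriteLine("{0}: denied ({1})", user, ex.Message);
        }
    }

    static void Main()
    {
        RunAs("alice", new[] { "HRGeneralists" }, p => p.IncreaseSalary(0.05f)); // allowed
        RunAs("bob", new[] { "Developers" }, p => p.IncreaseSalary(0.05f));      // denied
        RunAs("bob", new[] { "Developers" }, p => p.ViewSalary());               // denied
    }
}
```

The declarative form is easy to audit (the rule sits next to the method signature) but is easy to forget on a new overload; the imperative form lets you combine the role check with other conditions. Either way the check is only as good as the principal on the thread, which is why the authentication mode and the principal type (WindowsPrincipal vs. a custom IPrincipal) matter.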
Authorization & Authorization Strategies Resource-based (extra-application or process) NTFS file resources Database resources Business Services (SOAP, Remoting, WCF, etc) Who will access resources? Original caller s identity Process identity Service Account Custom identity
Tying Authentication & Authorization Together

IIS            Authentication: Basic, Digest, Integrated Windows, Certificate, Anonymous.  Authorization: NTFS permissions, IIS permissions.
ASP.NET        Authentication: Windows, Forms, Passport, None.  Authorization: .NET roles, .NET principal.
COM+           Authentication: Windows (SSPI).  Authorization: RPC/COM+ roles, NTFS permissions.
SQL Server     Authentication: Windows (SSPI) or SQL Server authentication.  Authorization: logins, permissions, roles.
Principals IPrincipal Interface (System.Security.Principal)

    public interface IPrincipal
    {
        IIdentity Identity { get; }
        bool IsInRole(string role);
    }

Identities IIdentity Interface (System.Security.Principal)

    public interface IIdentity
    {
        string Name { get; }
        string AuthenticationType { get; }
        bool IsAuthenticated { get; }
    }
System.Security.Principal: Principal & Identity Classes in .NET
Authentication Context

Win32 thread: System.Security.Principal.WindowsIdentity.GetCurrent() returns the Windows token the thread is currently running under (the process account, or the impersonated caller when impersonation is on).

    WindowsIdentity identity = WindowsIdentity.GetCurrent();
    // Access members...

.NET thread: System.Web.HttpContext.User and System.Threading.Thread.CurrentPrincipal. Inside an ASP.NET request the host sets both to the authenticated caller, so the following lines are functionally equivalent:

    string m_username = HttpContext.Current.User.Identity.Name;
    m_username = Thread.CurrentPrincipal.Identity.Name;

    // Always use a safe cast when you need the concrete type; User is only a
    // WindowsPrincipal under <authentication mode="Windows"/>
    WindowsPrincipal principal = HttpContext.Current.User as WindowsPrincipal;
    // Access members...

Slide 25 comment: Rick G. Garibay, 4/27/2006
Demo WindowsPrincipal and WindowsIdentity
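As an added example standing in for the demo (this is not the deck's own demo code), the program below inspects a WindowsIdentity and WindowsPrincipal: name, authentication type, built-in role membership and, most usefully, the token's impersonation level, which is what decides whether the identity can be flowed to a second hop (the "Supports Delegation" column above). It also shows the safe cast from the thread principal and the difference between the Win32 token and the .NET principal. It assumes a .NET Framework console app on Windows; the output depends on the account you run it as.

```csharp
// Added example (not the deck's demo): inspect the current Windows token and principal.
// Assumes a .NET Framework console app running on Windows.
using System;
using System.Security.Principal;
using System.Threading;

static class TokenInspector
{
    public static void Describe(string label, IPrincipal principal)
    {
        Console.WriteLine("== {0}", label);
        // Safe cast: HttpContext.User / Thread.CurrentPrincipal is only a WindowsPrincipal
        // when the app uses Windows authentication; elsewhere it may be a GenericPrincipal
        // or a custom IPrincipal, and a hard cast would throw.
        WindowsPrincipal wp = principal as WindowsPrincipal;
        if (wp == null)
        {
            Console.WriteLine("Not a WindowsPrincipal: {0}",
                principal == null ? "<null>" : principal.GetType().Name);
            return;
        }
        WindowsIdentity id = (WindowsIdentity)wp.Identity;
        Console.WriteLine("Name:               {0}", id.Name);
        Console.WriteLine("AuthenticationType: {0}", id.AuthenticationType); // NTLM, Kerberos, Negotiate...
        Console.WriteLine("IsAuthenticated:    {0}", id.IsAuthenticated);
        Console.WriteLine("IsSystem / IsGuest: {0} / {1}", id.IsSystem, id.IsGuest);
        Console.WriteLine("ImpersonationLevel: {0}", id.ImpersonationLevel);
        Console.WriteLine("Local admin:        {0}", wp.IsInRole(WindowsBuiltInRole.Administrator));
        Console.WriteLine("Delegatable:        {0}", CanDelegate(id));
    }

    // A token can be forwarded to another server (delegation) only when it was created at
    // TokenImpersonationLevel.Delegation. NTLM logons never reach that level; Kerberos does
    // only when the environment is configured for delegation. Check this before designing
    // a second hop around the caller's identity.
    public static bool CanDelegate(WindowsIdentity id)
    {
        return id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    static void Main()
    {
        // Win32 thread identity: the process account, or the impersonated caller if the
        // thread is impersonating. A primary (process) token reports ImpersonationLevel None.
        WindowsIdentity current = WindowsIdentity.GetCurrent();
        Describe("WindowsIdentity.GetCurrent()", new WindowsPrincipal(current));

        // .NET thread principal: in a console app this defaults to an unauthenticated
        // GenericPrincipal, so the safe cast above fails. In ASP.NET the host sets it
        // from HttpContext.User, and with <identity impersonate="false"/> it is the
        // caller while GetCurrent() is still the worker process account.
        Describe("Thread.CurrentPrincipal (default)", Thread.CurrentPrincipal);

        Thread.CurrentPrincipal = new WindowsPrincipal(current);
        Describe("Thread.CurrentPrincipal (assigned)", Thread.CurrentPrincipal);
    }
}
```

The practical check is the last column: if ImpersonationLevel is Impersonation rather than Delegation, a downstream call made under this token will reach the remote server as anonymous, which is the classic "works on one box, fails across two" symptom of an NTLM double hop.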
Implementing Trusted Subsystem Model within the Intranet (diagram: ASP.NET front end, SOAP Web Services, SQL Server, with the trust boundary marked)
Demo - Implementing Trusted Subsystem Model within the Intranet
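As an added example standing in for the demo (this is not the deck's own demo code), the web service below applies the trusted subsystem model from the Resource Access Models slides: it authenticates the caller with Windows authentication, authorizes by role inside the application, and then opens SQL Server under the fixed worker process identity, auditing the real caller itself. A second method shows the impersonation alternative for contrast. The service namespace, SQL Server name, database, table and domain group are assumed for illustration.

```csharp
// Added example (not the deck's demo): trusted subsystem vs. impersonation in an .asmx service.
// Assumes ASP.NET with <authentication mode="Windows"/>, <identity impersonate="false"/>,
// and an assumed server "sqlserver01", database "Payroll", table dbo.Employees and
// domain group CONTOSO\HRGeneralists.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Security.Principal;
using System.Web.Services;

[WebService(Namespace = "http://example.org/payroll")] // assumed namespace
public class PayrollService : WebService
{
    // Trusted identity: no credentials in the string. SQL Server sees the ASP.NET worker
    // process account (grant that account a login and only the rights it needs), so one
    // shared connection pool serves every caller.
    private const string TrustedConnection =
        "Data Source=sqlserver01;Initial Catalog=Payroll;Integrated Security=SSPI;";

    private const string SalaryQuery = "SELECT Salary FROM dbo.Employees WHERE EmployeeId = @id";

    [WebMethod]
    public decimal GetSalary(string employeeId)
    {
        // 1. Authenticate: IIS plus Windows mode populate Context.User; refuse anything else.
        WindowsPrincipal caller = Context.User as WindowsPrincipal;
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows authentication required.");

        // 2. Authorize in the application, by role, before touching the resource.
        if (!caller.IsInRole(@"CONTOSO\HRGeneralists")) // assumed group
            throw new UnauthorizedAccessException("Caller is not an HR generalist.");

        // 3. Access the downstream resource as the fixed trusted identity. The caller's
        //    name is data for the audit trail, never part of the connection identity.
        decimal salary = ReadSalary(employeeId);
        Audit(caller.Identity.Name, employeeId);
        return salary;
    }

    // Contrast: per-caller impersonation. The connection opens under the caller's token,
    // so SQL Server audits the real user, but the pool fragments per user and the hop to a
    // remote SQL Server only succeeds if the token is delegatable (Kerberos, delegation
    // configured); an NTLM token arrives at the second hop as anonymous.
    [WebMethod]
    public decimal GetSalaryImpersonated(string employeeId)
    {
        WindowsIdentity callerId = Context.User.Identity as WindowsIdentity;
        if (callerId == null || !callerId.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows authentication required.");
        using (WindowsImpersonationContext ctx = callerId.Impersonate())
        {
            return ReadSalary(employeeId); // runs as the caller until ctx is disposed
        }
    }

    private static decimal ReadSalary(string employeeId)
    {
        using (SqlConnection conn = new SqlConnection(TrustedConnection))
        using (SqlCommand cmd = new SqlCommand(SalaryQuery, conn))
        {
            // Parameterized: the caller-supplied id never reaches the query text.
            cmd.Parameters.Add("@id", SqlDbType.NVarChar, 32).Value = employeeId;
            conn.Open();
            object result = cmd.ExecuteScalar();
            if (result == null || result == DBNull.Value)
                throw new ArgumentException("Unknown employee.");
            return (decimal)result;
        }
    }

    // Application-level audit compensates for the model's weak point: the database only
    // ever sees the service account, so who asked for what must be recorded here.
    private static void Audit(string caller, string employeeId)
    {
        Trace.WriteLine(string.Format("{0:u} {1} read salary of {2}", DateTime.UtcNow, caller, employeeId));
    }
}
```

Two things to verify when you deploy this: that the worker process account (and nothing else) has the SQL login and the narrowest object permissions the service needs, since that account is now the single key to the database; and that the role check cannot be bypassed by another entry point to the same data, because with a trusted subsystem the database no longer enforces per-user access for you.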
Other Important Security Topics Secure Communication: applications are no longer islands unto themselves. Application security is meaningless if your messages are wide open on the wire. Familiarize yourself with the mechanisms for authenticating, authorizing and encrypting messages that cross process boundaries, especially in B2B scenarios. Code Access Security: addresses a different kind of security problem (what the code itself is allowed to do, rather than who the caller is).
References