Security Model for ASP.NET Web Applications:
Authentication and Authorization
Harshavardhan Achrekar – University of Massachusetts, Lowell Member, IEEE
Abstract
Identities assigned to the ASP.NET worker process and to the
requests that it executes play a crucial role in determining how
well an application that is considered secure actually carries out
its appointed mission. While designing an application, some
security guidelines should be established to help you figure out
which of them matter in your deployment scenario:
If your application requires no special protection—if all of its
pages can be freely browsed by anyone and none are
personalized for individual users—you needn't bother about
application-level security. Grant “Everyone” access to the
application's files.
While building an intranet application, or any application
whose permissions are based on mapping incoming requests to
Windows accounts on your server, you'll probably use Windows
authentication and ACL authorization. In that case, you'll use
operating system ACLs to restrict access to pages that aren't
intended for everyone. You may or may not enable
impersonation, depending on the needs of the application, i.e., it
becomes a design-specific issue.
If you're designing an Internet application that serves the
general public (anonymous users) but want to secure access to
certain pages, you'll most likely use forms authentication and
URL authorization. In that case, you'll leave impersonation
disabled and rely on credentials entered in login forms as the
basis for authorizations. Issues regarding IIS and access tokens
are not given a thought because you grant everyone access to the
application's files and rely on URL authorizations in Web.config
to protect them.
A final thought to keep in mind is that if you use ACLs to limit
access to files and directories in an ASP.NET application, always
grant the ASPNET account—or whatever account
Aspnet_wp.exe runs as—read access to them. Otherwise,
ASP.NET itself will be unable to read them and you'll experience
all kinds of access denied errors that you probably didn't expect.
This paper takes a deliberately restricted view, highlighting
the role that ASP.NET plays in building secure sites that serve up
pages only after validating the genuineness of the user.
Index terms—Forms / Passport authentication, URL authorization
I. INTRODUCTION
ASP.NET and Microsoft's underlying platform work together
to build secure websites. To implement security in web
applications one must know how they interrelate and the
various options they provide for securing access to a
website's resources. Security is always a concern for an
organization running on a big network because its
websites are available to a large population of users on the
network, and are therefore subject to misuse and
vulnerable to attack. And when the network on which the
application is deployed is the Internet, security cannot be
compromised, bearing in mind that the number of potential users
grows manifold.
Web security has always been a topic of discussion. Much
research work has been carried out in terms of “hardening”
servers against attacks. Microsoft Internet Information
Services (IIS) administrators are aware of the past security
holes in IIS and have spent a lot of time fixing them using the
patches and security updates from Redmond.
II. CLASSIFICATION OF WEBSITES
We can categorize websites developed using ASP.NET into:
- Websites whose content is freely available for users to
browse.
- Internet commercial websites with a login section which
restricts access to certain parts of the web content. An example in
this case would be an e-commerce website like eBay, which
anyone can browse to view the ongoing auctions, but when
it comes to bidding you need to register with the eBay site and
then log in with that username and password before you can
place a bid. Personalization of content to suit your
requirements is yet another feature of websites like eBay,
provided under the category “My eBay”, which lets you review
auctions you've bid on. To obtain private content that
matters to you, you need to log into the Web application.
- Intranet sites that serve content to a controlled population
of users, like the employees of a particular company who have
accounts in a Windows domain. Sometimes, by placing the
servers hosting these websites in demilitarized zones, a limited
degree of Internet access is made available and this content
becomes browsable from anywhere on the Internet once the
user is connected to the Internet.
Sites in the first category require no special protection apart
from what is built into the Web server, but sites which
belong to the other two categories require some level of
application security to identify authorized users and prevent
illicit access to content. This is where ASP.NET comes in
handy: it provides application-level security and, by
working in conjunction with IIS and the Windows security system,
it provides a solid base for the development and deployment of
secure sites with the support of Windows/forms-based login
authentication, URL resource authorization and access
control list (ACL) file authorization.
The primary goal of Windows authentication is to map
incoming requests to user accounts on your Web server (or on
the Web server's domain). Apart from preventing users who
lack proper logon credentials from accessing parts of the website
that require authenticated access, it allows you to use the
operating system's built-in security mechanisms to prevent
authenticated users from accessing resources they are not
authorized for.
III. UNDERSTANDING WEB SECURITY
At the application level, web security is about securing pages so that
they cannot be reached by unauthorized users, e.g., preventing
non-managers from viewing pages containing salary hikes and the
company's tender proposals, stocks and performance data. One
needs to identify the originator of the request and define rules
that govern who can access which page. A web server
identifies callers using a mechanism called authentication.
Once a caller is identified, authorization determines which pages that
particular caller is allowed to view. ASP.NET supports a
variety of authentication and authorization models.
A. Authentication
Authentication enables the recipient of a request to ascertain
the caller's identity. The caller might claim to be Harsh, but
you don't know if he really is the person he claims to be
unless you authenticate him. ASP.NET supports three types
of authentication: Windows authentication, Passport
authentication, and forms authentication.
When Windows authentication is selected, ASP.NET relies on
IIS to perform suitable actions to authenticate the caller. IIS then
makes the caller's identity available to ASP.NET. Let's say
Windows authentication is enabled and Harsh requests an
ASPX page. IIS authenticates Harsh and forwards the request
to ASP.NET along with an access token identifying Harsh.
ASP.NET checks whether Harsh has permission to
retrieve the page he requested. ASP.NET also makes the
token available to the application that handles the request so
that, at its discretion, the application can “impersonate” Harsh,
i.e., temporarily assume Harsh's identity, to prevent code
executed within the request from accessing resources that
Harsh lacks permission to access. Typical examples where a
Web application uses Windows authentication are:
1. When an application is deployed on the company's
intranet and everyone who uses it has an account that
they can use to log in and access network resources.
2. When an application whose intent is to serve intranet
users also wants its content to be accessible to its
employees remotely, that is, from outside the firewall, it allows
the employees to log in and use the application remotely.
Passport authentication uses Microsoft Passport to
authenticate users; Passport is nothing more than a web
service that provides a front end to a massive database of user
names and passwords which is maintained by Microsoft.
Users who register with Passport can be authenticated
anywhere on the web by applications that provide an interface
which takes login credentials as parameters to call the web
service. On providing valid credentials, an authentication
ticket is returned which the application can encode in a
cookie, avoiding a fresh validation request to the
server each time the user tries to log in. (The Passport
SDK can be found on the Microsoft website.)
Forms authentication relies on a login form in Web pages to
authenticate users. Windows authentication isn't very
practical in this scenario because a site like eBay doesn't
want to assign each of its millions of users a Windows account
on its servers.
To identify the authentication type in your application, one
can read the Web.config file:
---------------------------------------------------------------------------
<configuration>
  <system.web>
    <authentication mode="Forms" />
  </system.web>
</configuration>
---------------------------------------------------------------------------
Other valid modes include None, Passport and Windows. The
default mode is Windows and is defined in Machine.config.
One cannot use two or more authentication types in a single
application.
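The same Web.config that selects forms authentication also carries the URL authorization rules that protect individual folders. The following is an added Python model, not code from the paper, of how those <allow>/<deny> rules are evaluated (first matching rule wins, "?" means anonymous callers, "*" means everyone, a <location> element scopes rules to a path); the Web.config text, user names and roles are constructed for the example:

```python
import xml.etree.ElementTree as ET

# Constructed Web.config (not from the paper): forms authentication, the site
# root open to everyone, and a <location> element protecting the Secure folder.
WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms" />
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="Secure">
    <system.web>
      <authorization>
        <allow roles="Managers" />
        <deny users="?" />
        <deny users="harsh" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

def _split(attr):
    """Comma-separated users/roles attribute -> lowercase set."""
    return {x.strip().lower() for x in attr.split(",") if x.strip()}

def _parse(auth):
    """<allow>/<deny> children as (verdict, users, roles) tuples, in file order."""
    return [(r.tag, _split(r.get("users", "")), _split(r.get("roles", "")))
            for r in auth if r.tag in ("allow", "deny")]

def load_rules(config_xml):
    """Map each scope ('' for the site root, else the <location> path) to its rules."""
    root = ET.fromstring(config_xml)
    rules = {"": []}
    for auth in root.findall("./system.web/authorization"):
        rules[""] = _parse(auth)
    for loc in root.findall("location"):
        for auth in loc.findall("./system.web/authorization"):
            rules[loc.get("path").strip("/").lower()] = _parse(auth)
    return rules

def is_authorized(rules, path, user=None, roles=()):
    """First matching rule wins, most specific <location> consulted first.
    user=None models an anonymous caller: '?' matches only anonymous callers,
    '*' matches everyone, and rule order therefore decides the outcome."""
    path = path.strip("/").lower()
    roles = _split(",".join(roles))
    scopes = [s for s in rules if s == "" or path == s or path.startswith(s + "/")]
    for scope in sorted(scopes, key=len, reverse=True):
        for verdict, users, rset in rules[scope]:
            if ("*" in users or ("?" in users and user is None)
                    or (user is not None and user.lower() in users) or roles & rset):
                return verdict == "allow"
    return True  # Machine.config's root <allow users="*" /> is the final fallback
```

Swapping the `<deny users="?" />` line below the `<allow users="*" />` line would make the deny unreachable, which is the usual way an intended restriction silently disappears.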
B. Authorization
Authentication establishes trust and is of elementary importance
in web and network security. Authorization determines the
access rights to resources. ASP.NET supports two forms of
authorization: ACL authorization (also known as file
authorization) and URL authorization.
ACL authorization is based on file system permissions. Most
Web servers that run IIS and ASP.NET use the NTFS file
system. NTFS uses ACLs to protect system resources, i.e.,
files and directories. One can set an ACL on a file that permits
only the system administrator to read it: on the file's properties
security page, remove the security principals (users
and groups) that are currently listed and add Administrators. If
you don't want Harsh to view a particular file, you can deny
Harsh read access to the file in its ACL, and Harsh will receive an
access denied error when he tries to view the page. Because
ACL checks are performed against access tokens representing
Windows security principals, ACL authorization is typically
used in scenarios where Windows authentication is used.
URL authorization relies on content within the Web.config file.
URL authorization is a feature provided by ASP.NET, and
typically it is used with forms authentication.
IV. IIS SECURITY
Since IIS is a Web server, it accepts connections from remote
clients and responds to HTTP requests arriving through those
connections. Most of the requests are HTTP POST and GET
commands requesting HTML files, JPEG files, ASPX files,
and other file system resources. The IIS protection mechanism is
as follows.
1. Web applications are deployed in virtual directories
that are URL-addressable on the server. Remote
clients cannot access files outside virtual directories.
2. IIS assigns each request an access token that enables
the operating system to perform ACL checks on
resources used in the request.
3. IIS supports IP address and domain name
restrictions, enabling requests to be granted or
denied based on the IP address or domain of the
requesting user.
4. IIS supports encrypted HTTP connections using the
Secure Sockets Layer (SSL) family of protocols.
SSL prevents eavesdropping on conversations
between Web servers and remote clients.
IIS runs in a process named Inetinfo.exe under the SYSTEM
account. Requests sent to ASP.NET by IIS don't run as the
SYSTEM account but are assigned a user identity. IIS allows a file
to be configured to allow anonymous access, authenticated
access, or both.
Suppose a request comes in for a file that supports anonymous
access. By default the request executes as
IUSR_machinename (a special account created when IIS is
installed), where machinename is the Web server's machine name.
Requests from anonymous users are tagged with
IUSR_machinename's access token. If the requested file
requires authenticated access, IIS assigns the request the
identity of the account whose credentials the requestor
supplies, i.e., it tags the request with the requestor's access token. IIS
can ascertain a requestor's identity for authenticated accesses
using basic authentication, digest authentication, integrated
Windows authentication, and SSL client certificates. For
ASP.NET, all of these fall under Windows authentication. Basic and
digest authentication rely on a username and password being
transmitted via HTTP once the browser prompts for and accepts
input from the user. Integrated Windows authentication uses
Windows credentials to authenticate the user. It requires the
client and server to support Windows security protocols, and the
client must validate against a domain controller, which it can't
do through a firewall.
V. ASP.NET SECURITY
Relationship between IIS and ASP.NET
When IIS receives a request for a file registered to ASP.NET
(for example, an ASPX file), it hands the request off to an
ISAPI DLL named Aspnet_isapi.dll. Aspnet_isapi.dll runs in
the same process as IIS—that is, inside Inetinfo.exe.
ASP.NET applications run in a separate process named
Aspnet_wp.exe. Aspnet_isapi.dll forwards requests to
Aspnet_wp.exe using a named pipe. When the request reaches
the worker process, it is assigned to a specific application
executing in a specific AppDomain. Once inside an
AppDomain, the request travels through the ASP.NET HTTP
pipeline, where it is examined by various HTTP modules and
ultimately processed by the HTTP handler that corresponds to
the resource type requested. Machine.config has a list that maps
file types to HTTP handlers.
Aspnet_isapi.dll forwards the access token that it obtained
from IIS, which is either an IUSR_machinename token representing
an unauthenticated user or a token representing an
authenticated security principal (for example, Harsh).
Aspnet_wp.exe does the following:
1. It performs an ACL check on the requested resource
using the access token presented to it. If, for
example, the request is a GET command asking for
Foo.aspx, the access token represents Harsh, and
Foo.aspx has an ACL that denies read permission to
Harsh, then ASP.NET fails the request with an
access denied error.
2. It makes the access token available to the application
that handles the request so that, if desired, the
application can impersonate the caller and protect
resources guarded by ACLs from code executed
during the request.
Aspnet_wp.exe runs as ASPNET, a special account that's set
up when ASP.NET is installed. ASPNET is a member of the
Users group, which means it's privileged enough to perform
most of the actions a legitimate application might want to
perform. Impersonation is enabled by placing
<identity impersonate="true"/> in the system.web section of Web.config.
If IIS assigns a request the identity of IUSR_machinename,
impersonation won't do much because IUSR_machinename is
a weak account that enjoys few privileges on the host
machine. But if Windows authentication is enabled and IIS
presents ASP.NET with a token representing the actual
requestor, impersonation ensures that the application can't do
anything on the Web server that the requestor isn't allowed to
do. In IIS 6.0, ASP.NET requests are forwarded to the
NETWORK SERVICE account rather than ASPNET, so if you deny
permissions to other security principals you end up getting
access denied errors on resources; hence one needs to modify
the ACLs to allow access to NETWORK SERVICE.
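The two steps Aspnet_wp.exe performs on a request, together with the abstract's warning that the worker account itself needs read access, as an added Python model (not the paper's code); the accounts, group memberships, files and ACLs are constructed for the example:

```python
# Added model (not the paper's code) of the identities Aspnet_wp.exe applies
# to one request. Accounts, group memberships, files and ACLs are constructed.
IUSR = "IUSR_machinename"   # token IIS attaches to anonymous requests
WORKER = "ASPNET"           # account Aspnet_wp.exe runs as (NETWORK SERVICE on IIS 6.0)

# Constructed ACLs: file -> accounts or groups granted read permission.
ACLS = {
    "Default.aspx": {"Everyone"},
    "Payroll.aspx": {"Managers", WORKER},
    "Secrets.xml": {WORKER},            # private data the application reads
    "Orphan.aspx": {"Managers"},        # nobody granted ASPNET read access
}

# Constructed principals: account -> the groups it belongs to.
GROUPS = {
    "Harsh": {"Everyone", "Users"},
    "Alice": {"Everyone", "Users", "Managers"},
    IUSR: {"Everyone"},
    WORKER: {"Everyone", "Users"},
}

def can_read(account, filename):
    """ACL check: the account itself or one of its groups must be granted read."""
    allowed = ACLS.get(filename, set())
    return account in allowed or bool(GROUPS.get(account, set()) & allowed)

def request_token(iis_auth, caller):
    """IIS tags authenticated requests with the caller's token, others with IUSR."""
    return caller if iis_auth == "windows" else IUSR

def serve(page, iis_auth="anonymous", caller=None, impersonate=False, opens=()):
    """Return (status, identity the page's code ran as).
    1. ASP.NET performs an ACL check on the page with the request token.
    2. The worker account itself must also be able to read the page.
    3. Files the page opens are checked against the worker account, or against
       the caller's token when <identity impersonate="true"/> is set."""
    token = request_token(iis_auth, caller)
    if not can_read(token, page):
        return ("access denied: request token fails page ACL", token)
    if not can_read(WORKER, page):
        return ("access denied: worker account cannot read page", WORKER)
    code_identity = token if impersonate else WORKER
    for filename in opens:
        if not can_read(code_identity, filename):
            return (f"access denied opening {filename}", code_identity)
    return ("200 OK", code_identity)
```

The Orphan.aspx case reproduces the unexpected access denied error the abstract describes: the caller passes the ACL check, but the worker account was never granted read access.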
VI. CONCLUSION
Security Architecture
(reference - Secnet Article)
ASP.NET applications can use the existing security
features provided by Windows and IIS. The gatekeepers
thus perform authorization based on the identity of the
user or service calling into the gate and attempting to
access a specific resource.
Gatekeeper: Windows operating system
Gates: Logon rights; access checks against secured resources
such as the registry and file system (access checks use
ACLs attached to the secured resources, which specify who
is and who is not allowed to access the resource and also
the types of operation that may be permitted); TCP/IP
filtering; IP Security
Gatekeeper: IIS
Gates: Authentication (Anonymous, Basic, Digest, Integrated,
Certificate)
Gatekeeper: ASP.NET
Gates: URL authorization, File authorization, Principal
permission demands, .NET roles