Security Model for ASP.NET Web Applications: Authentication and Authorization

Harshavardhan Achrekar, University of Massachusetts, Lowell, Member, IEEE

Abstract

The identities assigned to the ASP.NET worker process and to the requests it executes play a crucial role in determining how well an application that is considered secure carries out its appointed mission. While designing an application, some security guidelines should be established to help you figure out which of these identities matter in your deployment scenario:

- If your application requires no special protection, that is, all of its pages can be freely browsed by anyone and none are personalized for individual users, you need not bother with application-level security. Grant "Everyone" access to the application's files.
- If you are building an intranet application, or any application whose permissions are based on mapping incoming requests to Windows accounts on your server, you will probably use Windows authentication and ACL authorization. In that case you use operating system ACLs to restrict access to pages that are not intended for everyone. You may or may not enable impersonation, depending on the needs of the application; it is a design-specific decision.
- If you are designing an Internet application that serves the general public (anonymous users) but want to secure access to certain pages, you will most likely use forms authentication and URL authorization. In that case you leave impersonation disabled and rely on credentials entered in login forms as the basis for authorization. IIS and access tokens need no thought here, because you grant everyone access to the application's files and rely on URL authorizations in Web.config to protect them.
A final thought to keep in mind: if you use ACLs to limit access to files and directories in an ASP.NET application, always grant the ASPNET account (or whatever account Aspnet_wp.exe runs as) read access to them. Otherwise ASP.NET itself will be unable to read them and you will experience all kinds of access denied errors that you probably did not expect. This paper deliberately restricts its scope to the role ASP.NET plays in building secure sites that serve up pages only after validating the genuineness of their users.

Index terms: Forms / Passport authentication, URL authorization

I. INTRODUCTION

ASP.NET works together with IIS and the Windows security system to build secure websites. To implement security in web applications one must know how they interrelate and the various options they provide for securing access to a website's resources. Security is always a concern for an organization running a big network, because its websites are available to (and therefore subject to misuse and vulnerable to attack from) a large population of users on the network. When the network on which the application is deployed is the Internet, security cannot be compromised, bearing in mind that the potential users grow manifold. Web security has always been a topic of discussion, and much research has been carried out on "hardening" servers against attacks. Microsoft Internet Information Services (IIS) administrators are aware of the past security holes in IIS and have spent a lot of time fixing them with the patches and security updates from Redmond.

II. CLASSIFICATION OF WEBSITES

Websites developed using ASP.NET can be categorized into:

- Websites whose content is freely available for users to browse.
- Internet commercial websites with a login section that restricts access to certain parts of the web content. An example is an e-commerce website like e-bay, which anyone can browse to view the ongoing auctions, but to bid you need to register with the e-bay site and then log in with that username and password to place a bid. Personalization of content to suit your requirements is another feature of websites like e-bay, provided under the "My e-bay" category, which lets you review auctions you have bid on. To obtain private content that matters to you, you need to log into the web application.
- Intranet sites that serve content to a controlled population of users, such as employees of a particular company who have accounts in a Windows domain. Sometimes, by placing the servers hosting these websites in demilitarized zones, a limited degree of Internet access is made available and this content becomes browsable from anywhere on the Internet once the user is connected to it.

Sites in the first category require no special protection beyond what is built into the web server, but sites in the other two categories require some level of application security to identify authorized users and prevent illicit access to content. This is where ASP.NET comes in handy: it provides application-level security and, by working in conjunction with IIS and the Windows security system, it provides a solid base for developing and deploying secure sites, with support for Windows and form-based login authentication, URL resource authorization and access control list (ACL) file authorization. The primary goal of Windows authentication is to map incoming requests to user accounts on your web server (or in the web server's domain). Apart from preventing users who lack proper logon credentials from accessing parts of the website that require authenticated access, it lets you use the operating system's built-in security mechanisms to stop authenticated users from accessing resources they are not authorized to use.

III. UNDERSTANDING WEB SECURITY

At the application level, web security is about securing pages so that they cannot be reached by unauthorized users, for example preventing non-managers from viewing pages containing salary hikes, the company's tender proposals, stocks or performance data. One needs to identify the originator of a request and define rules that govern who can access which page. A web server identifies callers using a mechanism called authentication. Once a caller is identified, authorization determines which pages that particular caller is allowed to view. ASP.NET supports a variety of authentication and authorization models.

A. Authentication

Authentication enables the recipient of a request to ascertain the caller's identity. The caller might claim to be Harsh, but you do not know whether he really is the person he claims to be unless you authenticate him. ASP.NET supports three types of authentication: Windows authentication, Passport authentication and forms authentication.

When Windows authentication is selected, ASP.NET relies on IIS to authenticate the caller; IIS then makes the caller's identity available to ASP.NET. Let us say Windows authentication is enabled and Harsh requests an ASPX page. IIS authenticates Harsh and forwards the request to ASP.NET along with an access token identifying Harsh. ASP.NET checks whether Harsh has permission to retrieve the page he requested. ASP.NET also makes the token available to the application that handles the request so that, at its discretion, the application can "impersonate" Harsh, i.e., temporarily assume Harsh's identity, to prevent code executed within the request from accessing resources that Harsh lacks permission to access. Typical cases in which a web application uses Windows authentication are:

1. When an application is deployed on the company's intranet and everyone who uses it has an account that they can use to log in and access network resources.
2. When an application intended for intranet users also wants its content to be accessible to employees working remotely, that is, from outside the firewall, it lets those employees log in and use the application remotely.

Passport authentication relies on Microsoft Passport to authenticate users. Passport is nothing more than a web service that provides a front end to a massive database of user names and passwords maintained by Microsoft. Users who register with Passport can be authenticated anywhere on the web by applications that pass the login credentials as parameters to the web service. When valid credentials are provided, an authentication ticket is returned, which the application can encode in a cookie so that the web service need not be called again to validate every subsequent request. (The Passport SDK can be found on the Microsoft website.)

Forms authentication relies on a login form in a web page to authenticate users. Windows authentication is not very practical in this scenario, because a site like e-bay does not want to assign each of its millions of users a Windows account on its servers.

The authentication type used by an application is declared in its Web.config file:

---------------------------------------------------------------------------
<configuration>
  <system.web>
    <authentication mode="Forms" />
  </system.web>
</configuration>
---------------------------------------------------------------------------

Other valid modes are None, Passport and Windows. The default mode is Windows and is defined in Machine.config. Two or more authentication types cannot be used in a single application.

B. Authorization

Authentication establishes trust and is of elementary importance in web and network security. Authorization determines the access rights to resources. ASP.NET supports two forms of authorization: ACL authorization (also known as file authorization) and URL authorization.
ACL authorization is based on file system permissions. Most web servers that run IIS and ASP.NET use the NTFS file system, and NTFS uses ACLs to protect system resources, i.e., files and directories. One can set an ACL on a file that permits only system administrators to read it: on the Security page of the file's properties, remove the security principals (users and groups) currently listed and add Administrators. If you do not want Harsh to view a particular file, you can deny Harsh read access to the file in its ACL, and Harsh will receive an access denied error when he tries to view the page. Because ACL checks are performed against access tokens representing Windows security principals, ACL authorization is typically used in scenarios where Windows authentication is used.

URL authorization relies on content within the Web.config file. URL authorization is a feature provided by ASP.NET, and it is typically used with forms authentication.

IV. IIS SECURITY

Since IIS is a web server, it accepts connections from remote clients and responds to HTTP requests arriving through those connections. Most of the requests are HTTP GET and POST commands requesting HTML files, JPEG files, ASPX files and other file system resources. The IIS protection mechanisms are as follows:

1. Web applications are deployed in virtual directories that are URL-addressable on the server. Remote clients cannot simply access files outside the virtual directories.
2. IIS assigns each request an access token that enables the operating system to perform ACL checks on the resources used by the request.
3. IIS supports IP address and domain name restrictions, enabling requests to be granted or denied based on the IP address or domain of the requesting user.
4. IIS supports encrypted HTTP connections using the Secure Sockets Layer (SSL) family of protocols. SSL prevents eavesdropping on the conversation between web servers and remote clients.

IIS runs in a process named Inetinfo.exe under the SYSTEM account. Requests sent to ASP.NET by IIS do not run as the SYSTEM account but are assigned a user identity. IIS allows a file to be configured for anonymous access, authenticated access or both. Suppose a request arrives for a file that supports anonymous access. By default the request executes as IUSR_machinename (a special account created when IIS is installed), where machinename is the web server's machine name; requests from anonymous users are tagged with IUSR_machinename's access token. If the requested file requires authenticated access, IIS assigns the request the identity of the account whose credentials the requestor supplies, i.e., it tags the request with the requestor's access token. IIS can ascertain a requestor's identity for authenticated access using basic authentication, digest authentication, integrated Windows authentication and SSL client certificates; for ASP.NET, all of these fall under Windows authentication. Basic and digest authentication rely on a username and password transmitted via HTTP after the browser prompts for and accepts input from the user. Integrated Windows authentication uses Windows credentials to authenticate the user; it requires the client and server to support Windows security protocols, and the client must be validated against a domain controller, which cannot be done through a firewall.

V. ASP.NET SECURITY

Relationship between IIS and ASP.NET

When IIS receives a request for a file registered to ASP.NET (for example, an ASPX file), it hands the request off to an ISAPI DLL named Aspnet_isapi.dll. Aspnet_isapi.dll runs in the same process as IIS, that is, inside Inetinfo.exe. ASP.NET applications run in a separate process named Aspnet_wp.exe. Aspnet_isapi.dll forwards requests to Aspnet_wp.exe using a named pipe. When the request reaches the worker process, it is assigned to a specific application executing in a specific AppDomain.
Once inside an AppDomain, the request travels through the ASP.NET HTTP pipeline, where it is examined by various HTTP modules and ultimately processed by the HTTP handler that corresponds to the type of resource requested. Machine.config holds the list that maps file types to HTTP handlers. Aspnet_isapi.dll also forwards the access token it obtained from IIS, which is either an IUSR_machinename token representing an unauthenticated user or a token representing an authenticated security principal (for example, Harsh). Aspnet_wp.exe then does the following:

1. It performs an ACL check on the requested resource using the access token presented to it. If, for example, the request is a GET command asking for Foo.aspx, the access token represents Harsh, and Foo.aspx has an ACL that denies read permission to Harsh, then ASP.NET fails the request with an access denied error.
2. It makes the access token available to the application that handles the request so that, if desired, the application can impersonate the caller and protect resources guarded by ACLs from code executed during the request.

Aspnet_wp.exe runs as ASPNET, a special account that is set up when ASP.NET is installed. ASPNET is a member of the Users group, which means it is privileged enough to perform most of the actions a legitimate application might want to perform. Impersonation is enabled by placing <identity impersonate="true" /> in the system.web section of Web.config. If IIS assigns a request the identity of IUSR_machinename, impersonation will not do much, because IUSR_machinename is a weak account that enjoys few privileges on the host machine. But if Windows authentication is enabled and IIS presents ASP.NET with a token representing the actual requestor, impersonation ensures that the application cannot do anything on the web server that the requestor is not allowed to do.
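As an added example that is not part of the paper, the following Python script models how ASP.NET applies the Web.config settings discussed in sections III.A, III.B and V: it reads the authentication mode and the <identity impersonate> flag, and evaluates URL authorization rules in ASP.NET's order (the <location> nearest the requested path first, then the application root, then Machine.config's default allow), with the first matching <allow> or <deny> deciding. The <authorization>, <allow>, <deny> and <location> elements and the "*" / "?" wildcards are standard ASP.NET configuration not shown in the paper; the sample configuration, paths, user names and roles are constructed.

```python
import xml.etree.ElementTree as ET
# Constructed sample Web.config (not from the paper): forms authentication, impersonation
# off, anonymous callers denied at the root, Public open to all, Admin limited to Managers.
WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms" />
    <identity impersonate="false" />
    <authorization><deny users="?" /></authorization>
  </system.web>
  <location path="Public">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <location path="Admin">
    <system.web><authorization>
      <allow roles="Managers" /><deny users="*" />
    </authorization></system.web>
  </location>
</configuration>"""

def settings(xml_text):
    """Authentication mode (Windows if absent, as in Machine.config) and impersonation flag."""
    root = ET.fromstring(xml_text)
    auth, ident = root.find("system.web/authentication"), root.find("system.web/identity")
    return {"mode": auth.get("mode", "Windows") if auth is not None else "Windows",
            "impersonate": ident is not None and ident.get("impersonate", "false").lower() == "true"}

def _matches(rule, user, roles, verb):
    """One <allow>/<deny> rule: '*' is everyone, '?' is anonymous, names/roles need a login."""
    split = lambda attr: [v.strip() for v in rule.get(attr, "").split(",") if v.strip()]
    users, rule_roles, verbs = split("users"), split("roles"), [v.upper() for v in split("verbs")]
    if verbs and verb.upper() not in verbs:
        return False
    if "*" in users or ("?" in users and user is None):
        return True
    return user is not None and (user in users or any(r in rule_roles for r in roles))

def rules_for(root, path):
    """Rules in ASP.NET's order: nearest <location> to the path first, parents next, root last."""
    segments = path.strip("/").split("/")
    locations = {loc.get("path", "").strip("/").lower(): loc for loc in root.findall("location")}
    ordered = []
    for depth in range(len(segments), 0, -1):
        loc = locations.get("/".join(segments[:depth]).lower())
        if loc is not None:
            ordered.extend(loc.findall("system.web/authorization/*"))
    ordered.extend(root.findall("system.web/authorization/*"))
    return ordered

def is_allowed(xml_text, path, user=None, roles=(), verb="GET"):
    """First matching rule wins; no match means Machine.config's default <allow users="*"/>."""
    for rule in rules_for(ET.fromstring(xml_text), path):
        if rule.tag in ("allow", "deny") and _matches(rule, user, roles, verb):
            return rule.tag == "allow"
    return True
```

Unlike ASP.NET, user and role comparison here is case-sensitive, and only the rules in the given file are evaluated, not those inherited from parent Web.config files.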
In IIS 6.0, ASP.NET requests run as NETWORK SERVICE rather than ASPNET, so if you deny permissions to other security principals you end up with access denied errors on resources; the ACLs therefore need to be modified to allow access to NETWORK SERVICE.

VI. CONCLUSION

Security architecture (reference: Secnet article). ASP.NET applications can use the existing security features provided by Windows and IIS. The gatekeepers perform authorization based on the identity of the user or service calling into the gate and attempting to access a specific resource.

Gatekeeper                  Gates
Windows Operating System    Logon rights; access checks against secured resources such as the registry and file system (the checks use ACLs attached to the secured resources, which specify who is and who is not allowed to access the resource and which types of operation are permitted); TCP/IP filtering; IP Security
IIS                         Authentication (Anonymous, Basic, Digest, Integrated, Certificate)
ASP.NET                     URL authorization, file authorization, principal permission demands, .NET roles