
Security in .Net

Course Objectives
• To introduce the participants to the security architecture in .NET
• To explain authentication and authorization
• To explain cryptography and XML encryption
• To explain how to write secure code
• To discuss partial trust development and Code Access Security
• To introduce Windows CardSpace

ER/CORP/CRS/NE-PRBRIDGE-ED92/003

Agenda
· IIS and ASP.Net Security
· Authentication
· Implementing Authorization
· Cryptography
· XML encryption
· Secure Coding
· Code Access Security
· Windows CardSpace

IIS and ASP.NET Security

ASP.NET Security Architecture
· IIS is the gateway to ASP.NET
· ASP.NET runs under the ASPNET account, which has minimal privileges

[Figure: Web clients, IIS, ASP.NET applications, the .NET Framework and the Windows Server 2003 family operating systems]

All Web clients communicate with ASP.NET applications through Microsoft Internet Information Services (IIS). IIS authenticates the request if required and then locates the requested resource (such as an ASP.NET application). If the client is authorized, the resource is made available. ASP.NET security settings are configured in the Machine.config and Web.config files. As with other configuration information, base settings and default settings are established in the Machine.config file in the Config subdirectory of the current .NET Framework installation.
Authentication Mechanisms with IIS & ASP.NET
• IIS Authentication:
  – Anonymous Login
  – Guest Login
  – Basic Authentication
  – Digest Authentication
  – Integrated Windows Authentication
  – Certificate based Authentication
• ASP.NET Authentication:
  – Windows
  – Forms
  – Passport
  – None

IIS Authentication - Anonymous
· Enables access to the public areas of a Web site without prompting users for a user name or password
· No end-user authentication occurs in either IIS or ASP.NET
· By default, the IUSR_computername account is used to allow anonymous access
· Works with all browsers
· Gives the highest performance, but the lowest security
· Pros
  – Offers the best performance
  – Does not require management of individual user accounts
  – No browser restrictions
· Cons
  – Does not authenticate clients on an individual basis; least secure

With Anonymous authentication, the server does not request the client to send user credentials. It is a good choice when your site or service is publicly available and you do not need to know the identity of the caller. Additionally, there are typically no browser restrictions, which stem from incompatibilities with supported authentication mechanisms. When a site is configured for Anonymous authentication, all users are allowed access. It is important to note that although you may have IIS configured for Anonymous authentication, you may be authenticating at the ASP.NET layer, which is not true Anonymous authentication. This section assumes that both IIS and the application do not require a logon.
Usage
· Good choice for publicly available web sites that do not require the identity of the caller
· The account used for Anonymous authentication can be changed at the Web site, virtual directory or file level

IIS Authentication - Integrated Windows
· Uses either NTLM challenge/response or Kerberos to authenticate users with a Windows NT Domain or Active Directory account
· A hash of the credentials is sent; the password is not sent across the network
· Delegation is not possible with NTLM challenge/response
· Pros
  – Best suited for an intranet
  – More secure, since the password is not sent across the network
  – Works out of the box
  – Provides automatic logon, with no logon dialog box
· Cons
  – Cannot be used on the Internet
  – Delegation is possible only with Kerberos
  – Enterprise only: does not work through proxy servers (a keep-alive connection is required)
  – Configured to be compatible with older clients

Integrated Windows authentication (using either NTLM challenge/response or Kerberos) involves authenticating a user with a Windows NT Domain or Active Directory account. Unlike Basic and Digest authentication, the encrypted password is not sent across the network, which makes this method very secure. If Active Directory Services is installed on the server and the browser is compatible with the Kerberos V5 authentication protocol, both the Kerberos V5 protocol and the challenge/response protocol are used; otherwise only the challenge/response protocol is used. It is best suited for an intranet environment, where both user and Web server computers are in the same domain and where administrators can ensure that every computer is running Microsoft Internet Explorer version 3.01 or later.
IIS Authentication - Basic Authentication

When IIS is configured for Basic authentication, it instructs the browser to send the user's credentials over HTTP. Passwords and user names are encoded using Base64 encoding. Although the password is encoded, it is considered insecure because the encoding can be deciphered relatively easily. The browser prompts the user with a dialog box, and then reissues the original anonymous request with the supplied credentials, including the user name and password. A pop-up logon dialog box may or may not be appropriate, depending on your user interface design requirements. Most Internet browsers support Basic authentication.

Base64 encoding is the scheme used to transmit binary data. Base64 processes data as 24-bit groups, mapping each group to four encoded characters, which is why it is sometimes referred to as 3-to-4 encoding. Each 6 bits of the 24-bit group is used as an index into a mapping table (the Base64 alphabet) to obtain a character for the encoded data. The encoded data has line lengths that are limited to 76 characters.

In the Default domain box, either type the domain name you want to use, or click Select to browse to a new default logon domain. If the Default domain box is filled in, that name is used as the default domain. If the Default domain box is left empty, IIS uses the domain of the computer that is running IIS as the default domain. However, the domain specified by DefaultLogonDomain is used only when a client does not specify a domain in the logon dialog box that appears on the client computer. Optionally, you can enter a value in the Realm box, which configures the value of the Realm metabase property. If the Realm property is set, its value appears in the client's logon dialog box when Basic authentication is used.
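The 3-to-4 scheme described above, as an added example that is not code from the course material: a small Base64 encoder and decoder built the way the notes describe (24-bit groups, 6-bit indices, 76-character lines), a decoder for the Authorization header that shows why a Basic credential is recoverable by anyone who can read the request, and a review check that flags Basic credentials sent without SSL/TLS. The function names are my own.

```python
import string

# Added example, not from the course deck. Implements the "3-to-4" Base64 scheme
# the notes describe and then shows the defender's view of HTTP Basic credentials.
B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def base64_encode(data: bytes, line_length: int = 76) -> str:
    """Each 24-bit group (3 bytes) becomes four 6-bit indices into the alphabet."""
    chars = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        missing = 3 - len(chunk)                       # 0, 1 or 2 bytes short
        group = int.from_bytes(chunk + b"\x00" * missing, "big")
        quad = [B64_ALPHABET[(group >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        if missing:
            quad[4 - missing:] = "=" * missing         # '=' marks absent input bytes
        chars.extend(quad)
    text = "".join(chars)
    # MIME-style Base64 limits each encoded line to 76 characters.
    return "\n".join(text[i:i + line_length] for i in range(0, len(text), line_length))


def base64_decode(text: str) -> bytes:
    """Reverse the mapping: four characters -> one 24-bit group -> up to 3 bytes."""
    text = "".join(text.split())                       # drop line breaks and spaces
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        group = 0
        for ch in quad:
            group = (group << 6) | (0 if ch == "=" else B64_ALPHABET.index(ch))
        out += group.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def parse_basic_authorization(header_value: str):
    """Recover (user, password) from an 'Authorization: Basic <token>' value.
    No key is involved: encoding is not encryption, which is the slide's point."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64_decode(token).decode("utf-8").partition(":")
    return user, password


def basic_auth_finding(is_tls: bool, header_value: str) -> str:
    """Review check: Basic credentials are acceptable only over SSL/TLS."""
    if not header_value.lower().startswith("basic "):
        return "ok: no Basic credential present"
    return "ok: Basic over TLS" if is_tls else "risk: Basic credential sent in clear over HTTP"
```

Running `parse_basic_authorization("Basic " + base64_encode(b"Aladdin:open sesame"))` returns the user name and password unchanged, which is exactly what a network observer on a non-TLS connection gets.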
The value of Realm is sent to the client for informational purposes only, and is not used to authenticate clients using Basic authentication.

IIS Authentication - Basic Authentication: Authentication process
· IIS instructs the browser to send the user's credentials over HTTP
· The browser prompts the user with a dialog box
· The user name and password entered by the user are Base64 encoded (which is NOT secure)
· Most browsers support Basic authentication, as it is part of the HTTP 1.0 specification
· Delegation is possible using Basic authentication
· Combine Basic authentication with SSL to prevent passwords from being deciphered

Pros
· Least common denominator: all HTTP clients support Basic authentication
· Makes it possible to track individual users
· Delegation of security credentials is possible
· If IIS does not control the password, can access network resources

Cons
· Inherently insecure unless using SSL/TLS, which impacts performance
· Clear text password (Base64 encoded) over the wire and on the server
· Needs to be protected via SSL

Usage
Consider Basic authentication when you require:
· Users to have Windows NT Domain or Active Directory accounts
· Support for multiple browsers
· Support for authentication over the Internet
· Access to the clear text password in your application code
· Delegation
Do not use Basic authentication when you require:
· Secure logon while not using a secure channel, such as Secure Sockets Layer (SSL)
· Storage of information in a custom database
· A customized form presented to the user as a logon page

IIS Authentication - Digest Authentication
· New to Windows 2000 and IIS 5.0 (HTTP 1.1 specification)
· Digest authentication sends credentials across the network as a Message Digest 5 (MD5) hash; the actual password is never sent
· Platform requirements for Digest authentication:
  – Clients: Internet Explorer 5.x (or later)
  – Server: running Active Directory with user accounts configured for Digest authentication
· The password needs to be stored in clear text on a separate server, which is the biggest constraint
· Digest authentication is more secure than Basic authentication alone

Pros
· More secure, since the password is not sent on the network
· Does not require SSL/TLS for the sake of password protection
· Works through proxies
· The password is not known to IIS

Cons
· Cannot delegate security credentials