12 provider model.pptx
DESCRIPTION
Part of the Web Application Security Course
TRANSCRIPT
![Page 1: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/1.jpg)
Provider Model
Best practices for user and group management
![Page 2: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/2.jpg)
Sarah Palin's email was hacked
o David Kernell, 22, who goes by the hacker tag 'rubico', son of Mike Kernell, a Tennessee state legislator, broke into Sarah Palin's Yahoo! account during her 2008 campaign
o He confessed ...
o It took seriously 45 mins on wikipedia and google to find the info. Birthday? 15 seconds on wikipedia; zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)
o the second was somewhat harder, the question was “where did you meet your spouse?”
o I found out ... that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high”. I promptly changed the password to popcorn and took a cold shower…
o it finally set in, THIS internet was serious business, yes I was behind a proxy, only one, if this [stuff] ever got to the FBI I was [in trouble], I panicked, I still wanted the stuff out there but I didn’t know how to [compress] all that stuff, so I posted the pass on /b/, and then promptly deleted everything, and unplugged my internet and just sat there in a comatose state
o Convicted on several counts in April of 2010.
![Page 3: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/3.jpg)
Use strong passwords
o Part of Broken authentication and session management
o Lots of great tools available in .Net
o Wanted to show best practices to you
![Page 4: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/4.jpg)
Topics
o The membership and role provider model
o ASP.NET Login controls
  • CreateUserWizard
  • Login
  • LoginStatus
  • ChangePassword
  • PasswordRecovery
o Best practices
![Page 5: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/5.jpg)
The provider model provides authentication
o ASP.NET has a robust and simple way of handling authentication: the membership and role provider model
o Configured in web.config (or the ASP.NET Configuration Tool)
o It is highly extensible! Can customize it via some programming
o Much more secure than home-grown ways
o Uses good design patterns
o Abstracts away most user functions
![Page 6: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/6.jpg)
The provider model can work with existing authentication providers like Active Directory and LDAP

```xml
<authentication mode="Windows"/>
<authorization>
  <allow roles="AD_GROUP, AD_GROUP2" />
  <allow users="USERS" />
  <deny users="?" />
</authorization>
```
![Page 7: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/7.jpg)
Coding with the Provider Model
o All features are simple ...

```csharp
using System;
using System.Web.Security;

MembershipCreateStatus status;
Membership.CreateUser(
    "dschrute",                      // username
    "recyclops",                     // password
    "[email protected]",             // email
    "Which color is most dominant?", // password reminder question
    "black",                         // response
    true,                            // is approved?
    out status
);
if (status != MembershipCreateStatus.Success)
    throw new Exception("Fail!");
```

o Other features are similarly easy
o Best feature, though, is ...
o No programming necessary with the Login controls!
![Page 8: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/8.jpg)
ASP.NET Login controls
o CreateUserWizard
o Login
o LoginStatus
o ChangePassword
o PasswordRecovery
![Page 9: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/9.jpg)
CreateUserWizard
![Page 10: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/10.jpg)
Login
![Page 11: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/11.jpg)
LoginStatus
![Page 12: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/12.jpg)
ChangePassword
![Page 13: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/13.jpg)
PasswordRecovery
![Page 14: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/14.jpg)
... and all with no coding!
o Unless you just want to
![Page 15: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/15.jpg)
Passwords can be compromised
![Page 16: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/16.jpg)
Best practices
o Avoid canned questions
o When resetting the password, never email it
o Don't allow the website to "Remember me"
o Turn autocomplete off so the username and/or password can't be pulled from the browser cache
o Use strong passwords
![Page 17: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/17.jpg)
Allow the user to set his own password reset question.
o Never force from a small list
o Too easy to research
  • High school mascot
  • Mother's maiden name
  • Pet's name
  • Birth city
o Too easy to guess
  • Favorite color
![Page 18: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/18.jpg)
"Remember me" is convenient but it opens security holes
o Worst option is to save username and password in a cookie
o If you must offer "Remember me", do it like Microsoft's provider does and issue a persistent authentication cookie instead
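Both options side by side in ASP.NET Forms Authentication, as an added example that is not from the slides: `Membership.ValidateUser`, `FormsAuthentication.SetAuthCookie` and `HttpCookie` are the real System.Web APIs; the class and method names are assumptions of mine.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class RememberMeExample
{
    // Worst option: the credentials themselves sit in the browser for 30 days.
    // Anything that can read the cookie (script injection, a shared PC, a copied
    // profile) gets a reusable password, and the server cannot revoke it short of
    // forcing a password change. Shown only as the anti-pattern the slide warns against.
    public static void RememberCredentialsInsecure(string user, string password)
    {
        var cookie = new HttpCookie("creds", user + ":" + password)
        {
            Expires = DateTime.UtcNow.AddDays(30)
        };
        HttpContext.Current.Response.Cookies.Add(cookie);
    }

    // What Microsoft's provider does: validate the password once, then issue a
    // persistent authentication ticket. The cookie carries an encrypted, signed
    // ticket (never the password), it expires on the schedule configured in
    // <forms timeout="..."/>, and it is protected with the machineKey, so every
    // outstanding ticket can be invalidated server-side by rotating that key.
    public static bool Login(string user, string password, bool rememberMe)
    {
        if (!Membership.ValidateUser(user, password))
            return false;   // lockout after maxInvalidPasswordAttempts is handled by the provider

        // rememberMe == false -> session cookie only, gone when the browser closes
        FormsAuthentication.SetAuthCookie(user, rememberMe);

        // Belt and braces: keep the ticket cookie away from script and off plain HTTP
        // (the same can be set globally with <httpCookies httpOnlyCookies="true" requireSSL="true"/>).
        HttpCookie ticket = HttpContext.Current.Response.Cookies[FormsAuthentication.FormsCookieName];
        ticket.HttpOnly = true;
        ticket.Secure = true;
        return true;
    }
}
```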
![Page 19: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/19.jpg)
Turn browser caching off
o Guessing a username is half the battle
o If the form helps the user to fill a username he has a major leg up
o And if we do that for a password, that would be horrible
o Turn remembering off like this:

```html
<form id="f1" autocomplete="off">
```
![Page 20: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/20.jpg)
Sometimes... Often... Usually our efforts to increase security actually decrease it
![Page 21: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/21.jpg)
Password rules are enforced on backend
o Set in web.config in membership - providers:

```xml
<add name="AspNetSqlMembershipProvider" type="..."
     minRequiredPasswordLength="1"
     minRequiredNonalphanumericCharacters="0"
     passwordFormat="Hashed"
     maxInvalidPasswordAttempts="5"
     passwordStrengthRegularExpression="" />
```
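Added example, not from the slides: a stand-alone C# check that mirrors the three password rules SqlMembershipProvider reads from those attributes (length, non-alphanumeric count, regex), run once with the slide's values and once with a tightened policy; the class name and the hardened values are assumptions of mine.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Mirrors the checks SqlMembershipProvider applies before CreateUser/ChangePassword
// accept a password: minRequiredPasswordLength, minRequiredNonalphanumericCharacters
// and passwordStrengthRegularExpression. Values are passed in explicitly so this
// runs as a console program without an ASP.NET application behind it.
public sealed class PasswordPolicy
{
    public int MinLength { get; set; }
    public int MinNonAlphanumeric { get; set; }
    public string StrengthRegex { get; set; }   // "" or null: no regex check, as on the slide

    // Returns null when the password is acceptable, otherwise the rule it broke
    // (the provider itself reports this as MembershipCreateStatus.InvalidPassword).
    public string Check(string password)
    {
        if (string.IsNullOrEmpty(password))
            return "empty password";
        if (password.Length < MinLength)
            return "shorter than " + MinLength + " characters";
        int nonAlnum = password.Count(c => !char.IsLetterOrDigit(c));
        if (nonAlnum < MinNonAlphanumeric)
            return "fewer than " + MinNonAlphanumeric + " non-alphanumeric characters";
        if (!string.IsNullOrEmpty(StrengthRegex) && !Regex.IsMatch(password, StrengthRegex))
            return "does not match passwordStrengthRegularExpression";
        return null;
    }
}

public static class Program
{
    public static void Main()
    {
        // Exactly what the slide's web.config allows: any single character passes.
        var asOnSlide = new PasswordPolicy { MinLength = 1, MinNonAlphanumeric = 0, StrengthRegex = "" };
        // Tightened policy (my values, not the slides'): length does the heavy lifting so a
        // pass phrase qualifies, plus a regex rejecting four or more repeats of one character;
        // no symbol quota, because that is the "going crazy" the summary warns against.
        var hardened = new PasswordPolicy { MinLength = 14, MinNonAlphanumeric = 0,
                                            StrengthRegex = @"^(?!.*(.)\1{3}).*$" };
        // Constructed sample inputs: the slide's password, a repeated-character string, a pass phrase.
        foreach (var pw in new[] { "recyclops", "aaaaaaaaaaaaaaaa", "correct horse battery staple" })
            Console.WriteLine("{0,-30} slide: {1,-28} hardened: {2}", pw,
                              asOnSlide.Check(pw) ?? "ok", hardened.Check(pw) ?? "ok");
    }
}
```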
![Page 22: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/22.jpg)
Best passwords are pass phrases
![Page 23: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/23.jpg)
Summary
o Good authentication practices go a long way toward establishing security
o Use a role provider based on Microsoft's
o Use Microsoft's built-in controls
o Enforce strong passwords, but don't go crazy
![Page 24: 12 provider model.pptx](https://reader033.vdocuments.us/reader033/viewer/2022051514/5492a1f8ac7959222e8b468f/html5/thumbnails/24.jpg)
Further study
o Modifying the membership provider:
  • http://bit.ly/ModifyingMembershipProvider
o Article on passwords:
  • http://bit.ly/BrokenAuthentication
o Hacker broke into military computers via easy-to-guess passwords:
  • http://bit.ly/WorldsBiggestHackerCaught