Chapter 13 – Site Security: Internet Information Server, ASP.NET applications, .NET Framework, Windows...
Post on 21-Dec-2015
Diagram: the security layers of an ASP.NET site, from the outside in.
  Web Clients
  SSL
  Internet Information Server: Anonymous, Standard, Windows and Digest authentication
  ASP.NET Applications: Forms, Passport, Windows and Certificate authentication
  .NET Framework: Code Access Security
  Windows NT/2000 Operating System: Active Directory, File Permissions
Diagram: Authentication. Web clients talk to a security authority (Windows, Forms, Passport or a custom one):
  Client: GET Default.aspx
  Server: Who are you? Provide proof.
  Client: user id=GlennJ password=hi2u2!
  Server: Ok, here is Default.aspx
Diagram: Authorization. Authentication established who the caller is; authorization decides what that caller may do:
  Client: GlennJ says: Select * from Orders
  Server: Is GlennJ authorized to retrieve the Orders?
  Server: Here are the Orders.
Diagram: Workgroup. Four workgroup clients, each holding its own local directory:
  Directory Users: Administrator, Randy, Gary, Sue
  Directory Groups: Users, Managers
In a workgroup every machine keeps its own account database, so the same user and group have to be defined separately on each one.
Diagram: Domain. Four domain workstations authenticate against a Domain Controller that holds a single Active Directory:
  Active Directory Users: Administrator, Randy, Gary, Sue
  Active Directory Groups: Domain Users, Managers
Directory Groups: Users, Printer Users, Scanner Users, File System Users, HR Users
Discretionary Access Control List (DACL) on SalesData.xml. Access Control Entries (ACEs):
  Managers: Read and Execute, Write
  Users: Read and Execute
  Sue: Full Control (member of Users)
  Glenn: Deny Write (member of Users and Managers)
Effective permissions:
  Glenn: Read and Execute (the explicit Deny Write ACE takes precedence over the Write allowed through Managers)
  Sue: Full Control
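As an added worked example (not part of the slides), the following Python models how Windows walks the DACL above and derives the effective permissions shown for Glenn and Sue. The right names, the ACE ordering rule and the name-based trustees are simplified stand-ins for the real access mask and SIDs; the DACL and group memberships are constructed to match the slide.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set

# Simplified stand-ins for the rights in a Windows access mask; "Full Control" is all of them.
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMISSIONS, TAKE_OWNERSHIP = (
    "Read", "Write", "Execute", "Delete", "ChangePermissions", "TakeOwnership",
)
FULL_CONTROL: FrozenSet[str] = frozenset(
    {READ, WRITE, EXECUTE, DELETE, CHANGE_PERMISSIONS, TAKE_OWNERSHIP}
)
READ_AND_EXECUTE: FrozenSet[str] = frozenset({READ, EXECUTE})


@dataclass(frozen=True)
class Ace:
    """One access control entry: whose access, which rights, allow or deny."""
    trustee: str             # user or group name (a SID in the real DACL)
    rights: FrozenSet[str]
    allow: bool              # True = access-allowed ACE, False = access-denied ACE


def canonical_order(dacl: Iterable[Ace]) -> List[Ace]:
    """Windows keeps explicit deny ACEs ahead of explicit allow ACEs. Sorting on
    the allow flag (False first) reproduces that order however the list was built."""
    return sorted(dacl, key=lambda ace: ace.allow)


def access_check(dacl: Iterable[Ace], user: str, groups: Set[str],
                 requested: FrozenSet[str]) -> bool:
    """Model of the Windows access check for one request.

    Only ACEs whose trustee is the user or one of the user's groups are looked at.
    A deny ACE covering any requested right fails the whole request; allow ACEs
    accumulate rights until every requested right is granted. Reaching the end of
    the list without a full grant is a denial, so an empty DACL grants nothing.
    """
    trustees = {user, *groups}
    granted: Set[str] = set()
    for ace in canonical_order(dacl):
        if ace.trustee not in trustees:
            continue
        if not ace.allow:
            if ace.rights & requested:
                return False
        else:
            granted |= ace.rights & requested
            if granted == requested:
                return True
    return False


def effective_permissions(dacl: Iterable[Ace], user: str, groups: Set[str]) -> FrozenSet[str]:
    """Rights the user really ends up with: each right is checked on its own, which
    is what the Effective Permissions view in the file's Security dialog reports."""
    return frozenset(
        right for right in FULL_CONTROL
        if access_check(dacl, user, groups, frozenset({right}))
    )


# The DACL on SalesData.xml and the group memberships, constructed to match the slide.
SALESDATA_DACL = [
    Ace("Managers", READ_AND_EXECUTE | {WRITE}, allow=True),
    Ace("Users", READ_AND_EXECUTE, allow=True),
    Ace("Sue", FULL_CONTROL, allow=True),
    Ace("Glenn", frozenset({WRITE}), allow=False),
]
MEMBERSHIP = {"Sue": {"Users"}, "Glenn": {"Users", "Managers"}}


if __name__ == "__main__":
    for name in ("Glenn", "Sue"):
        rights = effective_permissions(SALESDATA_DACL, name, MEMBERSHIP[name])
        label = "Full Control" if rights == FULL_CONTROL else ", ".join(sorted(rights))
        print(f"{name}: {label}")
```

The point to take from the model is that a deny ACE on a group or user is evaluated before any allow ACE, so Glenn loses Write even though his Managers membership grants it, while Sue's explicit Full Control is unaffected by the narrower Users grant.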
Diagram: SSL handshake between Browser Client and Web Site Server.
  Client: Initiate conversation – Can we talk?
  Server: Hi – here is my certificate containing the public key, signed by the CA's private key
  Client: validate the digital certificate
  Client: Here is an encrypted session key (encrypted with the public key from the certificate)
  Both: communication protected with the session key
Flow chart: how IIS and ASP.NET process a request.
  Internet Information Server
    IP and domain acceptable?
    User authentication
  ASP.NET authentication
    Impersonation enabled?
      Yes: run as the authenticated user account (or IUSR for anonymous requests)
      No: run using the <processModel> account (ASPNET)
    Perform ASP.NET security checks
    Check the Windows DACL for the resource's permissions
  Request is authorized – respond to the user
Diagram: Forms authentication between Browser Client and Web Site Server.
  1. Request protected resource: GET mydoc.aspx
  2. Redirect to login page: http://www.site.com/login.aspx?RETURNURL=/mydoc.aspx
  3. Get login page: login.aspx?RETURNURL=/mydoc.aspx
  4. login.aspx
  5. POST login.aspx?RETURNURL=/mydoc.aspx
  6. Authenticate user
  7. Redirect to mydoc.aspx with authentication cookie
  8. Request protected resource with authentication cookie: GET mydoc.aspx
  9. mydoc.aspx
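The nine-step exchange above, as an added example that is not from the slides: a Python model of the server side of forms authentication. The ticket format (HMAC-SHA256 over a JSON payload), the signing key, the user store, the paths and the check that ReturnUrl is a local path are this example's own assumptions and not ASP.NET's actual ticket layout; only the cookie name .ASPXAUTH is ASP.NET's default. The ReturnUrl check is there because a login page that redirects to whatever ReturnUrl it is handed is an open redirect.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, quote, urlsplit

# Constructed for this example; stands in for the machineKey validationKey that
# ASP.NET uses to sign the forms authentication ticket.
VALIDATION_KEY = b"constructed-demo-key-not-for-production"
COOKIE_NAME = ".ASPXAUTH"        # ASP.NET's default forms cookie name
LOGIN_PATH = "/login.aspx"
DEFAULT_PATH = "/default.aspx"   # landing page when ReturnUrl is missing or unsafe
USERS = {"GlennJ": "hi2u2!"}     # constructed credential store, from the slide's example


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user: str, now=None, ttl: int = 1200) -> str:
    """Ticket = base64url(payload) '.' base64url(HMAC-SHA256(payload))."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"u": user, "exp": now + ttl}, separators=(",", ":")).encode()
    sig = hmac.new(VALIDATION_KEY, payload, hashlib.sha256).digest()
    return f"{b64(payload)}.{b64(sig)}"


def read_ticket(ticket: str, now=None):
    """User name if the ticket is intact and unexpired, else None. The MAC is
    checked (in constant time) before anything in the payload is trusted."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = ticket.split(".", 1)
        payload = unb64(payload_b64)
        expected = hmac.new(VALIDATION_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(sig_b64)):
            return None
        data = json.loads(payload)
        return data["u"] if data["exp"] > now else None
    except (ValueError, KeyError, TypeError):
        return None


def is_local_url(url: str) -> bool:
    """Accept only a path on this site. '//evil.example' or 'http://evil.example'
    in ReturnUrl would otherwise turn the login page into an open redirect."""
    if not url.startswith("/") or url.startswith(("//", "/\\")):
        return False
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc == ""


def handle(method: str, path: str, query: str = "", form=None, cookies=None, now=None):
    """Tiny model of the server side of the forms authentication flow.
    Returns (status, headers, body); the comments give the diagram's step numbers."""
    form, cookies = form or {}, cookies or {}
    qs = {k: v[0] for k, v in parse_qs(query).items()}
    if path == LOGIN_PATH:
        if method != "POST":
            return 200, {}, "login.aspx: user id / password form"           # 3, 4
        user, password = form.get("user"), form.get("password")
        ok = (user in USERS and password is not None
              and hmac.compare_digest(USERS[user].encode(), password.encode()))
        if not ok:                                                           # 6 failed
            return 200, {}, "login.aspx: invalid user id or password"
        target = qs.get("ReturnUrl", DEFAULT_PATH)
        if not is_local_url(target):
            target = DEFAULT_PATH
        cookie = f"{COOKIE_NAME}={issue_ticket(user, now)}; Path=/; HttpOnly; Secure"
        return 302, {"Location": target, "Set-Cookie": cookie}, ""           # 7
    user = read_ticket(cookies.get(COOKIE_NAME, ""), now)
    if user is None:                                                         # 2
        return 302, {"Location": f"{LOGIN_PATH}?ReturnUrl={quote(path, safe='')}"}, ""
    return 200, {}, f"{path}: protected content for {user}"                  # 9


if __name__ == "__main__":
    print(handle("GET", "/mydoc.aspx"))                                      # 1 -> 2
    _, headers, _ = handle("POST", LOGIN_PATH, "ReturnUrl=%2Fmydoc.aspx",
                           {"user": "GlennJ", "password": "hi2u2!"})        # 5 -> 7
    ticket = headers["Set-Cookie"].split(";")[0].split("=", 1)[1]
    print(handle("GET", "/mydoc.aspx", cookies={COOKIE_NAME: ticket}))      # 8 -> 9
```

Two details carry over to any real deployment: the ticket must be integrity-protected with a server-side key (here the HMAC) so a client cannot mint a cookie naming another user, and the Secure and HttpOnly flags keep the cookie off plain HTTP and away from script.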
Authorization settings in the configuration hierarchy. Rules are evaluated starting with the Web.config closest to the requested resource and walking up through each parent directory to machine.config; the first matching rule wins.
machine.config:
  <allow users="*" />
Web.config at / (root):
  (no entries)
Web.config at /customers:
  <allow users="Joe" />
  <deny users="*" />
Web.config at /customers/sales:
  <allow users="Mary" />
Web.config at /customers/sales/reports:
  <allow users="Mary,Joe" />
  <deny users="*" />
Class diagram: identities and principals.
  IIdentity: AuthenticationType, Name, IsAuthenticated
    FormsIdentity: adds Ticket
    WindowsIdentity: adds IsGuest, IsSystem, Token, GetAnonymous(), GetCurrent(), Impersonate()
    PassportIdentity: adds HasTicket, GetProfileObject()
    GenericIdentity
  IPrincipal: Identity, IsInRole()
    WindowsPrincipal
    GenericPrincipal
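An added example (not from the slides) that covers both the authorization hierarchy and the IIdentity/IPrincipal diagram: a Python model of URL authorization that collects the rules from the Web.config nearest the requested resource up to machine.config, lets the first matching rule decide, and matches roles through an IsInRole-style check on a principal. The Identity, Principal and Rule classes are this example's own stand-ins for the .NET types; the rule set is constructed from the slide, and the /hr role rule in the demo is an addition that uses the HR Users group from an earlier slide.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Identity:
    """Stand-in for IIdentity: Name, AuthenticationType, IsAuthenticated."""
    name: Optional[str]            # None models an anonymous request
    authentication_type: str = ""

    @property
    def is_authenticated(self) -> bool:
        return self.name is not None


@dataclass(frozen=True)
class Principal:
    """Stand-in for IPrincipal: an Identity plus IsInRole()."""
    identity: Identity
    roles: FrozenSet[str] = frozenset()

    def is_in_role(self, role: str) -> bool:
        return role.lower() in {r.lower() for r in self.roles}


def split_csv(csv: str) -> FrozenSet[str]:
    return frozenset(s.strip() for s in csv.split(",") if s.strip())


@dataclass(frozen=True)
class Rule:
    """One <allow> or <deny> element. In users, '*' means everyone and '?' means
    anonymous; names are compared case-insensitively as ASP.NET does."""
    allow: bool
    users: FrozenSet[str] = frozenset()
    roles: FrozenSet[str] = frozenset()

    def matches(self, principal: Principal) -> bool:
        name = principal.identity.name
        if "*" in self.users:
            return True
        if "?" in self.users and name is None:
            return True
        if name is not None and name.lower() in {u.lower() for u in self.users}:
            return True
        return any(principal.is_in_role(r) for r in self.roles)


def allow(users: str = "", roles: str = "") -> Rule:
    return Rule(True, split_csv(users), split_csv(roles))


def deny(users: str = "", roles: str = "") -> Rule:
    return Rule(False, split_csv(users), split_csv(roles))


# Directory -> rules in file order, constructed from the slide. machine.config is
# consulted after the root Web.config.
CONFIGS: Dict[str, List[Rule]] = {
    "machine.config": [allow(users="*")],
    "/": [],
    "/customers": [allow(users="Joe"), deny(users="*")],
    "/customers/sales": [allow(users="Mary")],
    "/customers/sales/reports": [allow(users="Mary,Joe"), deny(users="*")],
}


def rule_chain(path: str, configs: Dict[str, List[Rule]] = CONFIGS) -> List[Rule]:
    """Rules in the order they are consulted: the directory holding the resource
    first, then each parent up to the root, then machine.config."""
    directory = path.rsplit("/", 1)[0] or "/"
    chain: List[Rule] = []
    while True:
        chain += configs.get(directory, [])
        if directory == "/":
            break
        directory = directory.rsplit("/", 1)[0] or "/"
    return chain + configs["machine.config"]


def is_authorized(path: str, principal: Principal,
                  configs: Dict[str, List[Rule]] = CONFIGS) -> bool:
    """First matching rule wins; if nothing matches at all the request is refused."""
    for rule in rule_chain(path, configs):
        if rule.matches(principal):
            return rule.allow
    return False


if __name__ == "__main__":
    joe = Principal(Identity("Joe", "Forms"))
    mary = Principal(Identity("Mary", "Forms"))
    anonymous = Principal(Identity(None))
    for who, p in (("Joe", joe), ("Mary", mary), ("anonymous", anonymous)):
        print(who, [is_authorized(f"{d}/page.aspx", p)
                    for d in ("", "/customers", "/customers/sales", "/customers/sales/reports")])
    # Role-based rule, added here (not on the slide), using the HR Users group.
    hr_configs = dict(CONFIGS, **{"/hr": [allow(roles="HR Users"), deny(users="*")]})
    gary = Principal(Identity("Gary", "Windows"), frozenset({"HR Users"}))
    print("Gary in /hr:", is_authorized("/hr/pay.aspx", gary, hr_configs))
```

Note what the slide's rule set implies once the chain is walked: Joe is allowed into /customers/sales even though that directory only names Mary, because the search falls through to the /customers rules, while anyone else is stopped there by the deny users="*".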
Diagram: Code Access Security policy resolution.
  Retrieve evidence from the assembly (for example a Strong Name or the My_Computer_Zone)
  Assign the assembly into code groups
  Permissions of all matching code groups in a policy level are UNIONed
  The resulting permission sets of the policy levels are intersected:
    • Enterprise
    • Machine
    • User
    • Application Domain
Code Access Security
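An added example (not from the slides) of the policy resolution just described: a Python model in which each policy level's code-group tree yields the UNION of the permission sets of the groups the evidence matches, and the levels are then intersected. The permission names, the code groups and the publisher token are constructed and far simpler than the real .NET Framework 1.x policy; the Application Domain level, which a host supplies at run time, is left out of the default level list.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List

# Constructed, simplified permission names; the real named permission sets are richer.
PERMISSIONS: FrozenSet[str] = frozenset({
    "Execution", "UI", "FileDialog", "IsolatedStorage", "Printing",
    "WebAccess", "FileIO", "Registry", "Reflection", "Security",
})
FULL_TRUST = PERMISSIONS
NOTHING: FrozenSet[str] = frozenset()
INTERNET = frozenset({"Execution", "UI", "FileDialog", "IsolatedStorage", "Printing"})
LOCAL_INTRANET = INTERNET | {"WebAccess", "Reflection"}
EXECUTION_ONLY = frozenset({"Execution"})

Evidence = Dict[str, str]   # e.g. {"Zone": "MyComputer", "StrongName": "<public key token>"}


@dataclass
class CodeGroup:
    """A node in one policy level's code-group tree: a membership condition, the
    permission set it grants, and child groups that are only examined when the
    parent's condition matches (how the default union code groups behave)."""
    name: str
    condition: Callable[[Evidence], bool]
    permissions: FrozenSet[str]
    children: List["CodeGroup"] = field(default_factory=list)


def all_code(_: Evidence) -> bool:
    return True


def zone(name: str) -> Callable[[Evidence], bool]:
    return lambda ev: ev.get("Zone") == name


def strong_name(token: str) -> Callable[[Evidence], bool]:
    return lambda ev: ev.get("StrongName") == token


def resolve_level(root: CodeGroup, evidence: Evidence) -> FrozenSet[str]:
    """Within one level the assembly gets the UNION of the permission sets of
    every code group whose membership condition its evidence satisfies."""
    if not root.condition(evidence):
        return NOTHING
    granted = set(root.permissions)
    for child in root.children:
        granted |= resolve_level(child, evidence)
    return frozenset(granted)


def resolve_policy(levels: List[CodeGroup], evidence: Evidence) -> FrozenSet[str]:
    """Across levels (Enterprise, Machine, User, and AppDomain when a host adds one)
    the per-level grants are INTERSECTED, so any level can only take rights away."""
    granted = FULL_TRUST
    for level in levels:
        granted &= resolve_level(level, evidence)
    return granted


# Constructed policy: Enterprise and User grant everything and Machine decides by
# Zone, plus a strong-name group that lifts a signed assembly to full trust from any
# zone. The token is a placeholder, not a real publisher's public key token.
TRUSTED_PUBLISHER_TOKEN = "constructed-publisher-token"
ENTERPRISE = CodeGroup("All_Code", all_code, FULL_TRUST)
MACHINE = CodeGroup("All_Code", all_code, NOTHING, children=[
    CodeGroup("My_Computer_Zone", zone("MyComputer"), FULL_TRUST),
    CodeGroup("LocalIntranet_Zone", zone("Intranet"), LOCAL_INTRANET),
    CodeGroup("Internet_Zone", zone("Internet"), INTERNET),
    CodeGroup("Trusted_Publisher", strong_name(TRUSTED_PUBLISHER_TOKEN), FULL_TRUST),
])
USER = CodeGroup("All_Code", all_code, FULL_TRUST)
DEFAULT_LEVELS = [ENTERPRISE, MACHINE, USER]


if __name__ == "__main__":
    for ev in ({"Zone": "MyComputer"},
               {"Zone": "Internet"},
               {"Zone": "Internet", "StrongName": TRUSTED_PUBLISHER_TOKEN}):
        print(ev, sorted(resolve_policy(DEFAULT_LEVELS, ev)))
    # A locked-down User level removes rights the Machine level would have granted.
    locked_user = CodeGroup("All_Code", all_code, EXECUTION_ONLY)
    print("locked user:", sorted(resolve_policy([ENTERPRISE, MACHINE, locked_user],
                                                {"Zone": "MyComputer"})))
```

The two rules are visible in the output: a signed assembly downloaded from the Internet zone picks up full trust because the Machine level unions the Internet_Zone and Trusted_Publisher grants, and a restrictive User level cuts a locally installed assembly down to execution only because the levels are intersected.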