WEB343 ASP.NET and IIS: New Developments in Web Security With IIS 6.0 and ASP.NET
Stefan Schackow, Program Manager, Web Platform and Tools Team, Microsoft Corporation
Agenda
- Internet Information Services (IIS) 6.0 authentication modes
- Credential handoff to Microsoft ASP.NET 2.0
  - Impersonation demo
- Securing ASP with ASP.NET 2.0
  - Wildcard mapping demo
  - Custom HttpHandler demo
- ASP.NET trust levels
  - Medium trust and Access demo
Authentication in IIS 6.0

Authentication in IIS 6.0: authentication mechanisms
- Basic
- Digest: Windows Server 2003 has built-in support for this, so a sub-authenticator is no longer needed
- Certificate mapping
- Integrated: NTLM and Kerberos
Authentication in IIS 6.0: choosing the right authentication
- Do you need to flow the client identity?
  - Integrated security to SQL Server
  - Passing credentials to web services and System.Net classes
- If you need to delegate credentials, use Integrated using Kerberos
- Otherwise: Basic + SSL, Digest, NTLM, or certificate mapping
IIS 6.0 Credential Handoff to ASP.NET 2.0

IIS 6.0 to ASP.NET 2.0: handing off credentials
- IIS impersonation token: handed off to ASP.NET 2.0 via the ISAPI APIs
- OS thread identity: comes from the application pool identity; available using Win32 APIs

[Diagram: IIS 6.0 worker process. The O/S thread identity comes from the application pool configuration; the ISAPI Extension Control Block carries the impersonation token, which comes from the "Authentication Methods" tab.]
IIS 6.0 to ASP.NET 2.0: ASP.NET 2.0 identities
- OS thread identity; can be modified with:
    <identity impersonate="true" … />
- ASP.NET user principal: frequently not the same as the OS thread identity; available from HttpContext.User and Thread.CurrentPrincipal
- ASP.NET syncs both values for you
[Diagram: IIS 6.0 worker process. The ASP.NET ISAPI extension passes the impersonation token and the O/S thread into the ASP.NET managed code app-domain; an HTTP module sets the IPrincipal on the HttpContext.User property, after which the remaining HTTP modules run.]
Using IIS Security Information in ASP.NET

ASP.NET 2.0 Security Info: modifying the OS thread identity
- OS thread identity and impersonation
- Client impersonation:
    <identity impersonate="true" />
- Application impersonation:
    <identity impersonate="true" user="some user" password="some password" />
- Both modes change the OS thread identity
[Diagram: IIS 6.0 worker process, client impersonation. Entering the pipeline sets the O/S thread token to the impersonation token, so the HTTP modules in the ASP.NET app-domain run under the client's identity.]

[Diagram: IIS 6.0 worker process, application impersonation. The user and password from the <identity> element in Web.Config are used to log on a user; the resulting token becomes the O/S thread token for the HTTP modules in the ASP.NET app-domain.]
ASP.NET 2.0 Security Info: setting HttpContext.User
- The user depends on the authentication mode set in ASP.NET and on the IIS impersonation token
- The impersonation token can be obtained regardless of authentication mode: Request.LogonUserIdentity, available at Medium trust and higher
ASP.NET 2.0 Security Info: setting the IPrincipal
- Windows Authentication: the impersonation token is wrapped in a WindowsPrincipal; an anonymous IIS user results in an anonymous WindowsIdentity
- FileAuthorizationModule: useful with Windows Authentication; ALWAYS uses the IIS impersonation token and ignores the WindowsPrincipal on the context
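As an added example (not code from the session), a handler that reads the three identities distinguished above and uses Request.LogonUserIdentity for a local file access check in the same spirit as FileAuthorizationModule, while the application itself runs Forms authentication; the handler name and file path are assumptions.

```csharp
// Added example (not from the session). Handler name and file path are placeholders.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class IdentityProbeHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. ASP.NET user principal, set by the authentication module in use
        //    (FormsAuthenticationModule here, WindowsAuthenticationModule otherwise).
        string principalName = context.User.Identity.Name;
        // 2. OS thread identity: the application pool identity unless
        //    <identity impersonate="true" /> switched it.
        string threadName = WindowsIdentity.GetCurrent().Name;
        // 3. IIS impersonation token, available whatever the ASP.NET auth mode;
        //    with anonymous access enabled in IIS this is the IIS anonymous account.
        WindowsIdentity iisToken = context.Request.LogonUserIdentity;

        string path = context.Server.MapPath("~/App_Data/report.txt"); // placeholder
        bool readable = CanReadAs(iisToken, path);

        context.Response.ContentType = "text/plain";
        context.Response.Write("HttpContext.User        : " + principalName + "\n");
        context.Response.Write("OS thread identity      : " + threadName + "\n");
        context.Response.Write("IIS impersonation token : " + iisToken.Name + "\n");
        context.Response.Write("File readable as token  : " + readable + "\n");
    }

    // Evaluate the file's ACL against the IIS token, not against context.User.
    // The impersonation is scoped to this method and reverted by the using
    // block even if an exception is thrown.
    private static bool CanReadAs(WindowsIdentity identity, string path)
    {
        using (identity.Impersonate())
        {
            try
            {
                using (File.OpenRead(path)) { return true; }
            }
            catch (UnauthorizedAccessException) { return false; }
            catch (FileNotFoundException) { return false; }
        }
    }
}
```

Register the handler under <httpHandlers> like any IHttpHandler; WindowsIdentity.Impersonate and GetCurrent need the ControlPrincipal security permission, which the default Medium trust policy grants.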
[Diagram: IIS 6.0 worker process. Entering the pipeline with client impersonation sets the O/S thread token; the Windows Auth Module wraps the impersonation token in a WindowsPrincipal and WindowsIdentity and stores it in the HttpContext.User property for the other HTTP modules, while the File Auth Module uses the impersonation token directly.]

Demo: Impersonation and Windows Authentication
Securing ASP with ASP.NET 2.0

Securing ASP w/ ASP.NET: wildcard mapping
- IIS 6.0 introduces wildcard mapping: content requests can easily be mapped to arbitrary ISAPI extensions
- This means you can easily map ASP requests to ASP.NET
- Not supported on earlier versions; requires both ASP.NET 2.0 and IIS 6.0
Securing ASP w/ ASP.NET: wildcard mapping
- Wildcard-mapped requests first run through one or more mapped extensions
- Then the request is forwarded to the main ISAPI extension associated with the request

[Diagram: wildcard mapping in the IIS 6.0 worker process. For a request for Default.asp, IIS 6.0 checks for wildcard mappings; if there are any, control transfers to the ASP.NET app-domain, which transfers control back to IIS 6.0. In the execution phase ASP.dll runs classic ASP, after which ASP.NET has a chance to run again before the request completes.]
Securing ASP w/ ASP.NET: authentication and authorization
- Can protect ASP with ASP.NET Forms authentication
- The request first runs through the "front half" of the ASP.NET pipeline, which includes the authentication and authorization events: AuthenticateRequest and AuthorizeRequest

Securing ASP w/ ASP.NET: authentication and authorization
- Failed AuthN/AuthZ: ASP.NET redirects to the login page
- AuthN/AuthZ succeeds: the request reaches the handler execution step, ASP.NET forwards the request back out to IIS 6.0, and IIS 6.0 passes the request on to ASP.dll
Securing ASP w/ ASP.NET: custom HttpHandler
- Only needed to hand off custom information from ASP.NET to ASP: role information from an IPrincipal, or additional information about the user
- Derive from DefaultHttpHandler
- Configure the custom handler:
    <httpHandlers>
      <add … />
    </httpHandlers>

Demo: Custom Request Handler for ASP
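As an added example (not code from the session), a DefaultHttpHandler derivation that hands the ASP.NET user name and role membership to classic ASP pages served through wildcard mapping, with the web.config that both protects the ASP directory with Forms authentication (the previous two slides) and registers the handler; the class, header and role names are assumptions.

```csharp
// Added example (not from the session). Class, header and role names are placeholders.
using System;
using System.Security.Principal;
using System.Web;

namespace Demo.AspInterop
{
    public class AspRoleHandoffHandler : DefaultHttpHandler
    {
        // Roles the ASP pages care about (constructed for the example).
        private static readonly string[] RolesOfInterest = { "Admins", "Editors" };

        public override IAsyncResult BeginProcessRequest(
            HttpContext context, AsyncCallback callback, object state)
        {
            // A handler runs after AuthenticateRequest and AuthorizeRequest, so
            // context.User is the principal ASP.NET (Forms authentication plus
            // whatever populates IsInRole) has already approved.
            IPrincipal user = context.User;
            string name = "";
            string roles = "";
            if (user != null && user.Identity.IsAuthenticated)
            {
                name = user.Identity.Name;
                foreach (string role in RolesOfInterest)
                    if (user.IsInRole(role))
                        roles += (roles.Length == 0 ? "" : ",") + role;
            }
            // Always set both headers so anonymous requests carry empty values
            // rather than missing ones.
            ExecuteUrlHeaders["X-AspNet-User"] = name;
            ExecuteUrlHeaders["X-AspNet-Roles"] = roles;

            // Hand the request back to IIS 6.0, which passes it on to asp.dll.
            return base.BeginProcessRequest(context, callback, state);
        }
    }
}

/* web.config in the directory holding the ASP pages (values are illustrative;
   put the class in App_Code or add its assembly name to the type attribute):
   <system.web>
     <authentication mode="Forms"><forms loginUrl="login.aspx" /></authentication>
     <authorization><deny users="?" /></authorization>
     <httpHandlers>
       <add verb="*" path="*.asp" type="Demo.AspInterop.AspRoleHandoffHandler" />
     </httpHandlers>
   </system.web>
   The ASP page reads Request.ServerVariables("HTTP_X_ASPNET_ROLES"). This is only
   trustworthy while wildcard mapping (set in IIS Manager, not here) routes every
   *.asp request through ASP.NET; confirm in your environment that a client-sent
   X-AspNet-* header cannot reach asp.dll ahead of the value set here. */
```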
ASP.NET Trust Levels

ASP.NET Trust Levels: code access security
- Range of named trust levels:
  - Full trust: do anything the process can
  - High trust: no unmanaged code, but still broad permissions
  - Medium trust: recommended default
  - Low trust: basic set of rights
  - Minimal trust: execute only
- Different apps in the same process can run at different trust levels

ASP.NET Trust Levels: writing code for partial trust
- Do try to tweak your applications for High trust
- Immediate benefit: web applications can no longer call Win32 APIs
- May need to move code into the GAC; look into APTCA (AllowPartiallyTrustedCallersAttribute)

Demo: Using Microsoft Access in Medium Trust
Summary
- Choose the correct IIS 6.0 authentication mode: do you need delegation? do you need impersonation?
- Context.User vs. OS thread identity vs. IIS impersonation token
- Wildcard mapping and ASP.NET 2.0
- Lock down your applications with trust levels

Resources
- ASP.NET 2.0 Security Info: http://channel9.msdn.com/security

© 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
ASP.NET 2.0 Security Info: client impersonation
- OS thread switched to run as the authenticated user from IIS
- Useful for local access checks such as file access
- Should use Kerberos if you need to flow the client identity off the web server

ASP.NET 2.0 Security Info: application impersonation
- OS thread runs with the credentials configured in the <identity /> tag
- ASP.NET attempts different types of logons in sequence: batch, service, interactive, network_cleartext, network
- Useful for enforcing per-app identities: configure different identities for remote database access
ASP.NET 2.0 Security Info: setting the IPrincipal
- Forms Authentication: ignores the IIS impersonation token; choose Anonymous authentication in IIS
- UrlAuthorizationModule: performs access checks based on IIdentity.Name and IPrincipal.IsInRole; Windows authenticated users are treated as just string values
ASP.NET Trust Levels: writing code for partial trust
- Be aware of reduced app functionality
- Event logs, perf counters, and the registry require Full trust
- OleDb drivers work in Full trust by default
- File I/O is restricted at various trust levels
- Etc.
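As an added example (not code from the session), the pattern the two "Writing code for partial trust" slides point at: a strong-named, GAC-deployed, APTCA-marked wrapper that gives a Medium trust application one narrowly scoped capability (appending to a fixed log file outside its own directory) instead of raising the whole application to Full trust; the assembly, class and path names are assumptions.

```csharp
// Added example (not from the session). Assembly, class and path names are placeholders.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Without this attribute a strong-named assembly refuses calls from partially
// trusted code, so a Medium trust app could not use it even from the GAC.
[assembly: AllowPartiallyTrustedCallers]

namespace Demo.Sandbox
{
    public sealed class FixedPathLogWriter
    {
        // Attribute arguments must be compile-time constants; the caller never
        // chooses the path, which keeps the asserted permission narrow.
        private const string LogPath = @"C:\AppLogs\web.log"; // placeholder

        private FixedPathLogWriter() { }

        // Assert only Append on the one file. The Demand gates the assert on a
        // permission the caller must already hold, so callers running at a
        // trust level without ControlPrincipal are still refused.
        [SecurityPermission(SecurityAction.Demand, ControlPrincipal = true)]
        [FileIOPermission(SecurityAction.Assert, Append = LogPath)]
        public static void Append(string message)
        {
            if (message == null) throw new ArgumentNullException("message");
            // Keep log lines single-line so a caller cannot forge extra entries.
            string line = DateTime.UtcNow.ToString("o") + " " +
                          message.Replace('\r', ' ').Replace('\n', ' ');
            using (StreamWriter w = File.AppendText(LogPath))
            {
                w.WriteLine(line);
            }
        }
    }
}

/* Deployment notes:
   - Strong-name the assembly and install it in the GAC (gacutil /i Demo.Sandbox.dll);
     GAC assemblies receive Full trust regardless of the application's <trust> level.
   - The web application keeps <trust level="Medium" /> in its web.config; to stop an
     application from raising its own level, set the element in machine.config or the
     root web.config inside <location allowOverride="false">. */
```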