WEB343 ASP.NET and IIS: New Developments in Web Security With IIS 6.0 and ASP.NET
Stefan Schackow, Program Manager, Web Platform and Tools Team, Microsoft Corporation
Agenda
- Internet Information Services (IIS) 6.0 authentication modes
- Credential handoff to Microsoft ASP.NET 2.0
  - Impersonation demo
- Securing ASP with ASP.NET 2.0
  - Wildcard mapping demo
  - Custom HttpHandler demo
- ASP.NET trust levels
  - Medium trust and Access demo

Authentication in IIS 6.0: Authentication mechanisms
- Basic
- Digest
  - Windows Server 2003 has built-in support for this
  - No longer need a sub-authenticator
- Certificate mapping
- Integrated
  - NTLM
  - Kerberos

Authentication in IIS 6.0: Choosing the right authentication
- Do you need to flow the client identity?
  - Integrated security to SQL Server
  - Passing credentials to web services and System.Net classes
- If you need to delegate credentials, use Integrated using Kerberos
- Otherwise: Basic + SSL, Digest, NTLM, or Certificate mapping

IIS 6.0 Credential Handoff to ASP.NET 2.0

IIS 6.0 to ASP.NET 2.0: Handing off credentials
- IIS impersonation token
  - Handed off to ASP.NET 2.0 via the ISAPI APIs
- OS thread identity
  - Comes from the application pool identity
  - Available using Win32 APIs
[Diagram: IIS 6.0 worker process. The O/S thread identity comes from the application pool configuration; the impersonation token, carried in the ISAPI Extension Control Block, comes from the "Authentication Methods" tab.]

IIS 6.0 to ASP.NET 2.0: ASP.NET 2.0 identities
- OS thread identity
  - Can modify with: <identity impersonate="true" ... />
- ASP.NET user principal
  - Frequently not the same as the OS thread identity
  - Available from: HttpContext.User, Thread.CurrentPrincipal
  - ASP.NET syncs both values for you
[Diagram: IIS 6.0 worker process. The ASP.NET ISAPI extension receives the impersonation token on the O/S thread; inside the managed ASP.NET app-domain an HTTP module in the pipeline sets the IPrincipal that becomes the HttpContext User property.]

Using IIS Security Information in ASP.NET

ASP.NET 2.0 Security Info: Modifying OS thread identity
- OS thread identity and impersonation
  - Client impersonation: <identity impersonate="true" />
  - Application impersonation: <identity impersonate="true" user="some user" password="some password" />
  - Both modes change the OS thread identity
[Diagram: Client impersonation. The impersonation token is set as the O/S thread token, and the ASP.NET app-domain enters the pipeline of HTTP modules with the new client impersonation.]
[Diagram: Application impersonation. The <identity user= password= /> values in Web.Config are used to log on the user; the resulting impersonation token is set on the O/S thread before the HTTP modules run.]

ASP.NET 2.0 Security Info: Client impersonation
- OS thread switched to run as the authenticated user from IIS
- Useful for local access checks such as file access
- Should use Kerberos if you need to flow the client identity off the web server

ASP.NET 2.0 Security Info: Application impersonation
- OS thread runs with the credentials configured in the <identity /> tag
- ASP.NET attempts different types of logons in sequence: batch, service, interactive, network_cleartext, network
- Useful for enforcing per-app identities
  - Configure different identities for remote database access

ASP.NET 2.0 Security Info: Setting HttpContext.User
- The user depends on:
  - Authentication mode set in ASP.NET
  - IIS impersonation token
- Can get the impersonation token regardless of authentication mode
  - Request.LogonUserIdentity
  - Available at Medium trust and higher

ASP.NET 2.0 Security Info: Setting the IPrincipal (Windows Authentication)
- Windows Authentication
  - Impersonation token is wrapped in a WindowsPrincipal
  - Anonymous IIS user results in an anonymous WindowsIdentity
- FileAuthorizationModule
  - Useful with Windows Authentication
  - ALWAYS uses the IIS impersonation token
  - Ignores the WindowsPrincipal on the context
[Diagram: Impersonation and Windows Authentication. The impersonation token is set as the O/S thread token and the pipeline is entered with the new client impersonation; the Windows Auth module wraps the token in a WindowsPrincipal and WindowsIdentity and sets the HttpContext User property; the File Auth module uses the impersonation token directly; the other HTTP modules follow.]

ASP.NET 2.0 Security Info: Setting the IPrincipal (Forms Authentication)
- Forms Authentication
  - Ignores the IIS impersonation token
  - Choose Anonymous authentication in IIS
- UrlAuthorizationModule
  - Performs access checks based on: IIdentity.Name, IPrincipal.IsInRole
  - Windows-authenticated users are treated as just string values

Securing ASP with ASP.NET 2.0

Securing ASP w/ ASP.NET: Wildcard mapping
- IIS 6.0 introduces wildcard mapping
  - Can easily map content requests to arbitrary ISAPI extensions
  - Means you can easily map ASP requests to ASP.NET
- Not supported on earlier versions
  - Requires both ASP.NET 2.0 and IIS 6.0
- Wildcard-mapped requests first run through one or more mapped extensions
- Then the request is forwarded to the main ISAPI extension associated with the request
[Diagram: Wildcard mapping. A request for Default.asp reaches IIS 6.0; if any wildcard mappings exist, it is transferred to the ASP.NET app-domain; in the execution phase ASP.NET transfers control back to IIS 6.0, which runs classic ASP (ASP.dll); ASP.NET then has a chance to run after ASP is done, and the request completes.]

Securing ASP w/ ASP.NET: Authentication and authorization
- Can protect ASP with ASP.NET Forms authentication
- Request first runs through the "front half" of the ASP.NET pipeline
  - This includes the authentication and authorization events: AuthenticateRequest, AuthorizeRequest
- Failed AuthN/AuthZ
  - ASP.NET redirects to the login page
- AuthN/AuthZ succeeds
  - Request reaches the handler execution step
  - ASP.NET forwards the request back out to IIS 6.0
  - IIS 6.0 passes the request on to ASP.dll

Securing ASP w/ ASP.NET: Custom HttpHandler
- Only needed to hand off custom information from ASP.NET to ASP
  - Role information from an IPrincipal
  - Additional information about the user
- Derive from DefaultHttpHandler
- Configure the custom handler:
  <httpHandlers>
    <add ... />
  </httpHandlers>

Custom Request Handler for ASP (demo)

ASP.NET Trust Levels: Code access security
- Range of named trust levels
  - Full trust: do anything the process can
  - High trust: no unmanaged code, still have broad permissions
  - Medium trust: recommended default
  - Low trust: basic set of rights
  - Minimal trust: execute only
- Different apps in the same process can run at different trust levels

ASP.NET Trust Levels: Writing code for partial trust
- Do try to tweak your applications for High trust
  - Immediate benefit: web applications can no longer call Win32 APIs
- May need to move code into the GAC
  - Look into APTCA (AllowPartiallyTrustedCallersAttribute)
- Be aware of reduced app functionality
  - Event logs, perf counters, registry require Full trust
  - OleDb drivers work in Full trust by default
  - File I/O is restricted at various trust levels
  - Etc.

Using Microsoft Access in Medium Trust (demo)

Summary
- Choose the correct IIS 6.0 authentication mode
  - Do you need delegation?
  - Do you need impersonation?
- Context.User, OS thread identity, IIS impersonation token
- Wildcard mapping and ASP.NET 2.0
- Lock down your applications with trust levels

Resources
- ASP.NET 2.0 Security Info: http://channel9.msdn.com/security

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
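The three identities the credential-handoff slides distinguish (OS thread identity, HttpContext.User, and the IIS impersonation token from Request.LogonUserIdentity) can be observed side by side with an HTTP module. This is an added example, not code from the session; the module name, namespace and web.config entries are assumptions.

```csharp
// Added example (not from the deck): an IHttpModule that records, per request, the
// three identities the slides distinguish. Assumes ASP.NET 2.0 on IIS 6.0 with
// web.config (assumed) containing:
//   <authentication mode="Windows" />
//   <identity impersonate="true" />          <!-- client impersonation -->
//   <httpModules><add name="IdentityProbe" type="Samples.IdentityProbeModule" /></httpModules>
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;

namespace Samples
{
    public class IdentityProbeModule : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            // Runs after the authentication module has set HttpContext.User.
            app.PostAuthenticateRequest += new EventHandler(OnPostAuthenticate);
        }

        public void Dispose() { }

        private static void OnPostAuthenticate(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;

            // 1. OS thread identity: the app pool identity, or the client once
            //    <identity impersonate="true" /> has switched the thread token.
            string osThread = WindowsIdentity.GetCurrent().Name;

            // 2. ASP.NET principal: set according to the <authentication> mode.
            //    ASP.NET keeps Thread.CurrentPrincipal in sync with it.
            string principal = (ctx.User == null) ? "(none)" : ctx.User.Identity.Name;
            bool synced = Object.ReferenceEquals(Thread.CurrentPrincipal, ctx.User);

            // 3. IIS impersonation token, available whatever the mode (Medium trust and up).
            //    An anonymous IIS user yields an anonymous WindowsIdentity.
            WindowsIdentity iisToken = ctx.Request.LogonUserIdentity;
            string iis = (iisToken == null) ? "(none)"
                       : iisToken.IsAnonymous ? "(anonymous)" : iisToken.Name;

            // Write to page trace output rather than the response, so identity
            // details stay on the server.
            ctx.Trace.Write("Identity", "OS thread: " + osThread);
            ctx.Trace.Write("Identity", "HttpContext.User: " + principal + " (synced=" + synced + ")");
            ctx.Trace.Write("Identity", "IIS token: " + iis);
        }
    }
}
```

With impersonation off, the first value is the application pool identity while the other two still name the client, which is the mismatch the FileAuthorizationModule slide relies on.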
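For the wildcard-mapping and custom HttpHandler slides, the following added example (not the session's demo code) shows a DefaultHttpHandler subclass that passes the Forms-authenticated user name and roles on to classic ASP. The header names, namespace and web.config entries are assumptions; the IIS wildcard mapping to aspnet_isapi.dll is assumed to be configured separately.

```csharp
// Added example (not from the deck): hand the ASP.NET user and roles to classic ASP
// over an IIS 6.0 wildcard mapping. Assumed web.config:
//   <authentication mode="Forms"><forms loginUrl="Login.aspx" /></authentication>
//   <authorization><deny users="?" /></authorization>   <!-- .asp now requires a login -->
//   <roleManager enabled="true" />
//   <httpHandlers>
//     <remove verb="*" path="*.asp" />
//     <add verb="*" path="*.asp" type="Samples.AspRoleHandoffHandler" />
//   </httpHandlers>
using System;
using System.Web;
using System.Web.Security;

namespace Samples
{
    public class AspRoleHandoffHandler : DefaultHttpHandler
    {
        // Header names are assumptions. ASP reads them as
        // Request.ServerVariables("HTTP_X_ASPNET_USER") and ("HTTP_X_ASPNET_ROLES").
        private const string UserHeader = "X-AspNet-User";
        private const string RolesHeader = "X-AspNet-Roles";

        public override IAsyncResult BeginProcessRequest(
            HttpContext context, AsyncCallback callback, object state)
        {
            // Only reached after AuthenticateRequest and AuthorizeRequest succeeded;
            // a failed check was already redirected to the login page.
            string user = "";
            string roles = "";
            if (context.User != null && context.User.Identity.IsAuthenticated)
            {
                user = context.User.Identity.Name;
                RolePrincipal rp = context.User as RolePrincipal;
                if (rp != null)
                    roles = String.Join(",", rp.GetRoles());
            }

            // Set (not Add) so each header carries exactly one server-chosen value.
            ExecuteUrlHeaders[UserHeader] = user;
            ExecuteUrlHeaders[RolesHeader] = roles;

            // DefaultHttpHandler hands the request back to IIS 6.0, which runs ASP.dll.
            return base.BeginProcessRequest(context, callback, state);
        }
    }
}
```

The ASP page can rely on these headers only because every .asp request passes through ASP.NET first; if the wildcard mapping is removed, the handler no longer runs and a client could supply the same header names directly, so keep the mapping and the handler deployed together.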
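The trust-level slides list resources that need Full trust (event log, registry) or are restricted at lower levels (file I/O). This added example, not from the session, reports the named trust level an application actually runs at and probes those permissions before using them; it assumes web.config sets <trust level="Medium" /> and uses the .NET 2.0 SecurityManager.IsGranted API (deprecated in later frameworks).

```csharp
// Added example (not from the deck): discover the ASP.NET trust level and probe
// the permissions the slides call out. Assumes <trust level="Medium" /> in
// web.config (Full is the default) and .NET 2.0's SecurityManager.IsGranted.
using System;
using System.Diagnostics;
using System.Security;
using System.Security.Permissions;
using System.Web;

namespace Samples
{
    public static class TrustProbe
    {
        // Walk the named levels from highest to lowest; the first one granted is the
        // level the app runs at (Unrestricted corresponds to Full trust).
        public static AspNetHostingPermissionLevel CurrentLevel()
        {
            AspNetHostingPermissionLevel[] levels = {
                AspNetHostingPermissionLevel.Unrestricted,
                AspNetHostingPermissionLevel.High,
                AspNetHostingPermissionLevel.Medium,
                AspNetHostingPermissionLevel.Low,
                AspNetHostingPermissionLevel.Minimal };
            foreach (AspNetHostingPermissionLevel level in levels)
                if (SecurityManager.IsGranted(new AspNetHostingPermission(level)))
                    return level;
            return AspNetHostingPermissionLevel.None;
        }

        // path must be absolute, e.g. built from HttpRuntime.AppDomainAppPath.
        public static bool CanReadFile(string path)
        {
            return SecurityManager.IsGranted(new FileIOPermission(FileIOPermissionAccess.Read, path));
        }

        public static bool CanReadRegistry(string key)
        {
            return SecurityManager.IsGranted(new RegistryPermission(RegistryPermissionAccess.Read, key));
        }

        public static bool CanWriteEventLog()
        {
            return SecurityManager.IsGranted(new EventLogPermission(EventLogPermissionAccess.Write, "."));
        }

        // Degrade instead of failing: skip the event log below Full trust, and still
        // guard the call, because IsGranted does not cover every runtime check.
        public static bool TryLogWarning(string source, string message)
        {
            if (!CanWriteEventLog()) return false;
            try { EventLog.WriteEntry(source, message, EventLogEntryType.Warning); return true; }
            catch (SecurityException) { return false; }
        }
    }
}
```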