淄博万昌科技股份有限公司(.pptVIP

ASP.NET Security Part 1 Dave Glover dglover@ Developer Platform Group Microsoft Australia. Resources /security /security/guidance/default.mspx /resources/practices/ Patterns and Practices Proven Practices Predictable Results Available from your Book Stores Free download from MSDN as PDFs Today’s ASP.NET Agenda Part 1 ASP.NET Security Part 2 ASP.NET Security cont Web Services Security ASP.NET Whidbey Logon Support Agenda IIS Security and Process Model Validating Input Securing Forms Authentication Data Security and Process Model IIS 5 6.0 Architecture Security and Process Models ASP.NET Process Identity Windows? 2000: Default is ASPNET (local service account) Can also run as System or configured account using processModel New for the Fx 1.1 release: Support for DPAPI encrypted credentials in processModel Aspnet_setreg.exe for 1.0 Framework Windows? Server 2003 Uses IIS 6 process model Process identity is configurable Default identity is ‘Network Service’ IIS Security ASP.NET Security Authentication Anonymous Integrated Windows Authentication IE Challenge/Response (NTLM/Kerberos) Digest – More secure than Basic Basic - Clear text must be over SSL/TLS Impersonation Impersonation Impersonation Off (Default) Work done in the context of the ASP.NET Worker Process Required for connection pooling Impersonation On Work done based on the Callers Identity System level Auditing No connection pool Web.Config identity impersonate=true / Authorization Strategies Windows Security and ACLs ACLs checked for Windows auth URL Authorization Enterprise Services/COM+ Roles Require impersonation Windows Server 2003 AuthZ Framework Task Based Authorisation Declarative and Programmatic Checks Authorisation Profile Application Block Role Based Authorisation /patterns Request Processing Intranet Applications Internet Applications Demo 1 Validating Input All Input is Evil!! All uncontrolled inputs must either be checked or encoded Eg TextBox.Text URI parameters and cookies Encoding