WEB343 ASP.NET and IIS: New Developments in Web Security With IIS 6.0 and ASP.NET

WEB343ASP.NET and IIS: New Developments in Web Security With IIS 6.0 and ASP.NETStefan SchackowProgram ManagerWeb Platform and Tools TeamMicrosoft CorporationAgendaInternet Information Services (IIS) 6.0 Authentication ModesCredential Handoff to Microsoft ASP.NET 2.0	Impersonation demoSecuring ASP with ASP.NET 2.0Wildcard mapping demoCustom HttpHandler demoASP.NET Trust LevelsMedium trust and Access demoAuthentication in IIS 6.0Authentication in IIS 6.0Authentication mechanismsBasicDigestWindows Server 2003 has built-in support for thisNo longer need sub-authenticatorCertificate mappingIntegratedNTLMKerberosAuthentication in IIS 6.0Choosing the right authenticationDo you need to flow client identity?Integrated security to SQL ServerPassing credentials to webservice and System.Net classesIf you need to delegate credentials use:Integrated using KerberosOtherwise:Basic + SSLDigestNTLMCertificate mappingIIS 6.0 Credential Handoff to ASP.NET 2.0IIS 6.0 to ASP.NET 2.0Handing off credentialsIIS Impersonation TokenHanded off to ASP.NET 2.0 via the ISAPI APIsOS thread identityComes from application pool identityAvailable using Win32 APIsIIS 6.0 Worker ProcessO/S ThreadISAPI Extension Control BlockIdentity fromApplication Pool ConfigImpersonation Token comes from “AuthenticationMethods” tabIIS 6.0 to ASP.NET 2.0ASP.NET 2.0 identitiesOS thread identity Can modify with:ASP.NET user principalFrequently not the same as the OS thread identityAvailable from:HttpContext.UserThread.CurrentPrincipalASP.NET syncs both values for youIIS 6.0 Worker ProcessImpersonation TokenO/S ThreadASP.NET ISAPIExtensionASP.NET Managed Code App-DomainHTTP ModuleHTTP ModuleHTTP ModuleHTTP ModuleHTTP ModuleHTTP ModuleHTTP ContextUserPropertySetIPrincipalUsing IIS Security Information in ASP.NETASP.NET 2.0 Security InfoModifying OS thread identityOS thread identity and impersonationClient impersonation:Application impersonation:Both modes change the OS thread identityIIS 6.0 Worker ProcessClient ImpersonationImpersonation TokenO/S ThreadSet Thread TokenASP.NET App-DomainHTTP ModuleHTTP ModuleHTTP ModuleHTTP ModuleHTTP ModuleHTTP ModuleEnter Pipeline withNew Client ImpersonationIIS 6.0 Worker ProcessApplication Impersonation Impersonation TokenO/S ThreadLogon UserASP.NET App-DomainHTTP ModuleHTTP ModuleHTTP ModuleHTTP ModuleHTTP ModuleHTTP Module	 Custom Request Handler for ASPASP.NET Trust LevelsASP.NET Trust LevelsCode access securityRange of named trust levelsFull trust: do anything the process canHigh trust: no unmanaged code, still have broad permissionsMedium trust: recommended defaultLow trust: basic set of rightsMinimal trust: execute onlyDifferent apps in the same process can run at different trust levelsASP.NET Trust LevelsWriting code for partial trustDo try to tweak your applications for High trustImmediate benefit: web applications can no longer call Win32 APIsMay need to move code into the GACLook into APTCA (AllowPartiallyTrustedCallerAttribute)Using Microsoft Access in Medium TrustSummaryChoose the correct IIS 6.0 authentication modeDo you need Delegation?Do you need Impersonation?Context.User - OS thread identity – IIS impersonation tokenWildcard mapping and ASP.NET 2.0Lockdown your applications with trust levelsResourcesASP.NET 2.0 Security Info:  Feedbackis Important!Please Fill Out a Survey forThis Session on CommNet© 2005 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.ASP.NET 2.0 Security InfoClient impersonationOS thread switched to run as authenticated user from IISUseful for local access checks such as file accessShould use Kerberos if you need to flow the client identity off the web serverASP.NET 2.0 Security InfoApplication impersonationOS thread runs with the credentials configured in tagASP.NET attempts different types of logons in sequence:Batch, service, interactive, network_cleartext, networkUseful for enforcing per-app identitiesConfigure different identities for remote database accessASP.NET 2.0 Security InfoSetting the IPrincipalForms AuthenticationIgnores the IIS impersonation tokenChoose Anonymous authentication in IISUrlAuthorizationModulePerforms access checks based on:IIdentity.NameIPrincpal.IsInRoleWindows authenticated users are treated as just string valuesASP.NET Trust LevelsWriting code for partial trustBe aware of reduced app functionalityEvent logs, perf counters, registry require Full trustOleDb drivers work in Full trust by defaultFile I/O is restricted at various trust levels Etc..