ASP.NET security advice wanted

Discussion in 'ASP .Net Security' started by Bill Zack, Nov 2, 2003.

  1. Bill Zack

    Bill Zack Guest

    We have an interesting ASP.NET security design problem. I think that
    I have worked out a solution, but I want to make sure that I am not
    off base. I would appreciate any advice that anyone might be willing
    to give me.

    For a new application we have both Intranet and Extranet users. For
    Extranet user we cannot use inter-domain trusts (the normal Extranet
    design pattern) for political reasons.

    We are using Windows 2000/Active Directory. The application will be
    written in ASP.NET. SSL will be used for all requests. The server(s)
    will have certificates, but the clients will not.

    1. Extranet users
    First time Extranet users must go through an ASP.NET registration
    application. In this application IIS security is set to only allow
    request from certain IP addresses and Domains (Own and clients) IIS
    Authenticates them as an Anonymous users. ASP.NET Authenticates with
    Forms Authentication, redirecting them to a Logon page. The Logon
    page uses Impersonation with the identity of a specific user that can
    add new users to the AD domain. They are then added to the domain as
    a member of a special Extranet group with minimal/no privileges.

    Note: I realize that this will allow anyone to add themselves as
    users. Later, an administrator will use another ASP.NET application
    (using Windows Integrated Authentication) to increase their
    privileges, put them in specific groups that have specific roles, etc.
    We may also need to clean up "ghost" users periodically.

    Then, after registration, they can be authenticated using Windows
    Integrated Security as described below.

    2. Intranet users
    Intranet users (and registered Extranet users) will be authenticated
    by IIS using Windows Integrated security and ASP.NET Windows security.
    Since Intranet users are already authenticated by Windows they will
    not be required to present their credentials when entering the
    application. Extranet users will be forced to present their
    credentials when entering our domain since their passwords in their
    home and our local domain will most likely be different. (This is the
    part that I am not sure of.) Once they do they will be authenticated
    as domain users in our domain.

    Impersonation/Delegation will then be used to access a middle tier
    application that accesses an Oracle database. The Oracle database
    will use their passed credentials to limit them to seeing only their
    own data.

    Are there any holes in my logic for handling Extranet users?

    Bill Zack
    Bill Zack, Nov 2, 2003
    1. Advertisements

  2. MSFT

    MSFT Guest

    Hi Bill,

    As a supply, I think you may consider adding firewall between clients and
    IIS server, and between IIS server and Database server. For example, forbid
    some ports to avoid vicious attack from outter side.

    Microsoft Online Support

    Get Secure!
    (This posting is provided "AS IS", with no warranties, and confers no
    MSFT, Nov 3, 2003
    1. Advertisements

  3. TM

    TM Guest

    "Bill Zack" <> wrote in message

    > For a new application we have both Intranet and Extranet users. For
    > Extranet user we cannot use inter-domain trusts (the normal Extranet
    > design pattern) for political reasons.

    I would only use AD for internal authentication (your employees). I would
    seal/prevent outsiders from logging in to my AD at all if possible . I would
    use Oracle Security Authentication for outsiders (similar to MS/SQL
    Authentication method). In MS/SQL, you can design a so called "Application
    Role based" security. This way, only your application can access to certain
    part in your database. I do not know if Oracle does support Role Based
    security. It is the best so far for me.

    TM, Nov 3, 2003
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Junpei
    Jim Gibson
    May 27, 2004
  2. PCC
  3. Harvey
    Jul 16, 2004
  4. Harvey
    Jul 16, 2004
  5. Paul Hale

    ASP.NET Security Advice

    Paul Hale, Nov 10, 2006, in forum: ASP .Net Security
    Paul Hale
    Nov 10, 2006

Share This Page