Security design question

Discussion in 'ASP .Net Security' started by John Lee, Jan 12, 2005.

  1. John Lee

    John Lee Guest

    Hi,

    Here is the environment related context:
    =========================================================================
    Websites are hosted in the DMZ - subdomain created: dmz.companydomain.com
    We have our web farm (3-5 web servers) running under one NT Domain account
    with least privileges.
    Websites have all 3 levels of access: anonymous, registered and verified
    We will use forms authentication to authenticate registered and verified users
    SQL Server will be used to host user authentication information and session
    state
    All line-of-business web services are hosted internally with Windows
    authentication only
    AzMan is used to perform access checks on all public web methods
    =========================================================================
    My questions are:

    Is this a good practice? Any obvious flaw?
    What is the best way to encrypt session state, because it might contain
    sensitive data?
    If the internal web service trusts the NT domain account that hosts the web
    site, it means that if someone gains access/control to the site then he could
    possibly call any of the web service methods. Is this correct? How do we
    prevent it from happening?
    What is the best way to secure a public-access website that will
    retrieve/update internal business data?

    Thanks very much!
    John
    John Lee, Jan 12, 2005
    #1
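    On the second question (encrypting session state that lives in SQL Server), the example below is added here and is not code from the thread. It wraps sensitive values so that the session table only ever holds ciphertext: AES-CBC with a fresh IV per value, then an HMAC-SHA256 tag over IV||ciphertext (encrypt-then-MAC), verified before decryption. Assumptions not taken from the thread: the two 256-bit keys come from appSettings entries named "SessionEncKey" and "SessionMacKey" (base64) held in a protected configuration section, and the code targets .NET 3.5 or later (Aes.Create(); on the .NET 1.1 of the thread's date, RijndaelManaged is the equivalent).

```csharp
// Added example (not from the thread): keep sensitive session values
// encrypted and integrity-protected while they sit in SQL Server session state.
// Key names "SessionEncKey"/"SessionMacKey" are placeholders chosen here.
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public static class ProtectedSession
{
    private const int IvLength = 16;   // AES block size
    private const int TagLength = 32;  // HMAC-SHA256 output

    private static readonly byte[] EncKey = LoadKey("SessionEncKey");
    private static readonly byte[] MacKey = LoadKey("SessionMacKey");

    // Keys must be identical on every server in the farm, like machineKey.
    private static byte[] LoadKey(string name)
    {
        string b64 = ConfigurationManager.AppSettings[name];
        if (string.IsNullOrEmpty(b64))
            throw new InvalidOperationException("Missing key: " + name);
        byte[] key = Convert.FromBase64String(b64);
        if (key.Length != 32)
            throw new InvalidOperationException("Key must be 256 bits: " + name);
        return key;
    }

    // Returns IV || ciphertext || tag.
    public static byte[] Protect(string plaintext)
    {
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] iv, ct;
        using (Aes aes = Aes.Create())          // CBC + PKCS7 by default
        {
            aes.Key = EncKey;
            aes.GenerateIV();                   // never reuse an IV under one key
            iv = aes.IV;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(pt, 0, pt.Length);
        }
        byte[] body = Concat(iv, ct);
        byte[] tag;
        using (HMACSHA256 mac = new HMACSHA256(MacKey))
            tag = mac.ComputeHash(body);
        return Concat(body, tag);
    }

    // Verifies the tag before touching the ciphertext; throws on tampering.
    public static string Unprotect(byte[] blob)
    {
        if (blob == null || blob.Length < IvLength + TagLength)
            throw new CryptographicException("Malformed session blob");
        int bodyLen = blob.Length - TagLength;
        byte[] body = new byte[bodyLen];
        byte[] tag = new byte[TagLength];
        Buffer.BlockCopy(blob, 0, body, 0, bodyLen);
        Buffer.BlockCopy(blob, bodyLen, tag, 0, TagLength);

        byte[] expected;
        using (HMACSHA256 mac = new HMACSHA256(MacKey))
            expected = mac.ComputeHash(body);
        if (!FixedTimeEquals(tag, expected))
            throw new CryptographicException("Session blob failed integrity check");

        byte[] iv = new byte[IvLength];
        byte[] ct = new byte[bodyLen - IvLength];
        Buffer.BlockCopy(body, 0, iv, 0, IvLength);
        Buffer.BlockCopy(body, IvLength, ct, 0, ct.Length);
        using (Aes aes = Aes.Create())
        {
            aes.Key = EncKey;
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(ct, 0, ct.Length));
        }
    }

    // Page-code wrappers: Session only ever sees the protected byte[].
    public static void Set(string key, string value)
    {
        HttpContext.Current.Session[key] = Protect(value);
    }

    public static string Get(string key)
    {
        byte[] blob = HttpContext.Current.Session[key] as byte[];
        return blob == null ? null : Unprotect(blob);
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    // Compares tags without stopping at the first differing byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

    Two caveats a practitioner would want with this: every server in the 3-5 node farm must load the same two keys or a request routed to a different node will fail the integrity check, and encrypting the stored state does nothing for the session cookie itself, which still needs HTTPS and the cookie's secure/HttpOnly flags so a captured session ID cannot be replayed.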

  2. [MSFT]

    [MSFT] Guest

    Hi John,

    From the design, you may consider adding a firewall between the outside and
    your web site, and also between your web server and the web service
    server/database. This can help block the attacks. Here are some good
    articles on ASP.NET security; you may take a look first to see if they will
    help:


    Securing Your ASP.NET Application and Web Services
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh19.asp

    Securing .NET Web Applications in an Intranet Environment
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod05.asp

    An Introductory Guide to Building and Deploying More Secure Sites with
    ASP.NET and IIS
    http://msdn.microsoft.com/msdnmag/issues/02/04/aspsec/default.aspx

    Luke
    [MSFT], Jan 13, 2005
    #2
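    The original poster's third question (if the internal service trusts the farm's domain account, a compromised site can call any method) is answered "yes" by the trusted-subsystem model the thread describes: the service sees only the farm account, so whatever runs as that account gets its full rights. The added example below is not code from the thread; it shows the usual defence-in-depth shape for an ASMX service: require the Windows caller to be the farm account, additionally require a short-lived user assertion minted by the front end after forms authentication, and authorize each operation for that user (the AzMan access check the question mentions is represented by an IAccessCheck placeholder). Assumptions not taken from the thread: appSettings entries "UserAssertionKey" (base64, 32 bytes) and "FarmAccount" (DOMAIN\name), and the assertion format "user|expiryTicks|base64tag".

```csharp
// Added example (not from the thread): an internal web method that does not
// act on the web farm's identity alone. Config key names and the assertion
// format are placeholders chosen here.
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web.Services;

public interface IAccessCheck
{
    bool IsAllowed(string user, string operation);   // AzMan AccessCheck goes here
}

public static class UserAssertion
{
    private static readonly byte[] Key =
        Convert.FromBase64String(ConfigurationManager.AppSettings["UserAssertionKey"]);

    // Front end, right after forms authentication succeeds: "user|expiryTicks|tag".
    public static string Issue(string user, TimeSpan lifetime)
    {
        if (user.IndexOf('|') >= 0) throw new ArgumentException("user may not contain '|'");
        string body = user + "|" + DateTime.UtcNow.Add(lifetime).Ticks;
        return body + "|" + Convert.ToBase64String(Tag(body));
    }

    // Service side: the asserted user name, or null if expired, malformed or forged.
    public static string Verify(string assertion, DateTime nowUtc)
    {
        if (assertion == null) return null;
        string[] p = assertion.Split('|');
        long expiry;
        if (p.Length != 3 || !long.TryParse(p[1], out expiry)) return null;
        if (expiry < 0 || expiry > DateTime.MaxValue.Ticks) return null;
        if (new DateTime(expiry, DateTimeKind.Utc) < nowUtc) return null;   // expired
        byte[] given;
        try { given = Convert.FromBase64String(p[2]); } catch (FormatException) { return null; }
        byte[] expected = Tag(p[0] + "|" + p[1]);
        int diff = given.Length ^ expected.Length;                          // fixed-time compare
        for (int i = 0; i < given.Length && i < expected.Length; i++) diff |= given[i] ^ expected[i];
        return diff == 0 ? p[0] : null;
    }

    private static byte[] Tag(string body)
    {
        using (HMACSHA256 h = new HMACSHA256(Key))
            return h.ComputeHash(Encoding.UTF8.GetBytes(body));
    }
}

public class OrderService : WebService
{
    // Set once at application start (Global.asax) to the AzMan-backed checker.
    public static IAccessCheck Access;
    private static readonly string FarmAccount = ConfigurationManager.AppSettings["FarmAccount"];

    [WebMethod]
    public string GetOrder(string assertion, string orderId)
    {
        // (1) Windows authentication: the transport identity must be the farm account.
        WindowsIdentity caller = User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated ||
            !string.Equals(caller.Name, FarmAccount, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("caller is not the web farm account");

        // (2) Per-user context: the farm account alone cannot act as an arbitrary user.
        string user = UserAssertion.Verify(assertion, DateTime.UtcNow);
        if (user == null) throw new UnauthorizedAccessException("missing or invalid user assertion");

        // (3) Per-operation authorization for that user; log the asserted identity with it.
        if (Access == null || !Access.IsAllowed(user, "GetOrder"))
            throw new UnauthorizedAccessException(user + " is not allowed GetOrder");

        return LoadOrderFor(user, orderId);   // data access scoped to this user
    }

    private string LoadOrderFor(string user, string orderId)
    {
        // Placeholder for the real query; it must filter by 'user' so the
        // service never returns another customer's order.
        return "order " + orderId + " for " + user;
    }
}
```

    What this buys, stated plainly: a compromise that can only drive the site's own code paths is now limited to the current user's rights and to assertions that expire, and every service call is attributable to a named user. What it does not buy: an attacker who can read the web server's configuration also holds the assertion key and can mint assertions, so the stronger options remain granting the farm account only the minimum set of methods (AzMan checks on the farm identity, not just on the end user) and, where the domain allows it, Kerberos delegation so the service sees the real user identity rather than a token the web tier vouches for.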
