web application security

Discussion in 'ASP .Net' started by Stephen, Mar 22, 2005.

  1. Stephen

    Stephen Guest

    I have my intranet setup on our web server. It contains multiple
    applications, but none are set up in the default application pools. In
    other words, I create a webform and plop it into a directory on the web
    server. My question revolves around security models for the
    applications. I have been rethinking my current security strategy,
    which is basically as follows:

    ' Page_Load of each protected web form (VB.NET)
    Dim strUser As String = UCase(User.Identity.Name)
    Dim boolAccess As Boolean = False
    If strUser = "DOMAIN\USERNAME1" Or strUser = "DOMAIN\USERNAME3" Then
        boolAccess = True
    End If

    If boolAccess = False Then
        Response.Write(strUser & " - You are not authorized to access this area.")
        Response.End()
    End If

    This validates the user on the page load event. The only problem with
    this is now I have about 50+ web forms and managing this is getting to
    be an issue, not to mention if someone new needs access to the webform,
    someone (me) has to go into the code and add them. This isn't
    (obviously) an ideal situation, as I would like to make it so the sys
    admin can add/remove users/roles from a webform. Here is what I have
    contrived in my puny head about my options:

    1. Create (application) roles in AD, then use this code to restrict
    access in each of the webforms that need it:

    // Page_Load of each protected web form (C#)
    if (User.IsInRole("DOMAIN\\RoleName")) {
        // Allow access: fall through and render the page
    }
    else {
        // Deny access
        Response.Write("You are not authorized to access this area.");
        Response.End();
    }
    return;

    2. Set the permissions (AD role based) on the files in IIS (I think
    this is called file authorization)

    There are a couple others such as URL Author & .Net Roles of which I know
    little about. Option 1 above has the problem of still requiring
    manipulating code if roles need adding or removing, so I don't much
    like this option except for very specific functions. Option 2 seems
    like the best for controlling access to an entire webform from a
    non-developer admin point. The other two options I need some educating
    on.

    Our intranet uses integrated windows authentication with anonymous
    access turned off. I don't foresee ever needing to allow
    non-authenticated users access to this site.

    I have downloaded information on asp.net security, but there is a
    mountain of information to wade through. I was hoping someone could
    give me some pointers on implementing a simple security model and maybe
    share some experiences they've had. Some of this is driven by
    compliance with Sarbanes-Oxley.

    Any help is appreciated.
    Stephen, Mar 22, 2005
    #1
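    As an added example (not code from this thread): one way to get the
    declarative URL authorization model the question mentions, so that access
    is controlled by AD group membership plus one config file instead of code
    in each web form. Group, folder and form names below are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the thread: web.config for one ASP.NET
     intranet application behind IIS Integrated Windows authentication.
     DOMAIN\Intranet-* groups and the paths are placeholders. -->
<configuration>
  <system.web>
    <!-- IIS has already authenticated the caller against the domain;
         ASP.NET reads that Windows identity and its group memberships. -->
    <authentication mode="Windows" />

    <!-- Application-wide default: deny anonymous ('?') as defence in depth
         even though IIS blocks it, then let any authenticated user browse.
         Rules are evaluated top-down and the first match wins. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Restrict a single web form to members of one AD group. Granting a
       new user access means adding them to the group in AD; no code edit. -->
  <location path="Reports/AuditLog.aspx">
    <system.web>
      <authorization>
        <allow roles="DOMAIN\Intranet-Audit" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Restrict a whole folder: every form under Admin/ requires membership
       in at least one of the listed groups. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="DOMAIN\Intranet-Admins,DOMAIN\Intranet-Updaters" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

    Note that these rules only cover requests ASP.NET handles (.aspx and other
    mapped extensions); static files IIS serves itself fall back to the NTFS
    ACLs of option 2, so keep those in sync.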

  2. Stephen

    ashish Guest

    you can use forms authentication with active directory, then you won't
    have to worry about anything

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod16.asp


    hth
    -ashish

    ashish, Mar 22, 2005
    #2

  3. Stephen,

    Because your existing intranet uses Windows Integrated security you are
    already on the right track. ALWAYS resist the temptation to apply any kind of
    security to a specific user; create a role and validate membership within the
    role to secure the item. Typically I find myself doing a lot of role checking
    in the presentation tier. For instance, I have an application that everyone in
    the organization uses, but some users only get to read, others get to update,
    others get to audit and so on depending on role membership. When you start
    authenticating users to the database using Integrated Security you'll run
    into the limitations of NTLM and you'll have to use Kerberos; ultimately this
    is what your DBAs will want because it shifts the user management piece to
    the network administrators. I will post more later, I have an urgent task that
    just came up...

    Alien2_51, Mar 22, 2005
    #3
  4. Stephen

    Stephen Guest

    I happen to be the dba too. One of many jobs I have here :).

    I agree with you. The only problem I can see is the number of
    potential roles getting out of hand. After doing some reading I am
    looking into a solution using web.config files and roles. I will check
    back and see what else you have to say.

    Stephen, Mar 23, 2005
    #4
  5. Hi Stephen,

    Just one thing I'd like to add: IIS is already authenticating clients
    against AD. They have access by virtue of being logged into the domain and
    the ACL permissions on the web server, so there's no sense in having them
    authenticate again using a forms authentication scenario.

    Alien2_51, Mar 23, 2005
    #5
  6. Stephen

    Stephen Guest

    I was under the impression that forms auth was meant primarily for
    anonymous access.

    I didn't realize the breadth of security issues and methodologies
    surrounding web applications. I downloaded a 600+ page document that
    covered asp.net security alone.

    Stephen, Mar 24, 2005
    #6
  7. Stephen

    Brock Allen Guest

    > I was under the impression that forms auth was meant primarily for
    > anonymous access.


    If you wanted anonymous access then you'd not use any authentication at all.
    Forms is for authenticating users when you have your own username/password
    store for such things. Typically it's used when your users are not windows/domain
    users.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen
    Brock Allen, Mar 24, 2005
    #7
  8. Stephen

    Stephen Guest

    That makes sense, anonymous is anonymous. I thought it had something
    to do with AD non-authenticated users.

    Thanks.

    Stephen, Mar 25, 2005
    #8