WebSite security

Discussion in 'ASP .Net' started by Islay Rodriguez Jr., Sep 22, 2009.

  1. I would like to be able to dynamically set up "file security" for the folders
    on the file system of my website (hosting site). The website will store
    product information for vendors that needs to be secure from the other
    vendors (or anyone else) on the same website. Each vendor will have the
    authority to allow access to his information to potential customers.

    Is there a way, from ASP.NET (VB.NET), to set up secured groups which will
    have exclusive access to certain areas of the file system? Each group will
    require an administrator (the Vendor) for that group, with the ability to
    add/delete members to his group, along with other administrative tasks.

    Can anyone point me in the right direction please?

    I'm not sure which forum this question should go to.

    --
    Islay
    Islay Rodriguez Jr., Sep 22, 2009
    #1

  2. Islay Rodriguez Jr. wrote:

    > I would like to be able to dynamically set up "file security" for
    > the folders on the file system of my website (hosting site). The
    > website will store product information for vendors that needs to be
    > secure from the other vendors (or anyone else) on the same website.
    > Each vendor will have the authority to allow access to his information
    > to potential customers.


    Trust me that you do not want file level security for an Internet site
    (see below).

    > Is there a way, from ASP.NET (VB.NET), to set up secured groups
    > which will have exclusive access to certain areas of the file
    > system? Each group will require an administrator (the Vendor) for that
    > group, with the ability to add/delete members to his group, along with
    > other administrative tasks.


    On the file system, you can do it in a granular way with windows logons,
    but that will not work if you want customers to see the information when
    the vendor allows it, as it is a maintenance nightmare to control logon
    access for millions of people (potentially). Once you get past a few
    thousand, you end up with a full time networking staff to manage people.

    But, you can set up your own access rules if you will store the
    information in a database. You can then set up the information so it can
    only be viewed by a person in the admin role of the vendor connected to
    the data until the vendor says it can be accessed by others.

    > Can anyone point me in the right direction please?


    I would look at the Membership bits in ASP.NET. You should consider a
    custom provider if it does not fit all your needs.

    The next thing is a bit of database design. You will need a design that
    allows data access rules. You will then have to set up your
    authentication and authorization bits to respect what the database says.

    The route you would like to go is fine if you can create windows logins
    for all of the users. As you mention the word "customers", it becomes
    completely unmanageable as windows logins.

    peace and grace,


    --
    Gregory A. Beamer
    MVP; MCP: +I, SE, SD, DBA

    Twitter: @gbworld
    Blog: http://gregorybeamer.spaces.live.com

    My vacation and childhood cancer awareness site:
    http://www.crazycancertour.com

    *******************************************
    | Think outside the box! |
    *******************************************
    Gregory A. Beamer, Sep 22, 2009
    #2

  3. Thanks for the quick response.

    I'm currently using ASP Membership roles on my site and I'm using an SQL
    Server 2005 database. However, the data I'm trying to protect is on the domain
    host file system. I use Membership roles to limit legitimate access
    requests (through web pages) to the file system; however, since I had to allow
    write access to some roles (for file creation/deletion of files), I don't
    know how to stop unauthorized users/intruders from viewing/modifying those files
    and directories.

    Using the combination of "CompanyID" and the membership roles, the VB.NET
    "code behind" restricts users from access to other vendors' data directories;
    however, an unauthorized intruder would not have those restrictions.

    I know that on a normal Windows logon, the user has certain "access
    rights"/privileges that restrict his ability to perform certain tasks or
    access certain directories. The logged-on user also belongs to security
    groups ("admin", "Guest", "User", etc.) that define what he is able to do. Is
    there a way to programmatically provide this functionality to a website and
    the hosting file system?

    For instance, when Vendor "x" logs on to the website, his Windows security
    group would be changed to group "x" and Vendor "y"'s security group would be
    changed to group "y". Also the subdirectories for these vendors, when
    created, would belong to the appropriate group. These privileges/"access
    rights" need to be changed using the VB.NET "code behind" software.

    Does this functionality exist with .NET?
    --
    Thanks much,
    Islay


    Islay Rodriguez Jr., Sep 22, 2009
    #3
  4. Islay Rodriguez Jr. wrote:

    > Thanks for the quick response.
    >
    > I'm currently using ASP Membership roles on my site and I'm using an
    > SQL Server 2005 database. However, the data I'm trying to protect is on
    > the domain host file system. I use Membership roles to limit
    > legitimate access requests (through web pages) to the file system;
    > however, since I had to allow write access to some roles (for file
    > creation/deletion of files), I don't know how to stop unauthorized
    > users/intruders from viewing/modifying those files and directories.
    >
    > Using the combination of "CompanyID" and the membership roles, the
    > VB.NET "code behind" restricts users from access to other vendors'
    > data directories; however, an unauthorized intruder would not have
    > those restrictions.


    If you make it so the files are always served up by a page, rather than
    by http://mysite/hackme.doc, would that solve the problem?

    http://mysite/trytohack.aspx?doc=hackme

    Sorry, you don't have access.

    > I know that on a normal Windows logon, the user has certain "access
    > rights"/privileges that restrict his ability to perform certain tasks
    > or access certain directories. The logged-on user also belongs to
    > security groups ("admin", "Guest", "User", etc.) that define what he is
    > able to do. Is there a way to programmatically provide this
    > functionality to a website and the hosting file system?


    No, because users, by default, all map to one account. You can make them
    map to windows accounts, but there is no automagic tool (except perhaps
    Commerce server) to create the windows accounts for you, so it is a
    maintenance nightmare.

    > For instance, when Vendor "x" logs on to the website, his Windows
    > security group would be changed to group "x" and Vendor "y"'s security
    > group would be changed to group "y". Also the subdirectories for
    > these vendors, when created, would belong to the appropriate group.
    > These privileges/"access rights" need to be changed using the VB.NET
    > "code behind" software.
    >
    > Does this functionality exist with .NET?


    You can create rules and use the membership bits, but to go about this
    with directory security gets pretty sticky. Let's take just two vendors.

    Vendor 1 has 200 customers, vendor2 has 300.

    So, now you set up directory security and file security. Initially,
    vendor1 is the only one with directory access to his directory and
    vendor2 with his. They both allow fileX in their directory to be served
    up by their customers.

    So, you now have to create windows logons for 500 additional people and
    somehow map them to users.

    This can be done with Commerce server quite easily, but I am not sure it
    is still supported. And it does a strange proxy kind of thing.

    A better solution would be to store the data in a database. A secondary
    solution is to have the actual file stored in the database. If you are
    using SQL 2008, you can store it on the local drive with access from SQL
    only, if that is what you desire. Then you can restrict based on roles.

    As for a built-in .NET way to secure files and directories and map them to
    user accounts in Membership? There is none.

    The short story is you are going to have to compromise somewhere. Either
    compromise how you serve the doc, where you store the doc or work with
    something like Commerce Server to serve up.

    The only other way I can think of is SharePoint and using its CMS
    features, but this means 100% of the customers have to be registered
    users.

    Peace and Grace,

    --
    Gregory A. Beamer
    MVP; MCP: +I, SE, SD, DBA

    Twitter: @gbworld
    Blog: http://gregorybeamer.spaces.live.com

    My vacation and childhood cancer awareness site:
    http://www.crazycancertour.com

    Gregory A. Beamer, Sep 22, 2009
    #4
  5. I appreciate the time that you have taken to respond to my questions. I'm new
    to website programming, so there is a lot that I don't understand. From what
    you are describing to me, I can't get different access rights for different users,
    so I'll drop that idea.

    You suggested the following:

    > If you make it so the files are always served up by a page, rather than
    > by http://mysite/hackme.doc, would that solve the problem?
    >
    > http://mysite/trytohack.aspx?doc=hackme
    >
    > Sorry, you don't have access.


    I'm assuming "hackme.doc" is the document the user is trying to display. How
    does "trytohack.aspx" display "hackme.doc" ?

    Again thanks for your help.

    --
    Islay


    Islay Rodriguez Jr., Sep 23, 2009
    #5
  6. Islay Rodriguez Jr. wrote:

    > I appreciate the time that you have taken to respond to my questions.
    > I'm new to website programming, so there is a lot that I don't
    > understand. From what you are describing to me, I can't get different
    > access rights for different users, so I'll drop that idea.
    >
    > You suggested the following:
    >
    > If you make it so the files are always served up by a page, rather
    > than
    >> by http://mysite/hackme.doc, would that solve the problem?
    >>
    >> http://mysite/trytohack.aspx?doc=hackme
    >>
    >> Sorry, you don't have access.

    >
    > I'm assuming "hackme.doc" is the document the user is trying to
    > display. How does "trytohack.aspx" display "hackme.doc" ?
    >
    > Again thanks for your help.



    One way to do this is to have the page take the id and serve the page up.
    Here are examples (in VB) of serving up a page:

    http://snippets.dzone.com/posts/show/3510
    http://aspalliance.com/259

    I will have to find a C# example. The biggest takeaways are that the
    type must be set (Response.ContentType) and that you then output the document in
    the response stream (in the second example, the author is using WriteFile).

    If these don't quite fit, there are people who use something like this:

    http://mysite/imageProcessor.aspx?id=1

    to serve up images. The process is identical, except the MIME type
    (Response.ContentType) changes. You are still writing bytes to the response
    stream so the user can view them as a document.

    Peace and Grace,


    --
    Gregory A. Beamer
    MVP; MCP: +I, SE, SD, DBA

    Twitter: @gbworld
    Blog: http://gregorybeamer.spaces.live.com

    My vacation and childhood cancer awareness site:
    http://www.crazycancertour.com

    Gregory A. Beamer, Sep 23, 2009
    #6
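    As an added example (not code from the thread or from the linked articles), here is a VB.NET code-behind for a hypothetical ServeDoc.aspx that applies the pattern Gregory describes: the request carries only a document id, the page resolves it server-side, checks the caller's role and grants, and only then sets Response.ContentType and writes the bytes. Everything it relies on is assumed: files under ~/App_Data/VendorFiles/<CompanyID>/ (App_Data is never served directly by ASP.NET), a Documents table (DocId, CompanyID, StoredName), a DocumentGrants table (DocId, UserName), a role named VendorAdmin_<CompanyID> and a connection string named VendorDb.

```vb
Imports System.IO
Imports System.Data.SqlClient
Imports System.Configuration
Imports System.Web.Security

' Hypothetical ServeDoc.aspx code-behind: the document id arrives as ?doc=123,
' the file is looked up and authorized server-side, then streamed to the caller.
Partial Public Class ServeDoc
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        Dim docId As Integer
        ' Anonymous callers and non-numeric ids get the same refusal.
        If Not User.Identity.IsAuthenticated OrElse _
           Not Integer.TryParse(Request.QueryString("doc"), docId) Then
            Deny() : Return
        End If
        Dim companyId As Integer = 0
        Dim storedName As String = Nothing
        Using conn As New SqlConnection( _
                ConfigurationManager.ConnectionStrings("VendorDb").ConnectionString)
            conn.Open()
            ' The client never supplies a file name; it comes from the Documents table.
            Using cmd As New SqlCommand( _
                    "SELECT CompanyID, StoredName FROM Documents WHERE DocId = @id", conn)
                cmd.Parameters.AddWithValue("@id", docId)
                Using rdr As SqlDataReader = cmd.ExecuteReader()
                    If rdr.Read() Then
                        companyId = rdr.GetInt32(0)
                        storedName = rdr.GetString(1)
                    End If
                End Using
            End Using
            ' Unknown and forbidden ids answer identically, so ids cannot be probed.
            If storedName Is Nothing OrElse Not IsAllowed(conn, docId, companyId) Then
                Deny() : Return
            End If
        End Using
        ' Defence in depth: the resolved path must stay inside this vendor's folder.
        Dim root As String = Server.MapPath("~/App_Data/VendorFiles/" & companyId & "/")
        Dim fullPath As String = Path.GetFullPath(Path.Combine(root, storedName))
        If Not fullPath.StartsWith(root, StringComparison.OrdinalIgnoreCase) _
           OrElse Not File.Exists(fullPath) Then
            Deny() : Return
        End If
        ' The two steps the thread names: set the MIME type, then write the bytes.
        Response.Clear()
        Response.ContentType = "application/octet-stream" ' or the real type, e.g. application/pdf
        Response.AppendHeader("Content-Disposition", _
            "attachment; filename=""" & Path.GetFileName(storedName) & """")
        Response.WriteFile(fullPath)
        Context.ApplicationInstance.CompleteRequest()
    End Sub

    ' The vendor's admin role sees its own folder; anyone else needs a grant row.
    Private Function IsAllowed(ByVal conn As SqlConnection, ByVal docId As Integer, _
                               ByVal companyId As Integer) As Boolean
        If Roles.IsUserInRole(User.Identity.Name, "VendorAdmin_" & companyId) Then Return True
        Using cmd As New SqlCommand( _
                "SELECT COUNT(*) FROM DocumentGrants WHERE DocId = @id AND UserName = @u", conn)
            cmd.Parameters.AddWithValue("@id", docId)
            cmd.Parameters.AddWithValue("@u", User.Identity.Name)
            Return CInt(cmd.ExecuteScalar()) > 0
        End Using
    End Function

    Private Sub Deny()
        Response.StatusCode = 403
        Response.Write("Sorry, you don't have access.")
        Context.ApplicationInstance.CompleteRequest()
    End Sub
End Class
```

    Because the files sit under App_Data and the page is the only way to reach them, the write access granted to some Membership roles no longer exposes the folder to a direct URL.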
  7. Thanks,

    This sounds like what I need.

    I'm going to try to implement this, but it will take me a little time to
    assimilate this new concept.

    I may have further questions later.

    Thanks,
    --
    Islay


    Islay Rodriguez Jr., Sep 23, 2009
    #7