WEB343 ASP.NET and IIS: New Developments in Web Security with IIS 6.0 and ASP.NET
Stefan Schackow, Program Manager, Web Platform and Tools Team, Microsoft Corporation

Agenda
- Internet Information Services (IIS) 6.0 authentication modes
- Credential handoff to Microsoft ASP.NET 2.0
  - Impersonation demo
- Securing ASP with ASP.NET 2.0
  - Wildcard mapping demo
  - Custom HttpHandler demo
- ASP.NET trust levels
  - Medium trust and Access demo

Authentication in IIS 6.0

Authentication in IIS 6.0: Authentication mechanisms
- Basic
- Digest
  - Windows Server 2003 has built-in support for this
  - No longer need a sub-authenticator
- Certificate mapping
- Integrated
  - NTLM
  - Kerberos

Authentication in IIS 6.0: Choosing the right authentication
- Do you need to flow the client identity?
  - Integrated security to SQL Server
  - Passing credentials to web services and System.Net classes
- If you need to delegate credentials, use:
  - Integrated using Kerberos
- Otherwise:
  - Basic + SSL
  - Digest
  - NTLM
  - Certificate mapping

IIS 6.0 Credential Handoff to ASP.NET 2.0

IIS 6.0 to ASP.NET 2.0: Handing off credentials
- IIS impersonation token
  - Handed off to ASP.NET 2.0 via the ISAPI APIs
- OS thread identity
  - Comes from the application pool identity
  - Available using Win32 APIs

[Diagram: IIS 6.0 worker process. The O/S thread identity comes from the application pool configuration; the ISAPI Extension Control Block carries the impersonation token, which comes from the "Authentication Methods" tab.]

IIS 6.0 to ASP.NET 2.0: ASP.NET 2.0 identities
- OS thread identity
  - Can modify with:
- ASP.NET user principal
  - Frequently not the same as the OS thread identity
  - Available from:
    - HttpContext.User
    - Thread.CurrentPrincipal
  - ASP.NET syncs both values for you

[Diagram: Using IIS security information in ASP.NET. HTTP modules run as managed code inside the ASP.NET app domain.]

ASP.NET 2.0 Security Info: Modifying OS thread identity
- OS thread identity and impersonation
- Client... trust and higher

ASP.NET 2.0 Security Info: Client impersonation
- OS thread switched to run as the authenticated user from IIS
- Useful for local access checks such as file access
- Should use Kerberos if you need to flow the client identity off the web server

ASP.NET 2.0 Security Info: Application impersonation
- OS thread runs with the credentials configured in the tag
- ASP.NET attempts different types of logons in sequence: batch, service, interactive, network_cleartext, network
- Useful for enforcing per-app identities
  - Configure different identities for remote database access

ASP.NET 2.0 Security Info: Setting the IPrincipal
- Windows authentication
  - Impersonation token is wrapped in a WindowsPrincipal
  - Anonymous IIS user results in an anonymous WindowsIdentity...
- Forms authentication
  - Ignores the IIS impersonation token
  - Choose Anonymous authentication in IIS
- UrlAuthorizationModule
  - Performs access checks based on:
    - IIdentity.Name
    - IPrincipal.IsInRole
  - Windows authenticated users are treated as just string values

Securing ASP with ASP.NET: Authentication and authorization
- Failed AuthN/AuthZ
  - ASP.NET redirects to the login page
- AuthN/AuthZ succeeds
  - Request reaches the handler execution step
  - ASP.NET forwards the request back out to IIS 6.0
  - IIS 6.0 passes the request on to ASP.dll

[Diagram: wildcard mapping flow. Request for Default.asp -> IIS 6.0 worker process -> any wildcard mappings? Yes: transfer to ASP.NET -> transfer control back to IIS 6.0 -> forwarded to the main ISAPI extension associated with the request (ASP classic).]

Securing ASP with ASP.NET: Custom HttpHandler
- Only needed to hand off custom information from ASP.NET to ASP
  - Role information from an IPrincipal
  - Additional information about the user
- Derive from DefaultHttpHandler
- Configure the custom handler

Custom Request Handler for ASP (demo)

ASP.NET Trust Levels

ASP.NET Trust Levels: Code access security
- Range of named trust levels
  - Full trust: anything the process can do
  - High trust: no unmanaged code, still has broad permissions
  - Medium trust: recommended default
  - Low trust: basic set of rights
  - Minimal trust: execute only
- Different apps in the same process can run at different trust levels

ASP.NET Trust Levels: Writing code for partial trust
- Be aware of reduced app functionality
  - Event logs, perf counters, registry require Full trust
  - OleDb drivers work in Full trust by default
  - File I/O is restricted at various trust levels
  - Etc ...

ASP.NET Trust Levels: Writing code for partial trust
- Do try to tweak your applications for High trust
  - Immediate benefit: web applications can no longer call Win32 APIs
- May need to move code into the GAC
  - Look into APTCA (AllowPartiallyTrustedCallersAttribute)

Using Microsoft Access in Medium Trust (demo)

Summary
- Choose the correct IIS 6.0 authentication mode
  - Do you need delegation?
  - Do you need impersonation?
- Context.User - OS thread identity - IIS impersonation token
- Wildcard mapping and ASP.NET 2.0
- Lock down your applications with trust levels

Resources
- ASP.NET 2.0 security info: http://channel9.msdn.com/security

© 2005 Microsoft Corporation. All rights reserved.
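The three identities from the "ASP.NET 2.0 identities" slide, together with the client-impersonation file check from the "Client impersonation" slide, as an added example that is not the session's demo code. The handler name, its web.config registration and the App_Data file path are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Threading;
using System.Web;
// Hypothetical handler; register it in web.config under <httpHandlers>, e.g.
// <add verb="GET" path="whoami.axd" type="IdentityProbeHandler" />
public class IdentityProbeHandler : IHttpHandler
{
    public bool IsReusable { get { return false; } }
    public void ProcessRequest(HttpContext context)
    {
        // 1. OS thread identity: the application pool account unless client
        //    or application impersonation is configured.
        string osThread = WindowsIdentity.GetCurrent().Name;
        // 2. ASP.NET principal, set by whichever authentication module is in use;
        //    ASP.NET keeps Thread.CurrentPrincipal in sync with it.
        string aspNetUser = context.User == null ? "(none)" : context.User.Identity.Name;
        string threadUser = Thread.CurrentPrincipal == null ? "(none)" : Thread.CurrentPrincipal.Identity.Name;
        // 3. The IIS impersonation token handed over through the ISAPI APIs.
        WindowsIdentity iisToken = context.Request.LogonUserIdentity;
        // Local access check as the client (assumed file under App_Data).
        string path = context.Server.MapPath("~/App_Data/report.txt");
        bool clientCanRead = CanReadAs(iisToken, path);
        context.Response.ContentType = "text/plain";
        context.Response.Write("OS thread identity:      " + osThread + "\r\n"
            + "HttpContext.User:        " + aspNetUser + "\r\n"
            + "Thread.CurrentPrincipal: " + threadUser + "\r\n"
            + "IIS impersonation token: " + iisToken.Name + "\r\n"
            + "Client can read report:  " + clientCanRead + "\r\n");
    }
    // Switch the OS thread to the IIS client token so the file ACL is checked
    // against the caller rather than the app pool account. The token is only
    // good for local resources; reaching another machine as the client needs
    // Kerberos delegation, as the slides note.
    static bool CanReadAs(WindowsIdentity identity, string path)
    {
        WindowsImpersonationContext ctx = identity.Impersonate();
        try
        {
            using (FileStream fs = File.OpenRead(path)) { return fs.CanRead; }
        }
        catch (UnauthorizedAccessException) { return false; }
        finally
        {
            ctx.Undo();   // always revert, even when the read throws
        }
    }
}
```

With Windows authentication and no impersonation, the first line shows the app pool account while the other three show the browser user; with Forms authentication the IIS token is the anonymous account.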
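The "Custom HttpHandler" slide's handoff of role information to classic ASP, as an added example rather than the session's demo: a DefaultHttpHandler subclass that adds headers to the request ASP.NET forwards back to IIS 6.0. The handler name, header names, role list and web.config mapping are assumptions; it presumes the IIS wildcard mapping already routes *.asp through aspnet_isapi.dll.

```csharp
using System;
using System.Security.Principal;
using System.Web;
// Hypothetical handler; map classic ASP to it in web.config:
// <httpHandlers><add verb="*" path="*.asp" type="RoleForwardingAspHandler" /></httpHandlers>
public class RoleForwardingAspHandler : DefaultHttpHandler
{
    // Assumed header names; an ASP page reads them as
    // Request.ServerVariables("HTTP_X_ASPNET_USER") and HTTP_X_ASPNET_ROLES.
    const string UserHeader = "X-AspNet-User";
    const string RolesHeader = "X-AspNet-Roles";
    // Roles the ASP pages care about (assumed). IPrincipal only answers IsInRole,
    // so the handler asks about each known role rather than enumerating groups.
    static readonly string[] KnownRoles = { "Administrators", "Editors", "Readers" };

    // DefaultHttpHandler calls this before handing the request back to IIS 6.0.
    // Returning null keeps the original URL; entries added to ExecuteUrlHeaders
    // travel with the forwarded request to ASP.dll.
    public override string OverrideExecuteUrlPath()
    {
        HttpRequest request = Context.Request;
        // The browser must not be able to pre-set the forwarded headers; refuse
        // the request outright rather than let the ASP page trust a spoofed value.
        if (request.Headers[UserHeader] != null || request.Headers[RolesHeader] != null)
            throw new HttpException(400, "Reserved header supplied by client");
        IPrincipal user = Context.User;
        if (user != null && user.Identity.IsAuthenticated)
        {
            ExecuteUrlHeaders[UserHeader] = user.Identity.Name;
            ExecuteUrlHeaders[RolesHeader] = RolesOf(user);
        }
        return null;
    }

    // Comma-separated list of the known roles this principal holds.
    static string RolesOf(IPrincipal user)
    {
        string roles = "";
        foreach (string role in KnownRoles)
            if (user.IsInRole(role))
                roles += (roles.Length == 0 ? "" : ",") + role;
        return roles;
    }
}
```

Because UrlAuthorizationModule has already run by the time the handler executes, an ASP page only ever sees headers for a request that passed ASP.NET's own AuthN/AuthZ.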
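The "move code into the GAC, look into APTCA" advice from the partial-trust slides, as an added example not taken from the presentation: a strong-named, GAC-installed assembly that asserts one narrow FileIOPermission so a Medium-trust application can append to a log directory outside its own tree. The namespace, class, method and log directory are assumptions.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
// Assumed: this assembly is strong-named and installed in the GAC, so it runs
// with Full trust even when the calling web application has <trust level="Medium" />.
// APTCA is what lets partially trusted callers invoke it at all; without it the
// runtime rejects the call with a SecurityException.
[assembly: AllowPartiallyTrustedCallers]
namespace TrustedGateway
{
    public static class AuditLog
    {
        // Assumed location. Medium trust confines FileIOPermission to the
        // application directory, so callers cannot reach this path themselves.
        const string LogDir = @"C:\AppLogs";

        public static void Append(string appName, string message)
        {
            // Validate everything that feeds the asserted permission first: an
            // Assert is a sandbox boundary, and unchecked input would turn it
            // into an arbitrary file write for every partially trusted caller.
            if (string.IsNullOrEmpty(appName)
                || appName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
                || appName.IndexOf("..") >= 0)
                throw new ArgumentException("appName must be a plain file name");
            string path = Path.Combine(LogDir, appName + ".log");
            // One line per call; strip CR/LF so a caller cannot forge extra entries.
            string line = DateTime.UtcNow.ToString("o") + " "
                + message.Replace("\r", " ").Replace("\n", " ") + Environment.NewLine;
            // Assert only Append, only on this one file, and only around the write.
            new FileIOPermission(FileIOPermissionAccess.Append, path).Assert();
            try
            {
                File.AppendAllText(path, line);
            }
            finally
            {
                CodeAccessPermission.RevertAssert();
            }
        }
    }
}
```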