
Securing a Microsoft ASP.NET Web Application

Module 16: Securing a Microsoft ASP.NET Web Application
• Web Application Security Overview

• Windows-Based Authentication

• Forms-Based Authentication
Lesson: Web Application Security Overview
• Authentication vs. Authorization

• What Are ASP.NET Authentication Methods?

• Comparing the ASP.NET Authentication Methods

• What Are the IIS Authentication Mechanisms?

• Demonstration: IIS Authentication Mechanisms

• What Is Secure Sockets Layer?


Authentication vs. Authorization
• Authentication
 Accepts credentials from a user
 Validates the credentials

• Authorization
 Given the credentials supplied during authentication, determines the right to access a resource
 Can be assigned by user name or by role
What Are ASP.NET Authentication Methods?
• Windows-based authentication
 Relies on the Windows operating system and IIS
 User requests a secure Web page and the request goes through IIS
 After IIS verifies the credentials against Windows accounts, the secure Web page is returned

• Forms-based authentication
 Unauthenticated requests are redirected to an HTML form
 User provides credentials and submits the HTML form
 After the application verifies the credentials, an authentication cookie is issued
Comparing the ASP.NET Authentication Methods

• Windows-based Authentication
 Advantages: uses existing Windows infrastructure; controls access to sensitive information
 Disadvantages: not appropriate for most Internet applications

• Forms-based Authentication
 Advantages: good for Internet applications; supports all client types
 Disadvantages: based on cookies
What Are the IIS Authentication Mechanisms?

• Anonymous (security level: None)
 No authentication occurs

• Basic (security level: Low; Medium with SSL)
 Client sends username and password Base64-encoded, which is clear text to anyone on the path
 Can be protected only by running the whole connection over SSL
 Part of the HTTP specification and supported by most browsers

• Digest (security level: Medium)
 Sends a hash of the credentials combined with a server nonce instead of the password itself
 Requires Internet Explorer 5 or later
 Requires Active Directory

• Integrated Windows (security level: High)
 Uses either NTLM or Kerberos
 Generally good for intranets, not Internet
 Does not work through
Demonstration: IIS Authentication Mechanisms
• Right-click Mod16 and then click Properties
• Click Directory Security tab
• Click Edit
• Show the authentication methods
What Is Secure Sockets Layer?
• SSL is a protocol used for transmitting data securely across a network (its successor, TLS, works the same way and is what current servers negotiate). SSL secures data through:
 Data encryption
• Ensures that the data sent can be read only by the intended server, not by anyone on the path
 Server authentication
• Ensures that data is sent to the correct server
• Uses the server certificate; a client certificate is optional and authenticates the client to the server
 Data integrity
• Includes a message authentication code that detects whether a message was altered in transit
• Uses Hypertext Transfer Protocol Secure (HTTPS) to retrieve an ASP.NET Web page
Lesson: Windows-Based Authentication
• Enabling Windows-Based Authentication

• Reading User Information


Enabling Windows-Based Authentication

1. Configure IIS to use one or more of the following authentication mechanisms:
 Basic
 Digest
 Integrated Windows security

2. Set Windows-based authentication in Web.config:

<system.web>
<authentication mode="Windows" />
</system.web>

3. Set up authorization in Web.config

4. When users access the Web Form, IIS requests logon information
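The four steps above as one complete Web.config, added here as an example that is not part of the module's own files. It combines step 2 with the authorization rules of step 3; the group names CONTOSO\BenefitsStaff and the Admin folder are hypothetical.

```xml
<?xml version="1.0"?>
<!-- Added example (not the module's code): Web.config for Windows-based authentication.
     Step 1 still applies: IIS must have Anonymous access disabled on this application
     and Basic, Digest or Integrated Windows enabled, otherwise the browser is never
     challenged and the deny rule for "?" simply rejects every request. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />

    <!-- Rules are evaluated top-down and the first match wins. -->
    <authorization>
      <deny users="?" />                       <!-- "?" = anonymous: force a logon -->
      <allow roles="CONTOSO\BenefitsStaff" />  <!-- hypothetical domain group -->
      <deny users="*" />                       <!-- everyone else, even if logged on -->
    </authorization>

    <!-- Run pages as the application pool identity, not as the caller; impersonation
         widens what a compromised page can reach on the server. -->
    <identity impersonate="false" />
  </system.web>

  <!-- Authorization can also be scoped to a folder or page (hypothetical Admin folder). -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The ordering inside `<authorization>` matters: with `<allow roles=.../>` placed after `<deny users="*"/>` nobody would get in, because the first matching rule decides.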
Reading User Information
• After authentication, the Web server can read the user identity through the page's User property (an IPrincipal whose Identity carries the name and the IIS mechanism used)
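What reading that identity looks like in a page code-behind, as an added example that is not the module's code. It assumes `<authentication mode="Windows" />` plus a `<deny users="?" />` rule in Web.config, and two hypothetical Label controls, lblUser and lblRole, declared in the .aspx; the group CONTOSO\BenefitsStaff is also hypothetical.

```csharp
// Added example (not the module's code): reading the Windows identity on a secure page.
// Assumes Windows mode with anonymous users denied in Web.config, and hypothetical
// Label controls lblUser and lblRole declared in the .aspx.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class Secure : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Defence in depth: re-check in code rather than trusting Web.config alone.
        if (!User.Identity.IsAuthenticated)
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        // DOMAIN\user as verified by IIS, and the mechanism IIS used:
        // "Basic", "Digest", "NTLM", "Kerberos" or "Negotiate".
        string name = User.Identity.Name;
        string method = User.Identity.AuthenticationType;

        // Basic sends the password Base64-encoded, i.e. in clear text, unless the
        // request came over SSL; refuse that combination on a sensitive page.
        if (method == "Basic" && !Request.IsSecureConnection)
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // Role checks map directly to Windows group membership (hypothetical group name).
        bool isAdmin = User.IsInRole(@"BUILTIN\Administrators");
        bool isBenefits = User.IsInRole(@"CONTOSO\BenefitsStaff");

        // The underlying WindowsIdentity exposes the caller's group SIDs.
        WindowsIdentity wi = User.Identity as WindowsIdentity;
        int groupCount = (wi != null && wi.Groups != null) ? wi.Groups.Count : 0;

        // HTML-encode identity data before rendering it: a user name is input too.
        lblUser.Text = HttpUtility.HtmlEncode(name + " (" + method + ", " + groupCount + " groups)");
        lblRole.Text = isAdmin ? "administrator" : (isBenefits ? "benefits staff" : "other user");
    }
}
```

The AuthenticationType check is the practical answer to the review question about Basic authentication: the page can tell which IIS mechanism produced the identity and refuse Basic when the connection is not SSL.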
Lesson: Forms-Based Authentication
• Overview of Forms-Based Authentication

• Multimedia: Forms-Based Authentication

• Enabling Forms-Based Authentication

• Creating a Logon Page

• Demonstration: Forms-Based Authentication


Overview of Forms-Based Authentication

[Figure: forms-based authentication flow; the diagram's numbered stages, in order]
1. Client requests a page; IIS (Anonymous access) passes the request to ASP.NET
2. ASP.NET Forms Authentication: not authenticated, so the client is redirected to the Logon Page, where users enter their credentials (username, password) and submit
3. Credentials accepted: the user is authenticated
4. Authorization is checked for the requested page
5. An authentication cookie is issued to the client
6. Not authorized: Access Denied
7. Authorized: the requested secure page is returned
Multimedia: Forms-Based Authentication
Enabling Forms-Based Authentication

1. Configure IIS to use Anonymous authentication

2. Set Forms-based authentication in Web.config:

<authentication mode="Forms" >
<forms name=".namesuffix"
loginUrl="login.aspx" />
</authentication>

3. Set up authorization

4. Build a Logon Web Form

Creating a Logon Page

• Import the System.Web.Security namespace (the FormsAuthentication class)

• The logon page validates the submitted credentials against the application's user store

• On later requests the user is identified by the encrypted ticket in the authentication cookie; the password itself is never stored in the cookie

Demonstration: Forms-Based Authentication
• Open IIS and configure for Anonymous authentication
• Open Web.config and configure for authentication and authorization
• Open logon page and show code
• Run the ASP.NET Web application

Securing a Microsoft ASP.NET Web Application
• Exercise 1: Securing Your Web Site by Using Windows-Based Authentication
• Exercise 2: Securing Your Web Site by Using Forms-Based Authentication
• Exercise 3 (If Time Permits): Registering New Users
• Exercise 4 (If Time Permits): Permitting Users to Sign Out

Logon information
Virtual machine: 2310C_16
User name: Student
Password: Pa$$w0rd

Estimated time: xx minutes
Lab Scenario

[Figure: Coho Winery Benefits lab Web application; components as labelled in the diagram]
• Home page: Default.aspx; page header: Header.ascx; Menu
• Logon page: Login.aspx; registration page: Register.aspx
• Component: Class1.vb or Class1.cs; Web.config
• Session state: ASPState, tempdb
• Benefit pages: Life Insurance (Life.aspx), Retirement (Retirement.aspx), Medical (Medical.aspx), Dental (Dental.aspx)
• Prospectus.aspx, Doctors.aspx; user control: namedate.ascx
• XML Web Service: dentalService1.asmx; XML files: Doctors, Dentists
Lab Review
Module Review and Takeaways
Review Questions
• What are the authentication methods provided with ASP.NET?
• What is the difference between authentication and authorization?
• What is the most important thing to remember when using Basic authentication?
• How does ASP.NET know to which page you have to be redirected when using the RedirectFromLoginPage method?
Review for Alpha
• Is there any topic or specific content item in the module
that seemed unclear or unnecessary?
• Is there any content item/related subject area that was
not covered and could be included?
• Did you observe any issues with the technical accuracy of
the content?
• Is the content in the module presented in a manner that
encourages learning? Did the flow of topics seem right?
• Does the lab outline indicate the expected scope of tasks
to be covered? Would you like to suggest any tasks that
could be removed or added?
