ASP.NET Security
Host: Harish Vaidyanathan, Consultant - Microsoft Consulting Services, India
May 23, 2003
Deepak_MS: Good evening friends and welcome to today's session on
ASP.NET Security
Deepak_MS: Today we have with us Harish Vaidyanathan, who works as a consultant for Microsoft Consulting Services and will be glad to take up your questions.
Deepak_MS: Please key in your questions in the bottom half of the window and I'll pass them over to you, Harish. But since we don't have any questions yet, could you please give us some background on how things have changed since the ASP days?
HarishV_MSFT: Hi all, good to be here.
HarishV_MSFT: Things have changed quite a bit since the ASP days, not just from a dev perspective but also in the depth of security offered by the framework.
HarishV_MSFT: As part of the TWC Initiative, the secure-by-default and defense-in-depth principles are being followed across the .NET platform, and ASP.NET is no exception.
Deepak_MS: How do I secure my Web Service?
HarishV_MSFT: Good question! There are multiple ways to secure a web service, but before getting into the specifics it's important to understand that web services are meant for consumption by end users directly. These will be consumed by "consumer applications".
HarishV_MSFT: So the web service security models are not necessarily restricted to userid + pwd combinations.
HarishV_MSFT: The WS-Security spec covers this in detail. You should look at the Web Services Enhancements 1.0 release, which has extensive support for the WS-Security spec.
Deepak_MS: (anish): I've seen that, but I can't find a solution to restrict everyone from seeing my asmx page through a browser; the only way is to take off anonymous access and hardcode the username and password in your application. Is there any other way?
HarishV_MSFT: Actually, there is another way to do that: you can disable access to the HTTP GET and HTTP POST protocols for the web services. This way users will not be able to access the web service using their web browser; they will have to go through a WS proxy.
HarishV_MSFT: The webservices->protocols section in machine.config can be used to disable these protocols.
Deepak_MS: My problem is that the user can change the query string and look at information he is not supposed to see. This is a big security problem. How do I fix it?
HarishV_MSFT: Good question, there are multiple ways to address this:
HarishV_MSFT: 1. Always validate user input data on the server side.
HarishV_MSFT: 2. Switch to POST to make it difficult for the user to pass bad data.
HarishV_MSFT: 3. ASP.NET 1.1 has a script injection handler which will check for scripts/bad data being submitted by the user when the page is posted to the server.
Deepak_MS: (satya): Is there any way I can encrypt the query strings in a simple way?
HarishV_MSFT: Would it help? The user will see the data in the browser anyway and can possibly change it. Between the time the user enters the data and hits the send button you will have to perform some 'magic' to encrypt the data and then submit it to the web server.
HarishV_MSFT: Also, if the encryption is on the client side (as mentioned above) then the user can anyway do a "View source" and figure things out.
HarishV_MSFT: Ideally, you want security "in depth"; encrypting query strings can make things slightly more difficult, but it won't be worth much in the long term.
Deepak_MS: Could you please explain asp.net security architecture,
especially how it works with Inetinfo.exe (IIS)?
HarishV_MSFT: The short answer is that ASP.NET security nicely complements the security model provided by the web server. For example, the web server handles Windows auth, whereas the other authentication mechanisms (forms, passport, custom) are handled by ASP.NET.
HarishV_MSFT: You should read the article at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch08.asp for more info about ASP.NET security.
Deepak_MS: My problem is that the user can select one order from hundreds of orders available to him. If I validate this again on the server for every user, performance will be hit badly. I am looking for some simple solution. Will version 1.1 actually solve my problem?
HarishV_MSFT: Maybe not; what 1.1 handles is verifying that the data submitted by the user does not contain scripts or any other form of injection attack.
HarishV_MSFT: What you want to do is to validate that the order selected by the user actually belongs to the user. You may be able to come up with a creative solution, i.e. the page that displays the order details can do this validation and return nulls or an error msg.
Deepak_MS: (vijay): How does the username setting under processProfile in the machine.config file affect security?
HarishV_MSFT: I suppose you mean the <processModel> node...
HarishV_MSFT: The username specified here is the identity that the ASP.NET worker process will execute under; by default this is the ASPNET account created at install time. You can change this to any other user account, but keep in mind that you don't want the account to have too many privileges.
HarishV_MSFT: Also, most admins are concerned about storing the user name and pwd in clear text in the configuration file; check the MSDN docs, which demonstrate how you could use the Data Protection APIs to encrypt and store the info in the security subsystem.
HarishV_MSFT: Hope this answers your query.
Deepak_MS: (vijay): By default it is set to "machine". Should this be changed?
HarishV_MSFT: The default of "machine" means that ASP.NET will run under the ASPNET Windows account, and the password of this account is set to a randomly generated value at install time.
HarishV_MSFT: I wouldn't recommend changing this unless there is a potential security hole. Alternatively, you could change this to a user account which has been configured for utmost security (i.e. least privileges) so that the ASP.NET process does not become a potential security issue.
HarishV_MSFT: Hope this clarifies.
Deepak_MS: (newbie): Hi Harish. I'm pretty new to ASP.NET security. A basic question: why do we need to consider security aspects in ASP.NET?
HarishV_MSFT: Good question. To start with, your web site is likely to be exposed on the public internet, and there actually are "bad" people trying to bring down your web site. ASP.NET does offer services which can be used to protect the web site from malicious users.
HarishV_MSFT: Also, there are cases where you want the web site to perform some privileged operations under the context of a different user account; again, the ASP.NET security model comes in.
Deepak_MS: (Arun): Hi Harish, is there any way to validate the DOMAIN\UserName against the Domain Controller to check whether it is valid or not, using ASP.NET?
HarishV_MSFT: To validate the user name you would also want to check the password, right? You could call the Win32 LogonUser API to perform this verification; alternatively, you could use the System.DirectoryServices namespace and pass the uid + pwd to the DC and verify.
HarishV_MSFT: Normally, you wouldn't take a user name and say "Yes, this is a valid user. Welcome to the party!"
Deepak_MS: (Omni): Hi Harish, one basic question: where do these security issues arise from? Is it because of the web server, or the OS lying underneath, or the proxy servers etc. on the intranet? Which one is the most vulnerable to security issues?
HarishV_MSFT: Hmm... there are multiple sources of security issues, not all of which are OS-related.
HarishV_MSFT: Some of the most common security issues arise from applications not doing simple things like data entry validation; this can easily be used to perform SQL injection attacks. Of course, this is by no means an exhaustive list, and contrary to what most people think, placing a firewall in front of the web server doesn't make it secure!!
Deepak_MS: Ok folks, this brings us to the end of today's chat. As Harish mentioned, you should take a look at this wonderful article at:
Deepak_MS: and then look at the ASP.NET Identity matrix at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetAP05.asp
Deepak_MS: Thanks for hosting the chat today Harish…