Architecture in ASP.NET (IIS 6.0)
This section provides an overview of the ASP.NET infrastructure and subsystem relationships, as they relate to the subject of security. The following illustration shows the relationships among the security systems in ASP.NET.
As the illustration shows, all Web clients communicate with ASP.NET applications through Internet Information Services (IIS). IIS deciphers and optionally authenticates the request. If Allow Anonymous is set to true, no authentication occurs. IIS also finds the requested resource (such as an ASP.NET application), and, if the client is authorized, returns the appropriate resource.
In addition to the built-in ASP.NET features, an ASP.NET application can use the low-level security features of the .NET Framework. For more information, see the "Key Security Concepts" topic in .NET Framework Help.
Integrating with IIS
When considering ASP.NET authentication, you should understand the interaction with IIS authentication services.
IIS always assumes that a set of credentials maps to a Microsoft Windows NT account and uses them to authenticate a user. There are three different kinds of authentication available in IIS 5.0 through IIS 6.0: basic, digest, and Integrated Windows Authentication (NTLM or Kerberos). You can select the type of authentication to use in IIS administrative services. For more information on IIS authentication, see Authentication in IIS 6.0.
If you request a URL containing an ASP.NET application, the request and authentication information are handed off to the application. ASP.NET provides the two additional types of authentication described in the following table.
Using ASP.NET Configuration Files
ASP.NET configuration, of which security is a part, has a hierarchical architecture. All configuration information for ASP.NET is contained in files named Web.config and Machine.config. Web.config can be placed in the same directories as the application files. The Machine.config file is in the Config directory of the install root. Subdirectories inherit a directory's settings unless overridden by a Web.config file in the subdirectory. In a Web.config file, there are sections for each major category of ASP.NET functionality. To see an example of the way in which the hierarchical configuration system works for security, see Hierarchical Configuration Architecture in ASP.NET.
The security section of a Web.config file is organized as follows.
<allow users="[comma separated list of users]"
roles="[comma separated list of roles]"/>
<deny users="[comma separated list of users]"
roles="[comma separated list of roles]"/>
<identity impersonate ="[true|false]"
<trustLevel name="Full" policyFile="internal"/>
<trustLevel name="High" policyFile="web_hightrust.config"/>
<trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
<trustLevel name="Low" policyFile="web_lowtrust.config"/>
<trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
The default settings for these elements are shown in the following table.
There are three major subsections to a Web.config file: authentication, authorization, and identity. The values for each of the security elements are usually set by overriding a section of the computer-level configuration file with a similar section in an application configuration file placed in the application root directory. All subdirectories automatically inherit those settings. However, subdirectories can have their own configuration files that override other settings.
ASP.NET configuration applies only to ASP.NET resources (those registered to be handled by Aspnet_isapi.dll). Unfortunately, ASP.NET configuration cannot provide authorization for non-Aspnet_isapi.dll resources, so TXT, HTML, GIF, JPEG, ASP, and other types of files are still accessible by all users, subject to IIS permissions. For example, although the ASP.NET resources in a directory might be restricted by a Web.config file, all users can still view the files located in that directory if directory browsing is turned on and no other restrictions are in place.
You can avoid this situation by explicitly mapping such files, but not directories, to Aspnet_isapi.dll using the IIS administration tool. However, there could be a performance impact if you do this.
You can use the <location></location> tags to specify a particular file or directory to which settings should apply. For more information about how to use the <location> tag, see Configuration Settings in ASP.NET and <location> Element.