ASP 3.0 The Complete Reference
Chapter 24
Working with Security Features (Outline and Notes)
prior to component basics; see Option Pack Resource Kit, Chapter 8
Two Aspects:
Controlling who can see what.
Controlling how data is transferred.
Minimizing Exposure
Security Overview
Establishing security within ASP applications. ASP has security features that work within
IIS 5.0 and within the Windows 2000 Server security framework. This chapter covers how to use these
security features to make your ASP applications secure.
Three Things a Security Administrator should be concerned with
two types of users: those who are welcome and those who are not
Welcome vs. Unwelcome visitors
Reducing or Eliminating Vulnerability
Unwelcome users may try anything
You may have done everything possible to ensure that your customers can
make safe and secure transactions, yet done nothing to prevent the guy in
the mailroom from walking into the server room, logging into the database
server as SA with no password and downloading the entire credit card validation
table.
Securing Transactions
Non-repudiation Ensuring Identity
A service (proof of origin) that allows the recipient of
a message to verify the originator of the message.
Confidentiality Ensuring Privacy
A service that creates confidence that a message can be
read only by those for whom it is intended.
Integrity Preventing Tampering
A service that allows the recipient to verify that the
message has not been altered since it left the originator.
Adopting Security Policies
Reducing or Eliminating Vulnerability
Lock the Box
Restrict Login Access
Firewalls and Proxies
Restricted access to Services
Removing Services
Local System Account
services usually run as LocalSystem, which is all-powerful on the local machine but has
limited reach beyond it
important to run every service with the lowest privilege it actually needs
reduces the damage a compromised service can do
Access Control
Allowing read and write access through IIS configuration
File System Properties
Use NTFS for greatest control and protection
Folder and File level control
IP / DNS Restrictions
Custom
ISAPI
ASP
Logging access
Do not allow execute permissions except for ISAPI extensions,
and then be extremely careful
Eliminate Directory Browsing
File Encryption
Monitoring
Log Analyzer
Windows NT Audit Log
Other Restrictions
Process Isolation
Bandwidth Throttling
caps the bandwidth a site may consume, which limits the damage from (but does not prevent) denial of service attacks
Timeouts
free connections held open by idle or slow clients
Ensuring Identity
User validated against the system (a Windows account)
Anonymous, Basic, Challenge/Response
Working with non-Microsoft browsers: Challenge/Response was supported only by Internet Explorer at the time,
so other browsers need Basic (over SSL) or client certificates
every request runs under a real Windows account; anonymous web access uses the
IUSR_machinename account
each account is identified by a unique Security ID (SID)
Standard Authentication Methods in IIS
Figure 1: Authentication Dialog
Anonymous Access
IUSR_machinename
Figure 2: Anonymous Access Exchange
Basic Authentication
username and password are sent Base64-encoded, not encrypted
acceptable only over SSL
Figure 3: Basic Authentication Exchange
Integrated Windows Authentication
ACLs - Access
Control List
NT Challenge/Response
NTLM
Uses network authentication; no password is passed over the wire
the server sends a random challenge (a nonce) to the client
the client encrypts the challenge with a key derived from its password hash and sends the result
back to the server. The server computes the expected result from the password hash it stores
and compares the two; nothing is decrypted, and because the challenge changes every time,
a captured response cannot be replayed
the stored hash is password-equivalent, so the account database needs the same protection as cleartext passwords
does not work through proxy servers (the exchange is bound to the TCP connection)
Figure 4: Integrated Windows Authentication Exchange
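Added example (not from the book): a simplified challenge/response exchange in Python showing why the password never crosses the wire and why a captured response is useless against the next challenge. The verifier derivation (PBKDF2), the HMAC construction and the account store are this example's assumptions; real NTLM uses the NT hash of the password and DES/MD4-based operations, not these primitives.

```python
import hashlib
import hmac
import secrets

# Constructed account store for the demo. The server holds only a
# password-derived verifier, never the cleartext password. Real NTLM stores
# the NT hash of the password; PBKDF2 with a fixed realm salt is this
# example's assumption, not NTLM's algorithm.
REALM_SALT = b"chapter24-demo-realm"


def derive_verifier(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM_SALT, 50_000)


ACCOUNTS = {"alice": derive_verifier("correct horse battery staple")}


def server_challenge() -> bytes:
    """Step 1: the server sends a fresh, unpredictable nonce."""
    return secrets.token_bytes(16)


def client_response(password: str, challenge: bytes) -> bytes:
    """Step 2: the client proves knowledge of the password by keying a MAC over
    the challenge; only this MAC travels back, never the password."""
    return hmac.new(derive_verifier(password), challenge, hashlib.sha256).digest()


def server_verify(username: str, challenge: bytes, response: bytes) -> bool:
    """Step 3: the server recomputes the expected MAC from its stored verifier
    and compares in constant time. Nothing is decrypted."""
    verifier = ACCOUNTS.get(username)
    if verifier is None:
        return False
    expected = hmac.new(verifier, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> tuple:
    """Returns (genuine login accepted, wrong password rejected, replay rejected)."""
    challenge = server_challenge()
    good = client_response("correct horse battery staple", challenge)
    accepted = server_verify("alice", challenge, good)
    wrong = server_verify("alice", challenge, client_response("guess", challenge))
    # An eavesdropper who captured 'good' replays it against the next challenge.
    replayed = server_verify("alice", server_challenge(), good)
    return accepted, wrong, replayed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point the outline makes still holds for the demo's verifier: whoever steals ACCOUNTS can answer challenges without knowing the password, so the store must be guarded as if it held cleartext.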
SSL 3.0 Client Certificates
Figure 5: Client Certificate Exchange
Impersonation
the request runs under the authenticated user's security token (or IUSR's), so NTFS ACLs limit what it can reach
reduces the number of requests for authentication
The IUSR_Computer Account
The IWAM _Computer Account
Other User Accounts
Extent of Reach
Creating Custom Authentication Methods
Advantages and Disadvantages
designers often think only of the transactional security and not of the
vulnerabilities when designing a system
ISAPI Filter
ASP - database lookup
Forcing Authentication
Response.Status = "401 Unauthorized" (Response.Status is a string in ASP; IIS then attaches
WWW-Authenticate headers for the authentication methods enabled on the site, so the browser prompts for credentials)
Ensuring Privacy and Integrity
How hard is it to get data?
just run the Network Monitor utility and review the captured traffic; the version shipped
with Windows is fortunately restricted to the local machine's traffic, but other sniffers that
capture everything on the segment are readily available
Basic Authentication passwords are easily recovered: they are only Base64-encoded,
not encrypted, and any Base64 decoder reveals them
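Added example (not part of the book) serving both the custom ASP/database-lookup authentication above and the point that Basic credentials are only encoded: a Python request handler that decodes an Authorization: Basic header, checks it against a constructed user table of salted PBKDF2 hashes (standing in for the database lookup) and otherwise returns 401 with a WWW-Authenticate challenge, which is what Response.Status = "401 Unauthorized" achieves in ASP. The realm name, the user table, the hashing parameters and the header dictionary shape are assumptions of this example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

REALM = "Chapter24Demo"  # assumed realm name for the WWW-Authenticate challenge
PBKDF2_ROUNDS = 50_000   # assumed work factor


def make_record(password: str) -> dict:
    """Store a per-user random salt and a PBKDF2 hash, never the password."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)}


# Constructed user table standing in for the database the ASP page would query.
USER_TABLE = {"alice": make_record("s3cret!")}


def encode_basic(user: str, password: str) -> str:
    """What the browser sends after the 401 prompt: encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header: str):
    """Return (user, password) from an Authorization header, or None if malformed.
    Anyone holding the header can do exactly this, which is why Basic needs SSL."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def credentials_valid(user: str, password: str) -> bool:
    """Database-lookup step. The hash is computed even for unknown users so the
    response time does not reveal which usernames exist."""
    record = USER_TABLE.get(user)
    salt = record["salt"] if record else b"\x00" * 16
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return record is not None and hmac.compare_digest(candidate, record["hash"])


def handle_request(headers: dict) -> tuple:
    """Gate a protected page: returns (status, extra headers, body)."""
    creds = decode_basic(headers.get("Authorization", ""))
    if creds is None or not credentials_valid(*creds):
        # Same effect as Response.Status = "401 Unauthorized" in ASP: the
        # challenge header makes the browser prompt for credentials.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "Unauthorized"
    return 200, {}, f"Welcome, {creds[0]}"


if __name__ == "__main__":
    print(handle_request({}))
    print(handle_request({"Authorization": encode_basic("alice", "s3cret!")}))
```

Every protected page must go through handle_request (or its ASP equivalent at the top of the page); a page that forgets the check is reachable by anyone who knows its URL, which is the bypass risk the outline raises later.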
SSL
128 bit encryption: US export restrictions of the time limited it to domestic use,
with an exception for international banks
TLS
Channel Encryption
private data communication between client and server
Message Digests
hashed packets to ensure integrity; the digest must be keyed (an HMAC) or signed, because an
attacker who alters a packet can simply recompute an unkeyed hash over the altered contents
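Added example (not from the book): a Python demonstration of why a plain digest appended to a packet does not by itself detect tampering, while a keyed digest (HMAC) does. The shared key and the sample packet are constructed for the demo; on the web the key would come from the SSL/TLS handshake.

```python
import hashlib
import hmac

# Assumption for the demo: a key shared only by the two endpoints.
SHARED_KEY = b"k3y-known-only-to-client-and-server"


def plain_digest(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


def keyed_digest(message: bytes) -> bytes:
    return hmac.new(SHARED_KEY, message, hashlib.sha256).digest()


def receiver_accepts(packet: tuple, keyed: bool) -> bool:
    """The receiver recomputes the digest over what arrived and compares it in
    constant time with the digest that came with the packet."""
    message, digest = packet
    expected = keyed_digest(message) if keyed else plain_digest(message)
    return hmac.compare_digest(expected, digest)


def attacker_rewrites(packet: tuple) -> tuple:
    """A man in the middle changes the amount and recomputes a plain hash over
    the new message. Without SHARED_KEY he cannot produce a matching HMAC."""
    message, _ = packet
    forged = message.replace(b"amount=100", b"amount=9999")
    return forged, plain_digest(forged)


def demo() -> dict:
    message = b"transfer to=mallory amount=100"  # constructed sample packet body
    plain_packet = (message, plain_digest(message))
    keyed_packet = (message, keyed_digest(message))

    forged_plain = attacker_rewrites(plain_packet)
    forged_with_old_tag = (attacker_rewrites(keyed_packet)[0], keyed_packet[1])
    forged_with_plain_hash = attacker_rewrites(keyed_packet)

    return {
        "plain_digest_catches_tamper": not receiver_accepts(forged_plain, keyed=False),
        "hmac_catches_reused_tag": not receiver_accepts(forged_with_old_tag, keyed=True),
        "hmac_catches_recomputed_hash": not receiver_accepts(forged_with_plain_hash, keyed=True),
        "hmac_accepts_genuine": receiver_accepts(keyed_packet, keyed=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A digital signature over the digest gives the same tamper detection plus non-repudiation, since only the holder of the private key could have produced it.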
Creating Policies
Policy Creation Tools
Security Configuration toolkit
Security Checklists
see Windows Documentation
Certificate Services
Certificate Services in Windows 2000 Server (administered alongside IIS 5.0)
is a critical part of a public key infrastructure (PKI) that allows customers
to issue their own X.509 certificates to their users for PKI functionality such
as certificate-based authentication, IPSec, and secure electronic mail. For
administrators, integration with Active Directory greatly simplifies user
enrollment.
Necessary for SSL Encryption and valid Authentication
Establishing a PKI
Public Key Infrastructure
What you Need
Installing Certificate Services
Getting Proof of Identity
Dun and Bradstreet ID
other Methods
Getting a Certificate
Public Certificate Authorities
Other Options
Using Certificates
better security than passwords, which are easy to guess
better scalability: no password is stored, the server only validates against
a public key
Smart cards
without one, the certificate and its private key are tied to a specific machine
definitely a performance hit
Crypto Accelerators offload the public key operations from the server CPU
Server
be sure that the server you are sending your information to is what you think
it is and that you have not been redirected
validated and signed by a certifying agent such as VeriSign
Client
certifies that a user is who they claim to be
Mutual Authentication
Certificate anatomy
Keys
Expiration
Signatures
other info
Enabling SSL
Overview of Encryption
Advantages and Disadvantages
HTTPS
Encryption Standards
Security concepts
Different Security Models
Kerberos Security
TLS
Kerberos
Becoming a Certificate Authority
Certificate Authority Options
Establishing a CA Hierarchy
Root vs Subordinate CA servers
Easy to revoke subordinates if problems occur
Enterprise Certificate Authority
Requires Active Directory
Stand Alone Certificate Authority
Subordinate can be an enterprise server
CA Capacity
Certificate Templates
Issuing Client Certificates
difference between public CAs
Proving you are who you are
Request Processes
Renewing Certificates
Setting Up an Enrollment Site
CertSrv directory
Single CA can have many enrollment sites
DCOM required between Web Server and CA
Administration Services
Revoking Certificates
Publishing the Certificate Revocation List CRL
Client Certificate Mapping
Mapped to Windows NT accounts
set rules for which Certificates can be allowed access
Reading Details of Client Certificates
Managing Keys on the Client Side
Database security
Encryption between Web Server and Database Server
Controlling Database accounts and Connection Strings
Designing an Application Permission System
Developing your own log-in.
Ensuring log-in cannot be by-passed.
Managing your own permission settings.
review of all the issues above in a simple implementation
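Added example (not the book's code): the simple implementation the outline calls for, in Python. Login verifies a salted hash and issues an unguessable session token held only on the server; every protected operation passes through one require() gate whose role lookup comes from the server-side record, so a client cannot skip login or elevate itself by editing what it sends. The user records, roles, permission names and work factor are constructed for the demo.

```python
import hashlib
import hmac
import secrets

ROUNDS = 50_000  # assumed PBKDF2 work factor


def new_user(password: str, role: str) -> dict:
    """Per-user random salt plus PBKDF2 hash; the password itself is not kept."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS),
            "role": role}


# Constructed stores; in the chapter's setting these are database tables.
USERS = {"alice": new_user("alice-pass", "editor"),
         "bob": new_user("bob-pass", "viewer")}
ROLE_PERMISSIONS = {
    "viewer": {"article:read"},
    "editor": {"article:read", "article:write"},
    "admin": {"article:read", "article:write", "user:manage"},
}
SESSIONS = {}  # session token -> username; lives only on the server


def login(username: str, password: str):
    """Verify the salted hash and issue an unguessable session token."""
    record = USERS.get(username)
    salt = record["salt"] if record else b"\x00" * 16  # same work for unknown users
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def logout(token) -> None:
    SESSIONS.pop(token, None)


def require(token, permission: str) -> bool:
    """The single gate every protected operation calls. The role is read from
    the server-side record, so nothing the client sends can elevate it, and an
    unknown or missing token is denied, so the login page cannot be skipped."""
    username = SESSIONS.get(token)
    if username is None:
        return False
    return permission in ROLE_PERMISSIONS.get(USERS[username]["role"], set())


def write_article(token, text: str) -> tuple:
    """A protected operation: deny by default, then do the work."""
    if not require(token, "article:write"):
        return 403, "forbidden"
    return 200, f"saved {len(text)} bytes"


def demo() -> dict:
    alice = login("alice", "alice-pass")
    bob = login("bob", "bob-pass")
    results = {
        "bad_password_rejected": login("alice", "wrong") is None,
        "editor_can_write": write_article(alice, "hello")[0],
        "viewer_cannot_write": write_article(bob, "hello")[0],
        "forged_token_denied": write_article("role=admin;user=bob", "x")[0],
        "no_token_denied": write_article(None, "x")[0],
    }
    logout(alice)
    results["after_logout_denied"] = write_article(alice, "x")[0]
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In a real deployment the token travels in a cookie over SSL and SESSIONS gets an expiry; the design point is that the only thing the client ever holds is an opaque random token, and every decision is made from server-side state.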