Contents
Overview
Lesson: Introduction to Web Client Authentication
Lesson: Configuring Access Permissions for a Web Server
Lesson: Selecting a Secure Client Authentication Method
Lesson: Running Services As an Authenticated User
Lab 4: Authentication and Access Control
Trang 2Information in this document, including URL and other Internet Web site references, is subject to change without notice Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred Complying with all applicable copyright laws is the responsibility of the user Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property
2002 Microsoft Corporation All rights reserved
Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries
The names of actual companies and products mentioned herein may be the trademarks of their respective owners
Instructor Notes
This module provides students with information about the Web client authentication methods that are supported by Internet Information Services (IIS) and Microsoft® Windows® 2000 Server. Initial Web client authentication and the flow of user identities through the Web application are the focus of this module. After completing this module, students will be able to select the best IIS authentication method for a given set of requirements.
After completing this module, students will be able to:
! Explain how Web client authentication is used to pass user identity through a Web application.
! Use Internet Protocol (IP) address and domain name restrictions, and IIS Web-based permissions, to effectively control who can access the resources on a Web server.
! List and explain all of the authentication methods that are supported by IIS, and select the best method for a given set of requirements.
! Explain how the identity of an authenticated Web client is mapped to a Windows 2000 user identity and passed to Web applications and COM+ components.
To teach this module, you need the following materials:
! Microsoft PowerPoint® file 2300A_04.ppt
! Hypertext Markup Language (HTML) and Flash animation files: 2300A_04_A05_1570.htm and 2300A_04_A05_1570.swf
To prepare for this module:
! Read all of the materials for this module.
! Complete the demonstrations and lab.
! Read Module 5, “Implementing Security on a Web Server,” in Course 2295, Implementing and Supporting Microsoft Internet Information Services 5.0.
! Read Module 12, “Configuring a Web Server,” in Course 2153, Implementing a Microsoft Windows 2000 Network Infrastructure.
! Read the article “Principal and Identity Objects” in the Microsoft .NET Framework documentation.
! For background information on COM+ and role-based security, see Course 2557, Building COM+ Applications Using Microsoft .NET Enterprise Services.
! Read the MSDN Magazine article, “Web Security: Part 2: Introducing the Web Application Manager, Client Authentication Options, and Process Isolation,” which is available at http://msdn.microsoft.com/msdnmag/issues/0700/websecure2/websecure2.asp.
! Read the MSDN article, “Securing Your Web Application,” which is available at http://msdn.microsoft.com/library/en-us/vsentpro/html/
How to Teach This Module
This section contains information that will help you to teach this module.
Lesson: Introduction to Web Client Authentication
This section describes the instructional methods for teaching each topic in this lesson.
Why Web Servers Are Attacked
Explain the ways and reasons why a Web server is the target of so many attacks.
Define authentication and authorization. This module is about authentication. Module 5, “Securing Web Pages,” in Course 2300, Developing Secure Web Applications, is about authentication and authorization. These terms will be revisited many times throughout Course 2300, Developing Secure Web Applications.
The primary difference between impersonation and delegation is that impersonation occurs on the Web server, while delegation occurs across computer boundaries.
Introduce the user and group accounts listed on the slide. IWAM_computername will be covered at the end of this module. The ASPNET account is new in Microsoft .NET, and it secures Microsoft ASP.NET pages by limiting the rights of the account that the pages run as.
How IIS Impersonates a Windows User Account
Expand on the subject of impersonation by explaining how IIS performs work on behalf of an authenticated client. The identity under which IIS performs this work varies, based on the type of authentication that is used and the platform that you use to develop the Web application (Active Server Pages (ASP) or ASP.NET).
In ASP.NET, you use the code User.Identity.Name to discover the name of the authenticated user. In this code, User is a Principal object and User.Identity is an Identity object. This property uses the User property of the HttpContext object to determine where the request has originated from. The HttpContext object provides access to the intrinsic Request, Response, and Server objects for the request.
This topic also introduces how to enable impersonation in an ASP.NET Web application by setting an attribute in the Web.config file. This may be the first time some students have heard about the Web.config configuration file. Quickly explain its purpose and use. Web.config will be covered again in Module 5, “Securing Web Pages,” and Module 6, “Securing File System Data,” in Course 2300, Developing Secure Web Applications.
This demonstration is performed with the Web site configured to allow Anonymous access. Therefore, the code will not show a name for the user. The same page will be demonstrated in the next lesson to show how the page changes based on the authentication method selected for IIS.
Lesson: Configuring Access Permissions for a Web Server
Using IP Address and Domain Name Restrictions
One reason to use IP address restriction is that if there is a known proxy server that is waging attacks, you can restrict access to your Web site for that IP address. The http://www.ntbugtraq.com Web site has a list of servers that known hackers use.
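As an added example (not part of the course materials), the following Python model reproduces the decision rule of the IIS 5 IP Address and Domain Name Restrictions setting: a default grant or default deny, with an exception list whose rows are a single computer, a group of computers (network ID plus subnet mask), or a domain name. The rule sets and client addresses are constructed samples.

```python
import ipaddress


class IpDomainRestriction:
    """Decision rule of the IIS 5 'IP Address and Domain Name Restrictions'
    dialog: either 'by default all computers are granted access, except
    those listed below' or the reverse. A model, not the IIS code."""

    def __init__(self, default_grant):
        self.default_grant = default_grant
        self.networks = []   # single computers and groups of computers
        self.domains = []    # domain-name rows (IIS resolves these by reverse DNS)

    def add_single_computer(self, ip):
        # A single computer is a /32 network.
        self.networks.append(ipaddress.ip_network(ip))

    def add_group_of_computers(self, network_id, subnet_mask):
        # IIS takes a network ID and a subnet mask; strict=False tolerates
        # a network ID that still has host bits set.
        self.networks.append(
            ipaddress.ip_network(f"{network_id}/{subnet_mask}", strict=False))

    def add_domain_name(self, domain):
        self.domains.append(domain.lower().lstrip("."))

    def is_listed(self, client_ip, client_host=None):
        """True if the client matches any row of the exception list."""
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.networks):
            return True
        if client_host:
            host = client_host.lower().rstrip(".")
            return any(host == d or host.endswith("." + d) for d in self.domains)
        return False

    def allows(self, client_ip, client_host=None):
        """Apply the default and the exception list."""
        listed = self.is_listed(client_ip, client_host)
        return (not listed) if self.default_grant else listed


def classify_requests(restriction, requests):
    """Return (ip, host, decision) for each constructed request so the effect
    of a rule set can be reviewed before it is applied to a server."""
    return [(ip, host, "granted" if restriction.allows(ip, host) else "denied")
            for ip, host in requests]


# Constructed sample: a public site that blocks one attacking proxy, one
# network range, and one domain (documentation address ranges).
PUBLIC_SITE = IpDomainRestriction(default_grant=True)
PUBLIC_SITE.add_single_computer("203.0.113.7")
PUBLIC_SITE.add_group_of_computers("198.51.100.0", "255.255.255.0")
PUBLIC_SITE.add_domain_name("badproxy.example")

# Constructed sample: an intranet-only admin site that admits one subnet.
ADMIN_SITE = IpDomainRestriction(default_grant=False)
ADMIN_SITE.add_group_of_computers("10.1.0.0", "255.255.0.0")

SAMPLE_REQUESTS = [
    ("203.0.113.7", None),                     # the listed proxy
    ("203.0.113.8", None),                     # neighbour, not listed
    ("198.51.100.250", None),                  # inside the listed range
    ("192.0.2.10", "relay.badproxy.example"),  # matched by domain name
    ("10.1.200.3", None),                      # intranet client
]

if __name__ == "__main__":
    for ip, host, decision in classify_requests(PUBLIC_SITE, SAMPLE_REQUESTS):
        print(f"public  {ip:16} {host or '-':26} {decision}")
    for ip, host, decision in classify_requests(ADMIN_SITE, SAMPLE_REQUESTS):
        print(f"admin   {ip:16} {host or '-':26} {decision}")
```

Domain-name rows cost a reverse DNS lookup per request and match whatever name the client's network publishes for its address, so the address-based rows are the dependable ones.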
Web-based permissions are one way to protect files that are not handled “by default” by the Web server, such as .inc files.
This practice reinforces the point that some of the default permissions settings in IIS can expose Web application implementation files to users. It is important to understand what the default permission settings are and how to modify these settings to best protect Web application files.
Quickly demonstrate the Permissions Wizard. Many of the settings in the Permissions Wizard are beyond the scope of this course, but the wizard does provide a quick way to configure Web-based permissions for common scenarios, such as a public Web site or a secure Web site. The students do not run the Permissions Wizard in this course because they will manually implement the same settings.
Lesson: Selecting a Secure Client Authentication Method
The term “identified access” may be new to students. Explain the difference between identified access, which is typically used for the personalization of a Web site, and authenticated access.
The demonstration should set the different authentication methods on the Mod04 subfolder of the 2300Demos Web application. Discuss the results after each authentication method is applied.
You might want to mention that Anonymous access plays an important role in forms-based authentication, which is the topic of Module 5, “Securing Web Pages,” in Course 2300, Developing Secure Web Applications.
Basic authentication is not a secure way of adding authentication to your Web application because the password that is entered by the user is sent to the Web server in Base64 encoding, which is an encoding and not encryption: anyone who can observe the traffic can reverse it. In Module 8, “Protecting Communication Privacy and Data Integrity,” in Course 2300, Developing Secure Web Applications, you will explain Secure Sockets Layer (SSL) and show how the students can secure the Basic authentication method by securing the Basic-protected folder by using SSL. Then, the user name and password (in addition to all of the other data on the secured pages) will be sent to the Web server by using SSL.
Digest authentication is included for a complete look at authentication, but you do not need to discuss this authentication method in detail. Digest authentication requires the Active Directory® directory service, which is beyond the scope of this course.
Although Integrated Windows authentication is a very secure authentication method because it takes advantage of the security features that are built into the Windows operating system, it is important to note its limitations and why it is not appropriate in most Web applications that are designed for use on the Internet.
The most important difference between the Kerberos V5 protocol and NTLM is that NTLM is limited to impersonation on the Web server, whereas Kerberos can use delegation to access resources across the network. It is also important to note that you do not have control over which protocol is used. IIS will always attempt to use Kerberos first and will use NTLM only if Kerberos is not available.
Review the guidelines for using multiple authentication methods so that the students will understand how IIS determines which authentication method to use when multiple authentication methods are specified.
In this practice, students will review some common scenarios and decide which authentication method or methods to use in each scenario. You can add value to this practice by asking students to determine the order in which IIS will try each of the authentication methods to find a valid one.
Lesson: Running Services As an Authenticated User
This animation explains how the identity flow can be passed either by using application parameters or the Windows operating system. The animation shows all parts of the process; however, only the client authentication in IIS and COM+ pieces are discussed here. Microsoft SQL Server™ is covered in Module 7, “Securing Microsoft SQL Server,” in Course 2300, Developing Secure Web Applications. COM+ is beyond the scope of this course.
If students do not know what a COM+ component is, start out with a brief description:
COM+ was introduced by Microsoft in 2000. COM+ builds on the integrated services and features of the Component Object Model (COM), making it easier for developers to create and use software components in any language, by using any tool.
For more information about COM+, see the article “COM+ Programming Overview,” which is available at http://msdn.microsoft.com/library/en-us/cossdk/htm/pgintro_programmingoverview_9kjb.asp.
Note that the application protection setting applies only to ASP Web applications. Demonstrate where you configure this setting in IIS, which is in the Properties dialog box, on the Directory tab, of a Web application.
Describe the process in which ASP.NET Web applications are run, aspnet_wp.exe. Explain that IIS always runs ASP.NET Web applications in a single instance of the aspnet_wp.exe process and that developers do not have control over this.
Demonstrate the Component Services dialog box to show where the students can set the identity of a COM+ application:
1. On the Start menu, point to Programs, point to Administrative Tools, and then click Component Services.
2. In the Component Services dialog box, expand Component Services, expand Computers, expand My Computer, and then expand COM+ Applications.
3. Right-click a COM+ application, such as IIS Out-Of-Process Pooled Applications, and then click Properties.
4. In the Properties dialog box, on the Identity tab, show how the IIS Out-Of-Process Pooled Applications are configured to run as the IWAM_computername user.
5. Click Cancel to close the Properties dialog box.
This topic is beyond the scope of this course. Direct students to Course 2557, Building COM+ Applications Using Microsoft .NET Enterprise Services, to learn more about this topic.
Lab 4: Authentication and Access Control
Introduce the lab with a group brainstorming session about which users need to have access to the TailspinToys and TailspinToysAdmin Web applications, and therefore, what authentication method should be applied to each Web application:
! The TailspinToys Web application must be available to everyone; therefore, it will be configured to allow Anonymous access.
! The TailspinToysAdmin Web application must be available only to the employees of Tailspin Toys; therefore, it will be configured to use Integrated Windows authentication.
At the end of the lab, reiterate which authentication methods were applied to the two Web applications and why.
Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.
Lab Setup
To complete this lab, students can continue working in the Tailspin Toys Microsoft Visual Studio® .NET projects that they used in previous labs, or they can start with new files.
To start with new files, students must complete the following steps.
! Create the Web applications for the ASP exercises
1. Copy all of the contents of the ASP starter folder install_folder\Labfiles\Lab04\ASP\Starter\TailspinToys to the TailspinToys IIS virtual directory at C:\Inetpub\wwwroot\TailspinToys.
2. Copy all of the contents of the ASP starter folder install_folder\Labfiles\Lab04\ASP\Starter\TailspinToysAdmin to the TailspinToysAdmin IIS virtual directory at C:\Inetpub\wwwroot\TailspinToysAdmin.
! Create the Web applications for the ASP.NET exercises
1. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\Lab04\ASPXVB\Starter\TailspinToys.NET to the TailspinToys.NET IIS virtual directory at C:\Inetpub\wwwroot\TailspinToys.NET.
2. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\Lab04\ASPXVB\Starter\TailspinToysAdmin.NET to the TailspinToysAdmin.NET IIS virtual directory at
Overview
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
Introduction
Implementing the correct security settings on your Web servers can safeguard your Web application against security threats, such as unauthorized individuals trying to gain access to restricted information, along with protecting against well-intentioned users who might accidentally alter important files.
Security in Internet Information Services (IIS) version 5.0 consists of an interaction of permissions, policies, authentication methods, and secure communications protocols. By configuring security correctly on your Web server, you can ensure that your servers are protected from unauthorized access. This module provides insight into the Web client authentication methods that are supported by IIS and Microsoft® Windows® 2000 Server. After the Web client user is identified, that identity is then mapped to a Windows 2000 user identity. Servicing a Web page request can involve several processes that have different security identities. The initial authentication and the flow of those identities are the focus of this module.
Note: The code samples in this module are provided in both Microsoft Visual Basic® .NET and C#.
Objectives
After completing this module, you will be able to:
! Explain how Web client authentication is used to pass user identity through a Web application.
! Use Internet Protocol (IP) address and domain name restrictions, and IIS Web-based permissions, to effectively control who can access the resources on a Web server.
! List and explain all of the authentication methods that are supported by IIS, and select the best method for a given set of requirements.
! Explain how the identity of an authenticated Web client is mapped to a Windows 2000 user identity and passed to Web applications and COM+ components.
Lesson: Introduction to Web Client Authentication
Introduction
IIS serves as the gatekeeper to the resources that are on your Web server by authenticating clients as they attempt to access your Web application. In this lesson, you will learn how IIS authenticates clients and passes user identity through a Web application.
Lesson objectives
After completing this lesson, you will be able to:
! Describe why and how Web servers are attacked.
! Describe the difference between authentication and authorization in a Web application.
! Explain the difference between impersonation and delegation.
! List and explain the standard user identities that are on an IIS server.
! Explain how a Web client identity is translated into the process identity or a series of identities that are used by processes that fulfill the Web application request.
! Use code to determine the identity of the user of the currently running Web application.
Why Web Servers Are Attacked
Introduction
Web servers are an easily reached gateway to a company’s network because they are often available for all Internet users to browse. Therefore, Web servers pose a very public arena for attack.
Some files on the Web server need to be available for read access, but must not be available for write access or execute access. Some pages on the Web server should be accessible only to the Web server itself (such as include files or code-behind pages in a Microsoft ASP.NET Web application).
The files on the Web server contain useful information for attackers. Server script files, such as .asp and .aspx files, contain implementation source code that can be useful for determining a Web site’s architecture. This implementation source code may also describe database structures. Source code may also contain database connection strings, trusted user names and passwords, and other configuration data that can be useful to an attacker.
Accessing a Web server
A Web server can become available to an attacker through a variety of mechanisms. Some of these mechanisms are the result of weaknesses in a system. You can prevent most of the attacks on the Web server by ensuring that certain weaknesses are addressed. Specific weaknesses are described in the following table.
Alternate routes to the files
Running more applications on the Web server than required makes the Web application vulnerable to attack because it provides alternate routes for attackers to access the Web application data. For example, Web application implementation files can also be accessed through applications such as File Transfer Protocol (FTP) and Web Distributed Authoring and Versioning (WebDAV). If a Web server is running these applications and they have a weakness or security hole, Web application implementation files may be accessible to external users. You should disable all of the applications that are not required on the server.
Unprotected configuration files
File types that are not explicitly disallowed are by default accessible through IIS. If you add any new file types (for example, .inc files) to your Web application, you must ensure that those files are secured.
Securing private portions of Web sites
Ensure that anonymous users are allowed only to visit public Web sites, and secure all private sites for authenticated users.
Incorrect Web-based permissions on files
Ensure that the pages of your Web application are available for read access and possibly available for execution. Do not apply write, directory browsing, or execute permission to files and folders unless it is needed by the Web application.
Authentication and Authorization
Introduction
The ability to authenticate Web application users and authorize them to use Web application resources is one of the foundations of Web security.
What is authentication?
Authentication is the process of obtaining user identification credentials, such as a name and a password, and then validating those credentials against some authority, such as a database. If the identification credentials are valid, the user that submitted the credentials is considered an authenticated user.
For example, all users must provide a user name and password every time that they log on to a network. These credentials are then authenticated by an authority, such as a database or a Windows-based domain controller.
What is authorization?
After an identity has been authenticated, the authorization process determines whether that identity has access to a specified resource. The authorization process limits access rights by granting or denying specific permissions to an already authenticated identity.
For example, you can authorize user Robert Brown to access the color printer, but deny access to user Bob Hohman. Similarly, you can authorize only the users of a company’s Media group to be able to access the color printer and deny access to the rest of the company’s users.
The user of a Web application should always execute code with just enough access privilege to accomplish the intended task, and no more. This is referred to as running with least privilege. By limiting access to resources to only those users who are authorized, you can help prevent accidental or malicious damage to Web application and system resources.
Impersonation and Delegation
Introduction
Impersonation and delegation are used to control the flow of user identity through a Web application.
The pages in your Web application are run by either the Active Server Pages (ASP) process or the ASP.NET process. These processes run in many threads on the computer running Windows 2000 Server.
What is impersonation?
Impersonation is the ability of a thread to execute by using different security information than the process that owns the thread. Typically, a thread in a server application impersonates a client. Impersonation allows the thread to act on behalf of that client to access objects on the server or to validate access to the client’s own objects.
The primary reason for impersonation is to cause access checks to be performed against the client’s identity. Access checks identify the user when a thread interacts with a securable object or tries to perform a system task that requires access privileges. Using the client’s identity for access checks can cause access to be either restricted or expanded, depending on what the client has permission to do. For example, assume that a file server has files containing confidential information and that each of these files is protected by an Access Control List (ACL). To prevent a client from obtaining unauthorized access to the information in these files, the server can impersonate the client before accessing the files.
What is delegation?
Delegation, which is a more powerful form of impersonation, enables the server to access remote resources over the network while acting as the client; impersonation is limited to accessing resources on the server computer.
User Identities and Permissions
Introduction
Windows 2000 includes several built-in group accounts that assist you in granting the minimum permissions possible. These group accounts include the Interactive and Network groups. Additionally, when IIS is installed, the IUSR_computername and IWAM_computername user accounts are created for use by IIS when IIS is running ASP Web applications. When you install the Microsoft .NET Framework, an account called ASPNET is also created. The aspnet_wp.exe process (which runs all ASP.NET Web applications) runs as the ASPNET account.
Note: You will learn more about the different authentication methods that are supported by IIS in the lesson “Selecting a Secure Client Authentication Method” in this module.
Interactive group
The Interactive group is a built-in, automatically maintained group in Windows 2000 that consists of all of the users who are logged on locally to the server computer. A local log on is one that appears to the server to have occurred on the server itself, instead of occurring remotely. Before a user or group can perform a local log on, he or she must have the Log on Locally user right. You can use the Interactive group to restrict or permit access to all of the users that are authenticated by Basic authentication.
Network group
The Network group is a built-in, automatically maintained group in Windows 2000 that consists of all of the users who are logged on to the server over the network. Before a user or group can perform a network log on, they must have the Access This Computer from the Network user right. You can use the Network group to control access for all of the users that are authenticated by Digest or Integrated Windows authentication.
The Internet Guest Account is named IUSR_computername (where computername is the name of the computer on which IIS is running), and this account is used to provide Anonymous access to a Web application, a folder, or a file.
Managing NTFS file system permissions for the Internet Guest Account is critical to the security of your Web server and network. The Internet Guest Account should be permitted only the minimum permissions that are necessary to gain access to the Web server.
The IWAM_computername account is also created by IIS, and it is used solely for Web applications that run in Medium or High application protection. In some situations, you will need to provide the appropriate permissions to server resources for this account. For example, if there is a program gaining access to a database on behalf of a user, and that program is running in Medium or High application protection, you will need to provide appropriate database permissions to this account.
Note: You will learn more about IIS application protection levels in the topic “Selecting an IIS Application Protection Level” in this module.
The ASPNET account is created by the .NET Framework, and it is used solely for ASP.NET Web applications. In some situations, you will need to provide the appropriate permissions to server resources for this account. For example, if a Web application needs to write to a file, you will have to give the ASPNET user write permission to access the folder where the file is located.
How IIS Impersonates a Windows User Account
Slide: Internet Information Services (process identity LocalSystem) mapping client requests to Windows user accounts (IUSR_computername, IWAM_computername, ASPNET, or other Windows users and groups) in four steps:
1. Takes client request
2. Impersonates the user by mapping the request to a Windows user account
3. Performs the appropriate tasks
4. Reverts to the process identity, LocalSystem
Introduction
When IIS receives a request from a Web client, it authenticates the client and then performs the work under the identity of the authenticated client by using a Windows user or group account. IIS impersonates the client by using the IUSR_computername or IWAM_computername account for ASP Web applications, or the ASPNET or IUSR_computername account for ASP.NET Web applications.
While IIS impersonates the client, IIS operates within the confines of the authenticated user’s security context. This security context may change during the various stages of request processing, depending on the nature of the client request and what resources are required to service that request.
ASP and impersonation
The security context of the IIS process (Inetinfo.exe) is known as LocalSystem. However, when IIS is processing a client request, it will impersonate the context of the client that originally generated the request. The Windows user account that is used depends on the authentication method, as described in the following table.
Authentication method                          Windows user account
Anonymous                                      IUSR_computername for in-process Web applications, and IWAM_computername for Web applications running in an isolated process.
Basic, Digest, and Integrated Windows (NTLM)   The Windows user account for which the client supplied the user name and password.
Integrated Windows (Kerberos)                  The Windows user account for which the client supplied the user name and password. Kerberos also supports delegation, which allows access to the resources of another system under the client’s identity.
After IIS has performed the tasks that are required to complete the client request, IIS reverts to the security context of the IIS process, LocalSystem.
Note: You will learn more about IIS application protection levels in the topic “Selecting an IIS Application Protection Level” in this module.
ASP.NET does not impersonate by default. ASP.NET executes all code by using the same user account as the ASP.NET process (aspnet_wp.exe), which is typically the ASPNET account. You can change the account that the ASP.NET process runs as by setting the userName and password attributes of the <processModel> tag in the Machine.config or Web.config file. You can enable impersonation in ASP.NET Web applications by setting the impersonate attribute of the <identity> tag in the Web.config file.
The following example enables impersonation, thereby causing the ASP.NET process to run as either the authenticated user or the Internet Guest Account:
<identity impersonate="true"/>
Programmatically Accessing User Identity
Introduction
After a user has accessed your Web application through whichever authentication mechanism you have enabled, the Web pages can then access the user name of the user through code.
Accessing user information from ASP
In ASP, you use the ServerVariables collection of the Request object to obtain the identity information about the user. The variables that contain the user information are AUTH_TYPE, AUTH_USER, AUTH_PASSWORD, and LOGON_USER.
The following example shows the use of the AUTH_USER and AUTH_PASSWORD variables:
<%= Request.ServerVariables("AUTH_USER") %>
<%= Request.ServerVariables("AUTH_PASSWORD") %>
If the user is authenticated with Anonymous authentication, the AUTH_USER variable will contain an empty string. The LOGON_USER variable will be different from the AUTH_USER variable if the remote user is mapped to a local Windows account.
Note: For more information about the ServerVariables collection, search for “ServerVariables” in the Microsoft MSDN® online documentation.
Accessing user information from ASP.NET
In ASP.NET, you use the User.Identity object to obtain identity information about the authenticated user.
The following example uses the User.Identity object to write user information to a Web page:
[Visual Basic .NET]
Imports System.Security.Principal

Sub Page_Load()
    If User.Identity.IsAuthenticated Then
        ' Name and AuthenticationType describe the client that IIS authenticated
        Response.Write(User.Identity.Name)
        Response.Write(User.Identity.AuthenticationType)
    Else
        Response.Write("Anonymous access")
    End If
    ' The Windows account the page code is actually running as
    Response.Write("Windows identity: " & _
        WindowsIdentity.GetCurrent().Name)
End Sub
[C#]
using System.Security.Principal;

void Page_Load()
{
    if (User.Identity.IsAuthenticated) {
        Response.Write(User.Identity.Name);
        Response.Write(User.Identity.AuthenticationType);
    } else {
        Response.Write("Anonymous access");
    }
    Response.Write("Windows identity: " + WindowsIdentity.GetCurrent().Name);
}
The Name and AuthenticationType properties return "" if Anonymous authentication is used.
Note: For more information about the User.Identity object, search for “Identity object” in the .NET Framework documentation.
Impersonation in ASP.NET Web applications
When impersonation is not enabled for your ASP.NET Web application, it runs under the identity of the ASPNET account, rather than as the authenticated user.
The WindowsIdentity class represents the Windows user account that is running the Web page. The User.Identity object contains the authenticated user (User is a Principal object that contains security information).
When impersonation is not enabled, the User.Identity.Name property displays the authenticated user, but the code still runs as the ASPNET account; therefore, access to resources is limited to those available to that account. The WindowsIdentity.GetCurrent().Name property displays the name of the account that is running the Web application (the WindowsIdentity class is in the System.Security.Principal namespace).
If you are using Integrated Windows authentication or Basic authentication, and impersonation is enabled, the code runs as the authenticated user, and User.Identity.Name and WindowsIdentity.GetCurrent().Name are the same. If impersonation is not enabled, WindowsIdentity displays ASPNET and User.Identity displays the authenticated user.
Demonstration: Programmatically Accessing User Identity
In this demonstration, you will see how to display the user identity of the currently running Web application.
! To run the demonstration
1. In Microsoft Internet Explorer, open the http://localhost/2300Demos/Mod04/WhoAmI.asp page.
   The user is allowed access to the Web application as an anonymous user.
2. In Microsoft Visual Studio® .NET, open the 2300Demos solution.
3. Open the WhoAmI.asp page in the Mod04 folder of the 2300Demos project. Show the code that displays the AUTH_USER and AUTH_PASSWORD variables.
4. In Internet Explorer, display the http://localhost/2300Demos/Mod04/WhoAmI.aspx page.
   You are allowed access to the page as an anonymous user, but the identity of the account is ASPNET.
5. In Visual Studio .NET, open the WhoAmI.aspx.vb code-behind page in the Mod04 folder of the 2300Demos project. Show the code that displays the name of the authenticated user and the name of the Windows account.
Lesson: Configuring Access Permissions for a Web Server
One of the first actions that you need to complete to protect your Web application from attack is to configure access permissions to the files and folders of your Web application. In this lesson, you will learn how to configure IP address and domain name restrictions, along with Web-based permissions, in IIS to effectively control who can access the Web application files and other resources on your Web server.
After completing this lesson, you will be able to:
! Apply IP address and domain name restrictions to grant or deny access to your Web application.
! Apply Web-based permissions to grant access at the file, folder, and Web server level.
! Use the Permissions Wizard to set Web-based permissions based on common scenarios.
Using IP Address and Domain Name Restrictions
You can configure IIS to grant or deny access to specific IP addresses, a network address, or a Domain Name System (DNS) name. If you configure IIS to grant access to all IP addresses, except those that you list as exceptions, access is denied to any computer with an IP address that is included in the exception list. Conversely, if you configure IIS to deny all IP addresses, access is denied to all remote computers, except to those whose IP addresses have been specifically granted access.
Important: When you configure a domain name restriction, IIS must perform a DNS reverse lookup on every user’s request for access, to determine whether the requesting IP address belongs to a restricted domain. The reverse lookup will have a significant negative effect on server performance. Also, if the restricted domain does not have reverse lookup enabled, the user may gain access to the Web server.
When a Web user passes through a proxy server or firewall, the user’s IP address can be replaced by the IP address of the proxy server or firewall. Therefore, the incoming connection to your Web server may be that of the proxy server or firewall. Consequently, you can increase security by using IP address restrictions, thereby ensuring that IIS will accept only connections from the proxy server or the firewall.
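As an added illustration that is not part of the course material, the following Python models the two restriction modes described above (Granted Access with denied exceptions, Denied Access with granted exceptions) together with the reverse-lookup caveat; the addresses, the PTR table and the names IpRestriction, decide and fake_reverse_lookup are constructed here and are not IIS APIs.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional

GRANTED, DENIED = "granted", "denied"


@dataclass
class IpRestriction:
    """One IIS 'IP Address and Domain Name Restrictions' setting (modelled)."""
    default: str                                             # Granted Access or Denied Access
    except_networks: List = field(default_factory=list)      # single IPs or network/mask entries
    except_domains: List[str] = field(default_factory=list)  # DNS domain name entries

    def add_ip(self, cidr: str) -> None:
        # A single computer is a /32; a group of computers is network + mask.
        self.except_networks.append(ip_network(cidr, strict=False))

    def add_domain(self, domain: str) -> None:
        self.except_domains.append(domain.lower())

    def decide(self, client_ip: str,
               reverse_lookup: Optional[Callable[[str], Optional[str]]] = None) -> str:
        """Decision for the address IIS sees on the incoming connection (behind a
        proxy or firewall that is the proxy's address, not the end user's)."""
        opposite = DENIED if self.default == GRANTED else GRANTED
        addr = ip_address(client_ip)
        if any(addr in net for net in self.except_networks):
            return opposite
        if self.except_domains and reverse_lookup is not None:
            # A domain entry forces a reverse lookup on every request.
            host = reverse_lookup(client_ip)
            if host and any(host.lower() == d or host.lower().endswith("." + d)
                            for d in self.except_domains):
                return opposite
            # No PTR record: nothing matches, so the default applies. With
            # Granted Access as the default this is the "may gain access" caveat.
        return self.default


# Constructed PTR table standing in for DNS; 10.0.0.9 deliberately has no record.
PTR_TABLE = {"10.0.0.8": "host8.blocked.example", "203.0.113.7": "gw.partner.example"}


def fake_reverse_lookup(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)


def demo() -> dict:
    """Exercise both modes with constructed addresses and return the outcomes."""
    # Granted Access to everyone except a listed network and a listed domain.
    public_site = IpRestriction(GRANTED)
    public_site.add_ip("192.0.2.0/24")
    public_site.add_domain("blocked.example")
    # Denied Access to everyone except the proxy/firewall address IIS should see.
    proxied_site = IpRestriction(DENIED)
    proxied_site.add_ip("203.0.113.7")
    return {
        "public:unlisted": public_site.decide("198.51.100.5", fake_reverse_lookup),
        "public:listed_net": public_site.decide("192.0.2.44", fake_reverse_lookup),
        "public:domain_with_ptr": public_site.decide("10.0.0.8", fake_reverse_lookup),
        "public:domain_no_ptr": public_site.decide("10.0.0.9", fake_reverse_lookup),
        "proxied:from_proxy": proxied_site.decide("203.0.113.7"),
        "proxied:direct": proxied_site.decide("198.51.100.5"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24} -> {outcome}")
```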
Restricting access by IP address or domain name
To restrict access by using IP address or domain name restrictions:
1. On the Start menu, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
   In Administrative Tools, the IIS console is called Internet Services Manager; however, when you open the console, it is called Internet Information Services, also known as the IIS snap-in.
2. In the IIS snap-in, expand the IIS server and the Web applications, click the Web application that you want to configure, and then click
   The Denied Access option denies access to all of the computers that you do not name in the Except those listed below list.
   The Granted Access option allows access to all of the computers that you do not name in the Except those listed below list.
5. Click Add, and then in the Grant Access On dialog box (or Deny Access On dialog box), type the IP address of the computer to which you will grant access. If you do not know the IP address and want to search for the IP address by DNS name, click DNS Lookup, type the name of the computer, and then click OK.
6. Repeat Step 5 for each IP address to which you want to grant or deny access. Click OK to close the IP Address and Domain Name Restrictions dialog box, and then click OK to close the Properties dialog box.
Using Web-Based Permissions
To more accurately control security, you can use IIS to configure access permissions on your Web server for specific Web applications, directories, and files. These access permissions can be categorized into two general groups:
! General access permissions
! Execute permissions
These access permissions together are called Web-based permissions because they are applied at the Web server level, which equates to the application layer of Transmission Control Protocol/Internet Protocol (TCP/IP). Web-based permissions are enforced equally to all of the users who are granted access to the Web server, a folder, or a file. For example, you cannot grant write permissions to one group and read permissions to another group when using Web-based permissions.
Using general access permissions
General access permissions can be set at the Web application, folder, and file levels. The general access permissions are:
! Read When enabled, users can gain access to static files, such as .html or .txt files, by using a Web browser or a Web folder. Disabling read permissions prevents anyone from viewing your Web application’s .htm files.
! Write When enabled, users can change file content and properties on a Web application. Changing file content and properties on a Web application is most commonly accomplished by using a Web folder or a browser that is capable of posting to a Web application.
Note: Read and write permissions affect only requests to static files, such as .htm or .txt files. These permissions have no effect on scripts or executable files, meaning that disabling the Web-based read permissions does not prevent ASP scripts or executable files from running when they are invoked. Also, disabling the write permission does not prevent ASP pages or executables from writing to the Web application.
! Directory browsing When enabled, users can view the folder listing for the home folder when a default document is not defined. Typically, when you first gain access to a Web server, the default document is displayed. If the default document is not defined or if it is absent, an error is returned to the client computer. However, if directory browsing is enabled, the folder listing for the home folder is shown instead of an error.
! Script Source Access When enabled, this option enables users to read and edit the source code for your Web application. This option is available only if either the Read or Write permissions are enabled. If Read permissions are enabled, a user can read the source code, and if Write permissions are enabled, a user can write to the source code. For example, to write an ASP page to a Web application from a Web folder, you must enable both Write permissions and Script Source Access. Additionally, Script Source Access controls whether or not users can copy scripts from or write to the Web application by using WebDAV.
When you select Script Source Access, users may be able to view sensitive information, such as a user name and password, from the scripts in an ASP page or other script-based Web applications, such as Perl.
You can set Execute permissions on a per-Web-site and per-folder basis. Therefore, you can control whether programs and scripts are allowed to run in a specific Web application or subfolder. Execute permission settings are:
! None This option does not enable any programs or scripts to run in the specified Web application or folder.
! Scripts only This option enables Web applications that are mapped to a script engine to run in the specified folder, without having the Execute permission set. The Scripts only permission is significantly more secure than the Scripts and Executables permission. For example, you can run ASP pages from a Web application or folder that is secured by using the Scripts only permission, but you cannot execute .exe or .dll files.
! Scripts and Executables This option enables any Web application to run in the specified folder, including Web applications that are mapped to script engines, Windows binaries, and .dll and .exe files. It is suggested that you use this option with caution, because when this option is enabled, a user who has Write access can upload and execute potentially harmful programs.
To set Web-based permissions on a Web application, open the IIS snap-in, right-click the Web application on which you want to add Web-based permissions, and then click Properties. On the Virtual Directory tab, select the permissions that you want to set.
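The following Python, added here and not part of the course, models the request outcomes that these permission rules produce (Read and Write govern only static files, Execute governs scripts and binaries, Script Source Access requires Read or Write), including the .inc exposure addressed in the practice that follows; the class and function names and the file names login.asp, tool.exe and new.asp are constructed, while the UsersDB.inc path comes from the practice.

```python
from dataclasses import dataclass
from os.path import splitext

NONE, SCRIPTS_ONLY, SCRIPTS_AND_EXE = "None", "Scripts only", "Scripts and Executables"
SCRIPT_EXT = {".asp", ".aspx"}      # extensions mapped to a script engine
EXECUTABLE_EXT = {".exe", ".dll"}   # Windows binaries


@dataclass
class WebPermissions:
    """IIS Web-based permissions for one application, folder or file (modelled)."""
    read: bool = True
    write: bool = False
    script_source_access: bool = False
    execute: str = SCRIPTS_ONLY


def classify(path: str) -> str:
    ext = splitext(path)[1].lower()
    if ext in SCRIPT_EXT:
        return "script"
    if ext in EXECUTABLE_EXT:
        return "executable"
    # .htm and .txt, but also .inc: no script engine is mapped to it, so it is
    # served like a static file and Read alone decides (hence the practice).
    return "static"


def request(perms: WebPermissions, method: str, path: str) -> str:
    """Outcome of a browser GET or a Web-folder PUT under the given settings."""
    kind = classify(path)
    if method == "GET":
        if kind == "static":
            return "served" if perms.read else "cannot be displayed"
        if kind == "script":
            # Execute decides; clearing Read does not stop a mapped script from running.
            return "run" if perms.execute in (SCRIPTS_ONLY, SCRIPTS_AND_EXE) else "execute forbidden"
        return "run" if perms.execute == SCRIPTS_AND_EXE else "execute forbidden"
    if method == "PUT":
        if kind == "script":
            # Writing a script through a Web folder needs Write and Script Source Access.
            return "written" if perms.write and perms.script_source_access else "write forbidden"
        return "written" if perms.write else "write forbidden"
    raise ValueError(f"unsupported method {method}")


def upload_and_run_possible(perms: WebPermissions) -> bool:
    """The combination the text warns about: Write together with Scripts and
    Executables lets whoever can write into the folder also run what was written."""
    return perms.write and perms.execute == SCRIPTS_AND_EXE


def demo() -> dict:
    """The .inc practice and the Execute caveats, expressed as decisions."""
    as_installed = WebPermissions()             # Read set, Scripts only
    read_cleared = WebPermissions(read=False)   # what the practice does to each .inc
    return {
        "inc_default": request(as_installed, "GET", "/TailspinToys/UsersDB.inc"),
        "inc_read_cleared": request(read_cleared, "GET", "/TailspinToys/UsersDB.inc"),
        "asp_read_cleared": request(read_cleared, "GET", "/TailspinToys/login.asp"),
        "exe_scripts_only": request(as_installed, "GET", "/TailspinToys/tool.exe"),
        "put_asp_write_only": request(WebPermissions(write=True), "PUT", "/TailspinToys/new.asp"),
        "risky_combo": upload_and_run_possible(WebPermissions(write=True, execute=SCRIPTS_AND_EXE)),
        "write_scripts_only": upload_and_run_possible(WebPermissions(write=True)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20} -> {outcome}")
```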
Practice: Using Web-Based Permissions
The TailspinToys and TailspinToysAdmin Web applications use .inc files to implement database functionality on the Web pages of the Web application. By default, users can view the code in these .inc files.
In this practice, you will secure the .inc files in the TailspinToys and TailspinToysAdmin ASP Web applications.
! Secure the TailspinToys .inc files
1. In Internet Explorer, browse to the http://localhost/TailspinToys/UsersDB.inc page.
   Why are you able to view the code on this page?
   Because all of the pages in the TailspinToys Web application are set to be viewable.
2. On the Start menu, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
3. In the left pane, expand the TailspinToys Web application.
4. For each of the .inc files in the right pane (adovbs.inc, DBConn.inc, UsersDB.inc, and _header.inc), complete the following steps:
   a. Right-click the file, and then click Properties.
   b. In the Properties dialog box, on the File tab, clear the Read check box, and then click OK.
5. In Internet Explorer, refresh your view of the http://localhost/TailspinToys/UsersDB.inc page.
   What happens?
   You get an error that the page cannot be displayed.
! Secure the TailspinToysAdmin .inc files
1. In IIS, in the left pane, expand the TailspinToysAdmin Web application.
2. For each of the .inc files in the right pane (adovbs.inc, DBConn.inc, and OrdersDB.inc), complete the following steps:
   a. Right-click the file, and then click Properties.
   b. In the Properties dialog box, on the File tab, clear the Read check box, and then click OK.
Using the Permissions Wizard
The Permissions Wizard takes a scenario-driven approach to setting up Web and FTP permissions, NTFS access permissions, and authentication schemes. Rather than setting each area with a separate user interface (UI), you select the scenario that most closely resembles your Web application’s needs, and the wizard sets all of the access permissions and authentication schemes for you. One of the great advantages of using the wizard is that it ensures that Web (or FTP) and NTFS permissions are properly coordinated, and that the correct authentication scheme is used. All of the settings can still be changed in the IIS snap-in.
Permissions Wizard scenarios
The Permissions Wizard Web site scenarios are:
! Public Web Site This is the most common configuration, in which the information on the site is intended for public use over the Internet. This configuration uses anonymous authentication and allows users to view all of the files and access ASP Web applications on your Web server. This configuration also gives administrators complete control over the Web site.
! Secure Web Site This configuration is used for corporate extranets, which are intranets accessed over the Internet. Information on the Web site is intended for restricted use. This configuration uses Basic, Digest, or Integrated Windows authentication. Secure Web Site allows only authorized users to view all of the files and access the ASP applications on your Web server. This configuration also gives administrators complete control over the Web site.
Note: You will learn more about the different authentication methods that are supported by IIS in the lesson “Selecting a Secure Client Authentication Method” in this module.
To open the Permissions Wizard:
1. In the IIS snap-in, select the Web application that you want to configure.
2. On the Action menu, point to All Tasks, and then click Permissions Wizard.
Lesson: Selecting a Secure Client Authentication Method
All users who are connecting to IIS must be authenticated to access the Web applications or the actual files that are on the hard disk. This authentication can vary from Anonymous authentication to extremely secure methods of authentication, such as Kerberos or certificate mapping.
In this lesson, you will learn how to select and configure an IIS Web authentication method that provides the best possible security, given a set of Web application requirements.
After completing this lesson, you will be able to:
! Define the three categories of Web user identification in a Web application.
! Describe and configure the following IIS authentication methods:
! Explain what happens when multiple authentication methods are enabled on an IIS Web server.
Overview of IIS Web Client Authentication
Web client access is organized into three basic methods:
! Anonymous access If there is no reason to require any information about the Web client, except perhaps that the client has visited the Web site before, this level of client identification can be used. An example of this is a Web site that provides informative content accessible to everyone, such as http://www.microsoft.com.
! Identified access If you are providing personalized services to users, but you are not giving users access to private data that is known only to your company and the users, you should use this method of Web client access. Typical examples of this method of access are personalization of Web application attributes and identification for user profiling.
! Authenticated access Authenticated access is required when you must know who the user is and the user must have access to data that might be private, sensitive, or personal. An example of this is a banking Web site that allows customers to manage their accounts.
IIS authentication protocols
To view Web application content, a user must log on to the Web browser and access the Web pages. Each Web client authentication protocol that is supported by IIS provides a means by which a user can log on to the Web server by using a Web browser. IIS provides a range of Web client authentication protocols, including:
! Anonymous authentication
! Basic authentication
! Digest authentication
! Integrated Windows authentication, including NTLM and Kerberos
! Client certificate mapping
When you configure authentication for a Web server, it is important to know the advantages and limitations of each type of authentication protocol, so that you can use the protocol that best meets your security needs.
Note: This lesson discusses the first four authentication protocols in detail. Client certificate mapping is discussed in Module 8, “Protecting Communication Privacy and Data Integrity,” in Course 2300, Developing Secure Web Applications.
Demonstration: Setting IIS Authentication Methods
In this demonstration, you will see how to change the authentication method for a Web application and observe the results of setting these different authentication methods on a Web application.
! To run the demonstration
1. On the Start menu, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
2. Expand the IIS server, expand Default Web Site, and then expand the 2300Demos Web application.
3. Right-click the Mod04 folder of the 2300Demos Web application, and then click Properties.
4. In the Mod04 Properties dialog box, on the Directory Security tab, in the Anonymous access and authentication control section, click Edit.
5. In the Authentication Methods dialog box, point out the default authentication methods. Because Anonymous is selected by default, all users will be allowed Anonymous access.
6. Change the authentication method for the Mod04 folder of the 2300Demos Web application to allow only Basic authentication.
7. In Internet Explorer, open the http://localhost/2300Demos/Mod04/WhoAmI.asp page.
   You are prompted for a user name and password of a Windows account.
8. In the Enter Network Password dialog box, type 2300Instructor in the Username text box, type P@ssw0rd in the Password text box, and then click OK.
   You are allowed access to the page, and the user name and password are displayed.