You are previewing Building Secure Microsoft® ASP.NET Applications.
O'Reilly logo
Building Secure Microsoft® ASP.NET Applications

Book Description

This guide presents a practical, scenario-driven approach to designing and building security-enhanced ASP.NET applications for Microsoft® Windows® 2000 and version 1.1 of the Microsoft .NET Framework.

Table of Contents

  1. Building Secure Microsoft ASP.NET Applications: Authentication, Authorization, and Secure Communication
  2. A Note Regarding Supplemental Files
  3. Acknowledgements
  4. Preface
    1. Why We Wrote This Book
    2. Who Should Read This Book?
    3. How You Should Read This Book
    4. Organization of this Book
      1. Part I, Security Models
      2. Part II, Application Scenarios
      3. Part III, Securing the Tiers
      4. Part IV, Reference
    5. System Requirements
    6. Installing the Sample Files
    7. Building Secure ASP.NET Applications—Online Version
    8. Support
  5. 1. Introduction
    1. The Connected Landscape
    2. The Foundations
      1. Authentication
      2. Authorization
      3. Secure Communication
    3. Tying the Technologies Together
    4. Design Principles
    5. Summary
  6. 2. Security Model for ASP.NET Applications
    1. .NET Web Applications
      1. Logical Tiers
      2. Physical Deployment Models
        1. The Web Server as an Application Server
        2. Remote Application Tier
    2. Implementation Technologies
    3. Security Architecture
      1. Security Across the Tiers
      2. Authentication
        1. ASP.NET Authentication Modes
          1. More Information
        2. Enterprise Services Authentication
          1. More Information
        3. SQL Server Authentication
          1. More Information
      3. Authorization
        1. ASP.NET Authorization Options
          1. More Information
        2. Enterprise Services Authorization
          1. More Information
        3. SQL Server Authorization
          1. More Information
      4. Gatekeepers and Gates
    4. Introducing .NET Framework Security
      1. Code Access Security
        1. Evidence and Security Policy
        2. CAS and ASP.NET Web Applications
      2. Principals and Identities
        1. The IPrincipal and IIdentity Interfaces
      3. WindowsPrincipal and WindowsIdentity
      4. GenericPrincipal and Associated Identity Objects
      5. ASP.NET and HttpContext.User
        1. ASP.NET Identities
        2. More Information
      6. Remoting and Web Services
    5. Summary
  7. 3. Authentication and Authorization Design
    1. Designing an Authentication and Authorization Strategy
      1. Identify Resources
      2. Choose an Authorization Strategy
        1. More Information
      3. Choose the Identities Used for Resource Access
      4. Consider Identity Flow
      5. Choose an Authentication Approach
        1. More Information
      6. Decide How to Flow Identity
        1. More Information
    2. Authorization Approaches
      1. Role Based Authorization
      2. Resource Based Authorization
      3. Resource Access Models
      4. The Trusted Subsystem Model
        1. Fixed Identities
        2. Using Multiple Trusted Identities
      5. The Impersonation / Delegation Model
      6. Choosing a Resource Access Model
        1. Advantage of the Impersonation / Delegation Model
        2. Disadvantages of the Impersonation / Delegation Model
        3. Advantages of the Trusted Subsystem Model
        4. Disadvantages of the Trusted Subsystem Model
    3. Flowing Identity
      1. Application vs. Operating System Identity Flow
      2. Impersonation and Delegation
        1. Impersonation
        2. Delegation
    4. Role-Based Authorization
      1. .NET Roles
        1. .NET Roles with Windows Authentication
        2. .NET Roles with non-Windows Authentication
        3. Custom IPrincipal Objects
          1. More Information
      2. Enterprise Services (COM+) Roles
      3. SQL Server User Defined Database Roles
      4. SQL Server Application Roles
        1. More Information
      5. .NET Roles versus Enterprise Services (COM+) Roles
      6. Using .NET Roles
        1. More Information
        2. Checking Role Membership
        3. Role Checking Examples
    5. Choosing an Authentication Mechanism
      1. Internet Scenarios
        1. Forms / Passport Comparison
          1. Advantages of Forms Authentication
          2. Advantages of Passport Authentication
          3. More Information
      2. Intranet / Extranet Scenarios
      3. Authentication Mechanism Comparison
    6. Summary
  8. 4. Secure Communication
    1. Know What to Secure
    2. SSL/TLS
      1. Using SSL
    3. IPSec
      1. Using IPSec
    4. RPC Encryption
      1. Using RPC Encryption
        1. More Information
    5. Point to Point Security
      1. Browser to Web Server
      2. Web Server to Remote Application Server
      3. Application Server to Database Server
        1. Using SSL to SQL Server
          1. More Information
    6. Choosing Between IPSec and SSL
    7. Farming and Load Balancing
      1. More Information
    8. Summary
  9. 5. Intranet Security
    1. ASP.NET to SQL Server
      1. Characteristics
      2. Secure the Scenario
      3. The Result
      4. Security Configuration Steps
        1. Configuring IIS
        2. Configuring ASP.NET
        3. Configuring SQL Server
        4. Configuring Secure Communication
      5. Analysis
      6. Q&A
      7. Related Scenarios
        1. Non-Internet Explorer Browsers
        2. SQL Authentication to the Database
        3. Flowing the Original Caller to the Database
    2. ASP.NET to Enterprise Services to SQL Server
      1. Characteristics
      2. Secure the Scenario
      3. The Result
      4. Security Configuration Steps
        1. Configuring IIS
        2. Configuring ASP.NET
        3. Configuring Enterprise Services
        4. Configuring SQL Server
        5. Configuring Secure Communication
      5. Analysis
      6. Pitfalls
    3. ASP.NET to Web Services to SQL Server
      1. Characteristics
      2. Secure the Scenario
      3. The Result
      4. Security Configuration Steps
        1. Configuring the Web Server (that Hosts the Web Application)
        2. Configuring the Application Server (that Hosts the Web Service)
        3. Configure SQL Server
        4. Configuring Secure Communication
      5. Analysis
      6. Pitfalls
      7. Q&A
        1. Related Scenarios
    4. ASP.NET to Remoting to SQL Server
      1. Characteristics
      2. Secure the Scenario
      3. The Result
      4. Security Configuration Steps
        1. Configuring the Web Server
        2. Configure the Application Server
        3. Configure SQL Server
        4. Configuring Secure Communication
      5. Analysis
      6. Pitfalls
        1. Related Scenarios
    5. Flowing the Original Caller to the Database
      1. ASP.NET to SQL Server
        1. Using Basic Authentication at the Web Server
        2. Using Integrated Windows Authentication at the Web Server
      2. ASP.NET to Enterprise Services to SQL Server
        1. Characteristics
        2. Secure the Scenario
        3. The Result
        4. Security Configuration Steps
      3. Analysis
      4. Pitfalls
    6. Summary
  10. 6. Extranet Security
    1. Exposing a Web Service
      1. Characteristics
      2. Secure the Scenario
      3. The Result
      4. Security Configuration Steps
        1. Configuring the Partner Application
        2. Configuring the Extranet Web Server
        3. Configuring SQL Server
        4. Configuring Secure Communication
      5. Analysis
      6. Pitfalls
      7. Q&A
        1. Related Scenarios
          1. More Information
    2. Exposing a Web Application
      1. Scenario Characteristics
      2. Secure the Scenario
      3. The Result
        1. Configuring the Extranet Web Server
        2. Configuring SQL Server
        3. Configuring Secure Communication
      4. Analysis
      5. Pitfalls
        1. Related Scenarios
          1. No Connectivity from Extranet to Corporate Network
          2. More Information
    3. Summary
  11. 7. Internet Security
    1. ASP.NET to SQL Server
      1. Characteristics
      2. Secure the Scenario
      3. The Result
      4. Security Configuration Steps
        1. Configure the Web Server
        2. Configuring SQL Server
        3. Configuring Secure Communication
      5. Analysis
      6. Pitfalls
      7. Related Scenarios
        1. Forms Authentication against Active Directory
          1. More Information
        2. .NET Roles for Authorization
          1. More Information
        3. Using a Domain Anonymous Account at the Web Server
          1. More Information
    2. ASP.NET to Remote Enterprise Services to SQL Server
      1. Characteristics
      2. Secure the Scenario
      3. The Result
      4. Security Configuration Steps
        1. Configure the Web Server
        2. Configure the Application Server
        3. Configuring SQL Server
        4. Configuring Secure Communication
      5. Analysis
      6. Pitfalls
      7. Related Scenarios
        1. Forms Authentication Against Active Directory
          1. More Information
        2. Using DCOM
          1. More Information
        3. Using .NET Remoting
          1. More Information
    3. Summary
  12. 8. ASP.NET Security
    1. ASP.NET Security Architecture
      1. Gatekeepers
        1. IIS
        2. ASP.NET
          1. UrlAuthorizationModule
          2. FileAuthorizationModule
          3. Principal Permission Demands and Explicit Role Checks
          4. More Information
    2. Authentication and Authorization Strategies
      1. Available Authorization Options
      2. Windows Authentication with Impersonation
        1. Configurable Security
        2. Programmatic Security
        3. When to Use
          1. More Information
      3. Windows Authentication without Impersonation
        1. Configurable Security
        2. Programmatic Security
        3. When to Use
          1. More Information
      4. Windows Authentication Using a Fixed Identity
        1. When to Use
      5. Forms Authentication
        1. Configurable Security
        2. Programmatic Security
        3. When to Use
          1. More Information
      6. Passport Authentication
        1. When to Use
    3. Configuring Security
      1. Configure IIS Settings
      2. Configure ASP.NET Settings
        1. URL Authorization Notes
          1. URL Authorization Examples
      3. Secure Resources
        1. Locking Configuration Settings
        2. Preventing Files from Being Downloaded
      4. Secure Communication
        1. More information
    4. Programming Security
      1. An Authorization Pattern
        1. Retrieve Credentials
        2. Validate Credentials
        3. Put Users in Roles
        4. Create an IPrincipal Object
        5. Put the IPrincipal Object into the Current HTTP Context
        6. Authorize Based on the User Identity and/or Role Membership
          1. More Information
      2. Creating a Custom IPrincipal class
        1. More Information
    5. Windows Authentication
      1. Identifying the Authenticated User
    6. Forms Authentication
      1. Development Steps for Forms Authentication
        1. Configure IIS for Anonymous Access
        2. Configure ASP.NET for Forms Authentication
        3. Create a Logon Web Form and Validate the Supplied Credentials
          1. More Information
        4. Retrieve a Role List from the Custom Data Store
        5. Create a Forms Authentication Ticket
        6. Create an IPrincipal Object
        7. Put the IPrincipal Object into the Current HTTP Context
        8. Authorize the User Based on User Name or Role Membership
      2. Forms Implementation Guidelines
        1. More Information
      3. Hosting Multiple Applications Using Forms Authentication
        1. More Information
      4. Cookieless Forms Authentication
        1. More Information
    7. Passport Authentication
      1. Configure ASP.NET for Passport authentication
      2. Map a Passport Identity into Roles in Global.asax
      3. Test Role Membership
    8. Custom Authentication
      1. More Information
    9. Process Identity for ASP.NET
      1. Use a Least Privileged Account
      2. Avoid Running as SYSTEM
        1. More Information
        2. Domain Controllers and the ASP.NET Process Account
      3. Using the Default ASPNET Account
        1. The <processModel> Element
        2. Storing Encrypted <processModel> Credentials
          1. More Information
    10. Impersonation
      1. Impersonation and Local Resources
      2. Impersonation and Remote Resources
        1. More Information
      3. Impersonation and Threading
    11. Accessing System Resources
      1. Accessing the Event Log
      2. Accessing the Registry
        1. More Information
    12. Accessing COM Objects
      1. Apartment Model Objects
        1. The AspCompat Directive is Required
          1. More Information
        2. Don’t Create COM Objects Outside of Specific Page Events
          1. More Information
        3. C# and VB .NET Objects in COM+
    13. Accessing Network Resources
      1. Using the ASP.NET Process Identity
        1. More Information
      2. Using a Serviced Component
      3. Using the Anonymous Internet User Account
        1. Hosting Multiple Web Applications
      4. Using LogonUser and Impersonating a Specific Windows Identity
      5. Using the Original Caller
        1. More Information
      6. Accessing Files on a UNC File Share
      7. Accessing Non-Windows Network Resources
    14. Secure Communication
      1. More Information
    15. Storing Secrets
      1. Options for Storing Secrets in ASP.NET
        1. More Information
      2. Consider Storing Secrets in Files on Separate Logical Volumes
    16. Securing Session and View State
      1. Securing View State
      2. Securing Cookies
      3. Securing SQL Session State
        1. Securing the Database Connection String
        2. Securing Session State Across the Network
          1. More Information
    17. Web Farm Considerations
      1. Session State
      2. DPAPI
        1. More Information
      3. Using Forms Authentication in a Web Farm
      4. The <machineKey> Element
        1. The validationKey Attribute
        2. The decryptionKey Attribute
        3. The Validation Attribute
          1. More Information
    18. Summary
  13. 9. Enterprise Services Security
    1. Security Architecture
      1. Gatekeepers and Gates
      2. Use Server Applications for Increased Security
      3. Security for Server and Library Applications
        1. Assign Roles to Classes, Interfaces, or Methods
      4. Code Access Security Requirements
    2. Configuring Security
      1. Configuring a Server Application
        1. Development Time vs. Deployment Time Configuration
        2. Configure Authentication
        3. Configure Authorization (Component-Level Access Checks)
        4. Create and Assign Roles
          1. Adding Roles to an Application
          2. Adding Roles to a Component (Class)
          3. Adding Roles to an Interface
          4. Adding Roles to a Method
        5. Register Serviced Components
        6. Populate Roles
          1. Use Windows Groups
          2. More Information
        7. Configure Identity
          1. More Information
      2. Configuring an ASP.NET Client Application
        1. Configure Authentication
          1. More Information
        2. Configure Impersonation
          1. More Information
      3. Configuring Impersonation Levels for an Enterprise Services Application
    3. Programming Security
      1. Programmatic Role-Based Security
      2. Identifying Callers
    4. Choosing a Process Identity
      1. Avoid Running as the Interactive User
      2. Use a Least-Privileged Custom Account
    5. Accessing Network Resources
      1. Using the Original Caller
        1. More Information
      2. Using the Current Process Identity
      3. Using a Specific Service Account
    6. Flowing the Original Caller
      1. Calling CoImpersonateClient
        1. More Information
    7. RPC Encryption
      1. More Information
    8. Building Serviced Components
      1. DLL Locking Problems
      2. Versioning
        1. More Information
      3. QueryInterface Exceptions
    9. DCOM and Firewalls
      1. More Information
    10. Calling Serviced Components from ASP.NET
      1. Caller’s Identity
      2. Use Windows Authentication and Impersonation Within the Web-based Application
      3. Configure Authentication and Impersonation within Machine.config
      4. Configuring Interface Proxies
        1. More Information
    11. Security Concepts
      1. Enterprise Services (COM+) Roles and .NET Roles
      2. Authentication
        1. Authentication Level Promotion
        2. Authentication Level Negotiation
          1. More Information
      3. Impersonation
        1. Cloaking
          1. More Information
    12. Summary
  14. 10. Web Services Security
    1. Web Service Security Model
      1. Platform/Transport Level (Point-to-Point) Security
        1. When to Use
      2. Application Level Security
        1. When to Use
      3. Message Level (End-to-End) Security
        1. When to Use
          1. The Web Services Development Kit
          2. More Information
    2. Platform/Transport Security Architecture
      1. Gatekeepers
        1. More Information
    3. Authentication and Authorization Strategies
      1. Windows Authentication with Impersonation
        1. Configurable Security
        2. Programmatic Security
        3. When to Use
          1. More Information
      2. Windows Authentication without Impersonation
        1. Configurable Security
        2. Programmatic Security
        3. When to Use
          1. More Information
      3. Windows Authentication Using a Fixed Identity
        1. When to Use
          1. More Information
    4. Configuring Security
      1. Configure IIS Settings
      2. Configure ASP.NET Settings
        1. More Information
      3. Secure Resources
      4. Disable HTTP-GET, HTTP-POST
        1. More Information
      5. Secure Communication
        1. More information
    5. Passing Credentials for Authentication to Web Services
      1. Specifying Client Credentials for Windows Authentication
        1. Using DefaultCredentials
        2. Using Specific Credentials
          1. Request a Specific Authentication Type
        3. Set the PreAuthenticate Property
        4. Using the ConnectionGroupName Property
      2. Calling Web Services from Non-Windows Clients
      3. Proxy Server Authentication
    6. Flowing the Original Caller
      1. Default Credentials with Kerberos Delegation
        1. Configuring the Web Server
        2. Configuring the Remote Application Server
          1. More Information
      2. Explicit Credentials with Basic or Forms Authentication
        1. Basic Authentication
        2. Forms Authentication
        3. Configuring the Web Server
        4. Configuring the Application Server
    7. Trusted Subsystem
      1. Flowing the Caller’s Identity
      2. Configuration Steps
        1. Configuring the Web Server
        2. Configuring the Application Server
    8. Accessing System Resources
    9. Accessing Network Resources
    10. Accessing COM Objects
      1. More Information
    11. Using Client Certificates with Web Services
      1. Authenticating Web Browser Clients with Certificates
      2. Using the Trusted Subsystem Model
        1. Solution Implementation
        2. Why Use an Additional Process?
        3. More Information
    12. Secure Communication
      1. Transport Level Options
      2. Message Level Options
        1. More Information
    13. Summary
  15. 11. .NET Remoting Security
    1. .NET Remoting Architecture
      1. Remoting Sinks
        1. Transport Channel Sinks
          1. Comparing Transport Channel Sinks
        2. Custom Sinks
        3. Formatter Sinks
      2. Anatomy of a Request When Hosting in ASP.NET
      3. ASP.NET and the HTTP Channel
        1. More Information
    2. .NET Remoting Gatekeepers
    3. Authentication
      1. Hosting in ASP.NET
      2. Hosting in a Windows Service
        1. Custom Authentication
          1. More Information
    4. Authorization
      1. Using File Authorization
        1. More Information
    5. Authentication and Authorization Strategies
      1. More Information
    6. Accessing System Resources
    7. Accessing Network Resources
    8. Passing Credentials for Authentication to Remote Objects
      1. Specifying Client Credentials
        1. Using DefaultCredentials
          1. Explicit Configuration
          2. Programmatic Configuration
        2. Using Specific Credentials
          1. Request a Specific Authentication Type
        3. Set the preauthenticate Property
        4. Using the connectiongroupname Property
    9. Flowing the Original Caller
      1. Default Credentials with Kerberos Delegation
        1. Configuring the Web Server
        2. Configuring the Remote Application Server
          1. More Information
      2. Explicit Credentials with Basic or Forms Authentication
        1. Basic Authentication
        2. Forms Authentication
        3. Configuring the Web Server
        4. Configuring the Application Server
    10. Trusted Subsystem
      1. Flowing the Caller’s Identity
      2. Choosing a Host
      3. Configuration Steps
        1. Configuring the Web Server
        2. Configuring the Application Server
        3. Using a Windows Service Host
    11. Secure Communication
      1. Platform Level Options
        1. Message Level Options
          1. More Information
    12. Choosing a Host Process
      1. Recommendation
      2. Hosting in ASP.NET
        1. Advantages
        2. Disadvantages
      3. Hosting in a Windows Service
        1. Advantages
        2. Disadvantages
      4. Hosting in a Console Application
        1. Advantages
        2. Disadvantages
    13. Remoting vs. Web Services
    14. Summary
  16. 12. Data Access Security
    1. Introducing Data Access Security
      1. SQL Server Gatekeepers
      2. Trusted Subsystem vs. Impersonation/Delegation
    2. Authentication
      1. Windows Authentication
        1. More Information
        2. Using Windows Authentication
        3. Recommendation
        4. Using the ASP.NET Process Identity
          1. Use Mirrored ASPNET Local Accounts
          2. Use Mirrored, Custom Local Accounts
          3. Use a Custom Domain Account
          4. Implementing Mirrored ASPNET Process Identity
          5. Connecting to SQL Server Using Windows Authentication
        5. Using Fixed Identities within ASP.NET
        6. Using Serviced Components
        7. Calling LogonUser and Impersonating a Specific Windows Identity
        8. Using the Original Caller’s Identity
        9. Using the Anonymous Internet User Account
          1. More Information
        10. When Can’t You Use Windows Authentication?
      2. SQL Authentication
        1. Connection String Types
          1. More Information
        2. Choosing a SQL Account for Your Connections
        3. Passing Credentials over the Network
        4. Securing SQL Connection Strings
      3. Authenticating Against Non-SQL Server Databases
    3. Authorization
      1. Using Multiple Database Roles
    4. Secure Communication
      1. The Options
      2. Choosing an Approach
        1. More Information
    5. Connecting with Least Privilege
      1. The Database Trusts the Application
      2. The Database Trusts Different Roles
      3. The Database Trusts the Original Caller
    6. Creating a Least Privilege Database Account
    7. Storing Database Connection Strings Securely
      1. The Options
      2. Using DPAPI
        1. Why Not LSA?
        2. Machine Store vs. User Store
        3. DPAPI Implementation Solutions
          1. Using DPAPI from Enterprise Services
          2. Using DPAPI Directly from ASP.NET
          3. More Information
      3. Using Web.config and Machine.config
      4. Using UDL Files
        1. ACL Granularity
          1. More Information
      5. Using Custom Text Files
      6. Using the Registry
        1. More Information
      7. Using the COM+ Catalog
        1. More Information
    8. Authenticating Users against a Database
      1. Store One-way Password Hashes (with Salt)
        1. Creating a Salt Value
        2. Creating a Hash Value (with Salt)
        3. More Information
    9. SQL Injection Attacks
      1. The Problem
      2. Anatomy of a SQL Script Injection Attack
        1. The Solution
        2. Additional Best Practices
        3. Protecting Pattern Matching Statements
    10. Auditing
    11. Process Identity for SQL Server
    12. Summary
  17. 13. Troubleshooting Security Issues
    1. Process for Troubleshooting
      1. Searching for Implementation Solutions
    2. Troubleshooting Authentication Issues
      1. IIS Authentication Issues
      2. Using Windows Authentication
      3. Using Forms Authentication
      4. Kerberos Troubleshooting
    3. Troubleshooting Authorization Issues
      1. Check Windows ACLs
      2. Check Identity
        1. More Information
      3. Check the <authorization> Element
    4. ASP.NET
      1. Enable Tracing
        1. More Information
      2. Configuration Settings
    5. Determining Identity
      1. Determining Identity in a Web Page
      2. Determining Identity in a Web service
        1. More Information
      3. Determining Identity in a Visual Basic 6 COM Object
    6. .NET Remoting
      1. More Information
    7. SSL
      1. More Information
    8. IPSec
    9. Auditing and Logging
      1. Windows Security Logs
        1. More Information
      2. SQL Server Auditing
        1. Sample Log Entries
      3. IIS Logging
    10. Troubleshooting Tools
      1. File Monitor (FileMon.exe)
        1. More Information
      2. Fusion Log Viewer (Fuslogvw.exe)
      3. ISQL.exe
        1. Connecting Using SQL Authentication
        2. Connecting Using Windows Authentication
        3. Running a Simple Query
      4. Windows Task Manager
      5. Network Monitor (NetMon.exe)
        1. More Information
      6. Registry Monitor (regmon.exe)
      7. WFetch.exe
        1. More Information
      8. Visual Studio .NET Tools
        1. More Information
      9. WebServiceStudio
      10. Windows 2000 Resource Kit
  18. Index of How Tos
    1. ASP.NET
    2. Authentication and Authorization
    3. Cryptography
    4. Enterprise Services Security
    5. Web Services Security
    6. Remoting Security
    7. Secure Communication
  19. How To: Create a Custom Account to Run ASP.NET
    1. ASP.NET Worker Process Identity
    2. Impersonating Fixed Identities
    3. Notes
    4. Summary
    5. 1. Create a New Local Account
    6. 2. Assign Minimum Privileges
    7. 3. Assign NTFS Permissions
    8. 4. Configure ASP.NET to Run Using the New Account
  20. How To: Use Forms Authentication with Active Directory
    1. Requirements
    2. Summary
    3. 1. Create a Web Application with a Logon Page
    4. 2. Configure the Web Application for Forms Authentication
    5. 3. Develop LDAP Authentication Code to Look Up the User in Active Directory
    6. 4. Develop LDAP Group Retrieval Code to Look Up the User’s Group Membership
    7. 5. Authenticate the User and Create a Forms Authentication Ticket
    8. 6. Implement an Authentication Request Handler to Construct a GenericPrincipal Object
    9. 7. Test the Application
  21. How To: Use Forms Authentication with SQL Server 2000
    1. Requirements
    2. Summary
    3. 1. Create a Web Application with a Logon Page
    4. 2. Configure the Web Application for Forms Authentication
    5. 3. Develop Functions to Generate a Hash and Salt value
    6. 4. Create a User Account Database
    7. 5. Use ADO.NET to Store Account Details in the Database
    8. 6. Authenticate User Credentials Against the Database
    9. 7. Test the Application
    10. Additional Resources
  22. How To: Create GenericPrincipal Objects with Forms Authentication
    1. Requirements
    2. Summary
    3. 1. Create a Web Application with a Logon Page
    4. 2. Configure the Web Application for Forms Authentication
    5. 3. Generate an Authentication Ticket for Authenticated Users
    6. 4. Construct GenericPrincipal and FormsIdentity Objects
    7. 5. Test the Application
      1. Additional Resources
  23. How To: Implement Kerberos Delegation for Windows 2000
    1. Notes
    2. Requirements
    3. Summary
    4. 1. Confirm that the Client Account is Configured for Delegation
    5. 2. Confirm that the Server Process Account is Trusted for Delegation
    6. References
  24. How To: Implement IPrincipal
    1. Requirements
    2. Summary
    3. 1. Create a Simple Web Application
    4. 2. Configure the Web Application for Forms Authentication
    5. 3. Generate an Authentication Ticket for Authenticated Users
    6. 4. Create a Class that Implements and Extends IPrincipal
    7. 5. Create the CustomPrincipal Object
    8. 5. Test the Application
    9. Additional Resources
  25. How To: Create a DPAPI Library
    1. Notes
    2. Requirements
    3. Summary
    4. 1. Create a C# Class Library
    5. 2. Strong Name the Assembly (Optional)
    6. References
  26. How To: Use DPAPI (Machine Store) from ASP.NET
    1. Notes
      1. Requirements
    2. Summary
    3. 1. Create an ASP.NET Client Web Application
    4. 2. Test the Application
    5. 3. Modify the Web Application to Read an Encrypted Connection String from Web.Config
    6. References
  27. How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
    1. Notes
      1. Why Use Enterprise Services?
      2. Why Use a Windows Service?
    2. Requirements
    3. Summary
    4. 1. Create a Serviced Component that Provides Encrypt and Decrypt Methods
    5. 2. Call the Managed DPAPI Class Library
    6. 3. Create a Dummy Class that will Launch the Serviced Component
    7. 4. Create a Windows Account to Run the Enterprise Services Application and Windows Service
    8. 5. Configure, Strong Name, and Register the Serviced Component
    9. 6. Create a Windows Service Application that will Launch the Serviced Component
    10. 7. Install and Start the Windows Service Application
    11. 8. Write a Web Application to Test the Encryption and Decryption Routines
    12. 9. Modify the Web Application to Read an Encrypted Connection String from an Application Configuration File
    13. References
  28. How To: Create an Encryption Library
    1. Requirements
    2. Summary
    3. 1. Create a C# Class Library
    4. 2. Create a Console Test Application
    5. References
  29. How To: Store an Encrypted Connection String in the Registry
    1. Notes
    2. Requirements
    3. Summary
    4. 1. Store the Encrypted Data in the Registry
    5. 2. Create an ASP.NET Web Application
    6. References
  30. How To: Use Role-based Security with Enterprise Services
    1. Notes
    2. Requirements
    3. Summary
    4. 1. Create a C# Class Library Application to Host the Serviced Component
    5. 2. Create the Serviced Component
    6. 3. Configure the Serviced Component
    7. 4. Generate a Strong Name for the Assembly
    8. 5. Build the Assembly and Add it to the Global Assembly Cache
    9. 6. Manually Register the Serviced Component
    10. 7. Examine the Configured Application
    11. 8. Create a Test Client Application
  31. How To: Call a Web Service Using Client Certificates from ASP.NET
    1. Why Use a Serviced Component?
      1. Why is a User Profile Required?
    2. Requirements
    3. Summary
    4. 1. Create a Simple Web Service
    5. 2. Configure the Web Service Virtual Directory to Require Client Certificates
    6. 3. Create a Custom Account for Running the Serviced Component
    7. 4. Request a Client Certificate for the Custom Account
    8. 5. Test the Client Certificate Using a Browser
    9. 6. Export the Client Certificate to a File
    10. 7. Develop the Serviced Component Used to Call the Web Service
    11. 8. Configure and Install the Serviced Component
    12. 9. Develop a Web Application to Call the Serviced Component
    13. Additional Resources
  32. How To: Call a Web Service Using SSL
    1. Requirements
    2. Summary
    3. 1. Create a Simple Web Service
    4. 2. Configure the Web Service Virtual Directory to Require SSL
    5. 3. Test the Web Service Using a Browser
    6. 4. Install the Certificate Authority’s Certificate on the Client Computer
    7. 5. Develop a Web Application to Call the Web Service
    8. Additional Resources
  33. How To: Host a Remote Object in a Windows Service
    1. Notes
    2. Requirements
    3. Summary
    4. 1. Create the Remote Object Class
    5. 2. Create a Windows Service Host Application
    6. 3. Create a Windows Account to Run the Service
    7. 4. Install the Windows Service
    8. 5. Create a Test Client Application
    9. References
  34. How To: Set Up SSL on a Web Server
    1. Requirements
    2. Summary
    3. 1. Generate a Certificate Request
    4. 2. Submit a Certificate Request
    5. 3. Issue the Certificate
    6. 4. Install the Certificate on the Web Server
    7. 5. Configure Resources to Require SSL Access
  35. How To: Set Up Client Certificates
    1. Requirements
    2. Summary
    3. 1. Create a Simple Web Application
    4. 2. Configure the Web Application to Require Client Certificates
    5. 3. Request and Install a Client Certificate
    6. 4. Verify Client Certificate Operation
    7. Additional Resources
  36. How To: Use IPSec to Provide Secure Communication Between Two Servers
    1. Notes
    2. Requirements
    3. Summary
    4. 1. Create an IP Filter
    5. 2. Create Filter Actions
    6. 3. Create Rules
    7. 4. Export the IPSec Policy to the Remote Computer
    8. 5. Assign Policies
    9. 6. Verify that it Works
    10. Additional Resources
  37. How To: Use SSL to Secure Communication with SQL Server 2000
    1. Notes
    2. Requirements
    3. Summary
    4. 1. Install a Server Authentication Certificate
    5. 2. Verify that the Certificate Has Been Installed
    6. 3. Install the Issuing CA’s Certificate on the Client
    7. 4. Force All Clients to Use SSL
    8. 5. Allow Clients to Determine Whether to Use SSL
    9. 6. Verify that Communication is Encrypted
    10. Additional Resources
  38. Base Configuration
  39. Configuration Stores and Tools
  40. Reference Hub
    1. Searching the Knowledge Base
      1. Tips
    2. .NET Security
      1. Hubs
    3. Active Directory
      1. Hubs
      2. Key Notes
      3. Articles
    4. ADO.NET
      1. Roadmaps and Overviews
      2. Seminars and WebCasts
    5. ASP.NET
      1. Hubs
      2. Roadmaps and Overviews
      3. Knowledge Base
      4. Articles
      5. How Tos
      6. Seminars and WebCasts
    6. Enterprise Services
      1. Knowledge Base
      2. Roadmaps and Overviews
      3. How Tos
      4. FAQs
      5. Seminars and WebCasts
    7. IIS (Internet Information Server)
      1. Hubs
    8. Remoting
      1. Roadmaps and Overviews
      2. How Tos
      3. Seminars and WebCasts
    9. SQL Server
      1. Hubs
      2. Seminars and WebCasts
    10. Visual Studio .NET
      1. Hubs
      2. Roadmaps and Overviews:
    11. Web Services
      1. Hubs
      2. Roadmaps and Overviews
      3. How Tos
      4. Seminars and WebCasts
    12. Windows 2000
      1. Hubs
  41. How Does It Work?
    1. IIS and ASP.NET Processing
      1. Application Isolation
      2. The ASP.NET ISAPI Extension
      3. IIS 6.0 and Windows .NET Server
        1. More Information
    2. ASP.NET Pipeline Processing
      1. The Anatomy of a Web Request
        1. Forms Authentication Processing
        2. Windows Authentication Processing
      2. Event Handling
      3. Implementing a Custom HTTP Module
      4. Implementing a Custom HTTP Handler
  42. ASP.NET Identity Matrix
  43. Cryptography and Certificates
    1. Keys and Certificates
      1. X.509 Digital Certificates
      2. Certificate Stores
      3. More Information
    2. Cryptography
      1. Technical Choices
      2. Cryptography in .NET
        1. Symmetric Algorithm Support
        2. Asymmetric Algorithm Support
        3. Hashing Algorithm Support
    3. Summary
  44. .NET Web Application Security
  45. Glossary
  46. Microsoft® patterns & practices
  47. Index
  48. About the Author
  49. Copyright