ASP.NET Security Models

RELATED: "Securing ASP.NET MVC," "The Definitive Guide to ASP.NET Security," and "ASP.NET Security Design Guidelines."

Selecting an appropriate authentication and authorizationstrategy can be one of the most important tasks in your application developmentprocess. And after selecting a strategy, it must be properly administered toprevent or alleviate many security risks. To gain an advantage from planning security specifications,you must perform the following steps:

To narrow the focus a bit, let s explain these six steps.

Identify resources.All the resources used in a Web application can be identified in three maincategories: Web Server Resources, such as Web pages, Web service, and staticresources (files); Database Resources; and Network Resources, such as datastored in Active Directory.

Specify user accessto resources. Users can access application resources with the authorizationthat an application gives them. The two kinds of authorization provided are role-based(access to resources specified by associated user roles), and resource-based(an application uses impersonation to allow access checking by Windows ACLs.

Consider identity flow.You must consider the original caller s identity across your application basedon resource manager authorization and auditing requirements.

Decide how to flowidentity. You can choose the following identities across your application:

Select an authenticationapproach. Authentication is the process of discovering and verifying theidentity of a user by examining the user s credentials and then validatingthose credentials against some authority. There are two things that are vital whenchoosing an authentication approach. First is the user s browser type and whetherthey have a Windows account. Second is using impersonation/delegation in yourapplication.

Select an authorizationapproach. Authorization is the process of determining whether a user isallowed to perform a requested action. Authorization occurs afterauthentication and uses information about a user s identity and roles todetermine which resources that user can access. If you want to implementauthorization in your code, you can choose one or both of two approaches: role-basedand resource-based. In the role-based approach, users access each part of an applicationbased on their roles. Role-based security happens within an application sfront-end or back-end (or both). The resource-based approach authorizes usersby Windows ACLs and access control mechanisms implemented by the operatingsystem. The hierarchies of access check the process sequentially as theapplication impersonates the caller and leaves it to the operating system, inconjunction with specific resource managers (file system, database, etc.), to authorize.

The diagram in Figure 1 depicts the authentication andauthorization priority in a .NET security scenario. The diagram in Figure 2displays the .NET technologies and associated security strategies.

Figure 1: Authentication and authorizationpriority.

Figure 2: .NET technologies andsecurity models.

ASP.NET Authentication Modes

ASP.NET works with IIS to provide the following securitymodels: Windows authentication, Forms authentication, Passport authentication,and none (see Figure 3).

Figure 3: ASP.NET security services.

Windowsauthentication. Windows authentication is dependent on IIS authenticationto create a user credential. IIS has five authentication mechanisms:

Formsauthentication. An unauthenticated user gets redirected to the login page toenter their credential. The Web server then creates an authentication ticketfor the user.

Passportauthentication. ASP.NET uses the centralized authentication services ofMicrosoft Passport. This is covered in detail toward the end of this article.

None. This meansthat you don t want to use an authentication mechanism (or want to use a customauthentication). This mechanism doesn t have any special configuration toimplement, so only the first three methods of authentication will be discussedin this article.

Windows Authentication

In this section we ll discuss Windows authentication configuration,and Windows authorization configuration and roles checking. Before using thisstrategy you need to know which mechanism is recommended when. First of all, Windowsauthentication (see Figure 4) can be applied only on intranet applications thatuse Windows users and groups. Also, based on security issues, you should use thecentral user registration of Windows. Use only Microsoft Internet Explorerand no proxy server or firewall should be used on the server.

Figure 4: Windows authentication.

Impersonation and delegation.A service or a component (usually somewhere within the logic of the businessservice layer) impersonates a client s identity (using operating system-levelimpersonation) before it accesses the next downstream service. If the nextservices are located on the same computer, then impersonation is required. Ifthe next services are located on a remote computer, delegation is required.

This mechanism also can be used with or withoutimpersonation (in the following circumstances). With impersonation:

There are, however, some disadvantages to impersonation. Forexample, it can reduce application scalability by using an inefficient pooldatabase connection, and it can make administrators do more to create ACLs for anindividual user.

Without impersonation:

Windows Authentication Configuration

Follow these steps before using the Windows authenticationconfiguration mechanism:

Figure 5: Windows authenticationconfiguration.

Figure 6: Windows authenticationconfiguration.

Likewise, you need to force application users to log on toyour site in one of two ways: disable anonymous access in IIS and the web.configfile or use NTFS permission to preclude anonymous accessing. You must writethese lines into the web.config or machine.config file to configure a .NETapplication to impersonate an IIS authenticated caller:

Windows ACLs(Access Control Lists). You can configure Windows ACLs on resourcesaccessed by your application (files, folders, registry keys, Active Directoryobjects, etc.) against the original caller. In other words, you can create filesystem permissions on specific application files. The ASP.NETFileAuthorizationModule class performs access checks for requested file typesthat are mapped to the ASP.NET ISAPI DLL. Thus, you can define which clientshave access to which resources by creating and modifying the ACLs associatedwith those resources and by enabling and disabling client privileges.

URL authorization.URL authorization specifies which pages can be accessed based on users or roles(you can restrict users and roles by denying or allowing keywords); simply putthe authorization tag into the web.config file:

For example:

Note: * refers to all identities (anonymous andauthenticated) and ? refers to anonymous identity. Add or to the authorization tag, otherwise unauthenticatedusers are known as authenticated users. URL authorization only applies to filetypes that are mapped by IIS to the ASP.NET ISAPI extension aspnet_isapi.dll. Youcan use a location tag to determine authorization for a specific page. InWindows authentication mode, you must use a Windows and Users account toauthorize. The User names take the form DomainNameWindowsUserName and Rolenames take the form DomainNameWindowsGroupName . For example, the localadministrators group is referred to as BUILTINAdministrators ; the localusers group is referred to as BUILTINUsers .

Enterprise Services (COM+) Roles. Roles aremaintained in the COM+ catalog. You can configure roles with the ComponentServices administration tool or script. Note: The main difference betweenauthentication with or without impersonation simply concerns EnterpriseServices (COM+) Roles. Authentication with impersonation can use EnterpriseServices (COM+) Roles, whereas authentication without impersonation is notallowed to use Enterprise Services (COM+) Roles.

Programmatic Security

Sometimes you want to apply and manage applicationsecurity by your own custom mechanism at the application level. This is knownas programmatic security. The following methods are applied to use programmaticsecurity.

.NET PrincipalObjects. WindowsPrincipal Object. This object helps you control access toyour code with a defined Windows user account. It is automatically created whenyou use Windows authentication in IIS. An instance of WindowsIdentity is neededto use this object:

//Get the current identity and put it into an identity object.WindowsIdentity TestId = WindowsIdentity.GetCurrent();//Put the previous identity into a principal object.WindowsPrincipal Prin = new WindowsPrincipal(TestId); 

GenericPrincipal Object. Use this object with your owncustom roles, which may be stored in a database; you can then populate theminto the OnAuthenticate event. An instance of WindowsIdentity is needed to usethis object:

//Create generic identity.GenericIdentity TestId = new GenericIdentity("TestId");//Create generic principal.String[] StrArray = {"Manager", "Supervisor"}; GenericPrincipal Prin = new GenericPrincipal(TestId, StrArray); 

Explicit RoleChecks. .NET security is the top level of Windows security. Windows securityis based on security context provided by the logon session; the .NET Frameworkis based on IPrincipal and IIdentity objects. You can perform role checkingusing the IPrincipal or IIdentity interface:

IPrincipal.IsInRole("DomainNameWindowsGroup"); 

Enterprise Services (COM+) Roles. You can performrole checking programmatically using the ContextUtil class:

ContextUtil.IsCallerInRole("Manager"); 

Forms Authentication

Forms authentication is a custom mechanism that allows youto authenticate user credentials with information that you saved in your desireddata store, such as a database or XML files (see Figure 7). The Forms authenticationmechanism is based on browser cookies, so after you give an authentication ticketto each user, it helps you restrict access to your site s pages.

Figure 7: Forms authentication.

The three .NET classes most often used with Forms authenticationare: FormsAuthentication, FormsAuthenticationTickets, and FormsIdentity. You canuse this mechanism when you don t want to use a Windows accounts, or when youneed to verify a user s access by its credential.

You can provide authorization based on user name or role membership.So, you can use programmatic security to perform fine-grained authorizationwithin methods. For example, you can use explicit role checks such as IPrincipal.IsInRole.If you decide to use Forms authentication, you must follow these steps:

To configure IIS for anonymous access, start IIS using theadministrative tools. Select your application s virtual directory, right-click,and select Properties. Click on Directory Security. Select Edit in theAnonymous access and authentication control group; select Anonymous access. Usethis code to configure ASP.NET for Forms authentication:

    protection="Encryption"         timeout="20"                path="/" >               

If you want more security options, you can customize the machineKeytag, which is used to encrypt, decrypt, and validate the authentication ticketfor Forms authentication. This tag is located within the machine.config file andhas three elements; its default setting is:

To use machineKey you must set the protection element toEncryption. The validationKey attribute is used to create and validate MessageAuthentication Code (MAC) for the Forms authentication ticket and viewstate.

The decryptionKey attribute is used to encrypt and decryptthe Forms authentication ticket and viewstate.

Using the validation attribute you specify which algorithmshall be implemented for encryption, decryption, or validation. The availablealgorithms are:

Next, put the IPrincipal object into the current HTTP context.The main benefit of dividing users into specific roles is that you can definean access level for each group, then add it to HTTP context. Therefore, youmust add these lines of code to the Application_AuthenticationRequest method inthe Global.asax file for authenticated users:

String roles = ("Manager|Employee|Sales");Context.User CUI = new GenericPrincipal( Context.User.Identity, roles); 

Note: Retrieve a role list from the custom data store andstore a delimited list of roles within the UserData property of theFormsAuthenticationTicket class. This improves performance by eliminatingrepeated access to the data store for each Web request and saves you fromstoring the user s credentials in the authentication cookie. For each requestafter initial authentication:

It is recommended to use two cookies; one for personalizationand one for secure authentication and authorization. Make the personalizationcookie persistent (make sure it doesn t contain information that would permit arequest to perform a restricted operation; for example, placing an order withina secure part of a site). Ensure cookies are enabled within the client browser.You must use aspnet_isapi.dll if you want to use other file types for Forms authentication.

Now create a logon Web form. In this case, create a simpleWeb form; for example, one that includes two labels and two textboxes (one for username and one for password). You also must configure the web.config file toauthentication and authorization goals:

And you can also deny access for all unauthenticatedrequests to your application page(s):

You also must create a credential validation method againsta database by using ADO.NET objects. In this regard you should write a methodto validate user information against registered information in your database. Inaddition to validating a user s information, you need a method to retrieve auser s role from a SQL Server database or Active Directory to apply an accesslevel:

string roles = GetRoles(txtUserName.Text, txtPassword.Text);

Create a Forms Authentication Ticket

After creating a credential validation method and one to retrievea user s role, you must handle it from an event. As you can see in Figure 8,after a user clicks the logon button, their credential is checked by theCredValidation method. Then your GetRoles method assigns and stores roles inthe ticket.

// Validate credentials against either a SQL Server database or Active Directorybool isAuthenticated = CredValidate(txtUserName.Text, txtPassword.Text );If (isAuthenticated == true){string roles = RetrieveRoles(txtUserName.Text, txtPassword.Text);/* Create the authentication ticket and store the roles in the custom UserData  property of the authentication ticket */FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,                          // Represent the version number of Ticket //txtUserName.Text,           // user name of Ticket owner //DateTime.Now,               // Creation time of Ticket //DateTime.Now.AddMinutes(20),// Expiration time of Ticket //false,                      // Determine user persistent //roles );                    // The roles of user //// Encrypt the ticket.string encryptedTicket = FormsAuthentication.Encrypt(authTicket);// Create a http cookie and add the encrypted ticket to it as data.HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName,encryptedTicket);// Add the cookie to the outgoing cookies collection.Response.Cookies.Add(authCookie);// Redirect the user to the originally requested page.FormsAuthentication.GetRedirectUrl(txtUserName.Text,false);}}

Figure 8: Check credentials,then assign and store the roles in a ticket.

Microsoft Passport Authentication

Passport is one of the Web-based services that makes userauthentication of your site faster and more reliable. It is a centralizedauthentication mechanism for the users who registered their information at the MicrosoftPassport site. The user of each participating site should be authenticatedbefore they can access restricted pages, so users should be redirected to the Passportsite and, after successful login, automatically redirected back to the site.

It s not a free service; you must pay about $10,000 peryear. But at this time, approximately 120,000,000 users are registered and havePassport ID, which makes its use more reasonable.

Authentication versusauthorization. Microsoft Passport provides authentication service only. Thismeans you must use your application-defined mechanism to gain authorizationservice for restricted access to your site resources.

There are two major advantages to Passport authentication:

Passport Manager andPassportIdentity. The Passport Manager is a base component that connectsparticipating Web sites to Passport authentication servers; PassportIdentity isa primary component that helps control the Passport Manager.

The Passport Manager can protect and encrypt a user s datafrom malicious work, and it handles all cookie settings without the need for manualchanges. The Passport Manager Administrative Utility is a graphical interfaceof Passport Manager that helps to change the parameters of PassportIdentity.Passport Manager is included with Windows Server 2003 and you can run it by typingmsppcnfg.exe at the run command box. However, for Windows XP you shoulddownload and install Passport Manager to configure it. To use PassportIdentityin ASP.NET pages, first make some changes in the web.config file to enablePassport authentication (see Figure 9).

Figure 9: EnablingPassport authentication.

PassportIdentity must be instantiated from its namespace:

System.Web.Security.PassportIdentity PID =  (System.Web.Security.PassportIdentity) Context.User.Identity; 

PassportIdentity must be instantiated on each page,because single instantiation may cause failure in read and write during the loadand unload processes, and multiple instantiation has memory overhead, which canlead to adverse side effects on performance.

Verify User Authentication

You can use code to determine the authentication status ofthe user and also to customize the appearance of the page with a specific Passportlogo (see Figure 10). It is recommended you clear the query string of thebrowser s address to avoid any malicious user attacks.

void Page_Load(Object sender, EventArgs e) { PassportIdentity PID = Context.User.Identity; // if the user Is Authenticated Clear query string // if (PID.GetFromNetworkServer)   Response.Redirect(Request.Path); //Change the passport logo image base on Authenticated //or None Authenticated User // if (PID.IsAuthenticated)  Authlogo.Visible = true; else  NoneAuthlogo.Visible = true; 

Figure 10: Verifyingauthentication status.

After user registration, the user profile is saved on theMicrosoft Passport servers and the participating site does not have directaccess to its user profile but they can request a profile indirectly by usingthe GetProfileObject method of PassportIdentity. The user profile attributes arelisted in Figure 11.

Figure 11: Userprofile attributes.

Passport has two distinctive environments: preproductionand production. Preproduction works as a pilot environment to develop the stageof the participating Web site. It s a real-world simulation that helpsdevelopers test and validate their code. Production is the real-world environmentthat s accessible for the site s users. Participating Web sites may want totest their Passport components first in the preproduction environment; then,after resolving any problems, bring them up to the production environment.

Passport uses two kinds of cookies (instead of session-statevariables): Domain-Authority and Participating Site. The cookies listed inFigure 12 are available from *.passport.com (* refers to participating sitename) and can only be used with the Microsoft Passport site.

Figure 12: Domain-Authoritycookies.

The cookies listed in Figure 13 are available toparticipating sites. When you configure Passport Manager, you can define thestore location of the cookies to the root domain (Cookie Domain) or anotherpath (Cookie Path). But by default, they are written to the root domain of thesite, and participating sites are responsible to delete all the cookies whenthey want to sign out.

Figure 13: ParticipatingSite cookies.

To refer each user of participating sites, Passport mustuse a unique ID. The specific attribute most appropriate for this is sign-inname. Although it is unique, based on security reasons it is not stored in thePassport profiles. Member Name cannot be unique because it is possible thatmany registered users have the same name. Preferred Email is not a requiredattribute, so it cannot be used as a unique identifier. Therefore, the uniqueidentifier that Passport needs must have two major futures: uniqueness and security.

Passport uses Passport Unique Identifier (PUID), whichrepresents the attributes MemberIDLow and MemberIDHigh. Each attribute has eightcharacters in a string. To use this unique identifier in your Web site pagesyou must write this code at the beginning of each page:

System.Web.Security.PassportIdentity PID =  (System.Web.Security.PassportIdentity) Context.User.Identity; 

To authenticate users, the sign-in method is applied:

//User should be authenticated for an hourif (PID.GetIsAuthenticated(3600,false,false)){  //Determine user's PID.  string Memberidhigh, Memberidlow;  Memberidhigh = PID.GetProfileObject("MemberIDHigh").ToString();  Memberidlow = PID.GetProfileObject("MemberIDLow").ToString();  // Check for this user's record in your consent database  /*   The LogoTag2 method used to returns an HTML fragment containing   an image tag for a Microsoft Passport link.   The image displays either the Sign In or Sign Out IMG source,   as appropriate.  */ if (ConsentIsInDatabase(Memberidhigh,Memberidlow))   SignedIn = true; else   SignedIn = false;}

Figure 14: Verifythe user has granted consent for your site to keep their profile.

As mentioned, Passport uses cookie variables to save user-statevariables. So any participating site has a series of cookies to keep the authenticationstate of users. Thereby, after each sign-out, all the cookies must be deleted. Whenthe SignOut method calls, the first step is to determine which participatingsite the user is currently logged in to, then all the cookies from *.domain.commust be deleted by SignOut. You specify the URL of the mentioned method using theExpire Cookie Url field in the .NET Service Manager when you configure it.

To implement sign-out, the user should be able to sign-outby each page that used the LogoTag2 method. Your site should also have a SiteID to delete the cookies. Then, verify that the Passport Manager installation hasset cookies to the correct path. Finally, delete all the cookies used by assigninga null value, such as MSPAuth, MSPProf, etc.:

Response.ContentType = "image/gif";   //Set content type to load GIF or JPEG into   //Internet Explorer//Response.Expires = -1;Response.AddHeader("P3P", "CP=""); //Allows cookies to be deleted by your site//Response.Cookies("MSPProf").Value = "";Response.Cookies("MSPProf").Expires = DateTime.MinValue;   //Delete profile cookie//System.Web.Security.PassportIdentity.SignOut( "images/SignoutImg.gif"); 

Conclusion

This article has covered the authentication and authorizationmodels that can be used in ASP.NET. Available authentication models areWindows, Forms, Passport, and none; available authorization models are Files,URL, Principal Objects, and .NET Roles. Keep in mind that the best security strategycan be implemented when you have detailed information about the authenticationand authorization models of the technologies used in your application. For moreinformation about ASP.NET security models visit http://msdn.microsoft.com.

The sample codeaccompanying this article is available for download.

Ata Allah Yazdani isa software engineer and manager of the Analyzing and Defining SolutionArchitecture committee at Ashian, an IT consultancy and software development company.He can be reached at mailto:[email protected].