Security FAQ
May 13, 2009 02:30 AM
Contents
Q1: How do I run an ASP.NET 1.1 application in IIS 7?
Q2: How do I secure a password in ASP.NET applications?
Q3: How do you encrypt sections in web.config?
Q4: How do I access secured resources on remote machines in a domain environment?
Q5: Why does my site receive permission problems after publishing to the host?
Q6: Why do I get the error “Access to the path … is denied”?
Q7: How do I enable an ASP.NET server folders’ write permission?
Q8: How do I understand ASP.NET URL Authorization rules?
Q9: How do I protect non-page files by using ASP.NET URL Authorization?
Q10: How do I use SSL (Secure Sockets Layer) in an ASP.NET application?
Q11: Why does the customer need to log back in, even when “Remember me” has been selected?
Q12: How can I add my custom information for a user in a database?
Q13: How can I manage membership and role information during developing?
Q14: Why does my account get locked after several failures?
Q15: How do I log in to a forms authentication protected ASP.NET application via code?
Q1: How do I run an ASP.NET 1.1 application in IIS 7?
A: ASP.NET 2.0 (3.0 and 3.5) is easy to install on Windows Vista and Windows Server 2008: just install the ASP.NET component located under IIS -> World Wide Web Services -> Application Development Features. To install an ASP.NET 1.1 application in IIS 7, please check this link:
http://learn.iis.net/page.aspx/472/how-to-install-aspnet-11-with-iis7-on-vista-and-windows-2008/
Q2: How do I secure a password in ASP.NET applications?
A: Normally, in Forms Authentication, the password is sent as plain text from the client side, which is obviously not secure.
The password could be encrypted or hashed by JavaScript before it is sent to the server. However, anyone who captures the encrypted password and username can simply resend them and impersonate you, so encrypting the password on the client side is not secure either.
Two suggestions to keep your passwords secure during login:
1. To secure the password in transit, use Secure Sockets Layer (SSL).
To secure the password on the server side, hash it before storing it in the database. If you are using the Membership feature provided by ASP.NET, specify passwordFormat="Hashed" like this, and the password will be stored in the database as a hash automatically:
<membership>
  <providers>
    <add
      name="AspNetSqlMembershipProvider"
      type="System.Web.Security.SqlMembershipProvider, ..."
      connectionStringName="LocalSqlServer"
      enablePasswordRetrieval="false"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="true"
      applicationName="/"
      requiresUniqueEmail="false"
      passwordFormat="Hashed"
      maxInvalidPasswordAttempts="5"
      minRequiredPasswordLength="7"
      minRequiredNonalphanumericCharacters="1"
      passwordAttemptWindow="10"
      passwordStrengthRegularExpression=""
    />
  </providers>
</membership>
2. Hash the password and store it in the database manually (programmatically).
Check this link to learn how to generate a hash:
http://msdn.microsoft.com/en-us/library/w1t5hx6k.aspx
Check this link for a sample Membership Provider implementation:
http://msdn.microsoft.com/en-us/library/6tc47t75.aspx
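As an added illustration (not code from this FAQ or from ASP.NET itself), the Python below reproduces the stored form that passwordFormat="Hashed" with the default SHA1 validation produces, base64(SHA1(salt || UTF-16LE(password))) with a 16-byte base64 salt, so a stored hash can be verified, and beside it the salted, iterated PBKDF2 scheme you would use when hashing manually (in .NET, Rfc2898DeriveBytes). The sample password and the iteration count are my own constructions.

```python
import base64
import hashlib
import hmac
import os

# --- SqlMembershipProvider, passwordFormat="Hashed", validation="SHA1" (the FAQ's configuration) ---
# The provider stores a 16-byte random salt (base64) next to base64(SHA1(salt || UTF-16LE(password))).

def new_membership_salt():
    """16 random bytes, base64-encoded, as the provider keeps them in aspnet_Membership.PasswordSalt."""
    return base64.b64encode(os.urandom(16)).decode("ascii")

def membership_hash(password, salt_b64):
    """Reproduce the provider's stored Password column for a Hashed/SHA1 configuration."""
    salt = base64.b64decode(salt_b64)
    digest = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")

def verify_membership(password, salt_b64, stored_b64):
    """Constant-time comparison, so the check does not leak how many characters matched."""
    return hmac.compare_digest(membership_hash(password, salt_b64), stored_b64)

# --- Manual hashing (suggestion 2): salted, iterated PBKDF2 instead of a single SHA1 round ---
PBKDF2_ITERATIONS = 100_000   # constructed default; tune to your hardware

def pbkdf2_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'; self-describing, so the
    parameters can be raised later without breaking existing records."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())

def pbkdf2_verify(password, stored):
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

if __name__ == "__main__":
    salt = new_membership_salt()
    stored = membership_hash("Passw0rd!", salt)            # constructed sample password
    print("membership:", salt, stored, verify_membership("Passw0rd!", salt, stored))
    record = pbkdf2_hash("Passw0rd!")
    print("pbkdf2:", record, pbkdf2_verify("Passw0rd!", record))
```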
Q3: How do you encrypt sections in web.config?
A: Usually, the aspnet_regiis.exe tool (included in the .NET Framework) can be used to encrypt sections such as appSettings, connectionStrings, identity and sessionState in web.config. For further information, please refer to this article:
http://msdn.microsoft.com/en-us/library/ms998280.aspx
Also, the sections can be encrypted programmatically, for instance:
// Requires: using System.Configuration; using System.Web.Configuration;
// Get the current configuration file.
Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
// Get the section.
ConfigurationSection appSec = config.GetSection("appSettings");
if (appSec != null && !appSec.SectionInformation.IsProtected)
{
    // Encrypt the section with the DPAPI (machine-key) provider.
    appSec.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
    // Save the encrypted section.
    appSec.SectionInformation.ForceSave = true;
    config.Save();
}
Q4: How do I access secured resources on remote machines in a domain environment?
A: To access resources within a domain, it is recommended to use a domain user.
The identity IIS runs under can be changed and granted the required permissions on the shared resources, because the default IIS identity does not necessarily have permission to access domain resources. By default the identity is ASPNET on Windows Server 2000 and NETWORK SERVICE on IIS 6 and Windows Server 2008.
To change the identity of IIS, there are two possible ways:
1) Change the identity of the application pool in IIS directly. Please note that if a domain user is used to run the application pool, that user must also have the permissions required to run ASP.NET applications. This command grants them:
aspnet_regiis.exe -ga domain\user
But note that in a shared environment, individual application pools should have different identities; the directories on disk can then be ACLed independently with the different application pool identities. In general, sticking with shared identities like NETWORK SERVICE or IIS_IUSRS for file ACLs is bad, because it means any full-trust ASP.NET application ends up with access to the directory structures of other applications.
2) Enable impersonation in web.config like this:
<identity impersonate="true" userName="domain\user" password="****" />
PS. You will also have to run the -ga command first to grant the required permissions.
Q5: Why does my site receive permission problems after publishing to the host?
A: It is probably caused by different trust levels. When an ASP.NET application is developed in a test environment, it runs at Full trust level by default. However, when it is published to a production environment, the machine-level trust may not be set to Full for security reasons, so operations that require Full trust may fail. In this scenario, you need to contact the hosting provider.
Here is a good article discussing ASP.NET code access security:
http://msdn.microsoft.com/en-us/library/ms998326.aspx
Q6: Why do I get the error “Access to the path … is denied”?
A: It is probably caused by the permissions of the application pool identity. By default, the ASP.NET application can access the required .NET directories as well as its own application directory. To check which account it runs under, use the following code:
// Name of the Windows account the current request thread is running as
string name = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
Response.Write("Account running the current thread: " + name);
To access other directories, you need to grant that account the required permissions: add the account to the folder's user list on the Security tab.
Q7: How do I enable write permission on an ASP.NET server folder?
A: The ASP.NET application runs under the Network Service account by default. For security reasons, the Network Service account has no write permission on any folder except the "App_Data" folder.
To grant the Network Service account write permission, follow these steps:
1. Right-click the folder, choose Properties, and click the Security tab.
2. Click the "Add" button in the "Group or user names" section.
3. Type "Network Service" in the text box and click the "Check Names" button. Click "OK".
4. Under "Permissions for NETWORK SERVICE", select the "Allow" check box for "Write".
Q8: How do I understand ASP.NET URL Authorization rules?
A: Rules are applied as follows:
1. Rules contained in the application-level configuration files take precedence over inherited rules. The system determines which rule takes precedence by constructing a merged list of all rules for a URL, with the most recent rules (those nearest in the hierarchy) at the head of the list.
2. Given a set of merged rules for an application, ASP.NET starts at the head of the list and checks rules until the first match is found. The default configuration for ASP.NET contains an <allow users="*"> element, which authorizes all users. (By default, this rule is applied last.) If no other authorization rule matches, the request is allowed. If a match is found and the matching rule is a deny element, the request is returned with the 401 HTTP status code. If an allow element matches, the module allows the request to be processed further.
For more information, see:
http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx
http://support.microsoft.com/kb/316871
If you want to use ASP.NET Routing, check this link:
http://haacked.com/archive/2008/03/11/using-routing-with-webforms.aspx
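A Python model of the rule merging and first-match evaluation described in Q8, added here as an example; it is not the ASP.NET UrlAuthorizationModule itself. The Rule and Request types, the level ordering (outermost config first) and the sample rules are my own constructions; the <authorization> parsing uses the real allow/deny element names and users/roles/verbs attributes.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    users: Tuple[str, ...] = ()     # user names, "*" (everyone) or "?" (anonymous only)
    roles: Tuple[str, ...] = ()
    verbs: Tuple[str, ...] = ()     # empty tuple = the rule applies to every HTTP verb

@dataclass(frozen=True)
class Request:
    user: Optional[str]             # None = anonymous request
    roles: FrozenSet[str] = frozenset()
    verb: str = "GET"

# The implicit <allow users="*"/> that ASP.NET's default configuration contributes; it ends up last.
DEFAULT_RULE = Rule("allow", users=("*",))

def _split(attr):
    return tuple(x.strip() for x in (attr or "").split(",") if x.strip())

def rules_from_xml(authorization_xml):
    """Parse an <authorization> element into Rule objects, in document order."""
    root = ET.fromstring(authorization_xml)
    return [Rule(el.tag, _split(el.get("users")), _split(el.get("roles")), _split(el.get("verbs")))
            for el in root if el.tag in ("allow", "deny")]

def merge_rules(levels):
    """levels: rule lists from the outermost config (machine/root) to the innermost (the requested
    folder). Nearest rules go to the head of the merged list, so they win over inherited ones."""
    merged = []
    for rules in reversed(levels):
        merged.extend(rules)
    merged.append(DEFAULT_RULE)
    return merged

def _matches(rule, req):
    if rule.verbs and req.verb.upper() not in {v.upper() for v in rule.verbs}:
        return False
    for u in rule.users:
        if u == "*":
            return True
        if u == "?" and req.user is None:
            return True
        if req.user is not None and u.lower() == req.user.lower():
            return True
    roles = {r.lower() for r in req.roles}
    return any(r.lower() in roles for r in rule.roles)

def authorize(levels, req):
    """Walk the merged list from the head; the first matching rule decides ("allow" or "deny")."""
    for rule in merge_rules(levels):
        if _matches(rule, req):
            return rule.action
    return "allow"   # not reachable: DEFAULT_RULE matches every request

if __name__ == "__main__":
    # Constructed hierarchy: machine-level default, then an /admin folder that admits only Admins.
    root = rules_from_xml('<authorization><allow users="*"/></authorization>')
    admin = rules_from_xml('<authorization><allow roles="Admins"/><deny users="*"/></authorization>')
    print("anonymous on /admin:", authorize([root, admin], Request(None)))
    print("admin user on /admin:", authorize([root, admin], Request("bob", frozenset({"Admins"}))))
```

Note the ordering trap the FAQ describes: a child folder's <allow users="*"/> sits ahead of a parent's <deny users="?"/> in the merged list and therefore re-opens the folder to anonymous users.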
Q9: How do I protect non-page files by using ASP.NET URL Authorization?
A:
In IIS 6.0
1. Open the IIS manager console.
2. Right-click the web site or virtual directory and select Properties.
3. Choose the Directory or Home Directory tab.
4. Click the Configuration button under Application Settings.
5. Insert a wildcard application map: click Insert... and enter
“C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll” (the path may be different on your machine).
6. Restart IIS 6.0.
In IIS 7.0
1. Open the IIS manager console.
2. Under the Sites node, right-click the web site or the folder that contains the file you want to protect.
3. In the Features View, group by “Area” and, under the “IIS” section, click “Handler Mappings”.
4. In the “Actions” pane on the right side of the console, click “Add Managed Handler…”.
5. In the dialog, fill in the text boxes: Request Path: *; Type: System.Web.DefaultHttpHandler; Name: AuthFile.
6. Click OK and restart IIS 7.0.
IIS 7 also includes its own URL authorization module, which works for both ISAPI and integrated mode and protects all content requests. Check this link for details:
http://learn.iis.net/page.aspx/142/understanding-iis-7-url-authorization/
Q10: How do I use SSL (Secure Sockets Layer) in an ASP.NET application?
A: See “Configuring SSL in IIS Manager”:
http://learn.iis.net/page.aspx/378/configuring-ssl-in-iis-manager/
Q11: Why does the customer need to log back in, even when “Remember me” has been selected?
A: Basically, there are two possible reasons:
1) The cookie's timeout.
2) The machine key.
If “Remember me” has been selected, the ticket is still valid the next time the customer visits; otherwise it becomes invalid when the customer closes the browser. The timeout of the cookie depends on the configuration in web.config and is 30 minutes by default. The timeout can be set to any value, but once it expires the customer can no longer log in automatically. To remember the customer, select “Remember me” and set the timeout of the cookie to the largest value you are comfortable with.
Here is an example of changing the timeout property in web.config:
<authentication mode="Forms">
  <forms
    name="TicketCookie"
    loginUrl="Login.aspx"
    defaultUrl="Default.aspx"
    protection="All"
    timeout="400000"
    path="/"
    slidingExpiration="true"
    cookieless="UseCookies"
    requireSSL="false">
  </forms>
</authentication>
If the cookie timeout in web.config has been set to a large value and “Remember me” has been selected, the failed login may be caused by the machine key. The cookie is encrypted with the machine key, which is randomly generated by default. In some cases the machine key is generated again, which invalidates the cookie. To prevent this, specify a machine key in web.config like this:
<machineKey validationKey="your validation key goes here" decryptionKey="your decryption key goes here" validation="SHA1" />
The website linked below provides a tool for generating the machine key:
http://www.aspnetresources.com/tools/keycreator.aspx
For more information about machine keys, please check this article:
http://msdn.microsoft.com/en-us/library/ms998288.aspx
Q12: How can I add my custom information for a user in a database?
A: Membership and role information is stored in the Membership database and retrieved with the Membership API. If we want to store custom information in the database as well, we can take advantage of a user profile. The user profile is designed to store custom information other than membership and role data, and it lets us handle that custom user information in an easier way. For details, refer to this article:
http://www.odetocode.com/articles/440.aspx
Q13: How can I manage membership and role information during development?
A: When we develop our application in Visual Studio, we can take advantage of the ASP.NET Web Site Administration Tool to manage membership and role information. To start it, click the “ASP.NET Configuration” button in the Solution Explorer panel or on the Project menu. This starts the Visual Studio development web server and runs the website located in:
“%system%:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles”.
Q14: Why does my account get locked after several failures?
A: ASP.NET locks your account for 30 minutes if the wrong password is used more than 5 times. If you want to increase the maximum number of failures, set the maxInvalidPasswordAttempts property, for example to 20, like this:
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
  <providers>
    <clear/>
    <add
      name="SqlProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="MembershipConnetionString"
      applicationName="TestMembership"
      enablePasswordRetrieval="true"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="true"
      requiresUniqueEmail="false"
      maxInvalidPasswordAttempts="20"
      passwordAttemptWindow="10"
      passwordFormat="Encrypted" />
  </providers>
</membership>
If the account is locked, unlock it in one of the following two ways:
1) Use this code:
// GetUser returns null when the name is unknown, so check before unlocking
MembershipUser lockedUser = Membership.GetUser("username");
if (lockedUser != null && lockedUser.IsLockedOut)
{
    lockedUser.UnlockUser();
}
2) Modify the membership database manually. Open the aspnet_Membership table and set IsLockedOut, FailedPasswordAttemptCount and FailedPasswordAnswerAttemptCount to 0, and set FailedPasswordAttemptWindowStart, LastLockoutDate and FailedPasswordAnswerAttemptWindowStart to ‘1754-1-1’.
Q15: How do I log in to a forms authentication protected ASP.NET application via code?
A: If the user has not been authenticated, a page request to the server returns a 302 Found status code that redirects the request to the login page. The whole scenario can be divided into five phases:
1. Sending the request to a page which requires forms authentication. This results in a 302 to the login page.
2. Sending a request to the login page.
3. Parsing the response from phase 2 and creating a response entity containing a username/password to be used in the next post request to the login page.
4. POSTing to the login page. If successful this should return a 302 with Set-Cookies and a location header.
5. Sending a request to the location pointed to in the last response (this is the original page we requested in phase 1) with the request cookie returned in phase 4. Expect 200.
For a sample code, please see:
http://blogs.iis.net/ksingla/archive/2006/08/24/sample-forms-authentication-test-in-c.aspx
Starting in .NET 3.5, you can use the classes under the System.Web.ApplicationServices namespace to perform Forms Authentication from Windows Forms or WPF; see:
http://msdn.microsoft.com/en-us/library/system.web.applicationservices.aspx
If you want to use Forms Authentication via AJAX, see:
http://msdn.microsoft.com/en-us/library/bb398896.aspx
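An added Python example of the five-phase exchange above, written as an integration-test client; it is not the sample linked in the answer. The field names Login1$UserName, Login1$Password and the login button are assumed to be those rendered by an ASP.NET Login control with ID Login1 (check your page source), and the host, paths and credentials in the driver are placeholders.

```python
import html
import http.client
import re
from urllib.parse import urlencode, urlsplit

# Assumed control names for an ASP.NET Login control with ID "Login1"; adjust to your page.
USER_FIELD = "Login1$UserName"
PASS_FIELD = "Login1$Password"

def parse_form_fields(page_html):
    """Phase 3 input: every named <input> on the login page, including the hidden WebForms state
    (__VIEWSTATE, __EVENTVALIDATION) and the submit button; all of them must be posted back."""
    fields = {}
    for tag in re.findall(r"<input\b[^>]*>", page_html, flags=re.I):
        name = re.search(r'(?<![\w-])name="([^"]*)"', tag, flags=re.I)
        value = re.search(r'(?<![\w-])value="([^"]*)"', tag, flags=re.I)
        if name:
            fields[html.unescape(name.group(1))] = html.unescape(value.group(1)) if value else ""
    return fields

def build_login_body(fields, username, password, user_field=USER_FIELD, pass_field=PASS_FIELD):
    """Phase 3 output: the form-encoded entity for the POST, credentials filled into the control's fields."""
    body = dict(fields)
    body[user_field] = username
    body[pass_field] = password
    return urlencode(body)

def cookies_from_set_cookie(set_cookie_values):
    """Turn the Set-Cookie headers of phase 4 into the Cookie request header for phase 5."""
    jar = {}
    for raw in set_cookie_values:
        name, _, value = raw.split(";", 1)[0].partition("=")
        jar[name.strip()] = value.strip()
    return "; ".join("{}={}".format(k, v) for k, v in jar.items())

def _header(headers, name):
    return next((v for k, v in headers if k.lower() == name.lower()), None)

def _path(location):
    parts = urlsplit(location)   # Location may be absolute or relative; keep only path?query
    return parts.path + ("?" + parts.query if parts.query else "")

def _send(conn, method, path, headers=None, body=None):
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    return resp.status, resp.getheaders(), resp.read().decode("utf-8", "replace")

def login_and_fetch(host, protected_path, username, password, port=443, use_tls=True):
    """Run the five phases against a live site (not exercised offline); returns (status, cookie_header)."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port)
    status, headers, _ = _send(conn, "GET", protected_path)                   # phase 1: expect 302
    if status != 302:
        raise RuntimeError("phase 1: expected 302, got %d" % status)
    login_path = _path(_header(headers, "Location"))
    status, headers, page = _send(conn, "GET", login_path)                    # phase 2: login form
    body = build_login_body(parse_form_fields(page), username, password)      # phase 3
    status, headers, _ = _send(conn, "POST", login_path,                      # phase 4: expect 302
                               {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 302:
        raise RuntimeError("phase 4: login failed with status %d" % status)
    cookie = cookies_from_set_cookie([v for k, v in headers if k.lower() == "set-cookie"])
    status, _, _ = _send(conn, "GET", _path(_header(headers, "Location")),   # phase 5: expect 200
                         {"Cookie": cookie})
    return status, cookie

if __name__ == "__main__":
    # Placeholders: replace with your test site and a test account.
    print(login_and_fetch("example.test", "/Secure/Default.aspx", "testuser", "testpassword"))
```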