codeaholic
Participant
1367 Points
707 Posts
Web authentication with Abuse / Quota detection and prevention
Apr 25, 2012 10:55 PM
A lot of ASP.NET since 2.0 is rolled with its own "Forms Authentication" based security. However, this rudimentary forms authentication, as far as we know, does not have any "abuse detection", "quota detection", or any means of controlling misuse of usernames and passwords.
If you take a look at the www.flicks.com webquota product, it is the only solution we are aware of that solves these issues. The problem is that software is EXPENSIVE and runs as a filter DLL, meaning every time there is a new version of IIS, you have to upgrade. We have given that company well over $2000 in the past 10 years.
Does anyone know of any alternative to this webquota product that rolls "authentication" WITH "quota" and "abuse" prevention? Microsoft really should have this built into their product if they are going to take it on, but they don't as far as I know.
Please let me know.
Thanks.
BrockAllen
All-Star
27522 Points
4901 Posts
MVP
Re: Web authentication with Abuse / Quota detection and prevention
Apr 25, 2012 11:00 PM
There is the SqlServer Membership provider from Microsoft and that does some basic password guessing detection and account locking, but it's rudimentary.
I normally suggest to people to not bother with the entire membership provider model and build your own. While this is slightly more work, it 1) forces developers to think about and understand the security that they're implementing, and 2) you can customize it according to your needs.
Security is hard.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
codeaholic
Participant
1367 Points
707 Posts
Re: Web authentication with Abuse / Quota detection and prevention
Apr 26, 2012 01:11 AM
Yeh, the webquota stuff is miles beyond anything I've seen.
It looks for the number of requests within a certain time, from a certain IP, etc. You can block IPs, throttle login attempts, and all kinds of things.
Actually this sort of thing is so "fundamental"... object oriented principles force us to consider it really a "base" class, something that should come with the ASP.NET base classes. In fact, precisely because security is "hard". If ASP.NET cannot fundamentally "protect" its own web server, IIS, then it is useless in this day and age where security has become paramount. It's like telling everyone they have to build their own tires and only giving them rubber and a loud "good luck". Every car can be different, but for the most part, tires are tires. You need them and if they aren't safe, it really doesn't make any difference how safe you make the rest of the vehicle.
Ahh, so many product ideas and so little time. Someone run with this, it's a "million dollar" idea.
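
The throttling described in this thread (counting attempts from an IP or against a username within a time window and blocking once a limit is hit) can be sketched as a sliding-window counter. This is an added example, not part of the original posts and not code from webquota or ASP.NET; `LoginThrottle`, its method names, the key format and the sample IP and timestamps are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper (not an ASP.NET API): sliding-window count of failed logins per key.
public sealed class LoginThrottle
{
    private readonly int _maxFailures;
    private readonly TimeSpan _window;
    private readonly Dictionary<string, Queue<DateTime>> _failures = new Dictionary<string, Queue<DateTime>>(StringComparer.OrdinalIgnoreCase);
    private readonly object _gate = new object();
    public LoginThrottle(int maxFailures, TimeSpan window) { _maxFailures = maxFailures; _window = window; }

    // Call BEFORE verifying the password, once for "ip:<addr>" and once for "user:<name>".
    public bool IsBlocked(string key, DateTime nowUtc)
    {
        lock (_gate)
        {
            Queue<DateTime> q;
            if (!_failures.TryGetValue(key, out q)) return false;
            while (q.Count > 0 && nowUtc - q.Peek() >= _window) q.Dequeue(); // expire old failures
            if (q.Count == 0) _failures.Remove(key);                         // keep the table small
            return q.Count >= _maxFailures;
        }
    }

    // Call AFTER a failed password check. Blocked keys never reach this, so queues stay bounded.
    public void RecordFailure(string key, DateTime nowUtc)
    {
        lock (_gate)
        {
            Queue<DateTime> q;
            if (!_failures.TryGetValue(key, out q)) _failures[key] = q = new Queue<DateTime>();
            q.Enqueue(nowUtc);
        }
    }

    // Call on successful login for the "user:" key only; clearing the "ip:" key would let
    // one valid account reset the counter for guessing against other accounts.
    public void Reset(string key) { lock (_gate) { _failures.Remove(key); } }
}

public static class Demo
{
    public static void Main()
    {
        var throttle = new LoginThrottle(3, TimeSpan.FromMinutes(5));
        var t0 = new DateTime(2012, 4, 26, 0, 0, 0, DateTimeKind.Utc);   // constructed timestamps
        string ip = "ip:203.0.113.7";                                     // constructed address (documentation range)
        for (int i = 0; i < 3; i++) throttle.RecordFailure(ip, t0.AddSeconds(i * 10));
        Console.WriteLine(throttle.IsBlocked(ip, t0.AddSeconds(30)));     // three failures inside the window
        Console.WriteLine(throttle.IsBlocked(ip, t0.AddMinutes(6)));      // all failures have aged out
    }
}
```

The state here lives in one process's memory; a web farm would need the counters in a shared store, and requests arriving through a proxy need the client address taken from a header the proxy is trusted to set.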