Security – Programming Issues
Michelle Johnston, Firebird Services Ltd
What Is Authentication?
• Let's assume you want to restrict access to selected portions of your website.
• For example, you might have valuable information, such as real-time stock quotes (like Reuters or Datastream), or you want to charge a monthly fee in order to access your database.
• In these cases, you want to let people in, but only after checking that visitors have used an authorized username and password.
• Additionally, you might want to provide access to the bulk of your website for the simple price of a visitor's email address, creating an effective method for tracking visitors.
• Asking a visitor for their username and password (or their credentials) is called Authentication.
• On the world wide web, the oldest and most widely supported authentication method is Basic Authentication.
Authentication Options
• IIS NT Challenge Response
  • A good choice if you are on a Windows network, you can require the use of IE, and there's no proxy server between the browser and the server.
• ASP.NET Authentication
  • Another good option, with some of the same setbacks as NT Challenge Response.
  • You cannot protect non-ASP pages without a significant performance hit.
  • Supports forms-based authentication, Passport authentication, and Windows authentication, but not Basic Authentication.
  • A single web.config file contains the information related to the level and type of authentication service.
• IIS Basic Authentication
  • Can expose your NT usernames and passwords unless all connections are over SSL.
• A Basic Authentication filter such as AuthentiX
  • Cannot compromise NT accounts. High performance, large numbers of users. Can validate against ODBC or an internal database. Many advanced features.
• Write your own filter
  • Flexible, but resource intensive to build.
• Digest Authentication
  • Similar to NTLM (using a challenge-response protocol, although it does not provide for mutual authentication), this authentication method may weaken password storage security significantly.
• Cookie Based Authentication with ASP pages
  • Only protects ASP pages. Can be slow. Requires cookies. Cookie-based systems can be susceptible to spoofing.
• Self-authenticating ISAPI DLLs, CGI scripts using Basic Authentication
  • Good performance, all content generated through a single URL. Doesn't use the conventional directory/file/html format.
• Certificate based
  • Secure, but intimidating for webmasters and surfers alike. Requires SSL.
Authentication
• Instead of letting your members choose their own username, assign their email address as their username. Email addresses are perfect for usernames: they are hard to forget, and always unique!
Authentication
• Which should I use?
• In deciding which type of Authentication to use, it's important to keep the following points in mind:
  • You want the widest possible audience, along with browser and platform independence. (Impacts NTCR (Integrated Windows Authentication in Windows 2000) and cookies.)
  • Performance is critical. If (as you hope) your site becomes wildly popular, you don't want a dead-slow server. (Impacts SSL/certificates, ASP.)
Authentication
• NT Challenge Response
  • Included as one of the options when you set up each IIS directory.
  • Any directory you want to protect must be on an NTFS partition.
  • In Internet Service Manager (IIS 1-3) or the Microsoft Management Console for IIS (IIS 4 and up), select the directory you want to protect. Make sure Basic (Clear Text) is off and Windows NT Challenge Response is on. You can leave Allow Anonymous on.
Authentication
• NT Challenge Response
  • Create an account for each user you want to provide access to.
  • Remove the permissions for "IUSR_machinename" from the directory, and add permissions for the added users.
  • Alternatively, set up a group, permit access to that group, and add permitted users to the group.
  • Remember, the user will need execute rights if the directory has any ASP, ISAPI extensions, counters, and so on.
Authentication
• Why NOT use NT Challenge Response?
  • Can only be used with the IE browser, not Netscape et al.
  • Cannot be used with directories on FAT partitions.
  • Problematic if you have a large user base:
    • clutters the NT user database
    • it becomes very difficult to maintain
    • it can also impair the speed of the operating system
    • it can also be a problem because of potential security risks. You are elevating a 'mere' web surfer to the status of a full NT user. You have to be careful not to inadvertently grant too many permissions.
  • Will not work through a proxy.
Authentication
• IIS Basic Authentication
  • Included as an option when you set up each IIS directory.
  • The directory must be on an NTFS partition.
  • Through either Internet Service Manager (IIS 1-3) or the Microsoft Management Console for IIS (IIS 4 and up), select the directory. Turn on Basic (Clear Text) and turn off Windows NT Challenge Response. It is OK to leave Allow Anonymous on.
Authentication
• Why NOT use IIS Basic Authentication?
  • Usernames and passwords are sent as clear text over the network by default.
  • Use only in conjunction with SSL (you must buy a certificate from Verisign or Thawte).
  • Recognise the set-up issues, cost and performance overhead involved in using SSL.
Authentication
• A Third Party Basic Authentication filter
  • Free evaluation version
  • Protects Windows user IDs and passwords
  • Browser independence
  • Performs better than IIS Basic over SSL
  • Can limit concurrent logins
Authentication
• Why NOT use a Third Party Basic Authentication filter?
  • If you do not know or cannot trust the third party, don't use it.
  • If protecting your premium content directories does not warrant the price of registration.
  • If Cookie Based Authentication is not secure enough for your purposes.
  • If you want all accounts of every type in the NT user account database, for administrative reasons.
Authentication
• Authentication using ASP.NET methods
  • ASP.NET allows more control over configuring different authentication methods:
    • Forms-based authentication: simply put, forms-based authentication uses a cookie for authentication.
    • Passport authentication: requires Microsoft's Passport authentication service.
    • Windows authentication: a.k.a. integrated Windows authentication.
Authentication
• FORMS BASED AUTHENTICATION
  • Useful if you want to use accounts that are separate from Windows accounts (e.g. AD/AM or SQL Server accounts).
  • Not useful if you are concerned about attackers exploiting the cookie.
  • Can be slow, as there is a performance hit associated with resources mapped to Aspnet_isapi.dll.
Authentication
• PASSPORT AUTHENTICATION
  • Good for "single sign-on" across multiple domains.
  • Not good if you are concerned about being dependent on an external Microsoft resource for the authentication process.
Authentication
• Cookie Based Authentication using a third party filter
  • Can simplify your ASP and ASP.NET code.
  • Can reduce ASP code so your app runs FASTER.
  • Can provide single sign-on features.
  • There is no risk of revealing your source code and data source locations/passwords.
  • Browser independent.
Authentication
• Write your own Basic Authentication filter
  • You will need to build a DLL that conforms to the ISAPI filter specification and has the following entry points:
    • GetFilterVersion
    • HttpFilterProc
  • The GetFilterVersion function is the first entry point called by IIS. In this function you set the IIS notifications that you want to receive, and perform any other first-time setup tasks.
  • The HttpFilterProc function is called in response to the notifications set in GetFilterVersion, and is where the work of the filter is actually done.
  • For help developing an ISAPI filter, Que's "Special Edition Using ISAPI", ISBN 0-7897-0913-9, is recommended (this writer also contributed to it).
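The following is an added illustration, not code from this presentation or from any product it names. It shows the credential check that a Basic Authentication filter's HttpFilterProc has to perform on each request (the work the slides above describe), written as portable C so it compiles without the IIS SDK: the Authorization header is only base64-encoded, so the decoded payload is literally "user:password" and is readable to anyone between browser and server, which is why the earlier slides insist on SSL. The user names, passwords, credential table and the function names check_basic_auth, b64_decode and ct_equal are assumptions constructed for the example; a real filter would validate against NT accounts, ODBC or its own database instead.

```c
#include <stdio.h>
#include <string.h>

/* Constructed credential store for this example only. A real filter would
 * consult NT accounts, ODBC or an internal database (assumption). */
static const struct { const char *user; const char *pass; } CREDS[] = {
    { "alice@example.com", "correct horse" },
    { "bob@example.com",   "s3cret" },
};

/* Decode standard base64 into out; returns the decoded length, or -1 on
 * malformed input. Stops at the first '=' padding character. */
static int b64_decode(const char *in, unsigned char *out, int outcap) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0;
    int bits = 0, n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) return -1;                      /* not a base64 character */
        acc = (acc << 6) | (unsigned)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outcap) return -1;         /* would overflow the buffer */
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return n;
}

/* Compare two strings without leaking where they first differ. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la ^ lb);
    for (i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Validate the value of an HTTP "Authorization" header, e.g.
 * "Basic YWxpY2U6c2VjcmV0". Returns 1 when the credentials match and copies
 * the user name to user_out (if non-NULL); returns 0 otherwise. */
int check_basic_auth(const char *authz, char *user_out, size_t user_cap) {
    unsigned char buf[256];
    const char *user, *pass;
    char *colon;
    size_t i;
    int n;

    if (strncmp(authz, "Basic ", 6) != 0) return 0;   /* not Basic at all */
    authz += 6;
    while (*authz == ' ') authz++;
    n = b64_decode(authz, buf, (int)sizeof buf - 1);
    if (n < 0) return 0;
    buf[n] = '\0';

    /* The decoded bytes are "user:password" in the clear: every proxy and
     * sniffer on the path sees the password unless the link is SSL. */
    colon = strchr((char *)buf, ':');
    if (!colon) return 0;
    *colon = '\0';
    user = (char *)buf;
    pass = colon + 1;

    for (i = 0; i < sizeof CREDS / sizeof CREDS[0]; i++) {
        if (strcmp(CREDS[i].user, user) == 0 && ct_equal(CREDS[i].pass, pass)) {
            if (user_out) snprintf(user_out, user_cap, "%s", user);
            return 1;
        }
    }
    return 0;
}

int main(void) {
    char who[64];
    /* Constructed header: base64 of "alice@example.com:correct horse". */
    const char *hdr = "Basic YWxpY2VAZXhhbXBsZS5jb206Y29ycmVjdCBob3JzZQ==";
    printf("%s -> %s\n", hdr, check_basic_auth(hdr, who, sizeof who) ? who : "denied");
    return 0;
}
```

In a real ISAPI filter this check would run inside HttpFilterProc for the notification registered in GetFilterVersion, with IIS handing the filter the request headers through the filter context; the decoding and comparison logic is the same.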
Authentication
• Digest Authentication
  • You can use Digest Authentication with IIS to authenticate access to your web content. Digest Authentication works similarly to NTLM, with a challenge-response protocol. However, Digest Authentication has several weaknesses:
    • It does not provide mutual authentication.
    • It does not provide a method for exchanging session keys for data encryption or MAC generation.
    • It weakens password storage significantly.
    • Passwords must be stored so that the domain controller can decrypt them, using reversible encryption, weakening your website security.
    • For maximum security, you must place the web server on the same machine as the domain controller. Otherwise, you expose your domain controller to your public web server and open yourself up to serious security risks.
  • Digest Authentication is not the ideal solution for administrators concerned about web content security.
Authentication
• Cookie Based Authentication with ASP pages
  • You can use the cookie-based session variables of Active Server Pages to capture a username and password from a form, validate the username and password, then set a session variable to indicate the user has correctly logged in.
Authentication
• Cookie Based Authentication with ASP pages is the way to go if:
  • You are happy coding your own solution in VBScript, and you only have a few ASP pages to protect.
  • You don't mind excluding those who cannot or will not accept cookies.
  • You don't have gif/jpeg/pdf or other non-ASP content, so you are not concerned about someone else creating web pages linking directly to your non-ASP protected content.
Authentication
• You won't want Cookie Based Authentication with ASP pages if:
  • You want to protect all content, not just ASP pages.
  • You are worried about performance. Any reasonably large number of Active Server Pages can have a significant detrimental effect on the performance of your server. The popularity of products such as XBuilder, which generates static HTML pages from ASP pages for performance reasons (among others), illustrates this point.
  • Cookie-based systems can be susceptible to spoofing.
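An added example, not code from this presentation, to make the spoofing point concrete and to show what the ASP session mechanism described two slides earlier does differently. The first function trusts whatever the cookie says about the user, so a client that simply sends a cookie naming an account is treated as logged in without ever authenticating. The second design keeps the user name in a server-side table and puts only an opaque, unguessable id in the cookie, so a forged or guessed id that is not in the table yields "not logged in". The cookie name SESSIONID, the table size, the function names and the use of rand() are constructed for this example; a production system would draw session ids from a cryptographic generator such as CryptGenRandom.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SESSIONS 16
#define ID_LEN 32

/* Server-side session table (constructed): the cookie carries only the id,
 * the user name lives here and never leaves the server. */
static struct { char id[ID_LEN + 1]; char user[64]; int in_use; } sessions[MAX_SESSIONS];

/* Copy the value of a "name=value" cookie attribute into out. */
static int cookie_value(const char *cookie, const char *name, char *out, size_t cap) {
    const char *p = strstr(cookie, name);
    size_t n;
    if (!p || cap == 0) return 0;
    p += strlen(name);
    n = strcspn(p, ";");
    if (n >= cap) n = cap - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Naive scheme: the cookie itself states who the user is. Nothing stops a
 * client from sending "user=admin" without logging in, so the result is
 * attacker-controlled and must never be trusted for authorization. */
int naive_cookie_user(const char *cookie, char *user_out, size_t cap) {
    return cookie_value(cookie, "user=", user_out, cap);
}

/* Create a session for a user who has already been authenticated; writes the
 * opaque id into id_out. Returns 0 if the table is full. */
int session_create(const char *user, char *id_out, size_t cap) {
    static const char hex[] = "0123456789abcdef";
    int i, k;
    for (i = 0; i < MAX_SESSIONS; i++) {
        if (sessions[i].in_use) continue;
        /* rand() is a placeholder: use a cryptographic generator in production,
         * otherwise ids become guessable and the scheme is spoofable again. */
        for (k = 0; k < ID_LEN; k++) sessions[i].id[k] = hex[rand() % 16];
        sessions[i].id[ID_LEN] = '\0';
        snprintf(sessions[i].user, sizeof sessions[i].user, "%s", user);
        sessions[i].in_use = 1;
        snprintf(id_out, cap, "%s", sessions[i].id);
        return 1;
    }
    return 0;
}

/* Resolve a request's Cookie header to a user by looking the id up server-side.
 * An id that was never issued, however well-formed, yields 0 (not logged in). */
int session_cookie_user(const char *cookie, char *user_out, size_t cap) {
    char id[ID_LEN + 1];
    int i;
    if (!cookie_value(cookie, "SESSIONID=", id, sizeof id)) return 0;
    if (strlen(id) != ID_LEN) return 0;
    for (i = 0; i < MAX_SESSIONS; i++) {
        if (sessions[i].in_use && memcmp(sessions[i].id, id, ID_LEN) == 0) {
            snprintf(user_out, cap, "%s", sessions[i].user);
            return 1;
        }
    }
    return 0;
}

int main(void) {
    char who[64], id[ID_LEN + 1], hdr[80];
    /* Constructed forged request: the client merely claims to be admin. */
    if (naive_cookie_user("user=admin; theme=dark", who, sizeof who))
        printf("naive scheme trusts the forged cookie: %s\n", who);
    session_create("alice@example.com", id, sizeof id);
    snprintf(hdr, sizeof hdr, "SESSIONID=%s; theme=dark", id);
    printf("issued id  -> %s\n", session_cookie_user(hdr, who, sizeof who) ? who : "denied");
    printf("guessed id -> %s\n",
           session_cookie_user("SESSIONID=00000000000000000000000000000000", who, sizeof who) ? who : "denied");
    return 0;
}
```

Classic ASP's Session object follows the second pattern (its cookie, ASPSESSIONID followed by a random suffix, is only a key into server-side state), which is why the slides can describe setting a session variable after validating the form; the spoofing risk returns whenever the cookie itself carries the trust decision or the id is predictable.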
Authentication
• Certificate based authentication
  • Obtain a certificate from a certificate issuing authority such as Verisign or Thawte. Refer to the IIS documentation on Key Manager.
  • Select a directory you want to protect in the MMC.
  • Click on the Secure Communications Edit button on the Directory Security property sheet and use the certificate you obtained. Select both Enable Client Certificates and Require Client Certificate.
  • Enable client certificates for this resource.
  • Issue client certificates for access to this resource.
Authentication
• Certificate based authentication references
  • "Internet Information Server 4.0 - Security for the Web-Enabled Enterprise" by Nick Evans in the Premier Edition of Security Advisor by Advisor.com publications.
  • "Web Project, Digital IDs" by Jon Udell in the March edition of Byte magazine, and the "Issuing digital certificates with Microsoft Certificate Server" section of the IIS Security White Paper by Microsoft.
• Certificate based authentication is the way to go if
Authentication
• AD/AM
  • AD/AM is like an LDAP server interface tightly integrated with Active Directory.
  • Essentially AD/AM or LDAP is like a SQL Server source containing schema/information in hierarchies and groups etc.
  • Any Windows security principal can bind and be granted access using AD/AM.
  • Each principal stored in AD/AM has a SID which uniquely identifies that principal.
  • Can use AD/AM for authentication, personalization and authorization.
  • Allows queries to be performed on the hierarchy of groups / common names etc.
Authentication
• AD/AM
  • AD/AM is like an LDAP server interface tightly integrated with Active Directory.
  • In the past SQL Server has been used for role-based authorization and authentication.
  • Security sub-systems based upon AD/AM are LDAP compliant (an open standard, meaning that many existing LDAP-based security products can be used with it).
  • AzMan can be used for policy-based authorization, though it's not easy to integrate with AD/AM.
  • Easy to migrate SQL Server user tables to AD/AM.
Authentication
• AD/AM
  • In LDAP, Bind is a bit like 'logonUser'.
  • In Active Directory, authenticate the user first BEFORE they can query against objects; group information is usually stored in AD/AM.
  • Active Directory used to be difficult to use in a DMZ, but not now.
Useful Links
• Free authentication component software
  • http://www.flicks.com/authentix/byCom/tutorial/
  • http://www.flicks.com/tutorial/authentication