1 / 29

ASP.NET Security

ASP.NET Security. MIS 424 Professor Sandvig. Overview. Today Security Concepts & Terminology Authentication and Authorization Role-based security HTTPS ASP.NET approaches: Do-it-yourself ASP.NET Identity Windows authentication. Security Terminology. Authentication

pcarolyn
Download Presentation

ASP.NET Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ASP.NET Security MIS 424 Professor Sandvig

  2. Overview Today • Security Concepts & Terminology • Authentication and Authorization • Role-based security • HTTPS • ASP.NET approaches: • Do-it-yourself • ASP.NET Identity • Windows authentication

  3. Security Terminology • Authentication • Process of identifying the user • User provides credentials • Username / Password • ID card, key, finger print, eye scan… • Authentication done once at login

  4. Security Terminology • Authorization • Which resources user is allowed to access • Permissions • Type of access • Read, write, modify, delete, change permissions… • Performed with every request

  5. Example - WWU Library • Authentication • Who are you? • WWU student • Lost Canadian • Authorization • What are you allowed to do? • WWU student • Checkout books, laptops, IIL services… • Lost Canadian • Look at books, use restrooms, stay warm

  6. Security Terminology • Principle of least privilege • Every program and every user of the system should operate using the least set of privileges necessary to complete their job. • Benefits: • Protects data • Protects organization • Protects individuals

  7. Role-based Security • Permissions assigned based upon oganizational role

  8. Role-based Security • Create roles • Financial Aid counselor • Academic counselor • Network Administrator • Database Administrator • Payroll • Roles are assigned specific permissions • Principle of least privilege

  9. Role-Based Security • Groups • Collections of individuals • Examples: • Students • Faculty • Help Desk technicians • Department administrators

  10. Role-based Security Assign Users and groups to roles Source: https://docs.oracle.com/cd/E19226-01/820-7627/bnbxj/index.html

  11. Role Permissions Source: ITGlue content management system

  12. WWU Roles

  13. Role Permissions • WWU P drive

  14. Web Security • Always use HTTPS • Secure Socket Layers • Encrypts all data • Session Hijacking • All security methods pass cookie identifying user as authenticated. • Hacker gets cookie data • Impersonates authenticated user

  15. Session Hijacking

  16. Adding HTTPS • Individual controllers: namespace mis424Assignments.Controllers { [RequireHttps] [Authorize] public class RetailController : Controller • Entire Site • Global.asax protected void Application_Start() { GlobalFilters.Filters.Add(new RequireHttpsAttribute()); }

  17. ASP.NET Security • Approaches: • Do-it-yourself • ASP.NET Identity • Windows authentication

  18. Do-it-yourself Authentication • Each action method checks for authorization • Redirect unauthorized users to login • Single line of code: if (Session["authenticated"] == null) return RedirectToAction("Login");

  19. Do it yourself Authentication • Advantages • Simple • Flexible • Write own authentication code • Disadvantages • More work? • Your responsibility

  20. ASP.NET Identity Individual user accounts VS creates models & database Username, password, roles stored in DB

  21. ASP.NET Identity • Features • Contains views for: • Creating account • Modify account • Password recovery • Change password

  22. ASP.NET Identity • Features • Can use social providers for authentication • Facebook, Google, Twitter • Create roles • Assign users to roles

  23. ASP.NET Identity • Decorate action methods with Authorization rules • Individuals • Roles • Authenticates against database, Active Directory, cloud based authentication, … • Example: Secured Admin Pages

  24. Windows Authentication • Authenticate against Windows users and roles • Active Directory • Take advantage of organizational roles • Group email, file permissions, chat…

  25. Windows Authentication • MVC Implementation • Specify in web.config • <authentication mode="Windows" /> • Enable Windows Authentication in IIS

  26. Windows Authentication

  27. Windows Authentication

  28. Windows Authentication • Benefits: • Use existing Active Directory user & groups • Intranet • Not public web • Single sign-in within organization • Fine-level control of permissions • Example: WindowsAuthentication

  29. Summary • Application Security options: • Do-it-yourself • Identity User Accounts • Windows authentication • Security • Complex topic • Discuss other aspects later

More Related