Securing a .NET webapp with ActiveDir and SQL-server?

I have previously developed some small apps in Visual Studio .NET 2003 and MS SQL Server. Am now about to develop a secure webapp in .NET to be used on our intranet, and I'd appreciate some input. We are using Active Directory (AD) and MS SQL Server. I need some SSL in the mix also. The word "Kerberos" was also mentioned at the brainstorm. And encryption of some of the data fields.

For simplicity, I'll try to describe my database using the Nwind example. Each Employee in the Employees table is also in AD, and a member of a security group called "MyAppGrp". Only users in MyAppGrp are allowed to access the webapp. Using Inetmgr I go to the tab "directory security" and make sure only "Integrated windows" is checked.

In my web.config I go to "authorization" and put allow roles="MyAppGrp" and deny users="*".

I've been looking at "impersonation" but can't quite see how I should implement this. So I am going to use the "trusted subsystem" method, and build my own authorisation store in SQL Server. Then my app checks the current user's permissions, and if ok, connects to SQL Server as the db administrator (a connection string with username and pwd), and retrieves the data.

Have now read some MS papers that say "Bad thing! Use AD." But I can't see how I can do that, since I have no "datareaders" role and "datawriters" role.

In my database there are no Orders. There are Regions. Each Customer belongs to a Region. Each Employee deals with Customers in one or more Regions. Several Employees can deal with the same Region(s) / Customer(s). If an Employee isn't allowed access to Region A, those Customers are "invisible" to that Employee. I was going to make a webform with a list of customers; the Employee chooses one and I call another form:

frmDetails?CustID=12345

Every time an Employee sees details of a customer, I want to log that. If the Employee tries a bit of querystring manipulation, to see a Customer he does not have access to, I want that logged too. I would like the logging to be done as close to the source/database as possible. Maybe in a stored procedure that retrieves the data. How is this best done?

An Employee (with the correct region) can update data of a Customer. One of the fields has sensitive data and should be encrypted. I followed some of the security courses from MS, and there seem to be a lot of ways to do this. Rijndael, TripleDES etc. And PKI. Any suggestions? They all need a key, or a salt? Where do I store this? In the DPAPI machine store?

When transmitting this encrypted data, I should use SSL? I haven't found any good introductions to SSL (or Kerberos). Mostly theory stuff. But I've read somewhere that session variables etc. are not carried over if you switch from non-SSL to SSL. And that SSL is bad for performance. My app is small, and not heavily used, so performance is not an issue. Should I not just do the whole thing over SSL?

I have pretty much full control over the IIS and the SQL Server. I have little control (but can suggest things) over the AD. The app is going to be used with new (5.x+) IE browsers.

I am currently using VS 2003 (VB.NET) and Framework 1. Would this be a lot easier in Framework 2?

Anything I have missed? Any suggestions? Obvious security holes? Code samples?

tia

/jim
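The access check and the audit record that the post wants "as close to the source/database as possible", written out as an added example (this is not code from the thread). The web app passes the caller's Windows identity (the value of User.Identity.Name under integrated authentication) to one stored procedure, which checks the employee-to-region mapping, writes a log row for every attempt, allowed or denied, so a manipulated CustID in the querystring leaves a trace, and only then returns the customer row. The account in the connection string gets EXECUTE on that procedure and nothing else, instead of the db administrator login the post describes. Table names, column names, the login WebAppUser and the password placeholder are all assumptions; the syntax is SQL Server 2000 era (no TRY/CATCH), since the thread predates 2005.

```sql
-- Added example, not from the thread. All object names are assumptions chosen
-- to match the Northwind-style description in the post.

CREATE TABLE Regions (
    RegionID   int NOT NULL PRIMARY KEY,
    RegionName nvarchar(50) NOT NULL
)
CREATE TABLE Customers (
    CustomerID    int NOT NULL PRIMARY KEY,
    RegionID      int NOT NULL REFERENCES Regions(RegionID),
    CompanyName   nvarchar(80) NOT NULL,
    SensitiveData varbinary(512) NULL   -- ciphertext written by the web app
)
-- Which AD accounts (domain\user, as the web app sees User.Identity.Name)
-- may see which regions. This is the "own authorisation store" of the post.
CREATE TABLE EmployeeRegions (
    EmployeeLogin sysname NOT NULL,
    RegionID      int NOT NULL REFERENCES Regions(RegionID),
    PRIMARY KEY (EmployeeLogin, RegionID)
)
-- Every attempt is recorded here, including the denied ones.
CREATE TABLE CustomerAccessLog (
    LogID         int IDENTITY(1,1) PRIMARY KEY,
    EmployeeLogin sysname NOT NULL,
    CustomerID    int NOT NULL,
    Allowed       bit NOT NULL,
    AccessedAt    datetime NOT NULL DEFAULT GETDATE()
)
GO

-- Trusted-subsystem model: the web app authenticates the user and passes the
-- identity explicitly; the procedure decides, logs, and returns in one place.
CREATE PROCEDURE GetCustomerDetails
    @EmployeeLogin sysname,
    @CustomerID    int
AS
SET NOCOUNT ON
DECLARE @Allowed bit
SET @Allowed = 0
IF EXISTS (SELECT 1
           FROM Customers c
           JOIN EmployeeRegions er ON er.RegionID = c.RegionID
           WHERE c.CustomerID = @CustomerID
             AND er.EmployeeLogin = @EmployeeLogin)
    SET @Allowed = 1

-- Log before returning anything, so a forged CustID=... in the querystring
-- is recorded even though no data row comes back.
INSERT INTO CustomerAccessLog (EmployeeLogin, CustomerID, Allowed)
VALUES (@EmployeeLogin, @CustomerID, @Allowed)

IF @Allowed = 0
BEGIN
    RAISERROR('Access denied to customer %d', 16, 1, @CustomerID)
    RETURN 1
END

SELECT c.CustomerID, c.CompanyName, c.RegionID, c.SensitiveData
FROM Customers c
WHERE c.CustomerID = @CustomerID
RETURN 0
GO

-- Least privilege for the connection-string account: execute this procedure,
-- nothing else. No db_owner, no direct table access.
EXEC sp_addlogin 'WebAppUser', 'replace-with-a-long-random-password', 'MyAppDb'
GO
USE MyAppDb
EXEC sp_grantdbaccess 'WebAppUser'
GRANT EXECUTE ON GetCustomerDetails TO WebAppUser
GO
```

Because the procedure and the tables have the same owner (dbo), ownership chaining lets WebAppUser read and insert through the procedure without any permission on the tables themselves, so a compromised connection string cannot SELECT * FROM Customers or DELETE FROM CustomerAccessLog. The procedure trusts @EmployeeLogin; that is exactly why the login must not be usable from anywhere but the web server, and why the identity must come from User.Identity.Name and never from a form field or querystring.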
hi,

some thoughts:

- enable integrated in IIS, disable anonymous
- authorization settings are ok - use the domain\groupname format
- why do you need authorization inside your app? are only specific emps allowed to see specific customers?
- don't connect to sql server using administrative privileges
- wrap all data access in stored procedures - the user that connects to the db should only be allowed to execute the sprocs, no direct table access
- use SSL - for IIS and SQL Server
- logging should be done on the web server in your case
- encryption is a complex topic. Will the web application also decrypt the data again? Or is this done in a separate app? Single server or cluster?

switching to 2.0 is recommended.

This is an overview - if you have any questions regarding the above points, feel free to ask

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com> wrote in message news:4580be631950c68c7e8a73326e05e@news.microsoft.com...

Hi Dominick

> - enable integrated in IIS, disable anonymous

Didn't I do that correctly?

>> Using Inetmgr I go to tab "directory security" and make sure only
>> "Integrated windows" is checked.

> - why do you need authorization inside your app? are only specific emps
> allowed to see specific customers?

Yes.

> - don't connect to sql server using administrative privileges

I created a user and put him in the db_owner role for the specific database.

> - wrap all data access in stored procedures - the user that connects to the
> db should only be allowed to execute the sprocs, no direct table access

Ok. But should I have my webapp supply the sproc with the name/identity of the user as an argument, and have the sproc make an access check, and create a log record in my log table and THEN pass data back to the webapp, or should my webapp call a series of sprocs?

> - use SSL - for IIS and SQL Server

Elaborate please?

> - logging should be done on the web server in your case

When the user clicks the "See Customer Details" button I should call a logging sproc, and then a getcustomerdetails sproc?

> - encryption is a complex topic. Will the web application also decrypt the
> data again? Or is this done in a separate app? Single Server or Cluster?

The webapp must be able to show the unencrypted data. When the user clicks "Update Customer Details" the sensitive data (one field) should be encrypted, and stored in SQL Server.
When he clicks "See Customer Details" the unencrypted data (clear text) should be shown to the user in a webform. Can I have SQL Server (sproc) encrypt/decrypt the data instead of the webapp (.NET)?

> switching to 2.0 is recommended.

In general or for this specific purpose?

> This is an overview - if you have any questions regarding the above point,
> feel free to ask

You asked for it!

/jim

That's what I would do. Hope it helps.
>> - why do you need authorization inside your app? are only specific emps
>> allowed to see specific customers?
>
> Yes.

Use Forms authentication + SSL in the asp.net app. User.IsInRole could help.

> Ok. But should I have my webapp supply the sproc with the name/identity of
> the user as an argument, and have the sproc make an access check, and create
> a log record in my log table and THEN pass data back to the webapp, or should
> my webapp call a series of sprocs?

If you impersonate the web app, use integrated security (windows login) and grant exec on the sproc to the desired roles. That shouldn't be necessary. Maybe this is not too clear..

> Can I have SQL Server (sproc) encrypt/decrypt the data instead of the webapp
> (.NET)?

The webapp IMHO. I don't remember how the SQL Server - web app connection can be encrypted using SSL, but it is a good thing.

>> switching to 2.0 is recommended.
>
> In general or for this specific purpose?

Both things. 2.0 security is better than 1.x (1.x is NOT insecure) and 2.0 has great ASP.NET things.

"bradbury9" <ray.bradbu***@gmail.com> wrote in message news:1137509057.147132.251050@g43g2000cwa.googlegroups.com...

> That's what I would do. Hope it helps.
>
>>> - why do you need authorization inside your app? are only specific emps
>>> allowed to see specific customers?
>>
>> Yes.
>
> Use Forms authentication + SSL in the asp.net app.

Don't want users to log in (again).

>> Ok. But should I have my webapp supply the sproc with the name/identity of
>> the user as an argument, and have the sproc make an access check, and
>> create a log record in my log table and THEN pass data back to the webapp,
>> or should my webapp call a series of sprocs?
>
> If you impersonate the web app, use integrated security (windows login)
> and grant exec on the sproc to the desired roles. That shouldn't be
> necessary. Maybe this is not too clear..

hmm.... no, it's not clear :-)
I need to log all kinds of access to the data.
>>> switching to 2.0 is recommended.
>>
>> In general or for this specific purpose?
>
> Both things. 2.0 security is better than 1.x (1.x is NOT insecure)

Any specifics that apply to this problem?

/jim

inline
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
> wrote in message news:4580be631950c68c7e8a73326e05e@news.microsoft.com...
>
> Hi Dominick
>
>> - enable integrated in IIS, disable anonymous
>
> Didn't I do that correctly?

looks like

>>> Using Inetmgr I go to tab "directory security" and make sure only
>>> "Integrated windows" is checked.
>
>> - why do you need authorization inside your app? are only specific
>> emps allowed to see specific customers?
>
> Yes.
>
>> - don't connect to sql server using administrative privileges
>
> I created a user and put him in the db_owner role for the specific
> database.

just create a normal user. wrap all data access in sprocs. Grant that user exec rights on the sprocs - nothing else - no table access

>> - wrap all data access in stored procedures - the user that connects
>> to the db should only be allowed to execute the sprocs, no direct
>> table access
>
> Ok. But should I have my webapp supply the sproc with the
> name/identity of the user as an argument, and have the sproc make an
> access check, and create a log record in my log table and THEN pass data
> back to the webapp, or should my webapp call a series of sprocs?
>
>> - use SSL - for IIS and SQL Server
>>
>> - logging should be done on the web server in your case
>
> Elaborate please? When the user clicks the "See Customer Details"
> button I should call a logging sproc, and then a getcustomerdetails
> sproc?

well that's philosophy. SQL server is a database and should not be responsible for auditing your application. Initiate the logging from the web app. How you log (e.g. in a database using a sproc) is up to you.

>> - encryption is a complex topic. Will the web application also
>> decrypt the data again? Or is this done in a separate app? Single
>> Server or Cluster?
>
> The webapp must be able to show the unencrypted data. When the user
> clicks "Update Customer Details" the sensitive data (one field) should
> be encrypted, and stored in SQL Server. When he clicks "See Customer
> Details" the unencrypted data (clear text) should be shown to the user
> in a webform.

Then you should go for some form of symmetric encryption. DPAPI (or ProtectedData in 2.0) may be an option - but data will only be decryptable on the web server (but this may be desired). Plain AES gives you the most flexibility. But I wouldn't recommend implementing that on your own without having at least basic crypto knowledge (a little bit more than that is required, to be honest). SQL Server 2005 features built-in encryption of data - this may be the most painless approach.

> Can I have SQL Server (sproc) encrypt/decrypt the data instead of the
> webapp (.NET)?
>
>> switching to 2.0 is recommended.
>
> In general or for this specific purpose?
>
>> This is an overview - if you have any questions regarding the above
>> points, feel free to ask
>
> You asked for it!
>
> /jim

"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com> wrote in message news:4580be631952bb8c7ea2ed640ec52@news.microsoft.com...

> just create a normal user. wrap all data access in sprocs. Grant that user
> exec rights on the sprocs - nothing else - no table access

Done. Seems to work like a charm.

> Then you should go for some form of symmetric encryption. DPAPI (or
> ProtectedData in 2.0) may be an option - but data will only be decryptable
> on the web server (but this may be desired).
> SQL Server 2005 features built-in encryption of data - this may be the
> most painless approach.

Sigh..... I know, but that's probably a year away... I can live with the "one webserver decryption only" until then.

thx for the tips!

/jim
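The SQL Server 2005 built-in encryption that Dominick calls "the most painless approach", and that the last reply defers for a year, as an added example that is not code from the thread. It builds the key hierarchy (database master key, certificate, AES symmetric key) and does the region check plus encryption and decryption inside stored procedures, so the web app never holds key material and the connection-string login only needs EXECUTE. Object names (MyAppDb, CustomerDataCert, CustomerDataKey, the tables, WebAppUser) and the passphrase placeholder are assumptions; the ciphertext is bound to CustomerID through the authenticator argument, which is the caveat the thread does not mention: without it, a ciphertext can be copied from one customer's row to another and will still decrypt.

```sql
-- Added example, not from the thread. SQL Server 2005 syntax; all names and the
-- passphrase are assumptions.
USE MyAppDb
GO

-- Minimal versions of the tables assumed for this example.
CREATE TABLE EmployeeRegions (
    EmployeeLogin sysname NOT NULL,
    RegionID      int NOT NULL,
    PRIMARY KEY (EmployeeLogin, RegionID)
)
CREATE TABLE Customers (
    CustomerID    int NOT NULL PRIMARY KEY,
    RegionID      int NOT NULL,
    SensitiveData varbinary(512) NULL      -- ciphertext, never plaintext
)
GO

-- Key hierarchy. The database master key is itself protected by the service
-- master key, so the procedures can open the certificate without a password.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'replace-with-long-random-passphrase'
GO
CREATE CERTIFICATE CustomerDataCert WITH SUBJECT = 'Protects CustomerDataKey'
GO
CREATE SYMMETRIC KEY CustomerDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CustomerDataCert
GO

-- Write path. EXECUTE AS OWNER runs the body as dbo, which holds the
-- permissions on the key and certificate; the web app's login does not.
CREATE PROCEDURE UpdateCustomerSensitive
    @EmployeeLogin sysname, @CustomerID int, @Plaintext nvarchar(200)
WITH EXECUTE AS OWNER
AS
SET NOCOUNT ON
IF NOT EXISTS (SELECT 1 FROM Customers c
               JOIN EmployeeRegions er ON er.RegionID = c.RegionID
               WHERE c.CustomerID = @CustomerID AND er.EmployeeLogin = @EmployeeLogin)
BEGIN
    RAISERROR('Access denied to customer %d', 16, 1, @CustomerID)
    RETURN 1
END
OPEN SYMMETRIC KEY CustomerDataKey DECRYPTION BY CERTIFICATE CustomerDataCert
-- The authenticator ties the ciphertext to this CustomerID; a value copied
-- into another customer's row will not decrypt there.
UPDATE Customers
SET SensitiveData = EncryptByKey(Key_GUID('CustomerDataKey'), @Plaintext,
                                 1, HashBytes('SHA1', CONVERT(varbinary, @CustomerID)))
WHERE CustomerID = @CustomerID
CLOSE SYMMETRIC KEY CustomerDataKey
RETURN 0
GO

-- Read path. DecryptByKey returns NULL when the key, ciphertext or
-- authenticator does not match, so a tampered row shows as NULL, not garbage.
CREATE PROCEDURE GetCustomerSensitive
    @EmployeeLogin sysname, @CustomerID int
WITH EXECUTE AS OWNER
AS
SET NOCOUNT ON
IF NOT EXISTS (SELECT 1 FROM Customers c
               JOIN EmployeeRegions er ON er.RegionID = c.RegionID
               WHERE c.CustomerID = @CustomerID AND er.EmployeeLogin = @EmployeeLogin)
BEGIN
    RAISERROR('Access denied to customer %d', 16, 1, @CustomerID)
    RETURN 1
END
OPEN SYMMETRIC KEY CustomerDataKey DECRYPTION BY CERTIFICATE CustomerDataCert
SELECT CustomerID,
       CONVERT(nvarchar(200), DecryptByKey(SensitiveData, 1,
               HashBytes('SHA1', CONVERT(varbinary, CustomerID)))) AS SensitiveData
FROM Customers
WHERE CustomerID = @CustomerID
CLOSE SYMMETRIC KEY CustomerDataKey
RETURN 0
GO

-- The web app's account: EXECUTE on the two procedures, nothing else.
CREATE LOGIN WebAppUser WITH PASSWORD = 'replace-with-a-long-random-password'
CREATE USER WebAppUser FOR LOGIN WebAppUser
GRANT EXECUTE ON UpdateCustomerSensitive TO WebAppUser
GRANT EXECUTE ON GetCustomerSensitive TO WebAppUser
GO
```

Two operational points follow from this design. The plaintext still travels between IIS and SQL Server on every read and write, which is why the "use SSL for SQL Server" advice earlier in the thread still applies. And the certificate and master key must be backed up (BACKUP CERTIFICATE, BACKUP MASTER KEY) and the backups stored off the server; restoring the database onto another instance without them leaves every SensitiveData value permanently unreadable.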