Authentication and Authorization - Configuring Authorization
(Page 4 of 4 )
Impersonation is a technique that allows the ASP.NET process to act as the authenticated user, or as an arbitrary specified user. ASP.NET impersonation is controlled by entries in the application’s web.config file. By default, impersonation is disabled. Including the following code in the file can explicitly turn impersonation off:
<identity impersonate=”false”/>
ASP.NET does not perform impersonation if the above piece of code is found in the file. This means that ASP.NET will run with its own privileges. After the user has been authenticated, ASP.NET uses it own identity to request access to resources.
By default, ASP.NET runs as an unprivileged account. By changing the userName attribute of the processModel section in the machine.config file, the account can be changed from a low-privileged one to a high-privileged one. When this modification is made, it applies to all sites on the server. If the userName attribute of the processModel is changed to SYSTEM, the user account becomes a high privileged account. However, this is a security risk as it elevates the privileges of the ASP.NET process and the OS may be at risk.
To enable impersonation, the following code should be included:
<identity impersonate =”true”/>
In this case, ASP.NET takes on the identity IIS passes to it. If anonymous access is allowed in IIS, ASP.NET will impersonate the IUSR_ComputerName account that IIS uses. If anonymous access is not allowed, ASP.NET will take on the credentials of the authenticated user and makes requests for resources taking on that identity. A further important feature of any ASP.NET application is that a particular identity can also be used for all authenticated requests. To accomplish this, the following line of code needs to be included:
<identity impersonate=”true” username=”DOMAINusername” password=”password”/>
In this case, all authenticated users will be taking on the identity <DOMAINusername> and using this identity ASP.NET makes all requests for resources. The drawback to this technique is that the password must be coded in plain text in the web.config file. Though ASP.NET does not allow for this file to be downloaded, it is still a security risk.
Best Practices
Below is a list of some best practices to help you in choosing an authentication mode and configuring authorization:
If there is no sensitive data in the application, no anonymous authentication is the best authentication mode. This allows all users, who have access to the host, to access the application.
If authentication of users needs to be performed, there are several choices. Windows Authentication in ASP.NET is the best authentication mode to use if all user accounts exist on the network in which the application is running. If not all users have accounts on the network, then forms authorization can be used.
If different users, having different sets of privileges, need to access the application then impersonation in the ASP.NET configuration file should be turned on.
*ISAPI: Internet Server Application Program Interface - is a programming interface on IIS, Microsoft's web server. It allows third parties (and Microsoft) to add functionality to web servers running Microsoft IIS.
**ISAPI Filter: A DLL that uses the ISAPI to register for web server events and edit the data stream going to and coming from the Microsoft IIS web server.
| DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |
