ASP.NET Security, MIS 424, Professor Sandvig

  • Slides: 29

Overview
  • Security concepts and terminology
  • Authentication and authorization
  • Role-based security
  • HTTPS
  • ASP.NET approaches: do-it-yourself, ASP.NET Identity, Windows authentication

Security Terminology: Authentication
  • The process of identifying the user
  • The user provides credentials: username/password, ID card, key, fingerprint, eye scan, ...
  • Done once, at login; afterwards the application identifies the user by the session or cookie that login established, so that token needs protecting as carefully as the password

Security Terminology: Authorization
  • Which resources the user is allowed to access
  • Type of access permitted: read, write, modify, delete, change permissions, ...
  • Performed on every request

Example: WWU Library
  • Authentication, "Who are you?": WWU student, or lost Canadian
  • Authorization, "What are you allowed to do?"
    WWU student: check out books and laptops, use ILL services, ...
    Lost Canadian: look at books, use the restrooms, stay warm

Security Terminology: Principle of Least Privilege
  • Every program and every user of the system should operate using the least set of privileges necessary to complete their job.
  • Benefits: protects data, protects the organization, protects individuals

Role-based Security
  • Permissions are assigned based upon organizational role

Role-based Security: Create Roles
  • Examples: Financial Aid counselor, Academic counselor, Network Administrator, Database Administrator, Payroll
  • Each role is assigned specific permissions, following the principle of least privilege

Role-based Security: Groups
  • Collections of individuals
  • Examples: Students, Faculty, Help Desk technicians, Department administrators

Role-based Security: Assign Users and Groups to Roles
  • Source: https://docs.oracle.com/cd/E19226-01/820-7627/bnbxj/index.html

Role Permissions (image slide; source: ITGlue content management system)

WWU Roles (image slide)

Role Permissions: WWU P drive (image slide)

ASP.NET Security Approaches
  • Do-it-yourself
  • ASP.NET Identity
  • Windows authentication

Do-it-yourself Authentication
  • Each action method checks whether the caller has logged in
  • Unauthenticated users are redirected to the login page
  • Single line of code at the top of every protected action:
    if (Session["authenticated"] == null) return RedirectToAction("Login");
  • Caveat: this line checks only that someone logged in (authentication); what that user may do (authorization, e.g. a role check) still has to be enforced separately, and any action you forget to guard is open to everyone
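As an added example, not code from the slides, here is one way to carry out the do-it-yourself approach without repeating the one-liner by hand: an action filter that performs the Session["authenticated"] check for every action, and a Login action that verifies a salted password hash instead of comparing plaintext. The AccountController, the in-memory user table, the username "alice" and its password are constructed for illustration; Crypto is System.Web.Helpers.Crypto, which ships with ASP.NET MVC.

```csharp
using System.Collections.Generic;
using System.Web;
using System.Web.Helpers;   // Crypto.HashPassword / Crypto.VerifyHashedPassword (salted PBKDF2)
using System.Web.Mvc;
using System.Web.Routing;

// Register once in FilterConfig (filters.Add(new RequireSessionLoginAttribute())) instead of
// repeating the check in every action: a forgotten check can then no longer leave an action
// open. [AllowAnonymous] on an action or controller opts it back out.
public class RequireSessionLoginAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var action = filterContext.ActionDescriptor;
        bool anonymousAllowed =
            action.IsDefined(typeof(AllowAnonymousAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true);
        if (anonymousAllowed) return;

        if (filterContext.HttpContext.Session["authenticated"] == null)
        {
            // Same redirect as the slide's one-liner, plus where the user was heading.
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
            {
                { "controller", "Account" },
                { "action", "Login" },
                { "returnUrl", filterContext.HttpContext.Request.RawUrl }
            });
        }
    }
}

public class AccountController : Controller
{
    // Constructed sample user store. A real application reads the hash from its database;
    // only the salted hash is ever stored, never the password itself.
    private static readonly Dictionary<string, string> UserHashes = new Dictionary<string, string>
    {
        { "alice", Crypto.HashPassword("correct horse battery staple") }
    };

    [AllowAnonymous, HttpGet]
    public ActionResult Login(string returnUrl)
    {
        // Session fixation defence: discard whatever session id the browser arrived with,
        // so the session that becomes "authenticated" on the POST is a fresh one.
        Session.Abandon();
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "") { HttpOnly = true });

        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [AllowAnonymous, HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password, string returnUrl)
    {
        string storedHash;
        bool ok = UserHashes.TryGetValue(username ?? "", out storedHash)
                  && Crypto.VerifyHashedPassword(storedHash, password ?? "");
        if (!ok)
        {
            // One message for "no such user" and "wrong password": do not reveal which it was.
            ModelState.AddModelError("", "Invalid username or password.");
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }

        Session["authenticated"] = username;

        // Only follow returnUrl when it is local; an absolute URL here would be an open redirect.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```

Note that the filter still only answers "is anyone logged in". A role check (for example comparing a value stored in the session against the roles an action needs) would be a second filter or an explicit test inside the action; that is the part the page's later [Authorize(Roles = ...)] approach does for you.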

Do-it-yourself Authentication
  • Advantages: simple, flexible, you write your own authentication code
  • Disadvantages: more work, and everything is your responsibility: password storage, session handling, password recovery, and remembering the check on every protected action

ASP.NET Identity
  • "Individual User Accounts" project template
  • Visual Studio creates the models and the database
  • Username, password (stored as a hash) and roles are kept in the database

ASP.NET Identity Features
  • Contains views for: creating an account, modifying an account, password recovery, changing a password

ASP.NET Identity Features
  • Can use social providers for authentication: Facebook, Google, Twitter
  • Create roles; assign users to roles

ASP.NET Identity
  • Decorate action methods (or whole controllers) with authorization rules: individuals, roles
  • Authenticates against a database, Active Directory, cloud-based authentication, ...
  • Example: Secured Admin Pages
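An added example of the Identity approach (this is not the deck's own code): a one-time role setup with RoleManager and UserManager, and an admin controller decorated with role-based and user-based [Authorize] rules. ApplicationDbContext and ApplicationUser are the classes the Visual Studio "Individual User Accounts" template generates; the role names, the email address admin@example.com and the RoleOrForbidAttribute are illustrative.

```csharp
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// One-time setup, e.g. called from the database seed method or an admin-only action.
public static class RoleSetup
{
    public static void EnsureAdminRole(ApplicationDbContext db, string adminUserName)
    {
        var roleManager = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(db));
        var userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(db));

        if (!roleManager.RoleExists("Admin"))
            roleManager.Create(new IdentityRole("Admin"));

        // Membership is stored in the AspNetUserRoles table Identity created.
        var user = userManager.FindByName(adminUserName);
        if (user != null && !userManager.IsInRole(user.Id, "Admin"))
            userManager.AddToRole(user.Id, "Admin");
    }
}

// The stock AuthorizeAttribute returns 401 both for "not logged in" and for "logged in but
// lacks the role", so forms authentication bounces an authorized-but-wrong-role user back to
// the login page. This variant returns 403 for the second case, which is the honest answer.
public class RoleOrForbidAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);   // redirect to login as usual
    }
}

// Every action in the controller requires the Admin role unless it says otherwise.
[RoleOrForbid(Roles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Index() { return View(); }

    // A comma-separated list means "any of these roles".
    [RoleOrForbid(Roles = "Admin,Payroll")]
    public ActionResult Payroll() { return View(); }

    // Authorization for one named individual rather than a role (illustrative address).
    [RoleOrForbid(Users = "admin@example.com")]
    public ActionResult Settings() { return View(); }

    // [AllowAnonymous] overrides the controller-level rule for this one action.
    [AllowAnonymous]
    public ActionResult Help() { return View(); }
}
```

Authorization attributes stack: the controller-level attribute runs for every action, and an action-level attribute adds a further requirement rather than replacing it, so a user reaching Payroll here must satisfy both.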

Windows Authentication
  • Authenticate against Windows users and groups (Active Directory)
  • Take advantage of organizational roles that already drive group email, file permissions, chat, ...

Windows Authentication: MVC Implementation
  • Specify in web.config: <authentication mode="Windows" />
  • Enable Windows Authentication in IIS (and disable Anonymous Authentication, otherwise requests arrive unauthenticated until something challenges them)
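An added example (not the deck's LabInspection project) of how a controller uses Windows authentication once IIS has done the credential check: the app receives a WindowsPrincipal and only decides what that user may do. The domain and group names CORP\HelpDesk and CORP\LabAdmins are placeholders, not real WWU groups; the controller and its actions are constructed for illustration.

```csharp
// Web.config, inside <system.web>:
//   <authentication mode="Windows" />
//   <authorization><deny users="?" /></authorization>   <!-- "?" = anonymous users -->
//
// IIS / IIS Express: Windows Authentication enabled, Anonymous Authentication disabled
// (applicationHost.config: <windowsAuthentication enabled="true" />,
//  <anonymousAuthentication enabled="false" />).

using System.Web.Mvc;

public class LabInspectionController : Controller
{
    // Any authenticated domain user may view the list. [Authorize] with no arguments
    // means "logged in", regardless of how the login happened.
    [Authorize]
    public ActionResult Index()
    {
        // Identity.Name arrives as DOMAIN\user; the application never handles a password.
        ViewBag.Inspector = User.Identity.Name;
        return View();
    }

    // Role names are Active Directory groups, written DOMAIN\Group. Adding someone to the
    // group in AD grants access here too; there is no per-application user list to maintain.
    [Authorize(Roles = @"CORP\HelpDesk")]
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Record(int roomId, string notes)
    {
        // Persist the inspection stamped with the authenticated user (placeholder body).
        TempData["message"] = User.Identity.Name + " recorded room " + roomId;
        return RedirectToAction("Index");
    }

    // A decision inside an action uses the same principal: IsInRole checks group membership.
    [Authorize]
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Delete(int id)
    {
        if (!User.IsInRole(@"CORP\LabAdmins"))
            return new HttpStatusCodeResult(403);   // authenticated, but not permitted
        TempData["message"] = "Inspection " + id + " deleted";
        return RedirectToAction("Index");
    }
}
```

Group checks are evaluated against the groups in the user's Windows token at login, so a membership change in AD takes effect the next time the user authenticates, not instantly.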

Windows Authentication (image slides)

Windows Authentication Benefits
  • Use existing Active Directory users and groups
  • Suited to intranet applications, not the public web
  • Single sign-on within the organization
  • Fine-grained control of permissions
  • Example 1: WindowsAuthentication; Example 2: LabInspection

Web Security: Always Use HTTPS
  • HTTPS is HTTP over TLS (the successor to SSL; the SSL protocol versions themselves are deprecated and should be disabled on the server)
  • Encrypts all data in transit and authenticates the server to the browser
  • Session hijacking: every approach above hands the browser a cookie that identifies the user as authenticated. An attacker who obtains that cookie (for example by sniffing plain-HTTP traffic on a shared network) can impersonate the authenticated user without ever knowing the password.

Session Hijacking (image slide)

Adding HTTPS
  • Individual controllers:
    namespace mis424Assignments.Controllers
    {
        [RequireHttps]
        [Authorize]
        public class RetailController : Controller
  • Entire site, in Global.asax:
    protected void Application_Start()
    {
        GlobalFilters.Filters.Add(new RequireHttpsAttribute());
    }
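The site-wide RequireHttps filter above forces the transport; it does not by itself stop the authentication cookie from being sent over a plain-HTTP request the browser makes before the redirect. As an added example (not code from the slides), here is the filter registration in the standard MVC 5 project layout together with the cookie flags and HSTS header that close that gap. The web.config fragment in the comment is the matching server-side setting; everything else is illustrative.

```csharp
using System.Web;
using System.Web.Mvc;

// Web.config counterpart, inside <system.web>, so the session and authentication cookies
// are never sent in the clear (Secure) nor readable from page script (HttpOnly):
//   <httpCookies httpOnlyCookies="true" requireSSL="true" />
//   <authentication mode="Forms"><forms requireSSL="true" /></authentication>

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        // Redirects any plain-HTTP GET to the HTTPS URL. A POST over HTTP gets an error
        // instead of a redirect, because its body has already crossed the wire unencrypted.
        // Behind a load balancer that terminates TLS, Request.IsSecureConnection is false and
        // this filter would loop; in that setup the balancer itself must enforce HTTPS.
        filters.Add(new RequireHttpsAttribute());
    }
}

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    }

    // HSTS: once a browser has seen this header over HTTPS it refuses to make plain-HTTP
    // requests to the host for max-age seconds, so even a typed http:// URL never leaves
    // the machine unencrypted. Emit it only on secure responses, as the spec requires.
    protected void Application_EndRequest()
    {
        if (Request.IsSecureConnection)
            Response.AppendHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
    }
}
```

With these in place a captured ASP.NET_SessionId or .AspNet.ApplicationCookie would have to come from the user's machine or from a compromised TLS endpoint rather than from the network, which is the attack the session hijacking slide describes.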

Summary
  • Application security options: do-it-yourself, Identity (Individual User Accounts), Windows authentication
  • Security is a complex topic; other aspects will be discussed later