Mukarram Mukhtar

Web Security in .NET (p 1)

I had never really trusted .NET’s web security until I saw two US banks’ websites built in .NET. Of course there were additional safeguards such as Secure Sockets Layer (SSL) on top, but the core authentication and authorization were implemented in .NET. I’m not a professional hacker, but if two major US banks can trust .NET’s security against professional attackers, then why can’t I?

In this article I’ll explain how simple, yet sturdy, Microsoft has made security implementation in .NET web applications. With a few lines of configuration and hardly any code, you can keep unauthenticated and unauthorized users out of the parts of your web application they are not meant to see. Let’s see how:

Authentication Vs. Authorization:

Before we go ahead and create our example website, it’s worth explaining two buzzwords that you’ll see a lot while implementing web security. What you will not see a lot is people explaining the difference between the two.

Authentication – How the Application Knows Who Is Who:

Authentication is how the application establishes who is trying to access a resource or requesting information from it.

Authorization – How the Application Decides Who Is Allowed In:

Authorization is how the application decides who is allowed to do what: who is granted access to a given resource and who is not. The sequence of the two steps, as you might have guessed, is exactly the order given here. First comes authentication: the application finds out who is making the request, usually through a login/password form (typical of internet websites) or through the user’s Windows account (typical of intranet websites). Only after the application knows who is asking does authorization happen: the application decides whether or not to grant what has been requested.

Creation of Intranet Application with Security:

Now let’s create a web application, assume that it will run as an internal website, and secure it with Windows authentication. For this purpose we’ll use Domain Name\User Name (and Windows group) identities to authorize users to access certain portions of our web application.

Let’s start,

  • Start Microsoft Visual Studio 2005 or later (the <roleManager> element used below requires ASP.NET 2.0, which Visual Studio 2003 does not support).
  • Click Create New Project
  • In New Project dialog box, select Visual C# in Project types panel on left.
  • Select ASP.NET Web Application in the Templates panel on right.
  • Give a decent physical path and name to your project and select OK.

[Screenshot: WebSecurityStartProject]

  • This creates a web application project with a default web form (Default.aspx) in it.
  • Now add two folders at the root of the application, named Manager and Admin; then add one web form in each folder, named ManagerDefault.aspx and AdminDefault.aspx respectively.

After performing above steps your project in the solution explorer should look something like this:

[Screenshot: WebSecuritySolutionExplorer]

Now in the default web form (Default.aspx), make the form tag look like this:

<form id="form1" runat="server">
<div>
Welcome <%=System.Web.HttpContext.Current.User.Identity.Name%>!
<br /><br />
Admins, Click <asp:HyperLink ID="hlAdmin" NavigateUrl="~/Admin/AdminDefault.aspx" runat="server">here</asp:HyperLink>
<br />
Managers, Click <asp:HyperLink ID="hlManager" NavigateUrl="~/Manager/ManagerDefault.aspx" runat="server">here</asp:HyperLink>
</div>
</form>

After that, add the following lines to web.config, inside the <system.web> tag. Windows mode tells ASP.NET to pick up the identity that the web server (IIS, or the Visual Studio development server) has already established; ASP.NET does no authentication of its own in this mode, so under IIS Integrated Windows Authentication must be enabled for the site. The roleManager line exposes the user’s Windows groups as roles, which we’ll use for the Admin folder later:

<authentication mode="Windows"/>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />

and run the application. The page should look something like this:

[Screenshot: WebSecurityWelcome]

Here WIT-WS52 is my computer name and mukarram is the user name of a local account on that machine (for a local account the machine name takes the place of the domain name, so the identity reads WIT-WS52\mukarram). So you see, our web application has already started authenticating; in other words, the website knows who is trying to access it. If the page greets you with an empty name, the web server is not performing Windows authentication and you should check the IIS authentication settings before going further. Now let’s see how we can authorize users, i.e. allow some users to access certain parts and deny access to others. First, let’s prepare the ground.

Let’s write the following lines in the body tag of ManagerDefault.aspx:

<form id="form1" runat="server">
<div>
Welcome <%=System.Web.HttpContext.Current.User.Identity.Name%>!
<br /><br />
This is Manager's page.
<br /><br />
<input type=button value="<- Back " onClick="history.back();">
</div>
</form>

Similarly change AdminDefault.aspx as follows:

<form id="form1" runat="server">
<div>
Welcome <%=System.Web.HttpContext.Current.User.Identity.Name%>!
<br /><br />
This is Admin's page.
<br /><br />
<input type=button value="<- Back " onClick="history.back();">
</div>
</form>

With the above changes our Admin and Manager pages will look something like this, respectively:

[Screenshot: WebSecurityAdmin]

[Screenshot: WebSecurityManager]

Now, these are the authorization rules:

  1. Only users who are logged into a Windows account can access the application
  2. mukarram is the only manager of the application
  3. mukarram is allowed to access Default.aspx at the root and ManagerDefault.aspx in the Manager folder
  4. No other user, not even an Admin, is allowed to access Manager pages
  5. mukarram is not allowed to access any page in the Admin folder
  6. Any member of the Windows group named WebTestAdmins is allowed to access all pages in the Admin folder

Let’s see how we can implement this. Add the following lines to web.config outside the <system.web> tag (line numbers are given for explanation and are not part of the actual code):

01    <location path=".">
        <system.web>
          <authorization>
02          <deny users="?" />
03          <allow users="*" />
          </authorization>
        </system.web>
      </location>

In line 01, path=”.” means the root folder of the application, so the authorization settings in this block apply to the whole application (placing the <authorization> element directly inside the root <system.web>, without a <location> wrapper, has the same effect). In line 02, <deny users=”?” /> denies access to anonymous users, i.e. anyone who has not been authenticated. In line 03, <allow users=”*” /> allows everyone else. The order matters: the * wildcard matches every identity, anonymous users included, and ASP.NET evaluates authorization rules from top to bottom, stopping at the first rule that matches the requesting user. If the allow came first, an anonymous request would match it and never reach the deny. You would not notice that mistake while IIS has anonymous access disabled, because then every request is authenticated before it reaches ASP.NET, but the rule would silently stop protecting anything the moment anonymous access was enabled. With this block we have implemented authorization rule # 1. Now let’s move on to the rules for the Manager folder; add the following lines to web.config right under the block above (again, line numbers are given for explanation and are not part of the actual code):

01    <location path="Manager/ManagerDefault.aspx">
        <system.web>
          <authorization>
02          <allow users="WIT-WS52\mukarram" />
03          <deny users="*" />
          </authorization>
        </system.web>
      </location>

In line 01, I’ve given the path as Folder Name/Page Name, since there is only one page in this folder; it also shows how you can apply security settings at page level. Folder-level settings are coming up shortly. In line 02, I’ve given the user as Domain Name\User Name, since there is only one manager for this application. In line 03, I’ve denied access to all other users, logged in or not (* matches both), thus implementing rules # 2, 3 and 4. A request for Manager/ManagerDefault.aspx is checked against these page-level rules first and against the root block’s rules only after them.

Remember: authorization rules in web.config apply from top to bottom, and the first rule that matches the user wins, so an earlier rule takes precedence over a later one. In the above example we first gave mukarram access to ManagerDefault.aspx (line 02), then denied access to all users of this page (line 03); although mukarram is also matched by *, line 03 never applies to him because line 02 has already granted him access. If we swapped the order of these two lines, mukarram would be denied access to this page.

To deny mukarram access to the Admin folder and to allow the WebTestAdmins group, add the following lines:

01    <location path="Admin">
        <system.web>
          <authorization>
02          <allow roles="WIT-WS52\WebTestAdmins" />
03          <deny users="*" />
          </authorization>
        </system.web>
      </location>

In line 01, I’ve given the folder name to which these settings apply; they cover every page in the Admin folder. In line 02, I’ve given the Windows group whose members are allowed to access any page in this folder; the roles attribute is matched against the user’s Windows group memberships, which is what the AspNetWindowsTokenRoleProvider configured earlier supplies. Line 03 denies all other users. Since I hadn’t yet created the WebTestAdmins group in Windows, after applying these settings all pages opened as before except AdminDefault.aspx, which showed the following:

[Screenshot: WebSecurityAdminDenied]

Of course this error page could be presented in a much friendlier format with a custom error page, along the lines of the central exception handling techniques explained in my article Exception Handling in .NET. Now let’s move on and create a Windows group and add mukarram to it so that he can access the Admin page as well.
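To make the first-match evaluation concrete across all three blocks, here is an added example of my own (not code from the article, and not ASP.NET’s own implementation) that models how ASP.NET’s UrlAuthorizationModule works through the rules: the rules from the most specific <location path> are consulted first, then the root block, then the framework-level default <allow users="*"/>, and the first <allow> or <deny> that matches the requesting user decides. It parses the article’s <location> blocks and checks all six rules above, including why the root block has to deny "?" before it allows "*". WIT-WS52, mukarram and WebTestAdmins are the article’s names; the second administrator "alice" is a constructed name, and the appended default allow is an assumption about ASP.NET’s root web.config.

```python
"""Added example: a model of ASP.NET URL authorization first-match evaluation.
Not the article's code and not ASP.NET's implementation.

Modelled semantics: rules of the most specific <location> first, then the root,
then the framework default <allow users="*"/> (assumption about ASP.NET's root
web.config); "*" matches everyone, anonymous included; "?" matches only
unauthenticated requests; roles match Windows groups; FIRST match decides.
Constructed inputs: the <location> blocks, WIT-WS52, mukarram and WebTestAdmins
are the article's; "alice" is an invented second administrator.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str                       # "" for an anonymous (unauthenticated) request
    roles: frozenset = frozenset()  # Windows groups, written as DOMAIN\Group

    @property
    def authenticated(self) -> bool:
        return self.name != ""


def _matches(rule: ET.Element, user: Principal, verb: str) -> bool:
    """True if this <allow>/<deny> element applies to the user and HTTP verb."""
    verbs = rule.get("verbs")
    if verbs and verb.upper() not in {v.strip().upper() for v in verbs.split(",")}:
        return False
    for u in (rule.get("users") or "").split(","):
        u = u.strip()
        if u == "*":                                  # everyone, anonymous included
            return True
        if u == "?":                                  # only unauthenticated users
            if not user.authenticated:
                return True
        elif u and u.lower() == user.name.lower():    # names compare case-insensitively
            return True
    if user.authenticated:
        groups = {g.lower() for g in user.roles}
        for r in (rule.get("roles") or "").split(","):
            if r.strip() and r.strip().lower() in groups:
                return True
    return False


def effective_rules(config_xml: str, request_path: str) -> list:
    """Rules governing request_path: most specific <location> first, root last,
    followed by the implicit <allow users="*"/> of ASP.NET's root web.config."""
    root = ET.fromstring(config_xml)
    req = request_path.strip("/").lower()
    scored = []
    for loc in root.iter("location"):
        path = (loc.get("path") or "").strip("/").lower()
        is_root = path in ("", ".")                   # the article writes the root as path="."
        if is_root or req == path or req.startswith(path + "/"):
            scored.append((0 if is_root else len(path), loc.findall("./system.web/authorization/*")))
    scored.append((0, root.findall("./system.web/authorization/*")))  # rules put directly in <system.web>
    scored.sort(key=lambda t: -t[0])                  # longest (most specific) path first; stable sort
    merged = [r for _, rules in scored for r in rules]
    merged.append(ET.Element("allow", users="*"))     # framework default (assumption, see docstring)
    return merged


def is_allowed(config_xml: str, request_path: str, user: Principal, verb: str = "GET"):
    """First-match evaluation. Returns (allowed, text of the rule that decided)."""
    for rule in effective_rules(config_xml, request_path):
        if _matches(rule, user, verb):
            attrs = " ".join('%s="%s"' % kv for kv in rule.attrib.items())
            return rule.tag == "allow", "<%s %s/>" % (rule.tag, attrs)
    return True, "no rule matched"    # unreachable: the appended default always matches


ROOT_DENY_FIRST = r'<location path="."><system.web><authorization><deny users="?" /><allow users="*" /></authorization></system.web></location>'
ROOT_ALLOW_FIRST = r'<location path="."><system.web><authorization><allow users="*" /><deny users="?" /></authorization></system.web></location>'
MANAGER_AND_ADMIN = r"""
  <location path="Manager/ManagerDefault.aspx"><system.web><authorization>
      <allow users="WIT-WS52\mukarram" /><deny users="*" />
  </authorization></system.web></location>
  <location path="Admin"><system.web><authorization>
      <allow roles="WIT-WS52\WebTestAdmins" /><deny users="*" />
  </authorization></system.web></location>"""
GOOD_CONFIG = "<configuration>" + ROOT_DENY_FIRST + MANAGER_AND_ADMIN + "</configuration>"
BAD_CONFIG = "<configuration>" + ROOT_ALLOW_FIRST + MANAGER_AND_ADMIN + "</configuration>"

ANONYMOUS = Principal("")
MUKARRAM = Principal(r"WIT-WS52\mukarram")
MUKARRAM_IN_GROUP = Principal(r"WIT-WS52\mukarram", frozenset({r"WIT-WS52\WebTestAdmins"}))
ALICE_ADMIN = Principal(r"WIT-WS52\alice", frozenset({r"WIT-WS52\WebTestAdmins"}))  # constructed user


def demo():
    cases = [
        (BAD_CONFIG, "Default.aspx", ANONYMOUS),                      # allow * first: anonymous gets in
        (GOOD_CONFIG, "Default.aspx", ANONYMOUS),                     # deny ? first: rule 1 holds
        (GOOD_CONFIG, "Default.aspx", MUKARRAM),                      # rule 3
        (GOOD_CONFIG, "Manager/ManagerDefault.aspx", MUKARRAM),       # rules 2 and 3
        (GOOD_CONFIG, "Manager/ManagerDefault.aspx", ALICE_ADMIN),    # rule 4
        (GOOD_CONFIG, "Admin/AdminDefault.aspx", MUKARRAM),           # rule 5
        (GOOD_CONFIG, "Admin/AdminDefault.aspx", MUKARRAM_IN_GROUP),  # rule 6, after joining the group
    ]
    for cfg, path, user in cases:
        ok, why = is_allowed(cfg, path, user)
        print("%-22s %-30s %-5s by %s" % (user.name or "(anonymous)", path, "ALLOW" if ok else "DENY", why))


if __name__ == "__main__":
    demo()
```

Running the script prints one line per case with the rule that decided it; the first line is the one to look at when reviewing a web.config, because an <allow users="*"/> placed above <deny users="?"/> is reported as allowing the anonymous request. The same model is handy for checking a real web.config before deployment: paste the authorization blocks in, list the identities you care about, and confirm each path resolves to the rule you expect.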

Explaining how to create a Windows group and add a user to it is beyond the scope of this article; nonetheless, I’m showing it here for novice programmers who don’t know this and might get stuck at this stage. So let’s start:

  1. Open Control Panel
  2. Double click User Accounts
  3. In User Accounts, select Advanced tab
  4. In Advanced tab, in Advanced user management section, select Advanced button

[Screenshot: WebSecurityControlPanel]

  1. In the Local Users and Groups window, right-click Groups and select New Group
  2. Type the group’s name as WebTestAdmins and a brief, meaningful description
  3. Next, select the Add button and add the user WIT-WS52\mukarram
  4. Select OK and close all windows

[Screenshot: WebSecurityNewGroup]

Now before you run the application, there is one more little thing you need to do:

  1. In Visual Studio, open the Project menu and select the [Project Name] Properties menu item.
  2. In the properties page, select Web in the tab options on the left-hand side
  3. In the Servers section, select Use IIS Web server
  4. Select the Create Virtual Directory button

[Screenshot: WebSecurityProjectProperties1]

Now we are all set to run our application. The reason for the above steps is that the built-in Visual Studio development server runs under your own Windows account and, by default, never challenges the browser for credentials, so behaviour you get under IIS (the login prompt, a fresh logon when group membership changes) does not show up when running from the IDE. For the IIS-hosted site, make sure Integrated Windows Authentication is enabled on the virtual directory. When I ran the application under IIS and selected the Admin link this time, I got this dialog box and subsequently the Admin page:

[Screenshot: WebSecurityAdminLogin]

After entering the user name and password, I got the following screen. The prompt appears because the browser first presented the logon token it already held for mukarram, which was created before he was added to WebTestAdmins; Windows reads group memberships into the token at logon time, so that token was still refused, and typing the credentials explicitly produced a fresh logon whose token includes the new group:

[Screenshot: WebSecurityAdminAccepted]

After that, if you add or remove users from the group, running the application will allow or deny access accordingly. If a change in group membership doesn’t take effect immediately, try restarting the web server. Because group memberships are captured in the logon token and IIS caches those tokens, a user can keep access to a page for a while after being removed from the group (or fail to gain it after being added) until a new logon happens; having the user close the browser and authenticate again, or recycling the web server, forces a fresh token.

So folks, that’s pretty much it: security in a .NET intranet web application is simple yet robust.

1 Comment »

  1. Hi Mukarram,
    Great article. One of the specialties I have noticed in your articles is that you cover each and every task we have to do for building up the project. I really appreciate you.

    Thanks & Regards
    Binto Thomas

    Comment by Binto — November 4, 2009 @ 5:15 am

