I have my intranet set up on our web server. It contains multiple
applications, but none are set up in the default application pools. In
other words, I create a webform and plop it into a directory on the web
server. My question revolves around security models for the
applications. I have been rethinking my current security strategy,
which is basically as follows:
    ' Runs in Page_Load: allow two named accounts, deny everyone else
    Dim strUser As String = UCase(User.Identity.Name)
    Dim boolAccess As Boolean = False
    If strUser = "DOMAIN\USERNAME1" Or strUser = "DOMAIN\USERNAME3" Then
        boolAccess = True
    End If
    If boolAccess = False Then
        Response.Write(strUser & " - You are not authorized to access this area.")
        Response.End()
    End If
This validates the user on the page load event. The only problem with
this is now I have about 50+ web forms and managing this is getting to
be an issue, not to mention if someone new needs access to the webform,
someone (me) has to go into the code and add them. This isn't
(obviously) an ideal situation, as I would like to make it so the sys
admin can add/remove users/roles from a webform. Here is what I have
contrived in my puny head about my options:
1. Create (application) roles in AD, then use this code to restrict
access in each of the webforms that need it:
    string strUser = User.Identity.Name.ToUpper();
    // Check membership of an AD group (the "role") instead of a user name
    bool boolAccess = User.IsInRole("DOMAIN\\RoleName");
    if (!boolAccess) {
        // Deny access
        Response.Write(strUser + " - You are not authorized to access this area.");
        Response.End();
        return;
    }
    // Allow access: continue with the normal page load
2. Set the permissions (AD role based) on the files in IIS (I think
this is called file authorization)
There are a couple of others such as URL Authorization & .NET Roles, of
which I know little. Option 1 above has the problem of still requiring
manipulating code if roles need adding or removing, so I don't much
like this option except for very specific functions. Option 2 seems
like the best for controlling access to an entire webform from a
non-developer admin point. The other two options I need some educating
on.
Our intranet uses Integrated Windows Authentication with anonymous
access turned off. I don't foresee ever needing to allow
non-authenticated users access to this site.
I have downloaded information on asp.net security, but there is a
mountain of information to wade through. I was hoping someone could
give me some pointers on implementing a simple security model and maybe
share some experiences they've had. Some of this is driven by
compliance with Sarbanes-Oxley.
Any help is appreciated.
You can use forms authentication with Active Directory, then you won't
have to worry about anything: http://msdn.microsoft.com/library/de...l/secmod16.asp
hth
-ashish
Stephen,
Because your existing intranet uses Windows Integrated security you are
already on the right track. ALWAYS resist the temptation to apply any kind of
security to a specific user; create a role and validate membership within the
role to secure the item. Typically I find myself doing a lot of role checking
in the presentation tier. For instance, I have an application that everyone in
the organization uses, but some users only get to read, others get to update,
others get to audit, and so on depending on role membership. When you start
authenticating users to the database using Integrated Security you'll run
into the limitations of NTLM and you'll have to use Kerberos; ultimately this
is what your DBAs will want because it shifts the user management piece to
the network administrators. I will post more later; I have an urgent task that
just came up...
I happen to be the DBA too. One of many jobs I have here :).
I agree with you. The only problem I can see is the number of
potential roles getting out of hand. After doing some reading I am
looking into a solution using web.config files and roles. I will check
back and see what else you have to say.
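As an added example (not code from anyone in this thread) of the web.config-and-roles approach Stephen says he is looking into: ASP.NET URL authorization under Integrated Windows Authentication, where the roles are AD groups, so the sys admin grants or revokes access by changing group membership rather than by editing page code. The folder and group names are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example: ASP.NET URL authorization with Windows auth.
     With authentication mode="Windows", the roles named below are
     Windows/AD groups. Folder and group names are placeholders,
     not values from the thread. -->
<configuration>
  <system.web>
    <!-- IIS (anonymous access off) has already authenticated the caller. -->
    <authentication mode="Windows" />
    <!-- Site-wide default: deny anonymous ("?"), allow any authenticated user ("*"). -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Restrict a whole folder of webforms to one AD group. Rules are
       evaluated top to bottom and the first match wins, so the
       catch-all deny goes last. -->
  <location path="Finance">
    <system.web>
      <authorization>
        <allow roles="DOMAIN\Intranet-Finance" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Tighter rule for a single form inside that folder: only the
       approvers group; other Finance users are denied here. -->
  <location path="Finance/Approve.aspx">
    <system.web>
      <authorization>
        <allow roles="DOMAIN\Intranet-Finance-Approvers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

URL authorization only covers requests that IIS hands to ASP.NET (.aspx and the other mapped extensions); static files in the same folders still rely on the IIS/NTFS ACLs that Stephen's option 2 (file authorization) describes.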
Hi Stephen,
Just one thing I'd like to add: IIS is already authenticating clients
against AD. They have access by virtue of being logged into the domain and
the ACL permissions on the web server, so there's no sense in having them
authenticate again using a forms authentication scenario.
I was under the impression that forms auth was meant primarily for
anonymous access.
I didn't realize the breadth of security issues and methodologies
surrounding web applications. I downloaded a 600+ page document that
covered asp.net security alone.
> I was under the impression that forms auth was meant primarily for anonymous access.
If you wanted anonymous access then you'd not use any authentication at all.
Forms is for authenticating users when you have your own username/password
store for such things. Typically it's used when your users are not Windows/domain
users.
-Brock
DevelopMentor http://staff.develop.com/ballen
That makes sense, anonymous is anonymous. I thought it had something
to do with AD non-authenticated users.
Thanks.