ASP.NET, role-based security and SecurityPermission.ControlPrincipal

From: onthelam (onthelam_at_rogers.com)
Date: 09/08/03 

Date: Mon, 8 Sep 2003 14:27:41 -0400

I'm trying to figure out a reasonable security policy for my ASP.NET 1.1
application. One part of the story that has often been overlooked is
securing the authentication chain in ASP.NET forms authentication. Here's a
quick summary of the scenario:

1) SQL server is used to authenticate salted, hashed passwords.
2) There is a trusted connection to SQL server. There is a special account
that is setup for authentication purposes only. It calls a secured stored
procedure that takes the user name and hashed password, and returns a list
of roles that the user belongs to (if authentication is successful, of
course).
3) The code that calls the stored procedure lives in a COM+ serviced
component. The COM+ application is configured to runas the account described
in part 2).
4) The serviced component is called from a trusted assembly in the ASP.NET
web application. It makes two link demands of the trusted assembly: a) that
the account that the trusted assembly is running as is a known ASP.NET
service account (e.g. MACHINE\ASPNET) and b) that the strong name of the
trusted assembly is known.
5) The trusted assembly in the ASP.NET web application is installed into the
GAC. It has a strong name, and asserts that it has
SecurityPermission.ControlPrincipal.
6) The trusted assembly takes the set of roles returned from the call to the
Serviced Component and creates a new Principal that contains the role. It
attaches that Principal object to Thread.CurrentPrincipal.
7) Assemblies or .aspx pages that call the trusted assembly must not have
SecurityPermission.ControlPermission. I created a separate security zone
(based on Medium) that removes this permission. This makes it impossible for
code outside my trusted assembly to change the CurrentPrincipal (and thereby
subject the rest of my application code to luring attacks).
8) I configure the directory that contains .aspx pages to be writeable only
from local administrator accounts.

I think that this scenario is reasonably secure. What worries me, however,
is that I still don't have a tamper-proof chain of transfer for a password
from the user machine through to the authentication in SQL server. For
example, if someone were able to gain write privileges to the virtual
directory, they could replace .aspx dynamically generated code with their
own malicious code that could do any number of things including logging /
replaying captured passwords.

I guess what rankles me is that in V1.1, you can't assign strong names to
dynamically compiled .aspx pages nor can you assign them to their
code-behind assemblies. This makes it very difficult to create a
tamper-proof chain of transfer for the password.

I was hoping that making the .aspx directory writeable only from local admin
accounts would raise the bar high enough. Thoughts?

Another possibility that I've considered is writing the login code as a
custom HTTP Handler, which can have a strong name. This way I can assert a
secure chain all the way back from SQL server (although in a pre-Yukon
world, I can't assert the identity of the code that calls the authentication
sproc; I can only assert the identity of the caller).

Any thoughts, suggestions, criticisms of this approach would be most
welcome.

Thanks,
-John
http://www.iunknown.com

Relevant Pages

  • Re: Basic Authentication fails with Error 401.2 where Integrated s
    ... On the IIS directory security tab, anonymous access is disabled, digest ... authentication is disabled, integrated authentication is disabled and basic ... account created has full permissions for the folder and the file that's in it. ...
    (microsoft.public.inetserver.iis.security)
  • Re: ABN Tape - Found
    ... the previously mentioned work on x9.59 was to use strong authentication ... with account numbers. ... there is a security model called PAIN ...
    (bit.listserv.ibm-main)
  • Re: HTTP 401.3 error: Please help - Urgent.
    ... inability to logon -- when the Security log is full AND you misconfigured ... Is this really WHAT IS CAUSING AUTHENTICATION ... PROBLEMS in my server? ... > Does this have anything to do with the IUSR_Machinename account? ...
    (microsoft.public.inetserver.iis)
  • Re: How to use WindowsPrincipal properly??
    ... > If you want to check if the user is in the local computers security group ... > used by the general public you have to use Basic Authentication of course. ... You can logon a set account ... > WindowsIndentity which is then used to Impersonate. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • RE: Protecting Web Files from Direct Access
    ... built-in security of a kind. ... Forms Authentication automatically redirects users who access pages on your ... I'm trying to figure out how to rewrite an HTML ... page so that it performs the function of the HTML whilst being an ASPX page. ...
    (microsoft.public.dotnet.security)