Re: server authentication & ASP authentication
From: Aaron Margosis [MS] (aaronmaronline@microsoft.com)
Date: 07/05/02
- Next message: Panagiotis Konstantinidis: "security permissions of roles\users on table rows"
- Previous message: Rob Taylor: "Re: Create Table Permission for Domain Users Group"
- In reply to: Jakub Jablonski: "server authentication & ASP authentication"
- Next in thread: Jakub Jablonski: "Re: server authentication & ASP authentication"
- Reply: Jakub Jablonski: "Re: server authentication & ASP authentication"
From: "Aaron Margosis [MS]" <aaronmaronline@microsoft.com> Date: Fri, 5 Jul 2002 02:52:49 -0400
Is this all intranet? If not, is there a firewall between your web server
and database? Are the web server and DB on the same machine?
My primary inclination would be to use platform authentication across the
board. That is, create Windows accounts for each of the 120 users. Use
Integrated Windows or Basic authentication on the web server (disallow
anonymous access), and Windows authentication to the database. This does a
number of things for you that you would otherwise have to do in code:
* Secure management of credentials. Passwords are hashed, rather than
stored in clear text (the original password cannot be derived from the
hash). The hashes are accessible only to the OS. A user's password can be
changed only by the user or an administrator. It is also easy to enforce
password complexity, password expiration, and account lockout after a
specified number of unsuccessful attempts.
* With Integrated Windows (NTLM or Kerberos), passwords are not transmitted
over the network in the clear. With Basic authentication, add SSL to
achieve the same.
* EVERY entry point to your application and database enforces authentication
and authorization.
* Validation checks are performed correctly every time.
* Subsequent requests in the same user session are correctly associated with
the initial authentication. You don't need to set/get encrypted cookies to
determine who the user is.
With SQL Server, it is easy to map Windows groups to roles. Groups can be
defined locally -- you don't need them to be established at the domain
(although you could do that too).
Embedding passwords in text files on the hard drive is not secure --
especially if the file lives at or under your web application's vroot.
There have been vulnerabilities in the past that allow an attacker's request
for a specific file (e.g., a .asp page) to download the raw file rather than
run it on the server. (In other words, a user could download the asp page
that contains the username/password.)
HTH
-- Aaron
"Jakub Jablonski" <jakubjab@data.pl> wrote in message
news:3D24926D.6080902@data.pl...
> Hello
> I am designing quite a big database, about 50 tables, about 120 users
> divided into about 20 categories with different privileges. Users use the
> database only through the ASP application which gives them access to
> different functions based on their name and category.
>
> My question is: how to design security. I have a few ideas:
>
> a) I create 120 server logins mapped to 120 database users, 20 database
> roles, and send login and password entered by the user directly to the
> SQL Server for authentication. I don't store passwords either in ASP
> scripts or in my custom tables.
>
> b) I create 1 server login, 1 database user and store login and password
> hard-coded in ASP script. I still need to store passwords of my users in
> a table and authenticate them in ASP.
>
> c) I create 1 application role, but I don't see much difference with
> previous solution.
>
> Could someone point out pros & cons of these solutions, or suggest
> something else?
>
>
> Jakub Jablonski
>
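As an added illustration (not part of the original thread) of the approach Aaron recommends for option (a), the following SQL Server 2000-era T-SQL grants Windows groups a login, maps them to database users, and attaches them to one database role per user category so that privileges are granted to roles rather than to 120 individual users. The domain, group, database, role and table names are hypothetical.

```sql
-- Added example: mapping Windows groups to SQL Server database roles.
-- Domain, group, database, role and table names below are hypothetical.
USE Orders
GO

-- 1. Give each Windows group (local or domain) a server login. Members
--    authenticate with NTLM/Kerberos; SQL Server never stores a password.
EXEC sp_grantlogin 'CORPDOMAIN\OrderClerks'
EXEC sp_grantlogin 'CORPDOMAIN\OrderManagers'
GO

-- 2. Map each login to a user in this database.
EXEC sp_grantdbaccess 'CORPDOMAIN\OrderClerks'
EXEC sp_grantdbaccess 'CORPDOMAIN\OrderManagers'
GO

-- 3. One database role per user category (the question mentions about 20).
EXEC sp_addrole 'Clerk'
EXEC sp_addrole 'Manager'
GO

-- 4. Role membership follows Windows group membership, so adding a person
--    to the group is the entire provisioning step: no table edit, no ASP change.
EXEC sp_addrolemember 'Clerk',   'CORPDOMAIN\OrderClerks'
EXEC sp_addrolemember 'Manager', 'CORPDOMAIN\OrderManagers'
GO

-- 5. Grant privileges to roles only, never to individual users.
GRANT SELECT, INSERT                 ON dbo.Orders    TO Clerk
GRANT SELECT                         ON dbo.Customers TO Clerk
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Orders    TO Manager
GRANT SELECT, UPDATE                 ON dbo.Customers TO Manager
-- An explicit DENY overrides any GRANT a user inherits through another role.
DENY DELETE ON dbo.Customers TO Clerk
GO

-- 6. Check from an application session which identity and roles SQL Server
--    actually sees for the caller (1 = member, 0 = not a member).
SELECT SUSER_SNAME()        AS login_name,
       IS_MEMBER('Clerk')   AS is_clerk,
       IS_MEMBER('Manager') AS is_manager
GO
```

The ASP side then opens a trusted connection (for example `Integrated Security=SSPI` in the connection string) so no password appears in any script. Note that with Integrated Windows authentication the caller's credentials do not hop from IIS to a SQL Server on a different machine without Kerberos delegation, which is one reason the reply asks whether the web server and database share a host.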