Learning Windows Server 2003
9.5. Security
Despite the precedent I set earlier in this book, I'm going to discuss security toward the beginning of this chapter, for several reasons:
Code access security is an entirely new concept introduced by the .NET Framework. Traditional security models rely solely on the identification of the user in order to apply the appropriate permissions. .NET supplements this model with another model running in parallel, the code access security model. In code access security, the running code, not the user, is identified using "evidence" of its origin, and permissions are applied depending on that evidence. This is very useful in many scenarios, but perhaps the most evident example is the case of spyware and viruses. In a code access security model, you can limit the functionality available to an application. This can prevent an Internet-based application from modifying the registry, accessing the network, accessing certain files, or performing virtually any action you choose to define. As I mentioned earlier, code is identified based on evidence. Table 9-3 lists different types of evidence that can be exposed.
From the type of evidence exposed, the runtime places the code into one or more code groups. This is done by evaluating the membership condition of each defined code group. An example of a membership condition is Site = http://www.microsoft.com/. The default code groups correspond to zones in Table 9-4.
Each code group is associated with a single permission set, which is, as you might have guessed, a set of permissions. Each permission in the permission set is configured individually. Many different permissions exist, most corresponding to libraries within the .NET Class Library. There are too many permissions to list and describe here, so I recommend firing up the .NET Configuration MMC shown in Figure 9-2. By double-clicking a specific permission in the right pane, you can view the applicable parameters available for that permission and how the permission is configured for that permission set. Figure 9-2. .NET Configuration MMC permission list
This is obviously a lot of information to digest, so I recommend diving into the configuration panel to get some hands-on experience. Also, keep in mind that the information presented is from a system administration perspective. Plus, the developers among us can utilize permissions within code and libraries, which introduces virtually limitless options for further levels of security . 9.5.1. Role-Based Security
.NET also provides a robust model for role-based security. This model relies on first identifying the user and the user's roles. Once the user is identified, access checks are made within the application to determine, based on the roles, whether a user is authorized to use a resource or perform an action. A user is identified using a method of authentication. Three types of authentication are provided within the .NET Framework:
In addition to these authentication types, .NET provides a schema to implement custom authentication schemes, most likely using an organization's existing infrastructure. Once a user is authenticated, authorization comes into play. You can implement authorization in different ways depending on the type of application. Windows applications typically perform authorization checks before a user attempts an action. Web applications often perform authorization checks before a user accesses a URL. The security administration for web applications is much more flexible because of the introduction of security settings into web.config. Windows applications cannot be afforded this flexibility because of the obvious security risk of a user being able to manipulate the settings in the application configuration file. Example 9-2 shows a very simple authentication and authorization scheme defined in web.config. Example 9-2. Simple web application role-based configuration
The authentication element specifies forms authentication, and the forms parameters are defined within. In this case, the users are actually defined within the forms element. Keep in mind this would be practical only for the simplest of cases. Several pitfalls of this approach are as follows:
The authorization section in Example 9-2 reflects the simplicity of the inline user store. The authorization section lists two conditions. The first condition specifies that all anonymous users, abbreviated as ?, are denied. The second condition, which is redundant with the default configuration, specifies that all users are allowed. By the configuration being applied top down, this would disallow anonymous users and allow authenticated users. A more practical, but more system-dependent, web.config is shown in Example 9-3. Example 9-3. Practical web application role-based configuration
This file specifies to use Windows security for authentication. The authorization section has several conditions, all based on roles. As the file is evaluated, first the user is checked to see if he is in the Banned Users group. If so, he is denied access immediately. Next, Windows checks to see if he is either an administrator or a user with a normal account, and he is admitted if either of these is true. Finally, all other users are denied access. Both Examples 9-2 and 9-3 apply security to the entire directory structure in which web.config is located. For more granular security, you can place web.config files in subdirectories to specify different authorization logic. In this case, the authorization checks are merged between all web.config files in the hierarchy with the deepest subdirectory checks being evaluated first.
|