Internet applications have large audiences, many potential uses, and varied security requirements. They range from portal applications that require no user authentication, through Web applications that provide content for registered users, to large scale e-commerce applications that require full authentication, authorization, credit card validation, and secure communication of sensitive data over public and internal networks.
As an Internet application developer, you must ensure that your application uses appropriate defense mechanisms while remaining scalable and high performing. Some of the challenges you face include:
Choosing an appropriate user credential store, for example, a custom database or Active Directory® directory service.
Making your application work through firewalls.
Flowing security credentials across the multiple tiers of your application.
Performing authorization.
Ensuring the integrity and privacy of data as it flows across public and internal networks.
Securing your application’s state with a database.
Ensuring the integrity of your application’s data.
Implementing a solution that can scale to potentially huge numbers of users.
The two common Internet application scenarios presented in this chapter, which are used to illustrate the recommended authentication, authorization, and secure communication techniques, are:
ASP.NET to SQL Server
ASP.NET to Remote Enterprise Services to SQL Server
Note: Several scenarios described in this chapter change the password of the default ASPNET account so that duplicate accounts (same user name and password) can be created on remote computers for network authentication purposes. This requires an update to the <processModel> element of Machine.config. <processModel> credentials should not be stored in plain text in Machine.config, where anyone who can read the file can read the password. Instead, use the aspnet_setreg.exe utility to store encrypted credentials in the registry and reference them from Machine.config. For more information, see Chapter 8, "ASP.NET Security," and Microsoft Knowledge Base article Q329290, "HOWTO: Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings."