ASP.NET Web Application Security   Designing Secure ASP.NET Applications

---

In this scenario, an administrator is setting up an application on an intranet Web site for posting employee information. However, some of the information is for managers only. The manager information can be posted to a subdirectory of the general employee information, so that access to it can be limited. The scenario also assumes that:

• The administrator is using a Windows NT or Windows 2000 server.
• The hard disk is formatted for NTFS.
• IIS 5.0 is the Web server.
• All employees needing access are using Windows platforms.

The administrator:

1. Creates the files and directories shown in the following figure.

   Files and directories

   

2. Creates a Windows group called Managers that contains all users who should have access to the ManagerInfo.aspx file.
3. Sets up Windows authentication using the IIS administration tool ( window ).
4. Sets the impersonate element in the ASP.NET configuration file to true.
5. Sets the NTFS ACL for the ManagerInformation directory to allow access to only those identities that are in the Windows Manager group. Note that the local system still needs access as well so that the ASP.NET process itself can read the files. Settings in this directory typically resemble the following:
   1. Remove access from the Everyone group, if it has access.
   2. Deny anonymous users.
   3. Add accounts that are to have access privileges.
   4. Give the system account access.

This provides the necessary security without the necessity of writing any code.

ASP.NET Impersonation

Books and more ...

Custom Search

Suggested Reading

Need a break ?