Internet Security

Application Development Using Visual Basic and .NET
By Robert J. Oberg, Peter Thorsteinson, Dana L. Wyatt
Table of Contents
Chapter 16.  Security


You can use Internet Protocol Security (IPSec) to restrict access to your computer to certain IP addresses. Of course, this works only if you know the IP addresses of your clients. The advantage is that you do not have to change your client application, ASP.NET code, or Web service code to use it. It is impractical for public Web sites or services where you do not know who your clients are.

Internet Information Server

While the focus of this chapter is on .NET security, some knowledge of IIS security is important to have. Since both Web services and ASP.NET use IIS, your IIS settings do affect these aspects of .NET security.

In the previous chapters on ASP.NET and Web services, we have used the default setting of Anonymous access. Anonymous access does not require a user name or password; requests run under a default user account. Anonymous access is useful for public Web sites and services that do their own authentication by asking for a user name and password or by some other means. In such a scenario you could use ASP.NET forms-based authentication: you build forms to collect the user name and password, and then validate them against a configuration file or database.
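As an added example (not code from the book) of the forms-based authentication just described, here is a web.config fragment together with a login-page code-behind that validates the submitted name and password against the configuration file; the page, control and user names are assumptions.

```vb
' Added example (not from the book): ASP.NET forms-based authentication that
' validates a login against the configuration file, as the text describes.
' Assumes a web.config containing (file, user and control names are made up):
'
'   <authentication mode="Forms">
'     <forms name=".BOOKAUTH" loginUrl="Login.aspx" protection="All" timeout="20">
'       <credentials passwordFormat="SHA1">
'         <!-- value produced by HashPasswordForStoringInConfigFile("...", "SHA1") -->
'         <user name="alice" password="PLACEHOLDER_SHA1_HASH_OF_ALICES_PASSWORD" />
'       </credentials>
'     </forms>
'   </authentication>
'   <authorization>
'     <deny users="?" />   <!-- anonymous requests are redirected to Login.aspx -->
'   </authorization>

Imports System
Imports System.Web.UI
Imports System.Web.UI.WebControls
Imports System.Web.Security

' Code-behind for the hypothetical Login.aspx page.
Public Class LoginPage
    Inherits Page

    Protected WithEvents txtUser As TextBox
    Protected WithEvents txtPassword As TextBox
    Protected WithEvents btnLogin As Button
    Protected WithEvents lblMessage As Label

    ' Authenticate hashes the submitted password with the configured
    ' passwordFormat and compares it with the stored value, so the clear-text
    ' password never has to be kept in web.config.
    Private Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) _
            Handles btnLogin.Click
        If FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text) Then
            ' Issue the forms authentication cookie (session-only, not persistent)
            ' and send the user back to the page originally requested.
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, False)
        Else
            ' One message for both unknown user and wrong password, so the
            ' form does not reveal which accounts exist.
            lblMessage.Text = "Invalid user name or password."
        End If
    End Sub
End Class
```

The login form itself still posts the password as clear text, just as Basic authentication does, so the login page should be served over SSL.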

IIS supports the major HTTP authentication schemes; each requires you to configure IIS appropriately. They are listed in Table 16-1. In each of these scenarios IIS authenticates the user if the credentials match an existing user account. Secure Sockets Layer (SSL) is used whenever you need to encrypt the HTTP communication channel. SSL degrades performance, but it remains a very important Internet technology wherever privacy is a major concern. We do not discuss SSL further, since it is not directly relevant to .NET security.

Table 16-1. IIS Authentication Schemes

Basic: User name and password information is effectively sent as plain text. This is standard HTTP authentication and is not secure.

Basic over SSL: Basic authentication, but the communication channel is encrypted so the user name and password are protected.

Digest: Uses hashing to transmit the user name and password. This is not really a secure method, because the hash codes are potentially reversible by way of an exhaustive brute-force attack. [*] Digest authentication was introduced in HTTP 1.1 to replace Basic authentication.

Windows Integrated Security: Traditional Windows security using the NTLM or Kerberos protocols. IIS authenticates if the credentials match a user account. Cannot be used across proxies and firewalls. NTLM is the legacy Windows security protocol.

Certificates over SSL: The client obtains a certificate that is mapped to a user account.

[*] A hash code is produced by applying a hash function to data of arbitrary length. The resulting hash code is a fixed-length fingerprint that is highly characteristic of the original data. A message digest is another name for the result of applying a hash function to a message. Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1) are popular hash algorithms.

You can also adjust access rights to individual files (graphics, data files, etc.) and other resources (e.g., databases) for specific user accounts. For public Web sites and Web services, this approach is not useful because Web clients will not usually have user accounts.

Microsoft has introduced the Passport authentication scheme as a convenience. While ASP.NET does have server-side support for Passport (the System.Web.Security.PassportIdentity class), developer tools to handle the client side of Passport authentication do not yet exist as of this writing. Passport avoids the problem of requiring specific accounts on specific machines, allowing the user to be authenticated by many systems, from any client machine, all with a single password. We will not discuss Passport further, since it is not directly relevant to .NET security.

The security specification for SOAP is being worked on by the W3C. You could create your own custom authentication using SOAP messages. Since XML is transmitted as text, you may want to use SSL to encrypt the messages (especially if you use tags such as <user> and <password>). In general, secure data has to be encrypted when using SOAP.


Application Development Using Visual Basic® and .NET (2002)