Thinking Securely

Security is a central aspect of maintaining a Web server computer and creating Web applications. Security experts recommend that you think about security at the beginning of your projects and that you make security an integral part of your Web application design. I hope that the information that I’ve presented throughout the book and in this appendix has helped you understand and anticipate the security issues that you’ll face as you create ASP.NET Web pages.

Appendix B: Deploying Web Matrix Applications

Throughout this book, I’ve been assuming that you’re working entirely on your local computer. You’re developing Web pages and keeping them in a local folder, and I recommended early in the book that you use the Web Matrix Web server to view your pages. In addition, whether you work with MSDE or SQL Server, the database tables you’ve created have also been on your computer.

To make your Web applications available to others, however, you need to publish, or deploy , the applications. As I explained in Chapter 3, you can either host a Web site on your computer, or you can copy your Web pages to a hosting site. Either way, you need to take specific steps to make your Web pages available to others. In this appendix, I’ll explain what you need to host your pages on a local Web site and how to copy pages and data to a hosting site. I’ll begin by discussing a locally hosted Web site.

Deploying Web Pages on a Local Web Site

If you’re using your own computer to host a Web site, you can use the Web pages you created in this book unchanged. However, you need to configure Internet Information Services (IIS) so that it can find your pages. You also need to make sure that your Web application can access MSDE or SQL Server properly.

Important

Remember that if you’re using your computer to host a Web site, you must take appropriate security precautions to protect your computer from malicious users. See Appendix A for details.

Configuring IIS for a Local Web Site

When you use your computer to host a Web site, you must use IIS as your Web server. The Web Matrix Web server that you’ve probably been using won’t accept Web page requests from outside of your computer, so you can’t use it to host Web pages publicly . IIS must also be able to find your Web pages when users make a request to your Web site. In this book, I recommended that you keep your Web pages in a folder such as C:\WebMatrix. By default, IIS can find Web pages only when they are in the root path of the Web server, typically C:\inetpub\wwwroot, or in a subdirectory under the Web server root. You therefore have two choices. The first choice is to create a subdirectory under C:\inetpub\ wwwroot and copy the entire C:\WebMatrix folder and its subfolders to the subdirectory. The second choice is to configure IIS to find your files by creating a virtual root , or alias, so that IIS knows where your files are located.

Note

Don’t forget to configure your firewall to accept requests on port 80. Refer to the documentation for your firewall for instructions on how to configure it.

If you copy all your files to a subdirectory under C:\inetpub\wwwroot, you’ll need to edit the files in that subdirectory when you want to make changes. In other words, you won’t maintain files in C:\WebMatrix any more. If you create a virtual root in IIS, on the other hand, you can continue to edit files in the C:\WebMatrix folder, because IIS will read the pages from that folder. The choice is up to you. If you’ll be working with other IIS applications, you might find it convenient to keep all your Web applications under the same wwwroot folder. From a security perspective, you’re better off keeping your Web pages under the root of the Web server rather than in a folder such as C:\WebMatrix.

If you want to keep your Web pages under the Web server root folder, use Windows Explorer to create a folder under C:\inetpub\wwwroot. You can name the folder anything you like—that is, you don’t need to name it WebMatrix— but don’t include any spaces in the folder name. When users request pages from your Web site, they’ll use the folder name as the name of the application. For example, if you create a folder C:\inetpub\wwwroot\yourapplication, users will use a URL to navigate to your Guestbook.aspx page: http:// 10.231.40.54/yourapplication/Guestbook.aspx , but of course using the appropriate IP address or domain name instead of 10.231.40.54.

If you want to leave your pages in C:\WebMatrix and create a virtual root, you can do so in two ways. The easy way is to have Web Matrix create the virtual root for you. Close Web Matrix if it’s open, and then reopen it. Open any page that you’ve created and then run it. Web Matrix displays the Start Web Application dialog box. Instead of accepting the default choice of Use ASP.NET Web Matrix Server, select Use Or Create An IIS Virtual Root and then enter the application (alias) name, as shown in Figure B-1.

click to expand
Figure B-1: Creating an IIS virtual root using the Start Web Application dialog box.

When you click the Start button, Web Matrix creates an IIS virtual root with the name you specify. Alternatively, you can manually create a virtual root using the IIS management tools.

Create a virtual root using IIS tools

In the Windows Control Panel, open Administrative Tools and then open Internet Information Services.
Open the node for your computer.
Right-click the Default Web Site node, choose New, and then choose Virtual Directory. IIS opens the Virtual Directory Creation Wizard.
Assign an application name (alias) to the virtual root, and then specify where IIS should look for your pages—probably in C:\WebMatrix.
Select Read and Run Scripts access permissions. For security reasons, don’t select any additional access permissions.
Click Finish to create the new virtual root.

No matter which way you’ve created the virtual root, test it after you’ve finished creating it. Open your browser and type a URL like the following: http://localhost/ virtualroot /Guestbook.aspx , where virtualroot is the name you’ve assigned to the virtual root. If the page appears, IIS has recognized the virtual root name.

Configuring Database Access for a Local Web Site

When you connected to a database in Web Matrix (whether MSDE or SQL Server), you probably used Windows Authentication. When you ran Web pages, the pages connected to the database under your Windows account name. However, when pages run under IIS, they don’t run under your account name; instead, the pages run under the ASPNET account, as I explained in Appendix A. As a result, by default, when pages run under IIS, your pages have a problem: they can’t connect to the database because the MSDE or SQL Server isn’t configured to allow access to the ASPNET account.

The solution is to configure MSDE or SQL Server to allow access to the ASPNET account. If you’re working with SQL Server, you can use the SQL administrative tools to set permissions. Refer to the SQL Server Books Online that comes with SQL Server for information on setting user permissions if you need help. MSDE doesn’t include any graphical administrative tools. However, you can use a command-line utility named osql to allow the ASPNET account to access MSDE. Open a command window and enter the following commands:

osql -E -S

MSDEinstance

-Q "sp_grantlogin ’

computer

\ASPNET’ osql -E -S

MSDEinstance

-d WebMatrix -Q "sp_grantdbaccess ’

computer

\ASPNET’ osql -E -S

MSDEinstance

-d WebMatrix -Q "sp_addrolemember ’db_owner’, ’

computer

\ASP NET’"

You need to substitute appropriate values for MSDEinstance and computer . The value for MSDEinstance is the instance name of MSDE on your computer. The value of computer is your computer ID, which you can find by right-clicking My Computer on the desktop and looking at the Computer Name tab. The value of computer is your full computer name, not including any domain information. For example, if your computer is named family-1 and you connect to MSDE using the instance name localhost , the first osql command looks like this:

osql -E -S

localhost



-Q "sp_grantlogin

’family- 1

\ASPNET’"

Execute all three of the commands that I listed earlier, in order. The three commands allow the ASPNET user to log in to MSDE; give the ASPNET user access to the WebMatrix database you’ve been using; and grant owner privileges to the ASPNET user for the WebMatrix database, meaning the user can perform tasks such as creating new tables. The command syntax is fussy, so make sure you enter all the capitalization and quotation marks correctly. After you’ve run the three commands successfully, the ASPNET user account on your computer will be able to access MSDE.