By default, most Web sites allow anonymous access. That is, anyone with an Internet connection can come along and view the pages on your site. Users don't need to be authenticated or have their identity validated; they can access any file the Web server is willing to serve. Imagine that you run a site in which members have to pay a subscription fee to view the content, perhaps an insider stock-picking service. Without some form of security, anyone could view the pages where you post your expert stock tips. That would be horrible for your business: why should users pay for access when they don't need to? Web security is designed to restrict access to certain files to only a certain group of users.
Let's say you work at a top-secret government agency. Anyone is allowed in the lobby of the building, but only people with the proper authorization can move past the lobby. Every time you need to open a door in the secret complex, you need to provide proper authorization again by submitting to a retinal scan.
This process demonstrates the basics of a Web security transaction. The first step is authentication, which is the process of identifying the user who's requesting the information. The user is identified by his credentials, which can come in many forms (most commonly a username and password). Authentication ensures that a person is who he says he is. If the security system cannot identify the user based on his credentials, authentication fails and the unknown user is denied access. If the credentials are valid, the user is allowed into the system and is given a valid, known identity.
Once a user is given an identity, the system determines which resources he has access to. This process is known as authorization. In the secret government-complex scenario, for example, you must be authorized to enter certain doors. The system authorizes you depending on the permissions assigned to your identity. You might be allowed through some doors but not others. On the Web, certain users may have access to certain files while other users have access to different ones.
The last step is impersonation. Imagine the security system of the government building as the guardian of the complex. It has access to every room in the building and can open any door it chooses, easily bypassing the retinal scans. Now imagine that a clever spy breaks into the security system. That spy now has access to every room, and all of the guardian's power works against the building instead of for it.
As an additional security measure, the designers of the security system added an impersonation feature. When a person tries to enter the building or access the computers, the guardian impersonates that person, thereby restricting its own access privileges to what that person is allowed to do. In other words, the guardian willingly gives up its own power so that attackers can't use it. It is similar to a general in the army taking a magical pill to make himself forget top-secret files, in case an enemy captures and interrogates him. In ASP.NET terms, the worker process normally runs under its own account; with impersonation turned on, it processes each request using the security context of the authenticated caller (or of the anonymous account for anonymous requests), so a flaw in a page can do no more than that caller could. This concept is a bit abstract, but it will make more sense as you apply it to ASP.NET pages. Figure 21.1 illustrates the process a user goes through to gain access to a secure resource.
Figure 21.1. The typical security protocol.
Essentially, security in ASP.NET is implemented with two different methods. You can let IIS authenticate credentials against the operating system's own user accounts and then authorize the resulting Windows identity, or you can have ASP.NET validate credentials itself against a list you control (user names and password hashes stored in web.config, or a database) and authorize based on that. The first method requires very little coding or modification to your ASP.NET pages, but it provides less control over authentication. The second, inversely, requires more coding, but gives more flexibility. We'll discuss these methods in the security sections later today.
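To make the two methods concrete, here is an added web.config example (it is not from the chapter; the directory name, user name, cookie name and the SHA1 hash, which is the hash of the word "password", are constructed for illustration). It maps the three steps above onto the configuration elements ASP.NET uses for them: authentication, authorization and impersonation. Only one authentication element may be active at a time, so the Forms variant is shown commented out.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the chapter's own configuration.
     Site layout assumed: the root is public, the "tips" subdirectory is members-only. -->
<configuration>
  <system.web>

    <!-- Method 1: IIS authenticates against Windows accounts. ASP.NET simply
         reads the identity IIS hands it; no login page is needed. -->
    <authentication mode="Windows" />

    <!-- Method 2: ASP.NET authenticates on its own. Credentials live in
         web.config here (a database works the same way with a little code).
         passwordFormat="SHA1" stores a hash, never the clear-text password.
         protection="All" both encrypts and signs the authentication cookie.
         Remove the Windows element above and uncomment this block to use it.
    <authentication mode="Forms">
      <forms name=".TIPSAUTH" loginUrl="login.aspx" protection="All" timeout="30">
        <credentials passwordFormat="SHA1">
          <user name="alice" password="5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8" />
        </credentials>
      </forms>
    </authentication>
    -->

    <!-- Impersonation: handle each request under the caller's own Windows
         token (IUSR_MachineName for anonymous requests) rather than under the
         worker process account. Meaningful only with Windows authentication. -->
    <identity impersonate="true" />

    <!-- The site root stays open: "*" means everyone, including anonymous. -->
    <authorization>
      <allow users="*" />
    </authorization>

  </system.web>

  <!-- Per-directory override. Rules are evaluated top to bottom and the first
       match wins, so the anonymous user ("?") must be denied before "*" is allowed;
       reversing the two lines would let everyone in. -->
  <location path="tips">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A quick check of the rule order is worth doing on any site: request a file under the protected directory without logging in and confirm you are redirected (Forms) or challenged (Windows) rather than served the page.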
Security in Windows
The Windows operating system supports role-based security. A role defines a type of identity: a set of users who share the same permissions. For instance, if you're in charge of maintaining a computer system and installing hardware and software, you're in the administrator's role. If someone simply wants to type a term paper or browse the Internet, she's in the guest role (that is, a guest to the computer's resources). Roles define how much control someone has over the computer and which permissions are available.
Typically, roles have several identities associated with them. You could have several people maintaining your computer, which could mean that there are several administrators. Chances are that you're also in an administrative role. In Windows, these identities are known as users, and roles are implemented as groups that users belong to.
Let's take a look at the users available on your computer. In Windows 2000, select Start, Settings, Control Panel, Users and Passwords. You should see a window similar to Figure 21.2.
Figure 21.2. A list of users and groups in Windows.
In the User Name column, you see various users who can log on to your computer. There are probably a few in there that you didn't know about! The Group column lists the roles that each user belongs to.
One common and easy-to-implement security measure is to disable, rather than delete, the accounts listed in Figure 21.2 that you don't recognize, so that nobody can log on with them. A disabled account can be re-enabled if something stops working, whereas a deleted one takes its permissions with it. Be careful not to touch your own identity or the system's, and leave the accounts IIS and ASP.NET need, such as IUSR_MachineName and IWAM_MachineName, in place.
Scroll down until you see the IUSR_MachineName user. This is the identity under which IIS handles requests from clients that have not authenticated, that is, anonymous access to your Web server. The account does have a password, but IIS stores it and logs the account on itself, so the client never supplies credentials. Because effectively anyone on the Internet runs as this account, the permissions granted to it are very minimal by default: it is a member of the Guests group.
Note that you can't set any permissions here. You'll look at how to accomplish that later today in "Authorization."