This chapter presents guidance and recommendations that will help you build
secure ASP.NET Web applications. Much of the guidance and many of the
recommendations presented in this chapter also apply to the development of ASP.NET
Web services and .NET Remoting objects hosted by ASP.NET.
ASP.NET Security Architecture
ASP.NET works in conjunction with IIS, the .NET Framework, and the underlying
security services provided by the operating system, to provide a range of
authentication and authorization mechanisms. These are summarized in Figure 8.1 on the next
Figure 8.1 illustrates the authentication and authorization mechanisms provided by
IIS and ASP.NET. When a client issues a Web request, the following sequence of
authentication and authorization events occurs:
1. The HTTP(S) Web request is received from the network. SSL can be used to ensure
the server identity (using server certificates) and, optionally, the client identity.
Note: SSL also provides a secure channel to protect sensitive data passed between client
and server (and vice-versa).
2. IIS authenticates the caller by using Basic, Digest, Integrated (NTLM or
Kerberos), or Certificate authentication. If all or part of your site does not require
authenticated access, IIS can be configured for anonymous authentication. IIS
creates a Windows access token for each authenticated user. If anonymous
authentication is selected, IIS creates an access token for the anonymous Internet
user account (which, by default, is IUSR_MACHINE).
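The following HTTP handler is an added example and is not code from the book; it shows how an ASP.NET application can observe the outcome of the two steps above for a given request: whether SSL and a client certificate were used, which Windows identity IIS established (an authenticated caller or the anonymous IUSR_MACHINE token), and which access token the worker thread is actually executing with. It assumes classic ASP.NET (System.Web) hosted in IIS with `<authentication mode="Windows" />` in web.config; the handler name `WhoAmIHandler` and the `whoami.ashx` path are illustrative choices.

```csharp
// Added example, not from the book: an ASP.NET HTTP handler that reports the
// result of the IIS / ASP.NET authentication steps for the current request.
// Assumes classic ASP.NET (System.Web) hosted in IIS, registered in web.config as
//   <httpHandlers><add verb="GET" path="whoami.ashx" type="WhoAmIHandler" /></httpHandlers>
// with <authentication mode="Windows" /> and, optionally, <identity impersonate="true" />.
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;
        StringBuilder report = new StringBuilder();

        // Step 1: was the request carried over SSL, and did the client present a certificate?
        report.AppendLine("SSL in use:               " + request.IsSecureConnection);
        report.AppendLine("Client certificate sent:  " + request.ClientCertificate.IsPresent);

        // Step 2: the identity IIS established. For anonymous access the token belongs
        // to the anonymous Internet user account (IUSR_MACHINE by default); in that case
        // the ASP.NET principal reports IsAuthenticated == false and an empty Name.
        IIdentity callerIdentity = context.User != null ? context.User.Identity : null;
        if (callerIdentity == null || !callerIdentity.IsAuthenticated)
        {
            report.AppendLine("Caller:                   anonymous (IIS anonymous account token)");
        }
        else
        {
            report.AppendLine("Caller:                   " + callerIdentity.Name);
            // AuthenticationType names the IIS scheme that produced the token (for example NTLM, Negotiate or Basic).
            report.AppendLine("IIS authentication type:  " + callerIdentity.AuthenticationType);
        }

        // The Windows access token the thread is really running with. With
        // <identity impersonate="true" /> this is the caller's (or anonymous) token;
        // without impersonation it is the fixed ASP.NET worker process identity.
        WindowsIdentity threadIdentity = WindowsIdentity.GetCurrent();
        report.AppendLine("Thread runs as:           " + threadIdentity.Name);

        context.Response.ContentType = "text/plain";
        context.Response.Write(report.ToString());
    }
}
```

Requesting `whoami.ashx` once with anonymous access enabled and once with it disabled makes the difference between the two tokens visible, and comparing the "Caller" and "Thread runs as" lines shows whether the application is impersonating the caller or running under the fixed process identity, which is what determines the permissions that downstream resource access is checked against.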
Building Secure ASP.NET Applications
[Figure 8.1 labels: Authenticated caller's access token (or IUSR_MACHINE access token); Fixed Proxy Identity]