Lesson 1: Authenticating and Authorizing Users
The purpose of this lesson is to provide basic security concepts and implementation guidance for ASP.NET Web applications running on IIS 5.x and earlier. This lesson introduces the concepts of authentication, authorization, impersonation and anonymous access.
- "ASP.NET Web applications provide anonymous access to resources by impersonation."
IIS represents anonymous users with the local Windows account IUSR_machinename (IUSR_ followed by the server's name). When impersonation is enabled, a request that arrives without credentials runs under that account, so the NTFS permissions granted to IUSR_machinename are exactly what an anonymous visitor can do on the server. The account should belong only to a security group with reduced privileges (it is a member of Guests by default) and should never be added to Administrators or given write access to the application's files.
- "Under the default settings, ASP.NET uses the ASPNET account to run the Web application."
When impersonation is not enabled, all code in the Web application, for anonymous and authenticated callers alike, runs as the ASPNET account, the identity of the ASP.NET worker process; its NTFS permissions are the ones that matter. ASPNET is a limited local account, but its privileges are not the same as those of IUSR_machinename, and they are far lower than those of an authenticated administrator, so the two settings yield different effective permissions. When impersonation is enabled, each request instead runs as the caller's Windows account (IUSR_machinename for anonymous callers, the authenticated user's account otherwise), so access control is spread across multiple Windows accounts and must be managed on each of them.
- "You restrict the access of anonymous users by setting Windows file permissions."
This design requires an NTFS file system, since FAT volumes carry no file permissions at all. Custom error pages that catch the resulting access-denied responses are optional, but they keep the server from revealing paths or stack traces to the caller when a permission check fails.
- "There are three major ways to authenticate and authorize users..."
The three modes are Windows authentication, Forms authentication and Passport authentication, selected by the mode attribute of the authentication element in Web.config. Passport stands apart from the other two as Microsoft's "single sign-on" service: as of the publication of this lesson it requires the Passport SDK and redirects the user to a Microsoft Web site to log in, whereas Windows and Forms authentication are handled entirely on your own server. All three are implemented by classes in the System.Web.Security namespace.
- "If you want to authenticate users who access HTML pages from within your Web application using Windows, Forms, or Passport authentication modes, you must map those files to the ASP.NET executable."
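The settings this lesson describes, collected into one Web.config for an ASP.NET 1.x application on IIS 5.x. This is an added example, not part of the original lesson; the group name WebReaders, the machine name MACHINE, and the file names secure.htm, error.htm and denied.htm are assumptions. The weak default for impersonation is shown in the comment beside the hardened setting.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Example Web.config (added here, not from the lesson).
     Assumes a local group MACHINE\WebReaders and the files secure.htm,
     error.htm and denied.htm exist; all are hypothetical names. -->
<configuration>
  <system.web>
    <!-- Windows authentication: IIS authenticates the caller, or hands the
         request through as IUSR_machinename when anonymous access is on.
         Forms or Passport would go here instead as mode="Forms" / "Passport". -->
    <authentication mode="Windows" />

    <!-- Weak (default) setting: <identity impersonate="false" />
         Every request, anonymous or authenticated, touches files as the
         ASPNET process account, so NTFS ACLs cannot tell callers apart.
         Hardened setting below: requests run as the caller's Windows
         account (IUSR_machinename for anonymous callers), so the NTFS
         permissions on each file decide who can read it. -->
    <identity impersonate="true" />

    <!-- URL authorization, evaluated before the page handler runs.
         "?" means the anonymous identity, "*" means everyone. Rules are
         checked top down and the first match wins, so deny anonymous
         first, then allow the intended group, then deny the rest. -->
    <authorization>
      <deny users="?" />
      <allow roles="MACHINE\WebReaders" />
      <deny users="*" />
    </authorization>

    <!-- Optional: custom error pages so an access-denied or other failure
         does not leak paths or stack traces to remote callers. -->
    <customErrors mode="RemoteOnly" defaultRedirect="error.htm">
      <error statusCode="401" redirect="denied.htm" />
      <error statusCode="403" redirect="denied.htm" />
    </customErrors>
  </system.web>

  <!-- Per-file rule for a static HTML page. This only takes effect if
       *.htm has been mapped to aspnet_isapi.dll in the IIS application
       mappings; otherwise IIS serves the file itself and ASP.NET never
       sees the request, so this rule is silently bypassed. -->
  <location path="secure.htm">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With impersonation on, remember that the authorization element decides whether ASP.NET will run the request at all, while the NTFS ACL on the file decides whether the impersonated account can actually read it; a user can pass the first check and still receive an access-denied error from the second, which is why both the group membership and the file permissions have to be set together.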