PortSight SecureAccess 2.3 Training for developers and system administrators October 18th, 2005
Agenda • Introduction • Features in Detail • System Installation and Maintenance • Securing Your Applications
What is SecureAccess? • Microsoft .NET component for enterprise solution developers that allows them to secure and personalize: • ASP.NET applications and Web content • Web Services • WinForm applications • You can easily check user names and passwords, control access rights and track user activities. • It can be integrated with legacy user databases and with Active Directory.
Benefits (1) PortSight Secure Access doesn’t replace the .NET Framework or Windows security, but it extends it and makes its management and use easier. • Offers a comprehensive set of security mechanisms including user roles, permissions, auditing and delegation of administration. • Reuse Existing User Profiles • Start Immediately with Short Learning Curve
Benefits (2) • Supports both Forms and Windows authentication. • Enable Self-Service and Save on Support • Reduce Your Development Time • Keep the Identities Manageable • User Management You Already Know • Organizational Units and Nested Groups
Benefits (3) • Unlimited Number of Users and Applications • Better Insight with Permission Matrix • Easier Management with Delegation • User Preferences without Cookies • User Activity Auditing • Import from External Directories (AD, ODBC) • Functionality Exposed through Web Services • Multi-Tier Architecture for Better Scalability
What’s new in SE 2.3? • Active Directory, Windows NT domain and ODBC integration • Enhanced support for securing Web Services • Authentication and authorization Web Service • The Application Configuration Wizard • Added support for Web Farms. • Permission types can be inherited from application to application parts. • Extended the Developer's Guide • Fixed bugs
Secure Access Editions • Standard • Enterprise • Includes import from external data sources. • Community • For Free! • Intended to be used for smaller projects. • It's limited to 100 user accounts. • Doesn't support organizational units and permissions
User Management • PortSight Secure Access includes a comfortable web-based user management interface. • It allows you to manage user accounts, set users' properties and passwords, and organize users into (nested) groups, OUs and roles. • Storing user information, including job position, contact and shipping address, etc. • Storing an unlimited number of user preferences, such as preferred language, colors, layout, etc. • The concepts are very similar to those from Microsoft Windows.
Membership in Groups and OUs • A user can be a member of any number of user groups, organizational units and roles. • Groups, units and roles can be nested. • Organizational units are used to describe the hierarchical structure of your organization. • You can easily check a user's membership in groups and units.
Management of Applications • Applications represent the real applications you wish to secure with Secure Access • You can use these "virtual applications" to specify roles and permissions for accessing them and then check these permissions from within your application code • Each application can be split into several application parts (modules) that allow you to define permissions with higher granularity • The list of your web applications is also stored in the PortSight Secure Access catalog.
Role-Based security • Each application can have several associated user roles defined – e.g. “Editor”, “Chief-Editor”, “Designer” and “Administrator”. • You can assign users, groups or organizational units to a particular role. • You can later check in your application code if the current user is in the specified role.
Resource-Based Security (Permission Matrix) • Permission types represent rights you grant to users - e.g. "create", "approve" or "delete". • The permissions are defined on the application or application part level • For example you may define application parts News, Articles and Links section for a Web Portal application and define permissions for each of them, e.g. Read, Edit and Approve. • Now you simply grant these permissions for a particular application or its part in the Permission Matrix; permissions can be granted to any operator (users, user groups, organizational units or roles) • You can later check in your application code if the current user has the requested permission granted.
Securing Web Content • SA allows you to control access to the content of your Web site, such as media files, documents, files for download and others. • It allows you to check user’s name, membership or permissions and decide if the user is allowed to open the document. • You can specify the content using wild cards, such as “/images/*.jpg”.
Auditing • PortSight Secure Access allows you to log user actions in its auditing log. • The log contains information about the user who performed the action and the accessed resource, which gives you a good overview of possible attacks, attempts to access restricted zones as well as changes made to your data. • You can also store your own custom information about the event, such as information about the data being accessed or changed.
Delegation • Group admin (OU admin, App admin for roles and permissions) can delegate management of members of particular group, role or OU, as well as management of permissions for particular applications to other users. • These privileged users can then view the objects they are responsible for and modify their members (or permissions in case of application parts and applications). • They are not allowed to modify their properties, create new ones or delete existing ones.
Storing User Preferences • Store user preferences (e.g. theme, culture) in the database instead of cookies. • You can define any number of preferences. • Each object, such as user, group, OU, application, application part, role or directory port can have an unlimited number of properties defined in their settings sections. • If you need to define a new or modify an existing property, expand the Custom Properties item in the main menu. • Access to custom properties is generally slower than to custom fields.
System Requirements • Deployment • Windows 2000, XP or 2003 Server • .NET Framework 1.0 or 1.1 • IIS 5.0+ • SQL Server 2000 or MSDE configured for "Mixed Mode Security” • MDAC 2.6+ • Internet Explorer 6.0+ • Development • Microsoft Visual Studio .NET 2002 or 2003
Installing and Setting up • Run the installer on your Web server. • Secure Access installation wizard will guide you through the installation process. • After installing Secure Access it is necessary to create a new PortSight Secure Access catalog (user database) and deploy the administration interface.
System Backup and Recovery • All system data are stored in the SQL Server database. • Use standard tools to regularly back up your Secure Access database. • Back up the settings of the administration application user interface: • C:\Inetpub\wwwroot\SecureAccess\Web.config • C:\Program Files\PortSight Secure Access\2.3\Catalog Manager\Catalogs.xml • C:\inetpub\wwwroot\SecureAccess\Photos The paths may be different.
Catalog Manager tool • Use this tool for managing SA Catalogs: • creating a new catalog • registering an existing catalog • unregistering a catalog • modifying catalog properties • opening the Web-based user interface of the catalog using IE • configuring your ASP.NET application to integrate with SA • importing users, groups and OUs from various data sources (e.g. Active Directory, ODBC, …)
Creating a New User Catalog (1) • Use Catalog Manager for creating a new catalog or registering an existing catalog before you start using Secure Access. • A Secure Access catalog consists of a database and a Web-based administrative user interface. • One instance of the Web-based administrative user interface can manage only one catalog (database).
Creating a New User Catalog (2) • The New Catalog Wizard will guide you through the entire process of creating a new catalog. • During this process it is necessary to specify • the SQL Server where the catalog will be stored • the database name • whether you want to deploy the user interface • the catalog ID that will uniquely identify this instance of the SA catalog among other catalogs • It's highly recommended that you change the default administrator's password immediately after creating the new catalog.
Import Users, Groups and OUs (1) • This feature is only available in the Enterprise Edition. • Use Catalog Manager for managing the import. • You can import users, groups and OUs from various data sources: LDAP, Windows domain and ODBC-enabled databases. • You can also combine information from several data sources into one SA catalog. • The Directory Port Wizard will guide you through the entire process of setting up the import parameters.
Import Users, Groups and OUs (2) • Use the Directory Port Wizard to: • map source fields to the SA fields • choose objects to be imported or filter out objects not to be imported • specify whether the objects should be imported including their membership • specify whether the import should be started manually or periodically • You can use the support for ODBC data sources to import objects from any application. You only need to prepare the input data in a certain format.
Import Users, Groups and OUs (3) Mapping properties between source/target objects: • The target field you map to AR_ObjectGUID must be used by only one directory port. • The target fields may only be of string type. • The provider doesn't consider whether the imported account is disabled or not in this version. • There are the following default source fields: • AR_ObjectGUID - a unique identifier • AR_Login - login name of the imported user • AR_ObjectAlias - a unique property • AR_ObjectName – an object name (full name)
Using Windows Authentication • After you deploy the SA Web user interface it uses Forms authentication by default. • When switched to Windows authentication, it compares the NT login name of the current user with the SA user name, e.g. CZ\PetrPi • In the Web.config replace the whole authentication section with the following text: <authentication mode="Windows" /> • Launch the IIS console and for the SA Web user interface disable Anonymous access, Digest authentication and Basic authentication, and enable Integrated Windows authentication.
Securing Secure Access • Secure Access Catalog Manager stores the passwords you enter within the encrypted XML file catalogs.xml that contains information about registered catalogs. Since the encryption mechanism is not very strong, you should allow only administrators to access this file. • SA Catalog Manager distributes the passwords (database connection string) into Web.config files in non-encrypted form, which is the common way most developers are used to. Thus, you should allow only administrators and developers to access this file.
Installing SA on a Web Farm • PortSight Secure Access 2.3 was tested with Microsoft Application Center 2000 SP1 • Set up the Microsoft Application Center. • Install the Secure Access user interface on the cluster in the Web Farm using the Catalog Manager. • You must use either StateServer or SQLServer session mode, not InProc session mode. See the ASP.NET documentation for more details. • Make sure that the web.config (or machine.config) file of the Secure Access user interface or of your application contains the same machine key on all computers in the Web farm.
Administration Web Interface • Secure Access is delivered with a Web-based administration console for managing objects and permissions, i.e. users, groups, OUs and secured applications. • This console is shipped with full source code, so it can be easily customized and integrated, and its parts reused in target applications.
Application Configuration Wizard • Catalog Manager includes a wizard that helps developers integrate Secure Access with their WebForm solutions • Supports both C# and VB.NET projects • Windows and Forms authentication • Modifies the following files for you: • IIS Settings • Global.asax • Web.config • Project file • Adds Secure Access User Controls to the project
Secure Access usage scenarios (1) • Authentication allows you to restrict access to your application to authenticated users only. The users have to provide their login name and password. PortSight Secure Access provides two ways of authentication: • Forms authentication - the user must enter a login name and password • Windows authentication - the user must be logged in to a domain • You can also protect only a particular part of your application.
Secure Access usage scenarios (2) • You may use Secure Access for • Authentication – verifying the user’s identity, usually by providing a user name and password • Authorization – checking the user’s roles and access rights • Auditing - storing user actions in its auditing log • Storing user settings – store any number of settings, such as preferred culture, colors and default values, within the user’s or group’s profile
Authentication • You may explicitly verify the user’s identity by checking the provided user credentials against the Secure Access database. [VB.NET] authenticationResult = arCN.Authenticate("JohnF", "p&ss2vord")
Authorization – Role based security • Roles represent typical users – e.g. Administrator, Editor, Manager. You can define any number of roles for your application and assign users to these roles. Then you can simply check in your code if the current user is allowed to use your application. [VB.NET] If ARHelper.IsInRole("JohnD", "Reports.Manager") Then ...
Authorization – Permissions • Permission-based security offers a more flexible solution for controlling access. You can define any number of permission types, such as Read, Modify, Delete or Approve. Then you can grant default permissions to roles. When the business logic changes later, you can easily modify the permission matrix without recompiling the application. [VB.NET] If ARHelper.IsAuthorized("JohnD", "Reports.Viewer", "Read") Then ...
Auditing Trail • An important feature of application security is auditing of user activities. It can help you detect attacks and attempts at unauthorized access to secret data and also keep track of data modifications. Some laws may even require the auditing trail. [VB.NET] ARHelper.Log("JohnD", "User changed amount to USD 5.90", "WorkReports.TravelExpenses")
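The permission check and the audit log from the two preceding slides are meant to be used together: deny by default, and record denials as well as grants so that repeated refused attempts are visible when the log is reviewed. The following guard is an added example, not code from the PortSight deck or product; it assumes the ARHelper calls shown on the slides (IsAuthorized returning a Boolean, Log writing the audit trail) and a hypothetical ExpenseGuard class and ApproveExpense handler.

```vb
' Added example (not from the PortSight Secure Access deck): a deny-by-default
' authorization guard for an application part that also writes the audit trail.
' Assumes ARHelper.IsAuthorized(login, appPart, permission) returns Boolean and
' ARHelper.Log(login, message, appPart) writes to the SA auditing log, as the slides show.
Imports System.Web

Public Class ExpenseGuard   ' hypothetical class name

    ' Returns True only when the user holds the requested permission on the
    ' application part. Every outcome, granted or denied, goes to the audit log.
    Public Shared Function CheckAndAudit(ByVal login As String, _
                                         ByVal appPart As String, _
                                         ByVal permission As String) As Boolean
        ' Refuse unauthenticated callers before consulting the permission matrix.
        If login Is Nothing OrElse login.Length = 0 Then
            ARHelper.Log("(anonymous)", "Denied: unauthenticated request for " & permission, appPart)
            Return False
        End If

        If Not ARHelper.IsAuthorized(login, appPart, permission) Then
            ARHelper.Log(login, "Denied: missing permission " & permission, appPart)
            Return False
        End If

        ARHelper.Log(login, "Granted: " & permission, appPart)
        Return True
    End Function

    ' Hypothetical page handler. The identity is taken from the ASP.NET context
    ' (Forms or Windows authentication), never from a request parameter.
    Public Shared Sub ApproveExpense(ByVal ctx As HttpContext, ByVal reportId As Integer)
        Dim login As String = ctx.User.Identity.Name
        If Not CheckAndAudit(login, "WorkReports.TravelExpenses", "Approve") Then
            ctx.Response.StatusCode = 403
            ctx.Response.End()
            Return
        End If
        ' Application-specific approval of reportId would run here; the change
        ' itself is recorded with the same app part so the trail stays searchable.
        ARHelper.Log(login, "Approved travel expense report " & reportId.ToString(), _
                     "WorkReports.TravelExpenses")
    End Sub

End Class
```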
Storing User Settings • Secure Access allows you to store any number of user settings, such as preferred culture, colors, default values etc. in the Secure Access database. [VB.NET] arcn.GetUserByLogin(User.Identity.Name).SetPropertyValue("preferred_color", "darkBlue")
How to use Secure Access for • Securing Web Applications • Securing WinForm Applications • Securing Web Services It's important to understand that PortSight Secure Access is a component targeting developers, not a security application intended for immediate use by end users.
Securing Web Applications • Extends the existing authentication mechanisms. • Secure Access is delivered with ASP.NET user controls (available with full source code)
Securing WinForm Applications • The connection string to the DB can either be stored in the .config file or set later from within the code, if you need to hide it from the users • Client applications can improve overall security by connecting to Secure Access via the ARWSWebService Web Service. Secure Access is delivered with WinForm controls that simplify this integration: • ARWSLogonCtrl – for checking the provided login name and password • ARWSSetPasswordCtrl – for changing passwords
Securing WinForm Applications • Communication with ARWebService can be secured by the following WS-Security methods and their combinations: • X.509 encryption - Asymmetric encryption encodes the content of the SOAP message and thus protects it against eavesdropping during its transmission. • X.509 signature - Digital signatures help to verify the trustworthiness of the partner and of course verify that the message has not been altered since it was signed • Symmetric encryption - It may be used together with X.509 certificates for strengthening the security, or it can be used as a standalone security mechanism where X.509 certificates cannot be used for some reason