How to secure IIS Web Server - asp.net

We have a web application which consists of an IIS web server which is on the internet, and a database server, which IIS accesses over a VPN link.
The problem we have is that we need to store the connection string somewhere (which obviously can't be in the database).
I note that it is possible to encrypt web.config connect strings using aspnet_regiis :
https://msdn.microsoft.com/en-us/library/dx0f3cf2%28v=vs.85%29.aspx
Can anyone comment on how robust this is? What we do not want is the database being hacked from the internet.
One thing which concerns me is that aspnet_regiis is used to decrypt and encrypt and is installed on the machine itself. So if the machine were compromised and this exe was on there, discovering the passwords would not be that hard.
So, assuming that this method of securing a password is not recommended, what other options do I have?
Note that in case it is relevant, IIS is running in the context of IIS APPPOOL\DefaultAppPool account.
Thanks.

You do not encrypt your configuration files to prevent being hacked from the internet. IIS will never serve *.config files. You encrypt configuration files to hide the information therein from server administrators.
If a remote attacker has access to the server and can run arbitrary executables, all bets are off. There's nothing you can do to secure the server after that.
How to prevent the server from being accessed remotely is too broad to answer; check OWASP for general hints.

If possible, give your app pool identity (in your case IIS APPPOOL\DefaultAppPool) access to the SQL Server.
Then use integrated authentication instead of password and username in your connection string:
Server=myServerAddress;Database=myDataBase;Trusted_Connection=True;
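As an added example (not code from this thread), here is a small Python audit that reads the connectionStrings section of a web.config, in the same shape as the snippets quoted in this thread, and flags entries that embed a SQL login and password instead of relying on the application pool identity through Trusted_Connection / Integrated Security. The function names and the sample web.config are constructed for this example.

```python
"""Audit ASP.NET connection strings for embedded credentials.

Added example, not from the original thread. Flags connection strings that
carry a SQL login and password (or the 'sa' login) rather than using the
application pool identity. All names and the sample config are constructed.
"""
import xml.etree.ElementTree as ET

# SqlClient accepts several synonyms for the same keyword; map them to one form.
_SYNONYMS = {
    "uid": "user id",
    "user": "user id",
    "pwd": "password",
    "trusted_connection": "integrated security",
}


def parse_connection_string(cs: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased canonical keys."""
    out = {}
    for part in cs.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        key = key.strip().lower()
        out[_SYNONYMS.get(key, key)] = value.strip()
    return out


def uses_integrated_security(cs: str) -> bool:
    """True when the string asks for Windows authentication (no stored password)."""
    flag = parse_connection_string(cs).get("integrated security", "false").lower()
    return flag in ("true", "yes", "sspi")


def audit_connection_string(name: str, cs: str) -> list:
    """Return a list of findings (strings) for one named connection string."""
    parsed = parse_connection_string(cs)
    if uses_integrated_security(cs):
        return []  # nothing to leak: the app pool identity authenticates
    findings = []
    if "password" in parsed:
        findings.append(f"{name}: SQL login password stored in plaintext")
    if parsed.get("user id", "").lower() == "sa":
        findings.append(f"{name}: connects as the 'sa' administrative login")
    if parsed.get("persist security info", "").lower() == "true":
        findings.append(f"{name}: Persist Security Info=True keeps the password "
                        "readable from the open connection object")
    if not findings:
        findings.append(f"{name}: no credentials and no integrated security set")
    return findings


def audit_web_config(xml_text: str) -> list:
    """Audit every <add> under <connectionStrings>; return all findings."""
    root = ET.fromstring(xml_text)
    section = root if root.tag == "connectionStrings" else root.find(".//connectionStrings")
    if section is None:
        return ["no <connectionStrings> section found"]
    findings = []
    for add in section.findall("add"):
        findings.extend(audit_connection_string(add.get("name", "?"),
                                                add.get("connectionString", "")))
    return findings


# Constructed sample: one legacy entry with a stored password, one hardened entry.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="legacy"
         connectionString="Data Source=DBHOST01;Initial Catalog=Orders;Persist Security Info=True;User ID=sa;Password=example-pw"/>
    <add name="hardened"
         connectionString="Server=DBHOST01;Database=Orders;Trusted_Connection=True;"/>
  </connectionStrings>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(finding)
```

Run it against a real web.config by reading the file into `audit_web_config`; an encrypted section (after aspnet_regiis -pe) will show up as `EncryptedData` rather than `add` elements and yields no findings, which is the expected result after encryption but, as the answer above says, does not by itself stop a process running on the server from reading the values.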

Related

ASP.NET Web APP set up with a server with no SQL Server installed

I have an ASP.NET 2 (very old) web app that I am trying to migrate to a new server. BTW, I am a complete ASP.NET noob but have a good amount of experience with other web technologies.
In the web.config, I can see the following connection string XML:
<connectionStrings>
<add name="myCon"
connectionString="Data Source=DEVELOP\DEV_SQL2008R2;Initial Catalog=QO2_New;Persist Security Info=True;User ID=sa;Password=q"/>
</connectionStrings>
I did "nslookup" on the machine name 'DEVELOP' and RDP'ed into the server. To my surprise, I don't see any SQL Server process running. Also, there is no SQL Server installed on that server. I am 100% sure that the app is running and I am very confident that there is content that comes from the database. I also did a search on the code base and it seems like the connection string is being used.
On a side note, we do have some other databases on separate machines. My questions are the following:
Can the machine DEVELOP somehow redirect the DB connection to somewhere else? If yes, how do I find out which IP it is being redirected to?
If the DB connection cannot be redirected, then what is going on here exactly?
Unfortunately, I have very few people whom I can ask what is going on with this app. Any tips that you can share are much appreciated.
Nslookup uses DNS, but there is a chance your machine has a hosts file entry that points DEVELOP to somewhere else.
However, if you RDP'ed into DEVELOP (as in, used that name when connecting RDP, not the IP address given by nslookup) then you should have been able to see a SQL Server install in the list of services.
If there is surely no SQL Server installed there then, from within your RDP session, use TCPView from Sysinternals to see what process is listening on port 1433. It could be some kind of TCP redirector like PortTunnel from SteelBytes, bouncing the connection somewhere else. Remember to run TCPView on the server, not your local machine.
Perhaps you can try connecting to the SQL Server using Management Studio with the credentials in the web config; you can get SQL Server itself to tell you more about where it is running, such as:
SQL - Query to get server's IP address
Using Environment variables in T-SQL
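As an added example (not code from this thread), the following Python script automates two of the checks in the answer above: whether the hosts file overrides DNS for the server name, and which process owns the listener on the SQL Server port. The thread names TCPView for the second check; the sample here parses the same information as `netstat -ano` prints. The hosts file text, the netstat lines, the IP addresses and the PIDs are all constructed for this example, and the function names are this example's own. As the answer says, run it on the server, not on your workstation.

```python
"""Find where a database connection actually goes.

Added example, not from the original thread. Two checks: a hosts-file override
for a server name, and the LISTENING socket(s) on a given TCP port taken from
'netstat -ano' style output. Sample data below is constructed.
"""
import socket


def hosts_override(hosts_text: str, hostname: str):
    """Return the IP the hosts file maps HOSTNAME to, or None if no entry."""
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        if any(n.lower() == hostname.lower() for n in names):
            return ip
    return None


def listeners_on_port(netstat_text: str, port: int) -> list:
    """Return [(local_address, pid), ...] for TCP sockets LISTENING on PORT."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Windows 'netstat -ano' rows: Proto, Local Address, Foreign Address, State, PID
        if len(fields) < 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        local, pid = fields[1], fields[4]
        # local is 'ip:port' or '[ipv6]:port'; the port follows the last colon
        if int(local.rsplit(":", 1)[1]) == port:
            found.append((local, int(pid)))
    return found


def resolve(hostname: str):
    """DNS lookup mirroring nslookup; None when the name does not resolve."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


# Constructed sample hosts file: DEVELOP is silently sent to another machine.
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1   localhost
10.0.5.20   DEVELOP    # override: DNS may say something different
"""

# Constructed 'netstat -ano' output: PID 4120 owns the 1433 listener.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       4120
  TCP    [::]:1433              [::]:0                 LISTENING       4120
  TCP    10.0.5.7:3389          10.0.5.99:51234        ESTABLISHED     1280
"""

if __name__ == "__main__":
    name = "DEVELOP"
    print("hosts override:", hosts_override(SAMPLE_HOSTS, name))
    print("DNS says:", resolve(name))
    print("listeners on 1433:", listeners_on_port(SAMPLE_NETSTAT, 1433))
```

On a real server, feed `hosts_override` the contents of `%SystemRoot%\System32\drivers\etc\hosts` and `listeners_on_port` the output of `netstat -ano`; a PID that is not sqlservr.exe (check with `tasklist /FI "PID eq <pid>"`) is the redirector the answer is talking about. If `hosts_override` and `resolve` disagree, the application is not talking to the machine nslookup showed you.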
I am truly ashamed to inform everyone that the database in the web config was never being used. Therefore, even though it is pointing to a non-existing database, it still works. The data from the old database have been converted to static files.
I should have checked this the first thing I came across it. Thanks again for all the help.

How to publish an asp.net website on work network?

I have been developing an ASP.NET application and I would like my work colleagues to give me feedback on it. I tried running it on IIS but because the database is located on a remote server, I am unable to host it properly.
Also, how can the colleagues access that site? My host name, etc.?
You can update your connection string to point at your remote server (provided the DB accepts external requests).
Something like (assuming SQL)
Data Source=190.190.200.100,1433;Network Library=DBMSSOCN;Initial Catalog=myDataBase; User ID=myUsername;Password=myPassword;
It's an ugly hack, but you can do an if/else statement: detect the domain name (Environment.UserDomainName), and if it matches the server then use one connection string; if it's your office's domain, then use that!
This means, you can still use your local IIS!
You can publish your web site on a local server which has IIS running on it. You can create your application on IIS and your colleagues can access your web site from the intranet via the name of the server easily.
Such as:
http://servername/yourprojectdirectory
Also, the local server needs internet access to reach the remote database.

WCF service hosted on IIS and client website on IIS

Here's the desired setup:
Service with wsHttpBinding is on IIS 6 on Machine 1 behind the firewall.
Client is front end website on IIS 6 on Machine 2 on a DMZ.
We are currently able to authenticate the client using Windows authentication, but with impersonation
<identity impersonate="true" userName="OurCompany\Me" password="Blahblahblah" />
since the website would use the "ASPNET" as username, which is not in the domain.
We now want to move away from this method because of a security issue; we don't want to expose this kind of info on the DMZ.
Is there any way to get authenticated properly without using impersonation in the client config?
If we changed so that we use certificate authentication, would it affect service operations that require impersonation (impersonation is needed for file access on the network, for example)?
thanks.
This has been resolved now, and I think it'd be constructive to share the solutions.
In terms of my original question, whether it's possible to do impersonation without setting it explicitly in the config or in the front end code: as mentioned by the above, the App Pool method does work, but only when both the client and server are on the same domain.
Since the web site client is situated in the DMZ, it has no access to the local network at all, meaning we are unable to impersonate any network user (this is a flaw in my original question, saying the impersonation works; it was actually not working).
So the only way to go was using certificates. Since this is internal communication, I have generated a test certificate on each of the server / client sides with makecert. Using peer trust certificate authentication, I am able to get the communication working between the client and the server. This ensures that no Windows / network user account information is present in the DMZ zone.

How to authenticate to a Kerberos (Apple Open Directory) server in ASP.Net

Here at work we just implemented an Apple Open Directory server. It stores everyone's usernames and passwords and implements LDAP and Kerberos. I've been tasked with configuring all of our ASP.Net web applications to authenticate with it--so users can use their Open Directory usernames and passwords to log into our ASP.Net applications.
I need something like mod_auth_kerb, except for IIS and ASP.Net--and I'd like to use forms-based authentication.
Is this possible?
IIS only supports Kerberos for NTLM authentication as far as I know. I have never seen a secondary Kerberos-capable library or software (true Kerberos, I mean). Now, you could use the LDAP libraries in .Net to communicate between the servers in a Kerberos fashion, but the connection between the user client and the asp.net server would still be an SSL plain/text connection.
I've also never seen it done, but it should be able to be done... if the asp.net server had a trust relationship with the Apple Open Directory server with an LDAP connection made between the two, it might be possible to enable the NTLM authentication at the IIS level, and that would (in theory) extend the Kerberos connectivity to the AOD through the trust. Again, I've never even contemplated it, so I don't know what the pitfalls would be of attempting it.
I have successfully used DirectoryServices to connect to other Active Directories through the LDAP protocol, but I still have not found a way to embed the Kerberos connectivity between client and authentication server without NTLM.
To use Kerberos authentication in IIS, your authentication type for the protected resource should be "Windows Authentication". This will make IIS use Negotiate (spnego) authentication. The server must be a member of a domain for Kerberos to work. I'd recommend using a Server 2008 or Server 2008 R2 machine for this if possible as it handles Kerberos authentication more gracefully.
I haven't gotten a chance to work with a Mac server for a while, but it's my understanding that Open Directory is capable of serving a Windows domain member. For authorization, you'll have to query the LDAP directory from ASP or use your own internal authorization mechanism.
Edit: This Microsoft KB article might be of some use to you: http://msdn.microsoft.com/en-us/library/aa480475.aspx

Windows authentication problems using asp.net

I have an asp.net application that should access data from two SQL Servers. One of the SQL Servers is present on the same machine as IIS (let us call it SQLSERVER1) whereas the other SQL server is present on another machine (SQLSERVER2).
The connection strings are trusted for both the SQL servers. Impersonation has been set to true in my web.config file. I am using Windows authentication in both IIS and web.config.
When I try to access data from SQLSERVER2, I get a "login failed for user (null)" error. The user through which I have logged in through Windows exists as a SQL Server account on SQLSERVER2.
What could be the possible reason?
NOTE: This is a newbie question IMHO.
NOTE: The IIS used is 6.0 (Windows 2003). It is not set to IIS 5.0 isolation mode.
EDIT: The user getting impersonated is a domain user.
Addition:
I also want to state that I get this error message when I access it as a client of the server where IIS is running. In other words, let me say I am working on machine A, the IIS and SQLSERVER1 are on machine B, and SQLSERVER2 is on machine C.
I do not get this error message when I am working on machine B. This is stumping me more.
This is absolutely a delegation problem. As one person pointed out, you need to make sure Kerberos authentication is being used. The old style NTLM isn't going to cut it. Here's more on Kerberos vs. NTLM.
In a nutshell, if you have a webserver and a database and you want the webserver to impersonate the user when making database requests (so that you can set up permissions on the database directly on a per-user or user-group basis) you're performing a double-hop. Credentials must pass first from the user's computer to the webserver and again to the database. As you can imagine, the database has to trust the webserver to "do no evil" or this could be an extremely dangerous security hole. As a result, you have to set up what is called in the Windows Server world "delegation"...
Microsoft has a good article about all this here. Further, you can look over an article like this to get an idea of how to set it all up. We've run into this frequently, and it can be a pain at first, especially since as a developer you're probably not in control of the servers directly (especially production ones) and you'll have to spend a lot of time with the server guys down the hall.
You're probably running into this problem because non-Kerberos based impersonation (NTLM) is only valid on the local machine (the webserver). If you want to be able to use those credentials to access another machine, you're going to need to make sure you're using Kerberos.
Try this: http://support.microsoft.com/kb/810572
Your authentication to the webserver is not passed through to the sql server. The web server is authenticating to the SQL Server using the account that your application pool is running under.
You should check that the machine account for SQLSERVER1 has trusted for delegation enabled. Otherwise SQLSERVER2 won't trust the impersonation running on SQLSERVER1. This is in addition to confirming that Kerberos is used to set up the impersonation in the first place. This also assumes that the servers and the users are all members of the same domain.
BTW, are you sure you want to do things this way? You end up creating a lot more connections because they end up being unique to a user.
Have you tried to access the database on Server2 using SQL Server Management Studio from Server1 and made a successful connection?
If not, then this could be because by default SQL Server installs itself with TCP turned off.
You will need to make sure that this is turned on for Server2 to allow Server1 to connect.
Server1 has no problems connecting due to the fact that it can use the shared memory connection.