Does authorization in web.config check sub-groups as well? - asp.net

If I put something like this in my ASP.NET web application's web.config:
<authorization>
<allow roles="MyUsers" />
<deny users="*" />
</authorization>
and then have an Active Directory group SpecialGroup that is inside MyUsers, will a member of SpecialGroup be allowed to access my application?

Yes, it will. When you log on, a security token is constructed containing details of all¹ of the groups you're a member of, and that includes all nested groups. That token is what's used to determine access. This is why you have to log off and on when you're added to a group.
But just to be sure, I tested it on one of my sites and it worked as described.
¹ actually, it's possible to be in so many groups that they won't all fit in the token (which has a limited size) in which case, your token contains the first 'n' groups (which depends on the order returned by the domain controller, so you can see some odd behaviour).

Related

Getting the value of Request.ServerVariables("LOGON_USER")

I'm trying to get the authenticated username in my ASP.NET page using the Request.ServerVariables("LOGON_USER") variable. It gives me an empty string. There are a lot of topics about this variable. The common point is using an authentication type other than None and denying anonymous access. So I added these lines in my web.config:
<authentication mode="Forms"/>
<authorization>
<deny users = "?" /> <!-- This denies access to the Anonymous user -->
<allow users ="*" /> <!-- This allows access to all users -->
</authorization>
I still get an empty string. How can I get the username?
Also tried:
Request.ServerVariables["REMOTE_USER"];
Request.ServerVariables["UNMAPPED_REMOTE_USER"];
Request.ServerVariables["AUTH_USER"];
HttpContext.Current.User.Identity.Name;
Finally fixed. You should disable anonymous access in IIS if you want to use Request.ServerVariables("LOGON_USER").
PS: Disabling anonymous access has some side effects such as infinite login redirect loop
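A diagnostic that ties the two questions above together (the nested-group one and this LOGON_USER one), added here as an example rather than code from any of the posters: it reports which identity ASP.NET authenticated, which IIS server variables are actually populated, and, when the identity is a WindowsIdentity (Windows authentication), every group SID in the token with its translated name, so nested membership can be confirmed directly instead of inferred. The handler name WhoAmI.ashx and the group DOMAIN\MyUsers are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

// WhoAmI.ashx (assumed name): request it while signed in to see what the server really knows.
public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.ContentType = "text/plain";
        ctx.Response.Write(Report(ctx, @"DOMAIN\MyUsers")); // assumed group name
    }

    public static string Report(HttpContext ctx, string groupToCheck)
    {
        var sb = new StringBuilder();
        IPrincipal user = ctx.User;

        // What ASP.NET authenticated (Forms ticket, Windows token, ...).
        sb.AppendLine("Request.IsAuthenticated:   " + ctx.Request.IsAuthenticated);
        sb.AppendLine("AuthenticationType:        " + (user != null ? user.Identity.AuthenticationType : "(none)"));
        sb.AppendLine("User.Identity.Name:        " + (user != null ? user.Identity.Name : "(none)"));

        // What IIS authenticated. These are filled by IIS-level authentication (Windows, Basic, Digest)
        // and stay empty while anonymous access is enabled, regardless of any Forms ticket.
        foreach (string v in new[] { "LOGON_USER", "AUTH_USER", "REMOTE_USER", "AUTH_TYPE" })
            sb.AppendLine(v.PadRight(27) + ctx.Request.ServerVariables[v]);
        WindowsIdentity iisIdentity = ctx.Request.LogonUserIdentity;
        sb.AppendLine("Request.LogonUserIdentity: " + (iisIdentity != null ? iisIdentity.Name : "(null)"));

        // With <authentication mode="Windows"/>, User.Identity is the WindowsIdentity built from the
        // logon token, whose Groups collection already includes nested memberships.
        var winId = user != null ? user.Identity as WindowsIdentity : null;
        if (winId == null) return sb.ToString();

        sb.AppendLine("IsInRole(" + groupToCheck + "): " + new WindowsPrincipal(winId).IsInRole(groupToCheck));
        sb.AppendLine("Token groups (direct and nested):");
        foreach (IdentityReference g in winId.Groups)
        {
            string name;
            try { name = g.Translate(typeof(NTAccount)).Value; }
            catch (SystemException) { name = "(SID could not be translated)"; } // IdentityNotMappedException and friends
            sb.AppendLine("  " + g.Value.PadRight(48) + name);
        }
        return sb.ToString();
    }
}
```

Under Forms authentication with anonymous access enabled you will see User.Identity.Name populated while LOGON_USER and Request.LogonUserIdentity show the anonymous account, which is exactly the split the question ran into; under Windows authentication the group list is the same token the first answer describes, including a group the user is in only through a nested group.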

Unrestricted length for user input

During a security review of our asp.net web application we were told that some input fields don't restrict the length of user input on the server side. The report says that this vulnerability can be used to consume a large amount of resources on the server or database, which can cause Denial of Service attacks.
I would like to ask what options there are to fix this. Of course we can implement the validation on the web server side for every field and e.g. throw some exception and reject the input if it is longer than some predefined value. But I am curious if there are other ways to do it. Maybe some configuration in web.config or at the IIS server level, some global handler etc.
Check out maxRequestLength setting in web.config.
Specifies the limit for the input stream buffering threshold, in KB. This limit can be used to prevent denial of service attacks that are caused, for example, by users posting large files to the server.
The default is 4096 (4 MB).
<configuration>
<system.web>
<httpRuntime maxRequestLength="1024" />
</system.web>
</configuration>
This would be a better solution than restricting each individual field, as it protects your application as a whole, and it sounds like they haven't found any specific inputs that are vulnerable.
If you want this to only apply to certain sections of your application you could add an override using the <location> element:
<location path="Attachments/Upload">
<system.web>
<httpRuntime maxRequestLength="20480" />
</system.web>
</location>
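A global handler of the kind the question asks about, added here as an example (not the answerer's or the asker's code): an IHttpModule that rejects any single query-string or url-encoded form value longer than an assumed 4000 characters with HTTP 413 before the page or handler runs, so no field depends on someone remembering to validate it. The type name FieldLengthModule, the constant MaxValueLength and the limit itself are assumptions.

```csharp
using System;
using System.Web;

// Application-wide guard: one oversized field anywhere in the request ends it with 413.
public sealed class FieldLengthModule : IHttpModule
{
    // Assumed limit; set it to the largest value any legitimate single field needs.
    public const int MaxValueLength = 4000;

    public void Init(HttpApplication app)
    {
        // After authentication/authorization, before the handler executes.
        app.PostAuthorizeRequest += OnPostAuthorizeRequest;
    }

    public void Dispose() { }

    private static void OnPostAuthorizeRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        string offender = FindOversizedField(app.Context.Request, MaxValueLength);
        if (offender == null) return;

        HttpResponse resp = app.Context.Response;
        resp.StatusCode = 413; // Payload Too Large
        resp.TrySkipIisCustomErrors = true;
        resp.Write("Field '" + offender + "' exceeds " + MaxValueLength + " characters.");
        app.CompleteRequest(); // skip the handler, run EndRequest
    }

    // Returns the name of the first oversized field, or null if every value is within the limit.
    // Only query strings and application/x-www-form-urlencoded bodies are inspected; multipart
    // uploads are left to maxRequestLength (ASP.NET) and maxAllowedContentLength (IIS).
    public static string FindOversizedField(HttpRequest req, int maxLen)
    {
        // Unvalidated avoids tripping ASP.NET request validation from inside a module (.NET 4.5+).
        var qs = req.Unvalidated.QueryString;
        foreach (string key in qs.AllKeys)
        {
            string value = qs[key];
            if (value != null && value.Length > maxLen) return key ?? "(unnamed)";
        }

        string contentType = req.ContentType ?? string.Empty;
        if (req.HttpMethod == "POST" &&
            contentType.StartsWith("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase))
        {
            var form = req.Unvalidated.Form;
            foreach (string key in form.AllKeys)
            {
                string value = form[key];
                if (value != null && value.Length > maxLen) return key ?? "(unnamed)";
            }
        }
        return null;
    }
}
```

Register it under <system.webServer><modules> with <add name="FieldLength" type="FieldLengthModule" />. Keep maxRequestLength as well: the module caps individual values, while maxRequestLength caps the whole entity body, and the two address different resource-exhaustion paths. On IIS 7 and later a third limit applies before ASP.NET sees the request at all, the request-filtering setting <requestLimits maxAllowedContentLength="..."/> in <system.webServer><security><requestFiltering>, which is in bytes (default 30000000); the lowest of the applicable limits wins, so raise or lower them together.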

.ASPXROLES membership roles cookie expiry

Using ASP.NET 2.0, with forms authentication.
Just for a test, I configured the roles cookie in web.config like this :
<roleManager enabled="true" cacheRolesInCookie="true" cookieName=".ASPXROLES" cookieTimeout="2"></roleManager>
I wanted to see what would happen when the cached role cookie expired.
Using Fiddler, after 2 minutes had elapsed, I could see that the raw value of the role cookie had changed.
I was expecting that on expiry, that ASP.NET would simply re-read the roles information from the database, and repopulate the cookie with the same value. So my question is, why would the raw value of the cookie change after expiry ? The cookie value is not human-readable (base 64 encoded and/or encrypted ?), so I can't tell if the information in it is the same, although the application still seems to work fine.
EDIT :
It looks like each time the roles are encrypted and cached in the cookie, it gets a different raw value.
e.g. if you run the following code :
RolePrincipal rp = (RolePrincipal) User;
string str = rp.ToEncryptedTicket();
Label1.Text = str;
You get a different value each time.
So the behavior seems normal.
Well, the aspxroles cookie only pertains to role queries on the user. Unless you're doing things with the roles that would cause it to function differently (web.config auth?), you're not going to see anything by expiring the cookie.
Can you share your web.config and basic pages that you're using to test this?
Have you tried that particular configuration to see what changes after the expiration?
<location path="img/logo.png">
<system.web>
<authorization>
<deny users="?"/>
<allow roles="CanSeeLogo"/>
</authorization>
</system.web>
</location>
Based on the question edit:
In my web.config under <configuration><system.web> I have this key:
<machineKey decryption="AES" decryptionKey="{64bits random hex}" validation="SHA1" validationKey="{128 bits random hex}"/>
I'm curious whether, if you set that "manually", you'll still have a constantly changing encrypted string. Also, this is set by default in your C:\Windows\Microsoft.Net\Framework\etc folders, but you can redefine it (obviously) in your web.config to override it per application. This also allows you to share the same cookie cross-app within your domain.
Link to generate random hex strings
https://www.grc.com/passwords.htm
concat the first result from two page refreshes for the second one. Removing the web.config key later doesn't impact your app negatively (of course it wouldn't)
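Why the raw value changes even when the roles do not, as an added example that is neither the asker's nor the answerer's code: ASP.NET protects the roles ticket with symmetric encryption under the machineKey decryptionKey using a fresh random IV for every encryption, and the ticket itself carries its issue and expiry timestamps, so two tickets for the same roles never share a byte pattern. The snippet below reproduces the IV effect with plain AES-CBC: the key, the role string and the blob layout are stand-ins for illustration, not ASP.NET's actual cookie format (which also authenticates the blob under validationKey).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Same key, same plaintext, different ciphertext each time; both still decrypt to the same roles.
public static class TicketDemo
{
    // Encrypts with a freshly generated IV and returns IV || ciphertext (the IV is not secret).
    public static byte[] Encrypt(byte[] key, string plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV(); // random IV per call: the source of the ever-changing raw value
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] pt = Encoding.UTF8.GetBytes(plaintext);
                byte[] ct = enc.TransformFinalBlock(pt, 0, pt.Length);
                byte[] blob = new byte[aes.IV.Length + ct.Length];
                Buffer.BlockCopy(aes.IV, 0, blob, 0, aes.IV.Length);
                Buffer.BlockCopy(ct, 0, blob, aes.IV.Length, ct.Length);
                return blob;
            }
        }
    }

    // Reads the IV back off the front of the blob and decrypts the rest.
    public static string Decrypt(byte[] key, byte[] blob)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] pt = dec.TransformFinalBlock(blob, iv.Length, blob.Length - iv.Length);
                return Encoding.UTF8.GetString(pt);
            }
        }
    }

    public static void Main()
    {
        // Stand-in for the machineKey decryptionKey (32 random bytes = AES-256).
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);

        string roles = "Admin,Editor"; // constructed sample role list
        byte[] first = Encrypt(key, roles);
        byte[] second = Encrypt(key, roles);

        Console.WriteLine("first:  " + Convert.ToBase64String(first));
        Console.WriteLine("second: " + Convert.ToBase64String(second));
        Console.WriteLine("raw values equal:  " + Convert.ToBase64String(first).Equals(Convert.ToBase64String(second)));
        Console.WriteLine("decrypted equal:   " + (Decrypt(key, first) == roles && Decrypt(key, second) == roles));
    }
}
```

The practical consequence for the test in the question: comparing raw cookie values tells you nothing about whether the cached roles changed. Compare the decoded content instead, for example ((RolePrincipal)User).GetRoles() on a request before and after the cookieTimeout has elapsed.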

Requiring Multiple Roles in Web.config Authorization

Is it possible to specify that multiple roles are required inside the authorization element of the web.config file? I currently have this block in one web.config of my site for a specific directory:
<authorization>
<allow roles="Global, Region" />
<deny users="*" />
</authorization>
I've just identified a special case where a person with two lower-level permissions than Global and Region should also have access to this directory. Roughly, I want something like this:
<authorization>
<allow roles="GlobalManager, RegionManager, SiteManager && FooSite" />
<deny users="*" />
</authorization>
Any ideas? I realize I probably should have a new role for this scenario, but I'd like to avoid that. Thanks!
I don't think you can do this via the current configs allowed in web.config. What you could do though is something like the following... as the very first line in your Page_Load event for the page in question, use the following code (VB):
If Not (User.IsInRole("Role1") AndAlso User.IsInRole("Role2")) Then _
FormsAuthentication.RedirectToLoginPage()
This line of course is assuming you are using FormsAuthentication. If not, you would need to replace FormsAuthentication.RedirectToLoginPage() with the appropriate code depending on your authentication method.
I don't know your situation exactly, but based on your code, it looks like you could go one step further, and add a table with a mapping of users to sites, and do something like the following:
In a public module, add the following code:
<System.Runtime.CompilerServices.Extension()> _
Public Function ManagesSite(target As System.Security.Principal.IPrincipal, siteName As String) As Boolean
Return [ code here to look up whether this user can access the site specified ]
End Function
Then you can write the previous code as something more logical, such as:
If Not (User.IsInRole("SiteManager") AndAlso User.ManagesSite(Request.Url.Host)) Then _
FormsAuthentication.RedirectToLoginPage()
The method I usually use to solve this is, when setting the user roles, to create virtual roles. Therefore if you wanted to only allow Student Administrators access to a page where a user has both the Student and Administrator roles, you could add a new StudentAdministrator role.
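The virtual-role approach from the last answer, implemented, as an added example that is not any of the posters' code: a Global.asax hook wraps the authenticated principal so that a derived role is reported by IsInRole only when the user holds all of its underlying roles. With the assumed derived role FooSiteManager (requires SiteManager and FooSite), the web.config rule stays declarative: <allow roles="GlobalManager, RegionManager, FooSiteManager" />. The role names and the class names DerivedRolePrincipal and DerivedRoleEvaluator are assumptions.

```csharp
// Global.asax.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using System.Web;

public class Global : HttpApplication
{
    // Assumed mapping: derived role -> roles the user must ALL hold.
    private static readonly Dictionary<string, string[]> DerivedRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "FooSiteManager", new[] { "SiteManager", "FooSite" } },
        };

    // Global.asax handlers run after the modules for the same event, so by now RoleManagerModule
    // (or WindowsAuthenticationModule) has attached its principal, and UrlAuthorizationModule,
    // which evaluates <authorization>, has not yet run.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated) return;

        string[] granted = DerivedRoleEvaluator.Grant(user, DerivedRoles);
        if (granted.Length == 0) return;

        var wrapped = new DerivedRolePrincipal(user, granted);
        Context.User = wrapped;
        Thread.CurrentPrincipal = wrapped;
    }
}

public static class DerivedRoleEvaluator
{
    // Returns the derived roles whose every constituent role the user already has.
    public static string[] Grant(IPrincipal user, IDictionary<string, string[]> derived)
    {
        return derived
            .Where(kv => kv.Value.Length > 0 && kv.Value.All(user.IsInRole))
            .Select(kv => kv.Key)
            .ToArray();
    }
}

// Delegates to the original principal (RolePrincipal, WindowsPrincipal, ...) and adds derived roles,
// so existing single-role rules keep working unchanged.
public sealed class DerivedRolePrincipal : IPrincipal
{
    private readonly IPrincipal _inner;
    private readonly HashSet<string> _derived;

    public DerivedRolePrincipal(IPrincipal inner, IEnumerable<string> derived)
    {
        _inner = inner;
        _derived = new HashSet<string>(derived, StringComparer.OrdinalIgnoreCase);
    }

    public IIdentity Identity { get { return _inner.Identity; } }

    public bool IsInRole(string role)
    {
        return _derived.Contains(role) || _inner.IsInRole(role);
    }
}
```

Because the wrapper only delegates, it works the same under Forms authentication with the role provider and under Windows authentication with AD groups. Code that casts User to RolePrincipal (as in the .ASPXROLES question above) will need to unwrap first, which is the one trade-off of this approach over creating the combined role in the role store itself.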

Global vs Universal Active Directory Group access for a web app

I have a SQL Server 2000, C# & ASP.net web app. We want to control access to it by using Active Directory groups. I can get authentication to work if the group I put in is a 'Global' but not if the group is 'Universal'.
How can I make this work with 'Universal' groups as well?
Here's my authorization block:
<authorization>
<allow roles="domain\Group Name Here"/>
<allow roles="domain\Group Name Here2"/>
<allow roles="domain\Group Name Here3"/>
<deny users="*"/>
</authorization>
Depending on your Active Directory topology, you might have to wait for the Universal Group membership to replicate around to all the Domain Controllers. Active Directory recommends the following though:
Create a Global group for each domain, e.g., "Domain A Authorized Users", "Domain B Authorized Users"
Put the users you want from Domain A in the "Domain A Authorized Users" group, etc
Create a Universal group in the root domain "All Authorized Users"
Put the Global groups in the Universal group
Secure the resource using the Universal group: <allow roles="root domain\All Authorized Users" />
Wait for replication
One advantage of this scheme is that when you add a new user to one of the Global groups, you won't have to wait for GC replication.
Turns out I needed to use the "Pre Win2000" id not the regular one.
