Authorization in ASP.NET

March 23, 2018

When it comes to access control in ASP.NET, most of us are familiar with the authorization element in web.config. Below I cover a systematic way to secure a website with it: deny everything first, then allow specific resources one at a time.

An overview of authorization

The bullets refer to the template below. A rule is an allow or deny element; ASP.NET evaluates the rules in order and the first rule that matches the request decides, so order matters.

  • action – the element name, either allow or deny
  • verbs attribute – optional comma-separated list of HTTP verbs the rule applies to, for example GET or POST; leave it out and the rule applies to every verb
  • to – the attribute that names who the rule is about, either users or roles (a rule may carry both; it matches if either does)
  • typevalue – for users one of:
    • * (all users, authenticated and anonymous)
    • ? (anonymous users only)
    • or specific comma-separated names. Example: <allow roles="Admin" /> allows users in the Admin role
<authorization>
<action verbs="verbvalue" to="typevalue" />
</authorization>

Best way to secure a website

Best practice is to start from the most restrictive configuration and relax it per resource as needed. A folder layout that groups files by who is allowed to reach them makes this much easier.

  1. Decide who may access the website at its highest level and put that rule in the root web.config. Use one of the two blocks below depending on whether the site is public or requires login. Keep in mind that rules are evaluated top to bottom, the first match wins, and machine.config appends an implicit <allow users="*" /> after yours, so an allow-all placed before a deny makes the deny unreachable.
    <authorization>
    <allow users="*" />  <!--All users-->
    </authorization>
    
    <authorization>
    <deny users="?" /> <!--Deny anonymous users-->
    </authorization>
    
  2. Deny access to each root folder and root file. Starting from deny-everything means that even if an attacker manages to write a file into the web root (a web shell, say), no request for it gets past URL authorization unless a later step explicitly allows that path. Two caveats: IIS and ASP.NET already refuse requests for App_Data and Global.asax (hidden segments and the forbidden handler respectively), so those entries document intent rather than add protection; and URL authorization only runs for requests that reach the ASP.NET pipeline, so static files such as .html or .txt are not covered unless the managed UrlAuthorization module is configured to run for all requests in the integrated pipeline.
    <location path="App_Data">
    <system.web>
    <authorization>
    <deny users="*" />
    </authorization>
    </system.web>
    </location>
    <location path="Global.asax">
    <system.web>
    <authorization>
    <deny users="*" />
    </authorization>
    </system.web>
    </location>
    <location path="Default.aspx">
    <system.web>
    <authorization>
    <deny users="*" />
    </authorization>
    </system.web>
    </location>
    
  3. Review and adjust the access to the root folders and files. Use Fiddler or a similar proxy and look at which requests are now being denied (401 or 403 responses, or redirects to the login page). Prefer entries for individual files over whole folders so that each allow is as narrow as possible.
    <location path="Default.aspx">
    <system.web>
    <authorization>
    <allow users="*" />
    </authorization>
    </system.web>
    </location>
    <location path="Pages/Default.aspx">
    <system.web>
    <authorization>
    <allow users="*" />
    </authorization>
    </system.web>
    </location>
    
  4. Review the allowed folders and files again and restrict the HTTP verbs. Should each location answer GET, POST, or both (and remember HEAD where a client needs it)? A rule with a verbs attribute matches only those verbs; a request with any other verb falls through to the parent rules and ultimately to the machine-level allow-all, so pair the verb-restricted allow with a deny in the same location.
    <location path="Default.aspx">
    <system.web>
    <authorization>
    <allow verbs="GET,POST" users="*" />
    <deny users="*" /> <!--Any other verb stops here-->
    </authorization>
    </system.web>
    </location>
    <location path="Pages/Default.aspx">
    <system.web>
    <authorization>
    <allow verbs="GET,POST" users="*" />
    <deny users="*" /> <!--Any other verb stops here-->
    </authorization>
    </system.web>
    </location>
    
  5. For each root folder, repeat steps 2 to 4 on its contents, and work down into its subfolders the same way.
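To see how the attributes from the overview and the layered rules from steps 1 to 4 actually combine, here is an added example (it is not code from this post and not Microsoft's UrlAuthorizationModule) that models ASP.NET's evaluation order over a constructed web.config: the most specific location's rules first, then each parent folder, then the root, then the implicit machine-level allow-all, with the first matching rule deciding. The Admin folder, the Pages folder and the Admin role are illustrative names, and verb comparison is modelled as case-insensitive; the model ignores the pipeline caveats for static files mentioned in step 2.

```python
# Added example: a small model of how ASP.NET evaluates <authorization> rules,
# so the effect of rule order, <location> layering and the verbs attribute
# can be checked offline. Not the real UrlAuthorizationModule.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed web.config in the layered style the post recommends. The Admin
# folder, the Admin role and Pages/ are illustrative, not from a real site.
WEB_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <deny users="?" />    <!-- step 1: the site refuses anonymous users -->
    </authorization>
  </system.web>
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />  <!-- step 2: everyone else is refused -->
      </authorization>
    </system.web>
  </location>
  <location path="Default.aspx">
    <system.web>
      <authorization>
        <allow verbs="GET,POST" users="*" />  <!-- steps 3-4: public landing page -->
        <deny users="*" />  <!-- any other verb stops here instead of falling through -->
      </authorization>
    </system.web>
  </location>
</configuration>"""

# Same root rules in the wrong order: <allow users="*"/> matches first, the deny is dead.
WRONG_ORDER = """<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>"""


def _csv(attr):
    """Split a comma-separated attribute into a lower-cased frozenset (None -> empty)."""
    return frozenset(v.strip().lower() for v in (attr or "").split(",") if v.strip())


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    users: frozenset   # user names plus the wildcards "*" (everyone) and "?" (anonymous)
    roles: frozenset
    verbs: frozenset   # empty means the rule applies to every HTTP verb

    def matches(self, user, user_roles, verb):
        """True if this rule applies to the request; users and roles are OR-ed."""
        if self.verbs and verb.lower() not in self.verbs:   # modelled as case-insensitive
            return False
        if "*" in self.users:
            return True
        if "?" in self.users and user is None:
            return True
        if user is not None and user.lower() in self.users:
            return True
        return bool(self.roles & {r.lower() for r in user_roles})


def parse_rules(config_xml):
    """Map a location path ('' for the root <system.web>) to its rules, in file order."""
    root = ET.fromstring(config_xml)

    def rules_of(system_web):
        return [Rule(el.tag, _csv(el.get("users")), _csv(el.get("roles")), _csv(el.get("verbs")))
                for el in system_web.findall("./authorization/*")]

    rules = {}
    root_web = root.find("system.web")
    rules[""] = rules_of(root_web) if root_web is not None else []
    for loc in root.findall("location"):
        loc_web = loc.find("system.web")
        if loc_web is not None:
            rules[loc.get("path", "").strip("/").lower()] = rules_of(loc_web)
    return rules


def is_authorized(rules, request_path, verb, user=None, user_roles=()):
    """Most specific <location> first, then each parent folder, then the root,
    then the machine-level default <allow users="*"/>. First match decides."""
    segments = [s for s in request_path.lower().split("/") if s]
    chain = ["/".join(segments[:i]) for i in range(len(segments), 0, -1)] + [""]
    for key in chain:
        for rule in rules.get(key, []):
            if rule.matches(user, user_roles, verb):
                return rule.action == "allow"
    return True  # machine.config ships <allow users="*"/> as the final fallback


if __name__ == "__main__":
    site = parse_rules(WEB_CONFIG)
    for path, verb, user, roles in [
        ("/Default.aspx", "GET", None, ()),
        ("/Default.aspx", "PUT", None, ()),
        ("/Pages/Default.aspx", "GET", None, ()),
        ("/Admin/Users.aspx", "GET", "alice", ()),
        ("/Admin/Users.aspx", "GET", "bob", ("Admin",)),
    ]:
        verdict = "allow" if is_authorized(site, path, verb, user, roles) else "DENY"
        print(f"{verb:4} {path:22} as {user or 'anonymous':10}: {verdict}")
    print("wrong order, anonymous GET /Default.aspx:",
          is_authorized(parse_rules(WRONG_ORDER), "/Default.aspx", "GET"))
```

Run it and compare with what the proxy shows in step 3: the anonymous PUT to Default.aspx is refused only because of the deny that follows the verb-restricted allow, and the WRONG_ORDER config lets anonymous users in even though it contains a deny for them.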

Followed consistently, these steps make it unlikely that a mistake in the authorization rules exposes a resource, because anything not explicitly allowed is denied. They do nothing for other classes of flaws, and the rules need re-checking whenever files or folders are added.
