How to secure web application???

Daniel Walzenbach

Hi,



Imagine the following: I want to secure an intranet web site (with all users having Windows domain accounts) in a way that only users of the domain should be allowed to log in. I therefore set

<authentication mode="Windows" />

in the web.config. This point done :-)

I now want to prevent users from starting anywhere in the application (by modifying the URL) but instead let them all start on a defined page (let it be default.aspx if you want). How can I do this?

I now want to connect to a SQL Server 2000. I would like to use ONE (for connection pooling) defined domain account for accessing SQL Server with integrated security. How can this be done? I don't want to use the ASPNET user as I imagine using different users for different applications. Does anybody know how this can be done?

How do you like this approach? What else would you recommend for making the application MORE secure? Installing a certificate using SSL for communication is what I'd expect but what other ideas do you have?



Thank you a lot in advance!!


Best regards

Daniel Walzenbach

P.S. If you need to contact me simply remove ".NOSPAM" from my email address.
 
For everybody else interested in this topic, get a grip on the following MSDN articles:
http://msdn.microsoft.com/msdnmag/issues/02/04/ASPSec/
http://msdn.microsoft.com/msdnmag/issues/02/05/ASPSec2/default.aspx

 
I now want to prevent users from starting anywhere in the application (by modifying the URL) but instead let them all start on a defined page (let it be default.aspx if you want). How can I do this?

You would add an entry to the global.asax file in the SessionStart
event. Check the current page; if it is not the page you want it to be,
redirect them to the proper page.

Mike
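
The check described in the reply above, as an added example that is not part of the original post: a Global.asax code-behind in C#. The class name `Global`, the `StartPage` constant and the session key are assumptions chosen for illustration.

```csharp
// Global.asax.cs -- added illustration, not code from the thread.
using System;
using System.Web;

public class Global : HttpApplication
{
    // Assumption: the single permitted entry page, app-relative.
    private const string StartPage = "~/default.aspx";

    // Runs on the first request of a new session.
    protected void Session_Start(object sender, EventArgs e)
    {
        // Store a value so the session ID stays stable. With cookie-based
        // session state, ASP.NET issues a new session ID on every request
        // until something has been written to the session.
        Session["EnteredViaStartPage"] = true;

        // App-relative path of the requested page,
        // for example "~/reports/list.aspx" (query string excluded).
        string requested = Request.AppRelativeCurrentExecutionFilePath;

        bool isStartPage = String.Equals(
            requested, StartPage, StringComparison.OrdinalIgnoreCase);

        if (!isStartPage)
        {
            // A fresh session that begins on any other page is sent to the
            // start page. The comparison above prevents a redirect loop
            // when the start page itself is requested.
            Response.Redirect(StartPage, true);
        }
    }
}
```

This only controls where a new session begins. It is not an access check: once a session exists any URL can be requested directly, so pages that need protection still require their own authorization rules.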
 
Hi Daniel,

Since you want all users to start from a particular web form, it sounds like
Form authentication in ASP.NET. You can take a look at the following article to see
if it is what you want:

HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by
Using C# .NET
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q301240

Regarding the problem of connecting to SQL Server with a particular account, I
think you may consider impersonation in ASP.NET. All requests to the web form
will be impersonated as a particular Windows account:

INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q306158

Hope this helps,

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Thanks to both of you. I'll give it a try as soon as I can.

Cheers
Daniel
 