ASP.NET security advice wanted


  1. #1

    ASP.NET security advice wanted

    We have an interesting ASP.NET security design problem. I think that
    I have worked out a solution, but I want to make sure that I am not
    off base. I would appreciate any advice that anyone might be willing
    to give me.

    For a new application we have both Intranet and Extranet users. For
    Extranet users we cannot use inter-domain trusts (the normal Extranet
    design pattern) for political reasons.

    We are using Windows 2000/Active Directory. The application will be
    written in ASP.NET. SSL will be used for all requests. The server(s)
    will have certificates, but the clients will not.

    1. Extranet users
    First-time Extranet users must go through an ASP.NET registration
    application. In this application IIS security is set to only allow
    requests from certain IP addresses and domains (our own and our
    clients'). IIS authenticates them as anonymous users. ASP.NET
    authenticates with Forms Authentication, redirecting them to a Logon
    page. The Logon page uses impersonation with the identity of a
    specific user that can add new users to the AD domain. They are then
    added to the domain as members of a special Extranet group with
    minimal/no privileges.

    Note: I realize that this will allow anyone to add themselves as
    users. Later, an administrator will use another ASP.NET application
    (using Windows Integrated Authentication) to increase their
    privileges, put them in specific groups that have specific roles, etc.
    We may also need to clean up "ghost" users periodically.

    Then, after registration, they can be authenticated using Windows
    Integrated Security as described below.

    2. Intranet users
    Intranet users (and registered Extranet users) will be authenticated
    by IIS using Windows Integrated security and ASP.NET Windows security.
    Since Intranet users are already authenticated by Windows they will
    not be required to present their credentials when entering the
    application. Extranet users will be forced to present their
    credentials when entering our domain since their passwords in their
    home and our local domain will most likely be different. (This is the
    part that I am not sure of.) Once they do they will be authenticated
    as domain users in our domain.

    Impersonation/Delegation will then be used to access a middle tier
    application that accesses an Oracle database. The Oracle database
    will use their passed credentials to limit them to seeing only their
    own data.

    Are there any holes in my logic for handling Extranet users?


    Thanks
    Bill Zack
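    The registration step Bill describes (Forms Authentication in front,
    a fixed impersonated identity that creates the account, new user
    dropped into a low-privilege Extranet group) is easy to get subtly
    wrong, so here is an added example of what that code-behind can look
    like. It is not code from the original post. Names are assumptions:
    domain corp.example, OU "Extranet", group "ExtranetUsers", service
    account svc-extranet-reg. It runs under the impersonated identity
    from web.config, so the DirectoryEntry binds carry that account's
    rights; give that account only "Create user objects" on the Extranet
    OU and write access to the group's member attribute, not Account
    Operators or wider. On ASP.NET 1.1 the impersonation password can be
    moved out of web.config into a DPAPI-protected registry key with
    aspnet_setreg.exe rather than left in clear text.

```csharp
// Added example, not part of Bill's post. Assumed web.config for the
// registration application (names are hypothetical):
//
//   <authentication mode="Forms"> ... </authentication>
//   <identity impersonate="true" userName="CORP\svc-extranet-reg" password="..." />
//   <authorization><deny users="?" /></authorization>
//
using System;
using System.DirectoryServices;
using System.Text.RegularExpressions;

public class ExtranetRegistration
{
    // Assumed directory layout (not from the post).
    const string DomainPath        = "LDAP://DC=corp,DC=example";
    const string ExtranetOuPath    = "LDAP://OU=Extranet,DC=corp,DC=example";
    const string ExtranetGroupPath = "LDAP://CN=ExtranetUsers,OU=Extranet,DC=corp,DC=example";
    const string UpnSuffix         = "@corp.example";

    // userAccountControl bits
    const int UF_ACCOUNTDISABLE = 0x0002;
    const int UF_NORMAL_ACCOUNT = 0x0200;

    // Conservative logon-name alphabet. This is what keeps user input from
    // becoming LDAP filter or DN syntax in the paths built below.
    static readonly Regex SafeLogon = new Regex(@"^[A-Za-z0-9][A-Za-z0-9._-]{2,19}$");

    // Creates the account, sets its password, enables it and adds it to the
    // Extranet group. Returns the new object's distinguished name.
    public static string Register(string logon, string password)
    {
        if (logon == null || !SafeLogon.IsMatch(logon))
            throw new ArgumentException("logon name must match [A-Za-z0-9._-], 3-20 chars");
        if (password == null || password.Length < 12)
            throw new ArgumentException("password too short");
        if (Exists(logon))
            throw new InvalidOperationException("account already exists");

        using (DirectoryEntry ou = new DirectoryEntry(ExtranetOuPath))
        using (DirectoryEntry user = ou.Children.Add("CN=" + logon, "user"))
        {
            user.Properties["sAMAccountName"].Value = logon;
            user.Properties["userPrincipalName"].Value = logon + UpnSuffix;
            user.CommitChanges();                 // object must exist before SetPassword

            // SetPassword needs a secure (Kerberos or LDAPS) bind; the impersonated
            // service account supplies that. Enable the account only after the
            // password is set, so it never exists enabled with an empty password.
            user.Invoke("SetPassword", new object[] { password });
            user.Properties["userAccountControl"].Value = UF_NORMAL_ACCOUNT; // ACCOUNTDISABLE bit clear
            user.CommitChanges();

            using (DirectoryEntry group = new DirectoryEntry(ExtranetGroupPath))
            {
                group.Invoke("Add", new object[] { user.Path }); // IADsGroup::Add by ADsPath
                group.CommitChanges();
            }

            user.RefreshCache(new string[] { "distinguishedName" });
            return (string)user.Properties["distinguishedName"].Value;
        }
    }

    // Duplicate check with an RFC 4515-escaped filter, even though the regex
    // already excludes the special characters (defence in depth).
    static bool Exists(string logon)
    {
        string filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilter(logon) + "))";
        using (DirectoryEntry root = new DirectoryEntry(DomainPath))
        using (DirectorySearcher s = new DirectorySearcher(root, filter, new string[] { "distinguishedName" }))
        {
            return s.FindOne() != null;
        }
    }

    static string EscapeFilter(string v)
    {
        return v.Replace(@"\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28")
                .Replace(")", @"\29").Replace("\0", @"\00");
    }
}
```

    Call Register(logonFromForm, passwordFromForm) from the Logon page's
    submit handler after confirming Request.IsSecureConnection. The point
    the post itself makes still stands: nothing here stops an allowed IP
    from registering any number of accounts, so the periodic "ghost"
    clean-up and the administrator-only privilege grant are what keep
    the Extranet group harmless.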

  2. #2

    RE: ASP.NET security advice wanted

    Hi Bill,

    In addition, I think you may consider adding a firewall between the clients
    and the IIS server, and between the IIS server and the database server. For
    example, block some ports to avoid malicious attacks from outside.

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)


  3. #3

    Re: ASP.NET security advice wanted

    "Bill Zack" <wzack@compuserve.com> wrote in message
    news:e32aaa56.0311011656.6db799cd@posting.google.com...
    > For a new application we have both Intranet and Extranet users. For
    > Extranet user we cannot use inter-domain trusts (the normal Extranet
    > design pattern) for political reasons.
    >
    I would only use AD for internal authentication (your employees). I would
    seal off/prevent outsiders from logging in to my AD at all if possible. I
    would use Oracle security authentication for outsiders (similar to the
    MS SQL authentication method). In MS SQL, you can design so-called
    "application role based" security. This way, only your application can
    access certain parts of your database. I do not know if Oracle supports
    role-based security. It is the best so far for me.

    Thomas


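    As an added example of the SQL Server "application role" pattern
    Thomas refers to (this is not code from his reply): the application
    logs in with a login that has no permissions on the tables, activates
    the role with a secret only the application holds, and passes the
    authenticated user's name as a parameter so the database can still
    filter rows. Database name, login, role and stored procedure are
    assumptions. The trade-off against Bill's delegation design is that
    the database no longer sees the end user, so the per-user filter is
    only as honest as the identity the application passes in.

```csharp
// Added example, not from the original thread. Assumed: database ExtranetDb,
// login extranet_web (no table permissions), application role ExtranetApp,
// stored procedure dbo.GetOrdersForUser(@userName nvarchar(256)).
using System;
using System.Data;
using System.Data.SqlClient;

public class AppRoleDataAccess
{
    // Pooling=false: an application role stays active for the life of the
    // connection, so a pooled connection handed to the next request would
    // already carry the role. On SQL Server 2005 and later the alternative is
    // sp_setapprole with @fCreateCookie=1 and sp_unsetapprole before Close().
    const string ConnStr =
        "Server=db1;Database=ExtranetDb;User ID=extranet_web;Password=...;Pooling=false";

    readonly string appRolePassword;   // load from DPAPI-protected config, never hard-code

    public AppRoleDataAccess(string appRolePassword)
    {
        if (appRolePassword == null || appRolePassword.Length == 0)
            throw new ArgumentException("application role password missing");
        this.appRolePassword = appRolePassword;
    }

    // userName must come from the authenticated principal (User.Identity.Name),
    // never from a request parameter, or the row filter is meaningless.
    public DataTable OrdersFor(string userName)
    {
        if (userName == null || userName.Length == 0)
            throw new ArgumentException("no authenticated user");

        using (SqlConnection cn = new SqlConnection(ConnStr))
        {
            cn.Open();

            // Until this succeeds, extranet_web cannot read any table.
            using (SqlCommand set = new SqlCommand("sp_setapprole", cn))
            {
                set.CommandType = CommandType.StoredProcedure;
                set.Parameters.Add("@rolename", SqlDbType.NVarChar, 128).Value = "ExtranetApp";
                set.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = appRolePassword;
                set.ExecuteNonQuery();
            }

            // Parameterised call: the user name is data, not SQL text.
            using (SqlCommand q = new SqlCommand("dbo.GetOrdersForUser", cn))
            {
                q.CommandType = CommandType.StoredProcedure;
                q.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;

                DataTable result = new DataTable();
                using (SqlDataAdapter da = new SqlDataAdapter(q))
                {
                    da.Fill(result);
                }
                return result;
            }
        }
    }
}
```

    Grant EXECUTE on dbo.GetOrdersForUser to the ExtranetApp role only,
    and nothing to extranet_web directly; then a leaked web login is
    useless without the role secret, which is the property Thomas is
    after.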
