Securing an ASP.Net application

[Xarky]

Hi,
I am writing a web application, and would like to make it secure. By
secure I mean, that the data that is transmitted is not altered, and
if data is stolen the data that they view has no meaning to them.

I was trying to following this link, though I don't know if I am on
the correct path.

[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT16.asp[/url]

Also on that link I am finding a problem. In the part To Generate a
certificate request, in the Directory Security tab, the Server
Certificate is unavailable for all type of files and directories.

Can someone give me further help.
Thanks in Advance

[swat]

SSL provides authentication, private communication (traffic between
client and server is encrypted), and data integrity (ensures that data
has not been tampered with during transmission). So to answer your
first question: You are NOT on the wrong track by choosing SSL.

Server certificates are set up on a per website basis, and not on
virtual directories, files, or folders.

Did you select a website before opening the properties dialog box?

[xarky d_best]

Hi,

I am doing as follows.

Control Panel -> Administrative Tools -> Internet Information Services

I open the MyComputer Icon->WebSites->MyProject and then select an aspx
file. I right click on this file, but the tab Directory Security is not
found.

The Tabs I have available are:
File, File Security, Http Headers, Custom Errors.

In the File Security, within Secure Communications, there is a Server
certificate, but this is also disabled.

What should my problem be?

I am using Windows XP Professional SP2.
Internet Information Services - Version: 5.1
Microsoft Dot Net Framework 1.1

Can someone help me out.
Thanks in Advance

*** Sent via Developersdex [url]http://www.developersdex.com[/url] ***

[swat]

Hi xarky d_best,

You are selecting a file instead of a website.

In your case of "MyComputer Icon > WebSites > MyProject", MyProject
would be the web site, unless you skipped listing "Default Web Site" in
your path (MyComputer Icon > WebSites > Default Web Site > MyProject).

If MyProject is a web site, you must right click on it (do not select a
file under it first), select Properties, click on Directory Security
tab and continue with the settings as described in the document on
MSDN. The first tab selected in the properties dialog box when you open
it should have the title "Web Site" and not "Virtual Directory",
"Directory", or "File".

If MyProject is not a website, but a virtual directory or directory,
you must set up a web site to run your project under of use the
"Default Web Site" if MyProject is listed under it.

HTH

[swat]

Hi xarky d_best,

You are selecting a file instead of a website.

In your case of "MyComputer Icon > WebSites > MyProject", MyProject
would be the web site, unless you skipped listing "Default Web Site" in
your path (MyComputer Icon > WebSites > Default Web Site > MyProject).

If MyProject is a web site, you must right click on it (do not select a
file under it first), select Properties, click on Directory Security
tab and continue with the settings as described in the document on
MSDN. The first tab selected in the properties dialog box when you open
it should have the title "Web Site" and not "Virtual Directory",
"Directory", or "File".

If MyProject is not a website, but a virtual directory or directory,
you must set up a web site to run your project under or use the
"Default Web Site" if MyProject is listed under it.

HTH

[xarky d_best]

Hi,
Under My Web Sites folder, I have the Default Web Site

-Web Sites
- Default Web Site
+ IIS Help
+ Printers
+ aspnet_client
+ MyProject

Right-Cliking on MyProject, the Server Certificate under the Security
tab is disabled.

Right-Cliking on Default Web Site, the Server Certificate under the
Securtiy tab is enabled. Should I continue to follow the instructions
from here?

Thanks

*** Sent via Developersdex [url]http://www.developersdex.com[/url] ***

[swat]

Yes.

Another option is to create a new web site, host your application under
it, and set up SSL for the new web site.

Note: You can have only one server certificate per web site.

[xarky d_best]

Hi,
How can I create my own Web Site, and then put my project into.

Also, following the instructions, there seems to make a request to a CA.
Does this generally take long?

After following all those steps given in that link, should that all be
the process of securing my web application.


Thanks for all your help.



*** Sent via Developersdex [url]http://www.developersdex.com[/url] ***

[swat]

Sorry. I forgot you were using Win XP. I don't think you can create
multiple web sites on Win XP. Check out this link for a possible
workaround:
[url]http://dotnetjunkies.com/WebLog/mjordan/archive/2003/12/30/5033.aspx[/url]

You need Microsoft Certificate Services installed on a computer on your
network to be able to generate your own certificates, which don't take
long to generate.

After following the steps, you would have set up SSL for your
application. And since your requirement was "secure communication", SSL
would cover this.

[swat]

Sorry. I forgot you were using Win XP. I don't think you can create
multiple web sites on Win XP. Check out this link for a possible
workaround:
[url]http://dotnetjunkies.com/WebLog/mjordan/archive/2003/12/30/5033.aspx[/url]

You need Microsoft Certificate Services installed on a computer on your
network to be able to generate your own certificates, which don't take
long to generate.

After following the steps, you would have set up SSL for your
application. And since your requirement was "secure communication", SSL
would cover this.

[xarky d_best]

Hi,

> You need Microsoft Certificate Services installed on a
> computer on your network to be able to generate your own
> certificates, which don't take long to generate.

Can the Mircosoft Certificate Services be installed on my(same) PC.
Frow where can these be downloaded or installed?

Thanks

*** Sent via Developersdex [url]http://www.developersdex.com[/url] ***

[swat]

Certificate Services is available as a Windows Component in Windows
2000 server and Windows 2003 server. It can be installed on the same PC
you are requesting a certificate from.

[xarky d_best]

On WinXP?


*** Sent via Developersdex [url]http://www.developersdex.com[/url] ***

[Dominick Baier [DevelopMentor]]

Hello xarky d_best,

nope - only on servers.

---------------------------------------
Dominick Baier - DevelopMentor
[url]http://www.leastprivilege.com[/url]

> On WinXP?
>
> *** Sent via Developersdex [url]http://www.developersdex.com[/url] ***
>

[xarky d_best]

So its useless trying this solution :(

Is there another way how I can secure data transfering?



*** Sent via Developersdex [url]http://www.developersdex.com[/url] ***

[Dominick Baier [DevelopMentor]]

Hello xarky d_best,

Well - you only need the server to get the certificate - SSL will work fine
on XP...

---------------------------------------
Dominick Baier - DevelopMentor
[url]http://www.leastprivilege.com[/url]

> So its useless trying this solution :(
>
> Is there another way how I can secure data transfering?
>
> *** Sent via Developersdex [url]http://www.developersdex.com[/url] ***
>