security policy for many users - ASP.NET Security

  1. #1

    security policy for many users

    I am developing for an Intranet with about 100 users
    (we do computer training).
    We're running about 12 different ASP.NET applications.
    4 of these applications require authentication.

    Windows authentication is not an option, as for Windows
    most of our users have a blank password (so it would
    be too easy for one user to impersonate another).

    For my secure applications all users will have their own
    password, and it should be the same password for the
    4 applications. They should have an option to change
    their own password.

    What will be the best policy to avoid duplicating code
    and information about users and passwords?

    My first thoughts were:
    - to use a database with user names and (encrypted)
    passwords
    - to share the database code and functionality (checking
    credentials, changing passwords) through a web service
    - to call the web service whenever a user is logging on.

    Is this a good path to follow?
    Or can it be done with one single web.config file?
    Any other suggestions?

    --

    Jos



    Jos Guest

  2. #2

    security policy for many users

    Why not get passwords set for the domain? Why write
    password and user id management into your web applications
    when it is already supplied by the OS?
    I don't mean to avoid the question but it seems to me you
    are going about this the wrong way.
    As for the question:
    You would have to put the ids and passwords in some form
    of storage, and the DB is a good idea. Store the passwords
    with one of the available one-way hash algorithms. As for
    sharing the code through a web service, that means you'll
    have to decide how to secure the web service. Also consider
    whether you will support things such as expiring accounts,
    expiring passwords, password complexity, etc. Also, if you
    call the web service with a plain text password it could
    be a vulnerability issue. I'd seriously consider getting
    Windows passwords in a domain if possible.
    >-----Original Message-----
    >I am developing for an Intranet with about 100 users
    >(we do computer training).
    >We're running about 12 different ASP.NET applications.
    >4 of these applications require authentication.
    >
    >Windows authentication is not an option, as for Windows
    >most of our users have a blank password (so it would
    >be too easy for one user to impersonate another).
    >
    >For my secure applications all users will have their own
    >password, and it should be the same password for the
    >4 applications. They should have an option to change
    >their own password.
    >
    >What will be the best policy to avoid duplicating code
    >and information about users and passwords?
    >
    >My first thoughts were:
    >- to use a database with user names and (encrypted)
    > passwords
    >- to share the database code and functionality (checking
    > credentials, changing passwords) through a web service
    >- to call the web service whenever a user is logging on.
    >
    >Is this a good path to follow?
    >Or can it be done with one single web.config file?
    >Any other suggestions?
    >
    >--
    >
    >Jos
    >
    >
    >
    >.
    >
    Kevin Brown Guest

  3. #3

    Re: security policy for many users

    You could write a common class, shared via assembly throughout all the apps
    for authentication purposes.

    For the Windows auth, why not force a minimum password? It would make
    things a little easier in some ways, all things being equal...

    But I feel the best way would be to write a common class that encapsulates
    the auth functions: [pseudo-C# code] ;-)
    public class CommonAuthentication
    {
        // Returns true if the database has the user and the password matches.
        public bool AuthenticateUser(string username, string password)
        {
            /* look up the user and compare the stored password with the supplied one */
            return false; // placeholder body
        }

        // Returns a string array of user roles... not necessary if not
        // using this feature.
        public string[] GetUserRoles(string username)
        {
            return new string[0]; // placeholder body
        }

        // Only update the password once the old one has been verified.
        public void ChangePassword(string username, string oldPassword,
                                   string newPassword)
        {
            if (this.AuthenticateUser(username, oldPassword))
            {
                // update password in database
            }
        }
    }

    then just wrap that class into its own project that all the other projects
    reference, and you've got it.

    HTH


    --
    Eric Newton
    ericensoft-software.com
    C#/ASP.net Solutions developer
    "Jos" <josnospambrandersfastmail.fm> wrote in message
    news:uCH4sGcXDHA.2256TK2MSFTNGP10.phx.gbl...
    > I am developing for an Intranet with about 100 users
    > (we do computer training).
    > We're running about 12 different ASP.NET applications.
    > 4 of these applications require authentication.
    >
    > Windows authentication is not an option, as for Windows
    > most of our users have a blank password (so it would
    > be too easy for one user to impersonate another).
    >
    > For my secure applications all users will have their own
    > password, and it should be the same password for the
    > 4 applications. They should have an option to change
    > their own password.
    >
    > What will be the best policy to avoid duplicating code
    > and information about users and passwords?
    >
    > My first thoughts were:
    > - to use a database with user names and (encrypted)
    > passwords
    > - to share the database code and functionality (checking
    > credentials, changing passwords) through a web service
    > - to call the web service whenever a user is logging on.
    >
    > Is this a good path to follow?
    > Or can it be done with one single web.config file?
    > Any other suggestions?
    >
    > --
    >
    > Jos
    >
    >
    >

    Eric Newton Guest
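Below is an added example, not code from either reply, that puts the two answers together: Eric's shared CommonAuthentication class, with the passwords stored the way Kevin advises (a salted one-way hash, here PBKDF2 via Rfc2898DeriveBytes) plus the expiring-password and complexity checks he mentions. The in-memory dictionary stands in for the shared database, and the PasswordRecord type, the 90-day lifetime, the iteration count and the complexity rule are this example's own assumptions.

```csharp
// Added example: a shared authentication class for several ASP.NET apps.
// Assumed: PasswordRecord, the 90-day lifetime, 100000 PBKDF2 iterations
// and the complexity rule are this example's choices, not the thread's.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public sealed class PasswordRecord
{
    public byte[] Salt;
    public byte[] Hash;
    public DateTime Expires;   // supports Kevin's "expiring passwords" point
    public string[] Roles;
}

public class CommonAuthentication
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Iterations = 100000;                                   // assumed work factor
    private static readonly TimeSpan PasswordLifetime = TimeSpan.FromDays(90); // assumed policy

    // Stand-in for the users table; a real deployment queries the shared database.
    private readonly Dictionary<string, PasswordRecord> _users =
        new Dictionary<string, PasswordRecord>(StringComparer.OrdinalIgnoreCase);

    // Minimal complexity rule (assumed): at least 8 characters, one letter and one digit.
    public static bool MeetsComplexity(string password)
    {
        if (password == null || password.Length < 8) return false;
        bool digit = false, letter = false;
        foreach (char c in password)
        {
            if (char.IsDigit(c)) digit = true;
            if (char.IsLetter(c)) letter = true;
        }
        return digit && letter;
    }

    public bool CreateUser(string username, string password, string[] roles)
    {
        if (!MeetsComplexity(password) || _users.ContainsKey(username)) return false;
        _users[username] = NewRecord(password, roles);
        return true;
    }

    // True only if the user exists, the password has not expired and the hash matches.
    public bool AuthenticateUser(string username, string password)
    {
        PasswordRecord rec;
        if (!_users.TryGetValue(username, out rec)) return false;
        if (DateTime.UtcNow > rec.Expires) return false;
        byte[] candidate = Derive(password, rec.Salt);
        return FixedTimeEquals(candidate, rec.Hash);
    }

    public string[] GetUserRoles(string username)
    {
        PasswordRecord rec;
        return _users.TryGetValue(username, out rec) ? (string[])rec.Roles.Clone() : new string[0];
    }

    // The old password must verify before the new one is stored; a fresh salt is generated.
    public bool ChangePassword(string username, string oldPassword, string newPassword)
    {
        if (!AuthenticateUser(username, oldPassword)) return false;
        if (!MeetsComplexity(newPassword)) return false;
        _users[username] = NewRecord(newPassword, _users[username].Roles);
        return true;
    }

    private static PasswordRecord NewRecord(string password, string[] roles)
    {
        byte[] salt = new byte[SaltBytes];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return new PasswordRecord
        {
            Salt = salt,
            Hash = Derive(password, salt),
            Expires = DateTime.UtcNow + PasswordLifetime,
            Roles = roles ?? new string[0]
        };
    }

    // PBKDF2 (Rfc2898DeriveBytes) is one-way: the database never holds a recoverable password.
    private static byte[] Derive(string password, byte[] salt)
    {
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Compare every byte regardless of where the first mismatch is, so timing leaks nothing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        CommonAuthentication auth = new CommonAuthentication();
        Console.WriteLine(auth.CreateUser("jos", "training2003", new[] { "trainer" }));
        Console.WriteLine(auth.AuthenticateUser("jos", "training2003"));
        Console.WriteLine(auth.AuthenticateUser("jos", "wrong"));
        Console.WriteLine(auth.ChangePassword("jos", "wrong", "newpass99"));
        Console.WriteLine(auth.ChangePassword("jos", "training2003", "newpass99"));
        Console.WriteLine(auth.AuthenticateUser("jos", "training2003"));
        Console.WriteLine(auth.AuthenticateUser("jos", "newpass99"));
    }
}
```

Wrapped in its own project and referenced by all four applications, as Eric suggests, this keeps one copy of the logic; the four apps still need to share one store (the database Jos proposes) rather than the in-memory dictionary used here. If the class is exposed as a web service instead, Kevin's warning applies: the password crosses the network on every logon, so that call has to run over an encrypted channel and the service itself needs its own access control.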
