15 - Lesson 5C
Knowledge Byte
In this section, you will learn about:
• Authenticode signing
• Microsoft Passport Service
Authenticode Signing
• There are two important issues in making the Internet a reliable source for
  software distribution:
  • Authenticity: The user must be assured about the source of the code.
  • Integrity: The user must also be assured that the code is unaltered since
    its publication.
• Authenticode signing technology makes it possible to check the authenticity
  and integrity of software.
• This technology uses digital signatures and digital certificates to secure
  the authenticity and integrity of software.
Digital Signatures
• Digital signatures:
  • Can be used to distribute data securely
  • Assure the receiver about the source of the data
  • Are validated when the recipient of the data wants to verify whether
    the data has come from the correct source
  • Do not change the data; the signature is attached to the data as a
    digital signature string
  • Are generated using a public key signature algorithm
• This algorithm uses two types of keys:
  • Private key
  • Public key
the sender.
5. The receiver then decrypts the encrypted hash using the sender's public key.
6. If the sender's hash is the same as the receiver's hash, the document is
   authentic and has not been tampered with.
Digital Certificates
• A digital certificate:
  • Is a set of data containing the information required to establish the
    identity of an individual or an organization
  • Ensures that the public key in the certificate is that of the person to
    whom the certificate is issued
  • Is issued by a Certification Authority
  • Encloses the following information:
    • Serial number of the digital certificate
    • Public key of the owner
    • Name of the owner
    • Name of the certification authority that issued the certificate
    • Digital signature of the certification authority
    • Expiry date of the digital certificate
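The signing steps and the certificate fields listed above, carried through in code. This is an added example, not part of the lesson: it builds textbook RSA (no padding) from the Python standard library so it runs offline, whereas real Authenticode uses X.509 certificates and padded RSA or ECDSA signatures from a proper cryptographic library. The certificate is modelled as a dictionary holding exactly the fields the lesson lists; the CA signs those fields, and a verifier checks the CA signature and the expiry date before trusting the enclosed public key to verify the code signature. Names such as `Example CA` and the code bytes are constructed for the example.

```python
import hashlib
import secrets

E = 65537  # conventional public exponent


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(cand):
            return cand


def gen_keypair(bits=512):
    """Return ((n, e), (n, d)); the modulus n has 2*bits bits."""
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:  # E is prime, so this means gcd(E, phi) == 1
            return (p * q, E), (p * q, pow(E, -1, phi))


def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    """Sender side: hash the data, then 'encrypt' the hash with the private key."""
    n, d = priv
    return pow(digest(data), d, n)


def verify(pub, data, sig):
    """Receiver side (steps 5 and 6): 'decrypt' with the public key and compare
    against a freshly computed hash of the received data."""
    n, e = pub
    return pow(sig, e, n) == digest(data)


def cert_to_be_signed(cert):
    """Canonical bytes of every listed field except the CA's own signature."""
    fields = ("serial", "owner", "public_key", "issuer", "not_after")
    return "|".join(f"{k}={cert[k]}" for k in fields).encode()


def issue_certificate(ca_priv, issuer, serial, owner, owner_pub, not_after):
    cert = {"serial": serial, "owner": owner, "public_key": owner_pub,
            "issuer": issuer, "not_after": not_after}
    cert["ca_signature"] = sign(ca_priv, cert_to_be_signed(cert))
    return cert


def verify_certificate(cert, ca_pub, now):
    if now > cert["not_after"]:
        return False, "certificate expired"
    if not verify(ca_pub, cert_to_be_signed(cert), cert["ca_signature"]):
        return False, "CA signature invalid"
    return True, "ok"


def verify_signed_code(code, code_sig, cert, ca_pub, now):
    """Authenticity (a CA vouches for the signer) plus integrity (unchanged bytes)."""
    ok, reason = verify_certificate(cert, ca_pub, now)
    if not ok:
        return False, reason
    if not verify(cert["public_key"], code, code_sig):
        return False, "code signature invalid: altered code or wrong signer"
    return True, "ok"


if __name__ == "__main__":
    ca_pub, ca_priv = gen_keypair()
    pub_pub, pub_priv = gen_keypair()
    cert = issue_certificate(ca_priv, "Example CA", 1, "Example Publisher", pub_pub, 2_000_000_000)
    code = b"MZ constructed installer bytes"  # constructed sample, not a real binary
    sig = sign(pub_priv, code)
    print(verify_signed_code(code, sig, cert, ca_pub, now=1_700_000_000))
    print(verify_signed_code(code + b"!", sig, cert, ca_pub, now=1_700_000_000))
```

Changing a single byte of the code fails the integrity check, changing any certificate field breaks the CA signature, and an expired certificate is rejected before the code signature is even examined; that ordering is why an expired signing certificate matters even when the code itself is untouched.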
Best Practices
Implementing Security in Web Applications
• To improve the security of your Web applications:
  • Use the NTFS file system in place of FAT32.
  • If several applications run on a server and many configuration options
    need to be shared between them:
    • Place the shared configuration settings in machine.config and any
      application-specific settings in the individual web.config files.
  • While distributing your application:
    • Distribute only the .msi file and not the setup.exe file.
FAQs
• How does IIS support an “anonymous user”?
• Does IIS support the Web-standard basic authentication model?
• Does ASP.NET protect configuration files from outside access?
• What are the advantages of configuration files?
Challenge
1. You create an ASP.NET application for tracking the projects in Neo Solutions Inc., a
solution provider firm. You use Microsoft Windows authentication for securing the
Web application.
Project Managers working on the different projects are members of a group
named Managers, and Project Executives are members of a group named
Executives.
The root folder for the Web application is named Projects. The Projects folder
displays information about the different projects being developed at Neo Solutions
Inc. The Projects folder has a subfolder named Budget. Both the Managers and
the Executives can access pages in Projects whereas only Managers can access
pages in the Budget folder. You create the following entries in the Web.config file
for the Projects folder (line numbers in the code snippet have been included for
reference only).
1 <authentication mode="Windows" />
2 <authorization>
3 <allow roles="Executives, Managers" />
4 <deny users="*" />
5 </authorization>
You create the following entries in the Web.config file for Budget folder.
(Line numbers in the code snippet have been included for reference only.)
1 <authentication mode="Windows" />
2 <authorization>
3 <allow roles="Executives, Managers" />
4 <deny users="*" />
5 </authorization>
When Managers try to access pages in the Budget folder, they receive an error
message that reads in part:
“An error occurred during the processing of a configuration file required to
service this request.”
You need to ensure that Managers can access pages in the Budget folder. What
should you do to solve this error?
a. Remove line 1 in the Web.config file in Budget.
b. Modify line 4 in the Web.config file in Budget as follows:
<allow users="*" />
c. Add the following line between line 1 and line 2 in the Web.config file in
Projects:
<identity impersonate="true" />
d. Add the following line between line 1 and line 2 in the Web.config file in
Budget:
<identity impersonate="true" />
e. Add the following line between line 1 and line 2 in the Web.config file in
Budget:
<identity impersonate="false" />
Solutions
1. a. Remove line 1 in the Web.config file in Budget.
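A small configuration checker that models the rule behind the answer. This is an added example, not part of the lesson: ASP.NET only permits the `<authentication>` section at machine or application level (machine.config declares it with `allowDefinition="MachineToApplication"`), so a Web.config in a subfolder such as Budget that declares it produces the configuration-file error quoted above. The checker flags that condition, applies the answer key's fix by removing the element, and then evaluates URL authorization the way ASP.NET does: rules are tried in document order, the first match decides, a child folder's rules precede its ancestors', and an unmatched request falls through to the root-level default of `<allow users="*" />`. The two Web.config documents are constructed copies of the challenge's snippets wrapped in the `<configuration><system.web>` elements the snippets omit.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the challenge's Web.config entries for the Projects
# application root and its Budget subfolder.
PROJECTS_CONFIG = """<configuration><system.web>
  <authentication mode="Windows" />
  <authorization>
    <allow roles="Executives, Managers" />
    <deny users="*" />
  </authorization>
</system.web></configuration>"""

BUDGET_CONFIG = """<configuration><system.web>
  <authentication mode="Windows" />
  <authorization>
    <allow roles="Executives, Managers" />
    <deny users="*" />
  </authorization>
</system.web></configuration>"""


def authentication_in_subfolder(configs, app_root):
    """Return paths of Web.config files below the application root that declare
    <authentication>. ASP.NET restricts that section to machine or application
    level (allowDefinition="MachineToApplication"), so each hit is a file that
    would raise the configuration error described in the challenge."""
    return [path for path, text in configs.items()
            if path != app_root
            and ET.fromstring(text).find(".//authentication") is not None]


def remove_authentication(text):
    """The answer key's fix: drop the <authentication> element from the file."""
    root = ET.fromstring(text)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "authentication":
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


def parse_rules(text):
    """Return (action, kind, values) tuples for <allow>/<deny> in document order."""
    rules = []
    for el in ET.fromstring(text).iter():
        if el.tag in ("allow", "deny"):
            for kind in ("users", "roles"):
                if kind in el.attrib:
                    values = {v.strip() for v in el.attrib[kind].split(",")}
                    rules.append((el.tag, kind, values))
    return rules


def effective_rules(configs, path):
    """Rules that apply to a folder: its own first, then each ancestor's."""
    rules = []
    while True:
        if path in configs:
            rules.extend(parse_rules(configs[path]))
        if "/" not in path:
            return rules
        path = path.rsplit("/", 1)[0]


def is_allowed(rules, user, roles):
    """ASP.NET URL authorization: first matching rule wins; "*" matches every
    user. No match falls through to the root default, which allows all users."""
    for action, kind, values in rules:
        if kind == "users" and ("*" in values or user in values):
            return action == "allow"
        if kind == "roles" and values & set(roles):
            return action == "allow"
    return True


if __name__ == "__main__":
    configs = {"Projects": PROJECTS_CONFIG, "Projects/Budget": BUDGET_CONFIG}
    print("misplaced <authentication>:", authentication_in_subfolder(configs, "Projects"))
    configs["Projects/Budget"] = remove_authentication(BUDGET_CONFIG)
    print("after fix:", authentication_in_subfolder(configs, "Projects"))
    rules = effective_rules(configs, "Projects/Budget")
    for user, roles in (("alice", ["Managers"]), ("bob", ["Executives"]), ("carol", ["Staff"])):
        print(user, roles, "->", "allowed" if is_allowed(rules, user, roles) else "denied")
```

With the fix applied, members of Managers reach the Budget folder as the challenge requires. The same evaluation also shows that, as written, the Budget rules admit Executives too, because both folders allow the same two roles; the challenge asks only about the configuration error, but a checker like this surfaces the mismatch against the stated requirement that only Managers may access Budget.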