Layered Defenses
The critical pieces of security in any application are authenticating anyone who requires access, granting them only the permissions they need and holding them accountable for their actions.
With most applications, control is applied only when the user first authenticates with a username and password. Users are usually not reauthenticated as they move deeper into authorized resources, so anyone who hijacks the session inherits the user's full access and can use it to work deeper into the enterprise.
In addition, even legitimate users tend to be given wider access than they need, because file permissions are a blunt instrument for limiting what each user may do.
.NET addresses both problems by allowing programmers to build security into each level or tier of operation: Web server, programming language, operating system and database.
Typically, a user first interacts with the IIS Web server for basic authentication and limited access. .NET then enables enterprises to build in security at each tier as the user works with additional resources, downloading mobile code to work with business and commercial apps and accessing data on the corporate back end.
Let's track a request through the .NET environment. The user connects via the Web server, where IIS can validate a client certificate and a basic password and can permit or refuse access based on the client's subnet before the application is ever reached. The application can then require a Passport account, apply URL authorization to permit or deny specific paths, and map the user to particular .NET roles that its code checks before performing sensitive operations. After the application performs its checks, the server can authenticate the caller again before passing the request on. Finally, when the user reaches the data, Windows authentication is performed against SQL Server, and the user sees only the information that the object-level roles defined in SQL Server allow.
These roles are a differentiating point for .NET, helping developers tighten security while making it easier to manage: a user who slips past one tier still carries no more authority at the next than the roles granted there.
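The walk-through above, as an added example rather than code from the SearchSecurity article: a C# console program for .NET Framework that plays one user through the application tier (a declarative .NET role demand plus an imperative IsInRole check) and the data tier (a connection that uses Windows authentication, so the caller's own identity reaches SQL Server and SQL Server's role membership decides what the query may read). The certificate, Passport and subnet checks happen inside IIS before any of this code runs, so they are not modelled here. The user names, role names, server, database, table and column are assumptions constructed for the example, and the declarative PrincipalPermission attribute assumes .NET Framework (it is not supported on .NET Core and later).

```csharp
// Added example (not from the original article). Assumes .NET Framework.
// Names of users, roles, server, database and table are constructed for illustration.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class TieredAccess
{
    // Application tier: the runtime evaluates this demand against
    // Thread.CurrentPrincipal before the method body runs, so a session that
    // reached this code without the "Manager" role is stopped at this tier
    // rather than at the database. (Role name is an assumption for the example.)
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public static string ApproveOrder(int orderId)
    {
        return "order " + orderId + " approved by " + Thread.CurrentPrincipal.Identity.Name;
    }

    // Same check done imperatively, for paths where the required role depends on data.
    public static bool CanView(IPrincipal user, string department)
    {
        return user.IsInRole("Auditor") || user.IsInRole("Clerk-" + department);
    }

    // Data tier: Integrated Security (Windows authentication) means the app holds
    // no SQL password; the Windows identity is what SQL Server's roles are applied to.
    public static string WindowsAuthConnectionString(string server, string database)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            IntegratedSecurity = true
        };
        return builder.ConnectionString;
    }

    public static int CountOrders(string connectionString, string department)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = conn.CreateCommand())
        {
            // Parameterised so the department value can never change the statement;
            // whether the caller may read dbo.Orders at all is decided by SQL Server roles.
            cmd.CommandText = "SELECT COUNT(*) FROM dbo.Orders WHERE Department = @dept";
            cmd.Parameters.Add("@dept", SqlDbType.NVarChar, 64).Value = department;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    static void Main(string[] args)
    {
        // Stand-in for the principal ASP.NET attaches after IIS has authenticated the
        // user: a constructed identity carrying a constructed role list.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("alice"), new[] { "Clerk-Sales" });

        Console.WriteLine("alice can view Sales: " + CanView(Thread.CurrentPrincipal, "Sales"));
        Console.WriteLine("alice can view Finance: " + CanView(Thread.CurrentPrincipal, "Finance"));
        try
        {
            ApproveOrder(42); // alice holds no Manager role, so the demand throws
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("denied at application tier: " + ex.Message);
        }

        // A different principal with the Manager role passes the same demand.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("bob"), new[] { "Manager" });
        Console.WriteLine(ApproveOrder(42));

        // The data tier is only exercised when a server and database are supplied
        // on the command line; both are assumptions of this example.
        if (args.Length == 2)
        {
            string cs = WindowsAuthConnectionString(args[0], args[1]);
            Console.WriteLine("connecting with: " + cs);
            Console.WriteLine("Sales orders: " + CountOrders(cs, "Sales"));
        }
    }
}
```

Run it without arguments to see the application-tier checks alone; pass a server and database name to exercise the data tier against a real SQL Server instance where the Windows account running the program has been granted a role on dbo.Orders. The point to notice is that a hijacked session for alice gains nothing at the database: the connection carries alice's Windows identity, so SQL Server applies alice's role membership regardless of what the application code asked for.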