Velocity Reviews - Computer Hardware Reviews

Security design question

 
 
John Lee
      01-12-2005
Hi,

Here is the environment-related context:
=========================================================================
Websites are hosted in the DMZ - subdomain created: dmz.companydomain.com
We have our web farm (3-5 web servers) running under one NT Domain account with least privileges.
The website has 3 levels of access: anonymous, registered and verified
We will use forms authentication to authenticate registered and verified users
SQL Server will be used to host user authentication information and Session state
All line-of-business web services are hosted internally with Windows authentication only
AzMan is used to perform access checks on all public web methods
=========================================================================
My questions are:

Is this a good practice? Any obvious flaws?
What is the best way to encrypt session state, because it might contain sensitive data?
If the internal web service trusts the NT domain account that hosts the web site, it means that if someone gains access/control to the site then he could possibly call any of the web service methods. Is this correct? How to prevent it from happening?
What is the best way to secure a public access website that will retrieve/update internal business data?

Thanks very much!
John



 
 
 
 
 
[MSFT]
      01-13-2005
Hi John,

From the design, you may consider adding a firewall between the outside and
your web site, and also between your web server and the Web service
server/database. This can help block attacks. Here are some good
articles on ASP.NET security; you may take a look first to see if they will
help:


Securing Your ASP.NET Application and Web Services
http://msdn.microsoft.com/library/de...us/dnnetsec/html/THCMCh19.asp

Securing .NET Web Applications in an Intranet Environment
http://msdn.microsoft.com/library/de...us/secmod/html/secmod05.asp

An Introductory Guide to Building and Deploying More Secure Sites with
ASP.NET and IIS
http://msdn.microsoft.com/msdnmag/is...c/default.aspx

Luke

 