1. Explain role-based security?
Role-based security implements security based on the roles assigned to user groups in the organization. We can then allow or deny users based on their role in the organization. Windows defines several built-in groups, including Administrators, Users, and Guests.
EXAMPLE:
[xml]
<authorization>
  <allow roles="Domain_Name\Administrators" /> <!-- Allow Administrators in domain. -->
  <deny users="*" /> <!-- Deny anyone else. -->
</authorization>
[/xml]
2. What are the advantages of Passport authentication?
All the websites can be accessed using a single set of login credentials, so there is no need to remember login credentials for each web site.
Users can maintain their information in a single location.
3. Give any five names of the ASP.NET security controls?
· <asp:Login>: Provides a standard login capability that allows the users to enter their credentials.
· <asp:LoginName>: Allows you to display the name of the logged-in user.
· <asp:LoginStatus>: Displays whether the user is authenticated or not.
· <asp:LoginView>: Provides various login views depending on the selected template.
· <asp:PasswordRecovery>: Emails the users their lost password.
4. How do you impersonate the authenticated user in ASP.NET?
Impersonation means delegating one user identity to another user. In ASP.NET, anonymous users impersonate the ASPNET user account by default. You can use the <identity> element of the web.config file to impersonate a user.
E.g.
<identity impersonate="true"/>
5. What is impersonation in ASP.NET?
Impersonation is when a user accesses a resource without revealing his identity.
6. How do you provide secured communication in ASP.NET?
ASP.NET provides secured communication using Secure Sockets Layer (SSL). For the application to use SSL, an encryption key called a server certificate must be configured in IIS. When a user requests a secured page, the server generates an encryption key for the user's session. The encrypted response is then sent along with the generated encryption key. On the client side, the response is decrypted using the same encryption key.
7. What are the authentication modes available in ASP.NET?
ASP.NET supports three authentication modes through the System.Web.Security namespace.
Windows Authentication
Windows authentication authenticates users based on their Windows accounts. In short, it uses Windows network security. It uses IIS to perform authentication.
Passport Authentication
Passport authentication uses Microsoft's Passport service to authenticate users. A new user is directed to the Microsoft site where he can register his identity. This allows the user to access multiple sites using a single user name and password. You need to install the Passport SDK to enable the Passport classes in the System.Web.Security namespace.
Forms Authentication
Forms authentication collects the user's credentials and lets the application use its own logic to authenticate users. The collected credentials are validated against the list maintained by the application. The application maintains its own user list either using the <credentials> element in the web.config file or using a database. The advantage of using Forms authentication is that users don't need to be members of the Windows network to have access to the application.
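As an added example (not code from the original post), the following web.config fragment selects the Forms mode described above and supplies the application-maintained user list. The element is spelled `<credentials>` in web.config; the user names and the SHA1 hash placeholders are constructed for illustration, and switching to Windows mode is the one-attribute change shown in the comment.

```xml
<configuration>
  <system.web>
    <!-- mode is one of Windows | Forms | Passport | None.
         For Windows authentication this whole element collapses to:
         <authentication mode="Windows" />                                -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="Login.aspx" timeout="30">
        <!-- Application-maintained user list. passwordFormat="SHA1" means the
             password attribute holds a hex digest, never the clear-text password.
             User names and digests below are constructed placeholders. -->
        <credentials passwordFormat="SHA1">
          <user name="alice" password="[SHA1-HEX-DIGEST-OF-ALICE-PASSWORD]" />
          <user name="bob"   password="[SHA1-HEX-DIGEST-OF-BOB-PASSWORD]" />
        </credentials>
      </forms>
    </authentication>

    <!-- "?" is the anonymous user. Denying it makes ASP.NET redirect every
         unauthenticated request to loginUrl instead of serving the page. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

The login page validates the posted credentials against this list with `FormsAuthentication.Authenticate(userName, password)` and, on success, issues the ticket with `FormsAuthentication.RedirectFromLoginPage(userName, false)`; for anything beyond a handful of accounts the page's own advice in question 29 applies and the list belongs in a database instead.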
8. Differentiate between Windows authentication and Forms authentication?
Windows authentication uses Windows accounts, whereas Forms authentication maintains its own user list. Windows authentication is best suited for applications meant for corporate users, whereas Forms authentication is preferable for applications that have diversified users from several places.
User lists for Windows authentication are found in the <authorization> element, whereas in the case of Forms authentication the lists are in the <credentials> element of the web.config file.
9. What are the types of authorization?
ASP.NET offers the following authorization providers:
FileAuthorization
UrlAuthorization
FileAuthorization:
The FileAuthorizationModule class performs file authorization and is active when you use Windows authentication. FileAuthorizationModule is responsible for performing checks on Windows Access Control Lists (ACLs) to determine whether a user should have access.
UrlAuthorization:
The UrlAuthorizationModule class performs Uniform Resource Locator (URL) authorization, which controls authorization based on the URI namespace. URI namespaces can be quite different from the physical folder and file paths that NTFS permissions use.
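Added example, not from the original post: a web.config fragment showing URL authorization by path, which goes beyond the single `<authorization>` block in question 1. The `<location>` element scopes rules to a URL (here `Admin` and `Reports.aspx`), the `?` wildcard means anonymous users and `*` means everyone, and rules are evaluated top to bottom with the first match winning. The folder name, page name and the `DOMAIN\WebAdmins` / `DOMAIN\Staff` groups are assumed values.

```xml
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <!-- Site-wide rule: anonymous ("?") users are denied, every authenticated
         user is allowed. Order matters: first matching rule wins. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Per-URL rules for the Admin folder: only members of one Windows group.
       URL authorization keys on the request path, so the physical folder
       layout and its NTFS permissions do not have to match. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="DOMAIN\WebAdmins" />
        <!-- Rules here are checked before the parent's, so this final deny
             stops non-admins from falling through to the site-wide allow. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- A single page: Staff may read it, but nobody may POST to it. -->
  <location path="Reports.aspx">
    <system.web>
      <authorization>
        <allow roles="DOMAIN\Staff" verbs="GET" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because Windows authentication is in use, FileAuthorizationModule also checks the NTFS ACL of the requested file against the caller's identity, so a request has to pass both the URL rules above and the file ACL before the page runs.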
10. What is anonymous access?
Anonymous access is the way most public Web sites work. Sites containing public information allow anyone to see that information, so they don't authenticate users. ASP.NET Web applications provide anonymous access to resources on the server by impersonation. Impersonation is the process of assigning a user account to an unknown user.
11. What is the account that is associated with anonymous access?
By default, the anonymous access account is named IUSR_machinename. You use that account to control anonymous users' access to resources on the server.
12. What are the Windows authentication types?
The Windows authentication workflow uses one of the following authentication techniques:
· Basic authentication
· Digest authentication
· Windows Integrated Authentication
· Anonymous Authentication
Basic Authentication: The Windows user name and password have to be provided to the connection, and this information is sent over the network in plain text; hence, this is an insecure method of authentication.
Digest Authentication: It is the same as Basic authentication except that the password is hashed before it is sent across the network.
Integrated Windows Authentication: In this authentication technique, passwords are not sent across the network. The application uses either the Kerberos or challenge/response protocols to authenticate users.
Anonymous Authentication: IIS allows any user to access the ASP.NET application.
13. Define Secure Sockets Layer?
Secure Sockets Layer (SSL) ensures a secured web application by encrypting the data sent over the Internet. When an application is using the SSL facility, the server generates an encryption key for the session and the page is encrypted before it is sent. The client browser uses this encryption key to decrypt the requested Web page.
14. Explain login controls and Forms authentication?
Login controls encapsulate all the features offered by Forms authentication. Login controls internally use the FormsAuthentication class to implement security by prompting for user credentials and validating them.
15. What are the best practices to follow to secure connection strings in an ASP.NET web application?
a) Always store connection strings in the site's Web.config file. Web.config is not served to browser requests, so users will not be able to access it from the browser.
b) Do not store connection strings as plain text. To help keep the connection to your database server secure, it is recommended that you encrypt connection string information in the configuration file.
c) Never store connection strings in an aspx page.
d) Never set connection strings as declarative properties of the SqlDataSource control or other data source controls.
16. Why is "Connecting to SQL Server using Integrated Security" considered a best practice?
Connecting to SQL Server using integrated security instead of an explicit user name and password helps avoid the possibility of the connection string being compromised and your user ID and password being exposed.
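The following web.config fragment is an added example (not from the original post) that applies points a), b) and d) of question 15 together with question 16: the connection string lives in `<connectionStrings>`, uses integrated security so no password appears in the file, and is referenced from a data source control through a `ConnectionStrings` expression rather than a literal. The server, database and application names are placeholders.

```xml
<configuration>
  <connectionStrings>
    <!-- Integrated Security=SSPI: the Windows identity of the worker process
         (or the impersonated caller) authenticates to SQL Server, so there is
         no user ID or password in this file to leak. Names are placeholders. -->
    <add name="OrdersDb"
         connectionString="Data Source=SQLSERVER01;Initial Catalog=Orders;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <!-- Point b): encrypt this section at rest with the built-in DPAPI provider.
       Run once on the server, from the framework directory:
         aspnet_regiis -pe "connectionStrings" -app "/MyApp"
       ASP.NET decrypts it transparently at runtime; ConfigurationManager
       callers need no change. -->

  <!-- Point d): in the .aspx page, reference the named string instead of
       pasting it into the control (ASPX markup, shown here for comparison):
         <asp:SqlDataSource ID="Orders" runat="server"
              ConnectionString="<%$ ConnectionStrings:OrdersDb %>"
              SelectCommand="SELECT OrderId, Total FROM Orders WHERE CustomerId = @id" />
  -->
</configuration>
```

With integrated security the SQL Server login that needs the grants is the application pool identity (or the impersonated user), so the database permissions should be scoped to that account rather than to a shared SQL login.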
17. How do you provide secure communication over the World Wide Web?
Security is not just a matter of identifying users and preventing unauthorized users from accessing your Web applications; it is just as important to ensure that sensitive data sent across the Internet can't be read by others.
To provide secure communication across the Internet, IIS supports a standardized means of encrypting and decrypting Web requests and responses. This cryptography requires that you request an encryption key called a server certificate from an independent third party called a certificate authority.
18. What is the largest certificate authority?
The largest certificate authority is VeriSign.
19. What are the steps to follow to use SSL in your Web application?
a) Generate a certificate request from IIS.
b) Request a certificate from a certificate authority.
c) Install the certificate on the server using IIS.
d) Install the certificate on browsers if you are using a test certificate.
e) Use the Secure Hypertext Transfer Protocol (HTTPS) when accessing secure pages in your application.
20. What are the steps to follow to make a web page secure in a web application?
To require secure communication for a Web page using IIS, follow these steps:
a) Select the folder or file that requires secure communication, and then choose Properties from the Action menu. IIS displays the Properties dialog box.
b) Click the Directory Security tab, and then click Edit in the Secure Communications group. IIS displays the Secure Communications dialog box.
c) Select the Require Secure Channel (SSL) check box, and click OK.
21. What is the role of validation in security?
By using validation we can restrict the user from inputting wrong data which may affect the SQL queries.
22. Can a user access a secure web page over HTTP instead of HTTPS?
No. When you require secure communication for a Web page, that page can't be viewed using HTTP. The user must type in or click a link using HTTPS; otherwise, access will be denied.
23. What is the protocol on which secure pages are generally requested?
HTTPS. The HTTPS protocol is what initializes the secure communication. Once you've begun secure communication, it continues until you specify a non-secure site.
24. Can you specify authorization settings both in Web.config and in IIS?
Yes, you can specify authorization settings both in Web.config and in IIS. The IIS setting is evaluated first and then the setting in Web.config is evaluated. In general, this means that the most restrictive setting will be used.
25. What is the user account under which an ASP.NET web application runs by default?
The Web application runs under the identity of the ASP.NET user account by default.
26. How can you set the web application to run under a specific user's account?
You can set the application to run under a specific user's account by setting the application's <identity> element to enable impersonation.
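As an added example (not from the original post) for questions 4 and 26, the web.config fragment below shows the two forms of the `<identity>` element: impersonating whichever user IIS authenticated, and running every request under one fixed account. The service account name, password and application path are placeholders.

```xml
<configuration>
  <system.web>
    <!-- Question 4: run each request under the identity IIS authenticated.
         With anonymous access enabled that is the IUSR_machinename account;
         with Windows authentication it is the caller's own account, so
         file ACLs and SQL Server integrated security see the real user. -->
    <identity impersonate="true" />

    <!-- Question 26: run under one specific account instead of the caller.
         Only one <identity> element is allowed, so this alternative is shown
         commented out. Because the credentials then sit in this file, the
         section should be encrypted at rest, e.g.
           aspnet_regiis -pe "system.web/identity" -app "/MyApp"
         Account name and password are placeholders.

    <identity impersonate="true"
              userName="DOMAIN\svc_webapp"
              password="[PASSWORD-PLACEHOLDER]" />
    -->
  </system.web>
</configuration>
```

The fixed-account form is the one that makes the page's point b) from question 15 apply to this element as well: any plain-text credential in web.config is a secret that should be encrypted, not just the connection strings.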
27. What is the protection attribute in a forms element of the web.config file used for?
The protection attribute of the forms element of the web.config file is used to set how ASP.NET protects the authentication cookie stored on the user's machine. The default is All, which performs encryption and data validation. Other possible settings are Encryption, Validation, and None.
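Added example, not from the original post: a `<forms>` element showing the protection attribute alongside the related settings that keep the authentication cookie confidential and tamper-evident both at rest and in transit. The cookie name, login URL and timeout are assumed values.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- protection="All" (the default): the ticket is encrypted AND carries a
           validation MAC, so it can be neither read nor modified by the client.
           "Encryption" drops the MAC, "Validation" drops the encryption,
           "None" drops both and leaves the ticket as readable text. -->
      <forms name=".ASPXAUTH"
             loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="false"
             cookieless="UseCookies" />
      <!-- requireSSL="true": the cookie gets the Secure flag, so the browser
           never sends it over plain HTTP (see questions 22 and 23).
           slidingExpiration="false": the ticket dies 20 minutes after sign-in
           regardless of activity, instead of being renewed on every request.
           cookieless="UseCookies": never fall back to putting the ticket in
           the URL, where it would land in logs and Referer headers. -->
    </authentication>

    <!-- Apply the same transport protections to every cookie the app issues. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- The keys used for the encryption and validation that protection="All"
         performs. AutoGenerate is fine on a single server; a web farm must set
         explicit, identical keys on every machine or tickets issued by one
         server will fail validation on the next. -->
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" />
  </system.web>
</configuration>
```

Setting `requireSSL="true"` on `<forms>` also makes `FormsAuthentication.SetAuthCookie` and `RedirectFromLoginPage` refuse to issue the ticket on a non-HTTPS request, which is the server-side counterpart of the page's answer to question 22.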
28. Which method can be used to remove the Forms authentication cookie?
Use the SignOut() method of the FormsAuthentication class to sign out when the user has finished with the application or when you want to remove the authentication cookie from his or her machine. For example, the following code ends the user's access to an application and requires him or her to sign back in to regain access:
FormsAuthentication.SignOut();
29. What are the advantages of storing user names and passwords in a database rather than a file?
You can store user names and passwords in any type of file; however, using a database has the following significant advantages:
a) User names can be used as primary keys to store other information about the user.
b) Databases can provide high performance for accessing user names and passwords.
c) Adding, modifying, and accessing records are standardized through SQL.
30. Can you change the authentication type in a subfolder's web.config file?
The authentication type (Windows, Forms, or Passport) can be set only at the application's root folder. To change the authentication type in a subfolder's web.config file, you must create a new Web application project and application starting point for that subfolder.