October 19, 2010

Troubleshooting Security Issues In ASP.NET

This chapter presents a process for troubleshooting and provides a range of techniques
and tools that can be used to help diagnose security-related problems.


Process for Troubleshooting

The following approach has proven to be helpful for resolving security and
security-context related issues.

1. Start by describing the problem very clearly. Make sure you know precisely what
is supposed to happen, what is actually happening, and most importantly, the
detailed steps required to reproduce the problem.

2. Isolate the problem as accurately as you can. Try to determine at which stage
during the processing of a request the problem occurs. Is it a client or server
related issue? Does it appear to be a configuration or code related error? Try to
isolate the problem by stripping away application layers. For example, consider
building a simple console-based test client application to take the place of more
complex client applications.

3. Analyze error messages and stack traces (if they are available). Always start by
consulting the Windows event and security logs.

4. Check the Microsoft Knowledge Base to see if the problem has been documented
as a Knowledge Base article.

5. Many security related problems relate to the identity used to run code; these are
not always the identities you imagine are running the code. Use the code
samples presented in the “Determining Identity” subsection of the “ASP.NET”
section in this chapter to retrieve and diagnose identity information.

If the identities appear incorrect, check the configuration settings in web.config and
machine.config and also check the IIS authentication settings for your application's
virtual directory. Factors that can affect identity within an ASP.NET Web application
include:

• The <processModel> element in machine.config, used to determine the process
identity of the ASP.NET worker process (aspnet_wp.exe).
• Authentication settings in IIS.
• Authentication settings in web.config.
• Impersonation settings in web.config.

6. Even if it appears that the correct settings are being used and displayed, you
may want to explicitly configure a web.config file for your application (in the
application’s virtual directory) to make sure it is not inheriting settings from a
higher level application (perhaps from a web.config in a higher-level virtual
directory) or from machine.config.

7. Use some of the troubleshooting tools listed in the “Troubleshooting Tools”
section later in this chapter to capture additional diagnostics.

8. Attempt to reproduce the problem on another computer. This can help isolate
environmental related problems and can indicate whether or not the problem is
in your application’s code or configuration.

9. If your application is having problems accessing a remote resource, you may be
running into impersonation/delegation related problems. Identify the security
context being used for the remote resource access and, if you are using Windows
authentication, verify that the account providing that context (for example, a
process account) can be authenticated by the remote computer.

10. Search newsgroups to see if the problem has already been reported. If not, post
the problem to the newsgroup to see if anyone within the development community
can provide assistance.

The online newsgroup for ASP.NET is located at:
http://communities.microsoft.com/newsgroups/default.asp?icp=mscom&slcid=US&newsgroup=microsoft.public.dotnet.framework.aspnet

11. Call the Microsoft Support Center. For details, see the Microsoft Knowledge
Base.
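Steps 5 and 9 both hinge on knowing which identity is really executing the request. The following diagnostic page is an added example, not the guide's own "Determining Identity" sample; the class name and file name are assumptions, and it targets the ASP.NET 1.x APIs the chapter refers to.

```csharp
// DiagnoseIdentity.aspx.cs -- added example (not from the guide). Drop into the
// application's virtual directory as the code-behind of a test .aspx page.
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.UI;

public class DiagnoseIdentity : Page
{
    private void Line(string label, string value)
    {
        // HtmlEncode so a crafted user name cannot inject markup into the report.
        Response.Write(label + ": " + Server.HtmlEncode(value) + "<br/>");
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. The Windows account the worker thread runs as right now. Without
        //    impersonation this is the <processModel> account (e.g. ASPNET);
        //    with <identity impersonate="true"/> it is the caller, or the
        //    account named in <identity userName="..."/>.
        WindowsIdentity winId = WindowsIdentity.GetCurrent();

        // 2. What IIS authenticated and handed to ASP.NET (empty if anonymous).
        string logonUser = Request.ServerVariables["LOGON_USER"];
        string authType  = Request.ServerVariables["AUTH_TYPE"];

        // 3. The principal ASP.NET attached to the request and to the thread,
        //    shaped by the <authentication mode="..."/> setting in web.config.
        IIdentity ctxUser   = Context.User.Identity;
        IIdentity threadId  = Thread.CurrentPrincipal.Identity;

        Line("Thread Windows identity", winId.Name);
        Line("IIS LOGON_USER / AUTH_TYPE", logonUser + " / " + authType);
        Line("HttpContext.User", ctxUser.Name + " (" + ctxUser.AuthenticationType
             + ", authenticated=" + ctxUser.IsAuthenticated + ")");
        Line("Thread.CurrentPrincipal", threadId.Name);

        // Heuristic: if the thread's Windows identity matches the authenticated
        // caller, impersonation is in effect. Otherwise every remote resource
        // access (step 9) is made as the process account shown in line 1.
        bool impersonating = ctxUser.IsAuthenticated &&
            string.Compare(winId.Name, ctxUser.Name, true) == 0;
        Line("Impersonating the caller", impersonating.ToString());
        if (!impersonating)
            Line("Note", "Remote resources are accessed as the thread identity above.");
    }
}
```

Compare the four values against the <processModel>, IIS authentication and <identity> settings listed in step 5; a mismatch between the identity you expected and the thread Windows identity usually points to an inherited web.config or machine.config setting (step 6).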

Searching for Implementation Solutions

If you have a specific issue and need to understand the best way to tackle the
problem, use the following approach.

• Search in Chapters 5, 6, and 7 of this guide for your scenario or a similar scenario.
• Consult the MSDN library documentation and samples.
• Refer to one of the many ASP.NET information Web sites, such as:
  www.asp.net
  www.gotdotnet.com
  www.asptoday.com
• Search the Microsoft Knowledge Base for an appropriate How To article.
• Post questions to newsgroups.
• Call the Microsoft Support Center.
