01 July, 2009

ASP.NET Interview Questions on web application Security

What is the difference between Authentication and Authorization?
Authentication is the process of identifying users. Authorization is the process of granting access to those users based on identity. Together, authentication and authorization provide the means to keeping your Web application secure from intruders.

What is Anonymous access?
Anonymous access is the way most public Web sites work. Sites containing public information allow anyone to see that information, so they don’t authenticate users. ASP.NET Web applications provide anonymous access to resources on the server by impersonation. Impersonation is the process of assigning a user account to an unknown user.

What is the account that is associated with Anonymous access?
By default, the anonymous access account is named IUSER_machinename. You use that account to control anonymous users’ access to resources on the server.

What is the default user account under which an ASP.NET web application run on a web server?
Under the default settings, ASP.NET uses the ASPNET account to run the Web application. This means that if the application attempts to perform any tasks that are not included in the ASPNET account’s privileges, a security exception will occur and access will be denied.

How do you restrict the access of anonymous users?
You restrict the access of anonymous users by setting Windows file permissions. To be secure, your server must use the Microsoft Windows NT file system (NTFS). The earlier FAT or FAT32 file systems do not provide file-level security.
What are the 3 major ways to authenticate and authorize users within an ASP.NET Web application?
Windows authentication :
Identifies and authorizes users based on the server’s user list. Access to resources on the server is then granted or denied based on the user account’s privileges. This works the same way as regular Windows network security.
Forms authentication : Directs users to a logon Web form that collects user name and password information, and then authenticates the user against a user list or database that the application maintains.
Passport authentication : Directs new users to a site hosted by Microsoft so that they can register a single user name and password that will authorize their access to multiple Web sites. Existing users are prompted for their microsoft Passport user name and password, which the application then authenticates from the Passport user list.

What is the namespace where all security related classes are present?
System.Web.Security

What type of authentication can be used for Public Internet Web application?
Anonymous access. This is the common access method for most Web sites. No logon is required, and you secure restricted resources using NTFS file permissions.

What type of authentication can be used for Intranet Web application?
Windows authentication. Windows authentication authenticates network users through the domain controller. Network users have access to Web application resources as determined by their user privileges on the server.

What type of authentication can be used for Private corporate Web application?
Windows authentication. Corporate users can access the Web application using their corporate network user names and passwords. User accounts are administered using the Windows network security tools.

What type of authentication can be used for Commercial Web application?
Forms authentication. Applications that need to collect shipping and billing information should implement Forms authentication to gather and store customer information.

What type of authentication can be used for Multiple commercial Web applications?
Passport authentication. Passport authentication allows users to sign in once through a central authority. The user’s identity is then available to any application using the Passport SDK. Customer information is maintained in a Passport profile, rather than in a local database.

Can you use ASP.NET Authentication with HTM and HTML Files?
The three ASP.NET authentication modes apply to files that are part of the Web application. That includes Web forms (.aspx), modules (.asax), and other resources that are processed through the Web application’s executable. It does not automatically include HTML pages (.htm or .html). Those pages are handled by Internet Information Services (IIS), rather than ASP.NET. If you want to authenticate users who access HTML pages from within your Web application using Windows, Forms, or Passport authentication modes, you must map those files to the ASP.NET executable.

How do map .htm and .html files to the ASP.NET executable using the IIS snap-in?
To map .htm and .html files to the ASP.NET executable using the IIS snap-in, follow these steps:
1. In the IIS snap-in, select the folder containing your Web application, and then choose Properties from the Action menu. IIS displays the Properties dialog box.
2. Click the Home Directory or Virtual Directory tab, and then click Configuration. IIS displays the Application Configuration dialog box, as shown in the diagram below.

3. Click Add. IIS displays the Add/Edit Application Extension Mapping dialog box, as shown in the diagram below.

4. Click Browse, and select the aspnet_isapi.dll file. That file is stored in the Windows Microsoft .NET Framework directory; the path will be something like C:\Windows\Microsoft.NET\Framework\versionnumber\aspnet_isapi.dll.
5. Type .htm in the File Extension box, and click OK.
6. Repeat steps 3 through 5 for the .html file extension. Click OK to close the IIS dialog boxes when you’ve finished.

No comments: