Alik Levin's

Clarity, Technology, and Solving Problems

May, 2007

  • Alik Levin's

    Security Educational Workshop - Authentication Explained


    I just finished building another security workshop that covers the authentication and identity technologies implemented by MS products. The workshop is targeted at developers, not IT folks. It is common practice (or should I call it an anti-practice) that development projects re-invent the wheel and build custom authentication or identity flow mechanisms again and again, which is the surest recipe for disaster from a security perspective. There are plenty of reasons why, and one of them is that development teams do not have a solid understanding of what MS technologies offer out-of-the-box with regard to authentication.

    I have divided the workshop into four major parts:

    • Authentication primer. It covers the general concepts of network authentication. It covers common threats (the only reason for security to exist: no threat, drop security) and countermeasures (best practices). I call it authentication dissected. Here are some of the help materials I used:
    • Implementations. This part goes over the different types of authentication, from NTLM, Kerberos, certificates and protocol transition to CardSpace and even assembly Evidence, which is a special sort of authentication between components. It discusses the implementation of each mechanism, with its pros and cons. Here are some materials I used:
    • Scenarios. This part talks about how to use the implementations for common scenarios like ASP.NET to SQL Server in an intranet, or ASP.NET to Web Services in an Internet scenario. Here are some materials I used:
    • Anti-Patterns (Hacking Exposed). This part draws the punch line for the three above and demonstrates how authentication anti-patterns can be subverted by an attacker and what impact that can cause.
      • There is plenty of such stuff on the net; just submit some search criteria and you get plenty :)

    I call it an educational workshop, influenced by what I was discussing in Security Workshops. This workshop explains what MS offers and when to use it. It does not train the participants in how to use it in depth, assuming that after completing the workshop participants will be able to deepen their knowledge once they have picked the proper technology.

    Related posts:

  • Alik Levin's

    SOA, Strong Authentication, Standard Authorization - Cool Solution



    reposted from here

    I've previously blogged about SOA Security Inside Enterprise walls

    This time I had a couple of pretty interesting requirements from one customer that targeted a B2B/Partners scenario. They had a web site that communicates with a partner's web services. His concerns were sincere and pretty fair:

    • I want to manage the creds that I use to authenticate with the partner's web service in a secure way
    • I want to pass them over the wire in a secure, standard way
    • The partner won't make any major changes to his authorization schema inside the web service
    • The authorization schema must be easy to manage and standard

    Without any hesitation I went to the following topic -

    How To: Call a Web Service Using Client Certificates from ASP.NET 1.1

    and implemented step by step what was described. In the code you see that one needs to export client certs. The customer's concern was about how safe the cert is; no worries, it is exported without the private key:

    The last thing I needed to do was Web Service authorization, so what I did was map the client cert to a Windows account on the web service machine like this:

    Then in the web service code I applied standard Role demands (well, specifically here I demand a specific user, but it could be a group too, like "...Demand, Role = @"myServer\Group8"")

    And when the app called the web service method it picked the client cert and sent it over to the web service, which in turn mapped it to the Windows account, and the principal permission was applied to this account. When I called HelloWorld1() everything was fine, since it was protected by a user demand for the account to which the cert is mapped; on the other hand HelloWorld2() was rejected, since the cert I was sending is NOT mapped to that user. Man, these are those rare moments when I am happy to see exceptions :)


    Using minimal coding (client side: a couple of lines; server side: one line for each method) and standard configuration of the infrastructure I achieved:

    • On the caller's side the creds are managed in a standard, secure way: the client cert sits in the User Store
    • Client cert authentication is considered one of the strongest authentication mechanisms
    • All the data goes over secure communications (SSL3)
    • The Web Service utilizes standard .NET authorization mechanisms, which required no coding (almost)

    Now tell me why it is not COOL :)
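    The two halves of the setup described in this post, written out as an added example (this is not code from the original post or from the How To article it links to). The caller side uses the .NET 2.0 X509Store API rather than the ASP.NET 1.1 calls of the linked article, so the certificate is read straight from the user's personal store and its private key is never exported; the service side shows both the user-based demand used for HelloWorld1() and the group-based variant mentioned in the text. The proxy class PartnerProxy, the certificate subject "AppClient", and the accounts MYSERVER\CertUser and MYSERVER\Group8 are assumed names.

```csharp
// Added example, not code from the original post. Caller picks its client certificate
// from CurrentUser\My and presents it to the partner web service over SSL; the web
// service methods are guarded by declarative PrincipalPermission demands against the
// Windows account that IIS mapped the certificate to. Assumed names: PartnerProxy
// (generated proxy class), subject "AppClient", MYSERVER\CertUser, MYSERVER\Group8.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.Web.Services;
using System.Web.Services.Protocols;

// ---- Caller side (the ASP.NET application) ----
public static class ClientCertCaller
{
    // Locate the certificate in CurrentUser\My, the "User Store" the post refers to.
    // The private key stays in the store: only the public certificate goes over the
    // wire, and the SSL handshake proves possession of the key without exporting it.
    public static X509Certificate2 FindClientCert(string subjectName)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = true skips expired or untrusted certificates.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, true);
            if (found.Count == 0)
                throw new InvalidOperationException("no valid client certificate for " + subjectName);
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Attach the certificate to any generated web service proxy.
    public static void AttachClientCert(SoapHttpClientProtocol proxy, string subjectName)
    {
        // IIS only asks for a client certificate on an SSL endpoint; refuse a plain
        // http:// URL so the call can never silently fall back to unauthenticated.
        if (!proxy.Url.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("client certificates require an https:// URL: " + proxy.Url);
        proxy.ClientCertificates.Add(FindClientCert(subjectName));
    }

    // Usage with the hypothetical generated proxy (Url = https://partner/Service.asmx):
    //   PartnerProxy proxy = new PartnerProxy();
    //   AttachClientCert(proxy, "AppClient");
    //   proxy.HelloWorld1();   // allowed: the cert is mapped to MYSERVER\CertUser
    //   proxy.HelloWorld2();   // SecurityException unless CertUser is a member of Group8
}

// ---- Web service side ----
// Outside the code: IIS requires SSL and client certificates on the virtual directory,
// the certificate is mapped one-to-one to MYSERVER\CertUser, and web.config carries
// <authentication mode="Windows" /> so the mapped account becomes the thread principal
// that PrincipalPermission inspects.
[WebService(Namespace = "http://example.invalid/partner")]
public class PartnerService : WebService
{
    // Only the exact account the certificate is mapped to may call this (the post's HelloWorld1).
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Name = @"MYSERVER\CertUser")]
    public string HelloWorld1()
    {
        return "Hello from 1, " + User.Identity.Name;
    }

    // Group-based variant the post mentions: any member of MYSERVER\Group8 may call this.
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Role = @"MYSERVER\Group8")]
    public string HelloWorld2()
    {
        return "Hello from 2, " + User.Identity.Name;
    }
}
```

    The https:// check on the caller is the one piece that is not in the post: without it a misconfigured URL would send the request with no certificate at all, and the service would answer with the anonymous-access failure rather than the authorization exception the post is happy to see.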


  • Alik Levin's

    How I Setup Lab Domain Using VPC 2007


    To quickly set up a lab environment I use VPC 2007 (free download). It really saves me lots of time. For example, in order to set up an environment to test impersonation, delegation, and protocol transition as described in the Authentication Hub post, I needed one machine for the Active Directory domain (Windows Server 2003), one machine for the development desktop (Windows XP), and two machines as web servers (Windows Server 2003). I also set up another Windows Server 2003 as a Certificate Authority to issue the certificates I used in SOA, Strong Authentication, Standard Authorization - Cool Solution.

    Here are the steps I have taken:

    1. Create 4 folders: "AD", "Web Service 1", "Web Service 2", "CA", "Base Image".
    2. Create a new virtual machine based on Windows Server 2003, storing its vmc and vhd files in the AD folder.
    3. Copy the resulting virtual hard disk (VHD) into the “Base Image” folder; this will serve as the base image for the other cloned machines.
    4. Run dcpromo to convert the virtual machine into a domain controller.
    5. In the VPC settings configure networking as “Local only” for all machines; this enables them to communicate with each other without connecting to the actual network. Good when one needs to comply with corp network policy.
    6. Copy the VHD file from the “Base Image” folder into the “Web Service1” folder.
    7. Create another virtual machine, telling the wizard to use the existing VHD in the “Web Service1” folder.
    8. Now run the NewSID (free download) utility inside the “Web Service1” virtual machine to generate a new SID for the newly created machine. This is needed to successfully add the machine to the domain.
    9. Configure the “Web Service1” virtual machine's networking: give it a static IP and set its Preferred DNS Server to the domain controller's IP:
    10. Join the “Web Service1” machine to the domain.

    Now I have an Active Directory domain with two machines, and a similar procedure is needed to add more machines.

    One thing that made me work hard while troubleshooting networking between the virtual machines was making sure that the VMs have different MAC addresses.

    Inside every machine run ipconfig /all and make sure the Physical Address value is different for each machine:


    If it is the same, change it by opening the VMC file, which is a simple XML file, and changing the value of <ethernet_card_address type="bytes">0003FF44337E</ethernet_card_address>. Your value may differ from 0003FF44337E.

    After doing this I was able to set my environment and make my machines talk to each other.

    Be aware of the licensing and supportability issues described in NewSID v4.10 regarding copying images while utilizing NewSID.
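    The duplicate-MAC check from the post, done once over the whole lab instead of by hand with ipconfig /all in every VM: an added example in C# (not from the original post or from Virtual PC itself) that walks a folder of .vmc files, groups them by their <ethernet_card_address> value, and rewrites every duplicate with a fresh address. It assumes the .vmc element layout shown above, keeps the 00-03-FF prefix of the post's sample value 0003FF44337E, and uses a hypothetical lab folder C:\VPCLab. Run it only while the virtual machines are shut down, since VPC rewrites the .vmc file on shutdown.

```csharp
// Added example, not part of the original post. Finds .vmc files that share an
// <ethernet_card_address> value (the cause of the networking trouble the post
// describes after cloning a base VHD) and gives each duplicate a unique address.
// Assumptions: the .vmc layout quoted in the post, the 00-03-FF prefix of its
// sample value, and a hypothetical lab root folder passed on the command line.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Xml;

public static class VmcMacCheck
{
    // Map each address to the list of .vmc files that carry it.
    public static Dictionary<string, List<string>> CollectAddresses(IEnumerable<string> vmcFiles)
    {
        var byMac = new Dictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);
        foreach (string file in vmcFiles)
        {
            XmlDocument doc = new XmlDocument();
            doc.Load(file);
            foreach (XmlNode node in doc.GetElementsByTagName("ethernet_card_address"))
            {
                string mac = node.InnerText.Trim();
                if (!byMac.ContainsKey(mac)) byMac[mac] = new List<string>();
                byMac[mac].Add(file);
            }
        }
        return byMac;
    }

    // Build a fresh address: keep the 0003FF prefix from the post's sample value,
    // randomize the remaining three bytes, and avoid anything already in use.
    public static string NewAddress(ICollection<string> inUse)
    {
        byte[] tail = new byte[3];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            for (int attempt = 0; attempt < 100; attempt++)
            {
                rng.GetBytes(tail);
                string mac = "0003FF" + BitConverter.ToString(tail).Replace("-", "");
                if (!inUse.Contains(mac)) return mac;
            }
        }
        throw new InvalidOperationException("could not find an unused address");
    }

    // Leave the first file that uses an address alone and rewrite every later one.
    // Returns the number of addresses rewritten.
    public static int FixDuplicates(string labRoot)
    {
        string[] files = Directory.GetFiles(labRoot, "*.vmc", SearchOption.AllDirectories);
        Dictionary<string, List<string>> byMac = CollectAddresses(files);
        var inUse = new HashSet<string>(byMac.Keys, StringComparer.OrdinalIgnoreCase);
        int rewritten = 0;
        foreach (KeyValuePair<string, List<string>> entry in byMac)
        {
            for (int i = 1; i < entry.Value.Count; i++)
            {
                string file = entry.Value[i];
                XmlDocument doc = new XmlDocument();
                doc.Load(file);
                foreach (XmlNode node in doc.GetElementsByTagName("ethernet_card_address"))
                {
                    if (!string.Equals(node.InnerText.Trim(), entry.Key, StringComparison.OrdinalIgnoreCase))
                        continue;
                    string fresh = NewAddress(inUse);
                    inUse.Add(fresh);
                    node.InnerText = fresh;
                    Console.WriteLine("{0}: {1} -> {2}", file, entry.Key, fresh);
                    rewritten++;
                }
                doc.Save(file);
            }
        }
        return rewritten;
    }

    public static void Main(string[] args)
    {
        // Hypothetical lab folder; pass your own as the first argument.
        string root = args.Length > 0 ? args[0] : @"C:\VPCLab";
        Console.WriteLine("{0} address(es) rewritten", FixDuplicates(root));
    }
}
```

    A .vmc with more than one network adapter is handled the same way: each adapter whose address collides with another file gets its own fresh value, and the addresses handed out during one run are added to the in-use set so they cannot collide with each other.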

