Export (0) Print
Expand All

Step 4: Configure Application Security

Published: February 29, 2012

Updated: February 29, 2012

Applies To: Windows Server 2012, Windows Server 2012 R2



In this phase of building your ASP.NET website, you configure the security settings that are available in IIS. The following sections discuss common security settings for ASP.NET applications:

Implement the following recommendations to isolate websites and web applications on your server.

  • Use one application pool per website or web application.

  • Limit access to site folders and files to the application pool identity.

  • Set up a separate ASP.NET temp folder per site and only give access to the application pool identity.

  • Make sure to set an ACL (access control list) on each site root to allow only access to the application pool identity.

If you have more than one application per application pool, consider creating enough application pools and moving some of the applications to the new pools.

  1. Open IIS Manager.

  2. In the Connections pane, click Application Pools.

  3. In the Actions pane, click Add Application Pool.

  4. In the Name box, type a unique name for the application pool.

  5. Select the .NET Framework version and Managed pipeline mode.

  6. Click OK.

  1. Open IIS Manager.

  2. In the Connections page, select the website or web application you want to move.

  3. In the Actions pane, click Basic Settings.

  4. On the Edit Site dialog, click Select to open the Select Application Pool dialog, and then select the application pool from the Application pool menu.

  5. Click OK to close the Select Application Pool dialog, and click OK to close the Edit Site menu.

  1. Open Windows Explorer and navigate to the folder or file.

  2. Right click the folder or file, and then click Properties.

  3. Select the Security tab, and then click Edit.

  4. Click Add, click Locations, and select your server as the location to search.

  5. In the Enter the object names to select box, type IIS APPPOOL\applicationPoolName, where applicationPoolName is the application pool identity.

  6. Click OK, click OK, and click OK again to close the dialogs.

This section describes how to set application trust level by using either IIS Manager UI or the command line.

  1. Open IIS Manager and navigate to the level you want to manage.

  2. In Features View, double-click .NET Trust Levels.

  3. On the .NET Trust Levels page, select a trust level from the Trust level drop-down list, and then click Apply in the Actions pane.

  1. To set a trust level, use the following syntax:

    appcmd set config /commit:WEBROOT /section:trust /level: Full | High | Medium | Low | Minimal

    The level attribute uses one of five values that correspond to preconfigured CAS policy files. For example, to set a trust level of Full, type the following at the command prompt, and then press ENTER:

    appcmd set config /commit:WEBROOT /section:trust /level:Full

    noteNote
    When you use Appcmd.exe to configure the trust element at the global level in IIS 8, specify /commit:WEBROOT in the command so that configuration changes are made to the root Web.config file instead of ApplicationHost.config.

In Plan an ASP.NET Website on IIS, you made design decisions about what authentication mode was right for your application. The following sections decide how to configure authentication for your ASP.NET application:

  1. ASP.NET Forms Authentication

  2. ASP.NET Impersonation Authentication

This section describes how to configure ASP.NET forms authentication by using either the IIS Manager UI or the command line.

  1. Open IIS Manager and navigate to the level you want to manage.

  2. In Features View, double-click Authentication.

  3. On the Authentication page, select Forms Authentication.

  4. In the Actions pane, click Enable to use Forms authentication with the default settings.

  5. In the Actions pane, click Edit.

  6. In the Edit Forms Authentication Settings dialog box, in the Login URL text box, type the name of the page where clients log in.

  7. In the Authentication cookie time-out (in minutes) text box, type the number of minutes you want to use for the time-out value.

  8. From the Mode list, select the cookie mode you want to use.

  9. In the Name text box, type the name of the cookie.

  10. From the Protection mode list, select the protection mode you want to use.

  11. Select the Requires SSL check box.

  12. Select the Extend cookie expiration on every request check box, and then click OK.

  • To enable forms authentication, use the following syntax:

    appcmd set config /commit:WEBROOT /section:system.web/authentication /mode: None | Windows | Windows Live ID | Forms

    By default, IIS 8 sets the mode attribute to Windows, which disables Forms authentication. If you set the attribute to Forms, you enable Forms authentication. For example, to enable Forms authentication, type the following at the command prompt, and then press ENTER:

    appcmd set config /commit:WEBROOT /section:system.web/authentication /mode:Forms

    noteNote
    When you use Appcmd.exe to configure the authentication element at the global level in IIS 8, specify /commit:WEBROOT in the command so that configuration changes are made to the root Web.config file instead of ApplicationHost.config.

  • To specify the login URL for Forms authentication, use the following syntax:

    appcmd set config /commit:WEBROOT /section:system.web/authentication /forms.loginURL: string

    The variable forms.loginURL string is the name of the page where clients login. The default value is Login.aspx. For example, to specify the login URL for Forms authentication, type the following at the command prompt, and then press ENTER:

    appcmd set config /commit:WEBROOT /section:system.web/authentication /forms.loginURL: login.aspx

    noteNote
    When you use Appcmd.exe to configure the authentication element at the global level in IIS 8, specify /commit:WEBROOT in the command so that configuration changes are made to the root Web.config file instead of ApplicationHost.config.

  • To specify the authentication time-out for Forms authentication, use the following syntax:

    appcmd set config /commit:WEBROOT /section:system.web/authentication /forms.timeout: TimeSpan

    The variable forms.timeout TimeSpan is the time in minutes when the cookie used for authentication expires. The default value is 30 minutes. For example, to specify the authentication time-out for Forms authentication, type the following at the command prompt, and then press ENTER:

    appcmd set config /commit:WEBROOT /section:system.web/authentication /forms.timeout: 30

    noteNote
    When you use Appcmd.exe to configure the authentication element at the global level in IIS 8, you must specify /commit:WEBROOT in the command so that configuration changes are made to the root Web.config file instead of ApplicationHost.config.

  • To configure the cookie name for Forms authentication, use the following syntax:

    appcmd set config /commit:WEBROOT /section:system.web/authentication /forms.name: string

    The variable forms.name name is the name of the cookie used for Forms authentication. The default value is .ASPXAUTH. For example, to configure the cookie name for Forms authentication, type the following at the command prompt, and then press ENTER:

    appcmd set config /commit:WEBROOT /section:system.web/authentication /forms.name: .ASPXUTH

  • To configure the cookie mode for Forms authentication, use the following syntax:

    appcmd set config /commit:WEBROOT /section:system.web/authentication /forms.cookieless: UseUri | UseCookies | AutoDetect | UseDeviceProfile

    The default value for forms.cookieless is UseDeviceProfile. For example, to configure the cookie mode for Forms authentication to use the setting Use Device Profile, type the following at the command prompt, and then press ENTER:

    appcmd set config /commit:WEBROOT /section:system.web/authentication /forms.cookieless:UseDeviceProfile

  • To configure the cookie protection mode for Forms authentication, use the following syntax:

    appcmd set config /commit:WEBROOT /section:system.web/authentication /forms.protection: All | None | Encryption | Validation

    The default value for forms.protection is All. For example, to configure the cookie protection mode for Forms authentication to use the setting Encryption and Validation, type the following at the command prompt, and then press ENTER:

    appcmd set config /commit:WEBROOT /section:system.web/authentication /forms.protection:All

  • To require SSL for an authentication cookie, use the following syntax:

    appcmd set config /commit:WEBROOT /section:system.web/authentication /forms.requireSSL: True | False

    The default value for forms.requireSSL is False. If you set this attribute to True, you require SSL. For example, to require SSL for an authentication cookie, type the following at the command prompt, and then press ENTER:

    appcmd set config /commit:WEBROOT /section:system.web/authentication /forms.requireSSL:True

  • To cache frequently requested content, use the following syntax:

    appcmd set config /commit:WEBROOT /section:system.web/authentication /forms.slidingExpiration: True | False

    The default value for forms.slidingExpiration is True. For example, to cache frequently requested content, type the following at the command prompt, and then press ENTER:

    appcmd set config /commit:WEBROOT /section:system.web/authentication /forms.slidingExpiration:True

  1. Open IIS Manager and navigate to the level you want to manage.

  2. In Features View, double-click Authentication.

  3. On the Authentication page, select ASP.NET Impersonation.

  4. In the Actions pane, click Enable to use ASP.NET Impersonation authentication with the default settings.

  5. Optionally, in the Actions pane, click Edit to set the security principal.

  6. In the Edit ASP.NET Impersonation Settings dialog box, select either Specific user or Authenticated user. Whichever you decide, IIS uses this identity for the security context of the ASP.NET application. By default, IIS 8 is set to impersonate the authenticated user.

  7. Click OK to finish or proceed to the next optional steps to change the identity to impersonate.

  8. Optionally, click Set to change the Specific user identity.

  9. In the Set Credentials dialog box, enter the name of an existing user account in User name, the password associated with that user account in Password, and then the exact same value in Confirm password for a new account IIS should use for anonymous access.

  10. Click OK to close the Set Credentials dialog box.

  11. Click OK to close the Edit ASP.NET Impersonation Settings dialog box.

  • To enable or disable ASP.NET Impersonation, use the following syntax:

    appcmd set config /commit:WEBROOT /section:identity /impersonate:true | false

    By default, IIS sets the impersonate attribute to false, which disables ASP.NET Impersonation authentication. If you set the attribute to true, you enable ASP.NET Impersonation authentication. For example, to enable ASP.NET Impersonation authentication, type the following at the command prompt, and then press ENTER:

    appcmd set config /commit:WEBROOT /section:identity /impersonate:true

  • Optionally, you can set the account for IIS to impersonate, using the following syntax:

    appcmd set config /commit:WEBROOT /section:identity /userName: string /password: string

    The variable userName string is the account IIS uses to impersonate and the variable password string is the password. For example, to use an account named Moe for IIS to impersonate, type the following at the command prompt, and then press ENTER:

    appcmd set config /commit:WEBROOT /section:identity /userName: Moe /password: pass@word1

    noteNote
    When you use Appcmd.exe to configure the identity element at the global level in IIS 8, specify /commit:WEBROOT in the command so that configuration changes are made to the root Web.config file instead of ApplicationHost.config.

This section describes how to generate machine keys for your ASP.NET application by using the IIS Manager UI.

  1. Open IIS Manager and navigate to the level you want to manage.

  2. In Features View, double-click Machine Key.

  3. On the Machine Key page, select a validation method from the Validation method list. The default validation method is SHA1.

  4. Choose an encryption method from the Encryption method list. The default encryption method is Auto.

  5. Optionally, configure settings for validation and decryption keys.

  6. In the Actions pane, click Generate Keys, and then click Apply.

This section describes how to configure TLS/SSL security for your application.

After obtaining a server certificate from a certification authority (CA), work through the procedures in the following sections:

  1. SSL Binding

  2. Require SSL for Your Site

  3. Client Certificates

This section describes how to add an SSL binding to your site by using either the IIS Manager UI or the command line.

  1. Open IIS Manager.

  2. In the Connections pane, expand the Sites node in the tree, and then click to select the site for which you want to add a binding.

  3. In the Actions pane, click Bindings.

  4. In the Site Bindings dialog box, click Add.

  5. In the Add Site Binding dialog box, in the Type list, select https.

  6. From the IP address list, select All Unassigned (unless there is a specific IP address you want to use).

  7. In the Port box, type the number of the port (the default is 443).

  8. In the Host name box, type the name of the host computer.

  9. If you want multiple secure websites to be served using the same IP address, select the Require Server Name Indication check box.

  10. From the SSL certificate list, select the certificate for your website. If your certificate doesn’t appear in the list, click Select and search for the certificate using the Select Certificate dialog box.

  11. Click OK.

  1. To add a binding to a site, use the following syntax:

    appcmd set site /site.name: string /+bindings.[protocol=' string ',bindingInformation=' string ']

    The variable site.name string is name of the site to which you want to add a binding. The variable protocol string is the protocol that you want to use, and the variable bindingInformation string is the combination of IP address, port, and host header.

    For example, to configure a site named contoso to have an HTTPS binding for all IP addresses, on port 443, without a host header, type the following at the command prompt, and then press ENTER:

    appcmd set site /site.name: contoso /+bindings.[protocol='https',bindingInformation='*:443:']

This section describes how to require SSL for your website by using the IIS Manager UI or the command line.

  1. Open IIS Manager and navigate to the level you want to manage.

    Make sure that you are at the site, application, or directory level; SSL Settings are not available at the server level.

    noteNote
    If you want to configure SSL at the file level, navigate to the file in Content View and then click Switch to Features View in the Actions pane.

  2. In Features View, double-click SSL Settings.

  3. On the SSL Settings page, select Require SSL.

  4. In the Actions pane, click Apply.

  • To require SSL, use the following syntax:

    appcmd set config " site | URL " /section: access /sslFlags:Ssl /commit:APPHOST

    The variable site | URL is the site, application, virtual directory, or file where you want IIS 8 to require SSL. For example, to require SSL for the Default Web Site, type the following at the command prompt, and then press ENTER:

    appcmd set config " Default Web Site " /section: access /sslFlags:Ssl /commit:APPHOST

  • To require SSL for the file iisstart.htm on the Default Web Site, type the following at the command prompt, and then press ENTER:

    appcmd set config " http://localhost/iisstart.htm " /section: access /sslFlags:Ssl /commit:APPHOST

This section describes how to

  1. Open IIS Manager and navigate to the level you want to manage.

    Make sure that you are at the site, application, or directory level; SSL Settings are not available at the server level.

    noteNote
    If you want to configure SSL at the file level, navigate to the file in Content View and then click Switch to Features View in the Actions pane.

  2. In Features View, double-click SSL Settings.

  3. On the SSL Settings page, optionally select Require SSL. You do not need SSL to Ignore or Accept client certificates.

  4. On the SSL Settings page, in the Client certificates area, use one of the following procedures:

    • Select Ignore if you do not want to accept a client certificate even if a client presents one.

    • Select Accept to accept client certificates.

    • Select Require to require client certificates. To use Require Client Certificates, you must enable Require SSL.

  5. In the Actions pane, click Apply.

  • To specify whether to use client certificates, use the following syntax:

    appcmd set config " site | URL "/section: access /sslFlags: Ssl | SslNegotiateCert | SslRequireCert /commit:APPHOST

    The variable site | URL is the site, application, virtual directory, or file where you want IIS to enable client certificates. For example, to accept client certificates for the Default Web Site, type the following at the command prompt, and then press ENTER:

    appcmd set config " Default Web Site "/section: access /sslFlags:SslNegotiateCert /commit:APPHOST

  • To accept client certificates for the file iisstart.htm on the Default Web Site, type the following at the command prompt, and then press ENTER:

    appcmd set config " http://localhost/iisstart.htm "/section: access /sslFlags:SslNegotiateCert /commit:APPHOST

    You can specify one or more of the values for the sslFlags attribute. If you want more than one value, separate each value with a comma (,). For example, to specify a requirement for both SSL and client certificates on the Default Web Site, type the following at the command prompt, and then press ENTER:

    appcmd set config " Default Web Site "/section: access /sslFlags:Ssl,SslRequireCert /commit:APPHOST

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft