establishing security


DevX Home    Today's Headlines   Articles Archive   Tip Bank   Forums   

Results 1 to 2 of 2

Thread: establishing security

Hybrid View

  1. #1
    Chris Boyle Guest

    establishing security


    I'm in the process of architecting a new infrastructure for my present
    employer. The goal is to develop a system topology that will provide a
    highly scalable and secure environment in which to implement our customers

    web applications. An environment that a "best practices" development
    methodology can be applied against... so to speak.

    My issue is security in the context of user authentication and session state
    management.

    Overview

    We are a Microsoft Windows 2000 shop. Active Directory is run in Native
    Mode, we have multiple web servers and sites, dynamic load balancing
    through Cisco devices, a clustered Middle Tier (Application) with
    Windows 2000 Advanced Server, and an Active/Active SQL 2000 Cluster.

    The operating environment is as follows; Multiple web sites (IIS 5.0)
    developed with ASP, XSL/XML, COM+, SQL Stored Procedures.

    The Development Objective is as follows; Take advantage of Windows 2000
    security within Active Directory, assign Roles to the COM+ components,
    assign Roles to the SQL 2000 Database-Tables, create 4 generic global
    groups-accounts, assign the groups to COM+ Roles according to the level
    of security required per component, assign SQL Roles as required to map
    the required levels of security to the Database Tables.

    Issue; How to effectively develop and implement security within this
    context. Each COM+ component is dispatched for specific functions, COM+
    components are called within the security context of the identity of the
    Roles assigned to them, the IUSR account functions in a standard format,
    running under the identity of Anonymous, the identity will change when
    the user has been authenticated with their registered account within the
    database, and be allowed to perform specific functions on the public
    site.

    Functions can be broken down into Site Administrators, Registered
    Users/Buyers, Advertisers. The IUSR/Anonymous account is allowed to
    browse the site but is unable to initiate any registered user,
    advertiser, or site admin functions without having changed their
    identity which is associated with the COM+ Roles after they have been
    authenticated through Application Level Logon.

    Granular Access Control is required to the individual registered users,
    site administrators, and advertisers, to ensure the individual cannot
    gain access to other secure functions in which the COM+ Roles allow
    (through Database Tables). The Individual Access would be controlled
    through individual accounts/roles within the SQL Database, the Database
    Accounts Table would be marked by Site Admins, Registered Users, and
    Advertisers. The IUSR/Anonymous account maintains its session state
    within a Table.

    We are trying to resolve security and scalability issues by finding a
    solution which allows us to identify individual users within the
    database, requiring them to be authenticated before being allowed to
    perform functions that would be restricted to the IUSR/Anonymous account
    that is used to browse the public site. Once the account is validated
    within the database and corresponding member table it would inherit the
    permissions from the account/group within the SQL Role assigned to the
    Table, be validated at the Domain Controller, and if validated, receive a

    Kerberos ticket-key which corresponds to its generic security group, and
    be allowed access to the COM+ component that maps to the Group-Account assigned
    to the COM+ component.

    (It maps to the SQL-Table Role and COM+ Role, mapping the account,
    component, and database-table permissions through active directory and
    having a ticket lifetime assigned).

    We are trying to establish the security by controlling individual
    account administration at the Database level and N-Tier security and
    validation by mapping COM+ Roles to SQL Roles using SQL-Windows
    Authentication, OLEDB Trusted Connection string, and COM+ Role Based
    security.

    The concept is to use Delegation to bypass security checks once the
    Database role/account is Validated and the COM+ functions are checked, based
    on the user session Ticket.

    The issue we have is in trying to establish security based on initial
    validation with the SQL Database, then passing the security context
    assigned to the SQL Table - Role through to the COM+ component and
    controlling the session security.

    Thanks for your time,

    Chris


  2. #2
    Michael Howard Guest

    Re: establishing security


    "Chris Boyle" <christopher_boyle@hotmail.com> wrote:
    >

    <snip>

    Buy my book - it's all discussed in there! http://mspress.microsoft.com/books/4293.htm

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center
 
 
FAQ
Latest Articles
Java
.NET
XML
Database
Enterprise
Questions? Contact us.
C++
Web Development
Wireless
Latest Tips
Open Source


   Development Centers

   -- Android Development Center
   -- Cloud Development Project Center
   -- HTML5 Development Center
   -- Windows Mobile Development Center