SEC 401: Building Secure Multi-Platform Applications with the MSFT Identity Platform (Part 1) Karthik Jaganathan (Program Manager, Windows Security - Microsoft)
Abstract
Learn about the security services built into the Microsoft Server family and how application developers can leverage these services to build secure applications. Focus on how these technologies can be integrated into existing legacy backend applications as well as interoperating with non-Microsoft platforms. Technologies covered include Windows 2000, IIS, Enterprise Services and SQL Server, plus an introduction to security capabilities coming in Windows Server 2003 such as Kerberos enhancements, role-based authorization, etc.
Notes
Karthik outlines a number of different scenarios (i.e. extranet, intranet, etc.) and the requirements for each.
Karthik briefly mentions the Authorization Manager (AZMAN), which is starting to look like a totally killer management tool.
Karthik mentions the trusted subsystem vs. impersonation debate. (Something that's not very well understood by many developers.) Many of the points being made by Karthik are outlined in Tim Ewald's (excellent) book, "Transactional COM+". Essentially, impersonation kills scalability (i.e. connection pooling) for the benefit of a granular security model. On the other hand, compromising a trusted subsystem can cause a lot more damage. It really is tough to get the best of both worlds (scalability vs. security) when building systems.
Karthik is going through various types of authentication (i.e. Windows Integrated, forms, SSL, Basic/Digest, Passport) along with code snippets for each. Pretty basic stuff. He is also showing how to map X.509v3 certificates to a particular AD user through IIS (by enabling the Windows directory service mapper). Yet another example of AD mapping - this time, he shows how to associate .NET Passport credentials with an AD user.
Signed messages (via PKCS#7) are typically used in an asynchronous model. (Good point.) Karthik shows an example using CAPICOM to create a signed message using an X.509v3 cert from the local store.
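The same sign-then-verify round trip, as an added example that is not the talk's CAPICOM snippet: it uses the managed System.Security.Cryptography.Pkcs classes (the later replacement for CAPICOM) to wrap a message in a PKCS#7 SignedData blob that can sit in a queue, and to verify it on the consuming side. The certificate subject name "Expense Service", the store location and the message text are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example: PKCS#7 (CMS) signed messages for an asynchronous channel,
// written against System.Security.Cryptography.Pkcs rather than CAPICOM.
public static class SignedMessages
{
    // Locate a signing cert in the current user's personal store by subject name.
    // "Expense Service" is an assumed name; validOnly=true skips expired or untrusted certs.
    public static X509Certificate2 FindSigningCert(string subjectName)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, true);
            if (found.Count == 0)
                throw new CryptographicException("No valid signing certificate for " + subjectName);
            return found[0];   // must carry a private key to be usable for signing
        }
        finally { store.Close(); }
    }

    // Produce a non-detached SignedData blob: the message travels inside the
    // signature, so a queue consumer needs only this one byte array.
    public static byte[] Sign(byte[] message, X509Certificate2 signerCert)
    {
        SignedCms cms = new SignedCms(new ContentInfo(message), false /* detached */);
        CmsSigner signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, signerCert);
        signer.IncludeOption = X509IncludeOption.EndCertOnly;  // ship the leaf cert, not the chain
        cms.ComputeSignature(signer);
        return cms.Encode();
    }

    // Verify on the receiving side. verifySignatureOnly=false also builds and validates
    // the signer's chain, so a self-signed or revoked cert is rejected, not just a bad hash.
    public static bool TryVerify(byte[] pkcs7, out byte[] message, out X509Certificate2 signer)
    {
        message = null;
        signer = null;
        SignedCms cms = new SignedCms();
        try
        {
            cms.Decode(pkcs7);
            cms.CheckSignature(false);
        }
        catch (CryptographicException)
        {
            return false;   // tampered content, bad signature, or untrusted chain
        }
        message = cms.ContentInfo.Content;
        signer = cms.SignerInfos[0].Certificate;
        return true;
    }

    public static void Main()
    {
        X509Certificate2 cert = FindSigningCert("Expense Service");
        byte[] blob = Sign(Encoding.UTF8.GetBytes("approve expense 4711"), cert);  // constructed message

        byte[] body;
        X509Certificate2 who;
        Console.WriteLine(TryVerify(blob, out body, out who)
            ? "signed by " + who.Subject + ": " + Encoding.UTF8.GetString(body)
            : "signature rejected");
    }
}
```

The certificate returned by TryVerify is the piece the consumer maps to an AD user (the same mapping step the IIS certificate mapper performs for synchronous requests); the message content should only be acted on after that mapping, never on the strength of a signature that merely decodes.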
Protocol Transition - Kerberos S4U2self extension. (This sounds pretty cool.) Essentially, you can establish a Windows identity (i.e. Kerberos service ticket) after custom authentication. You can even get an identification service ticket without TCB. (Neat.)
using System.Security.Principal;
// Protocol transition: no password is supplied; the KDC issues an S4U2self ticket for the named user
WindowsIdentity id = new WindowsIdentity(@"TESTDOM\test");
Cool!
Constrained Delegation - Kerberos S4U2proxy extension. Allows a service ticket to obtain a TGT from a KDC for delegation purposes. (Cool!)
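The protocol transition and constrained delegation notes above, as an added example that is not the talk's code: after a custom logon the service builds a WindowsIdentity without a password, checks whether the token it got back is Impersonation-level (possible with TCB or a service account trusted for delegation) or only Identification-level, and chooses between acting as the user and the trusted-subsystem model accordingly. The UPN, file path and group name are constructed, and the ImpersonationLevel property assumes .NET 2.0 or later.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added example: protocol transition (S4U2self) after a custom logon, then
// deciding whether the resulting token can be used to act as the user.
public static class ProtocolTransition
{
    // Build a Windows identity for a user we authenticated ourselves (forms, Passport,
    // a smart card, ...). No password is passed: the KDC issues an S4U2self service ticket.
    // "test@testdom.local" is a constructed UPN.
    public static WindowsIdentity LogonWithoutPassword(string upn)
    {
        return new WindowsIdentity(upn);
    }

    // With TCB (or "trusted for delegation" on the service account) the token comes back at
    // Impersonation level; without it the token is Identification level, which is enough
    // for group checks but not for opening resources as the user.
    public static bool CanActAsUser(WindowsIdentity id)
    {
        return id.ImpersonationLevel == TokenImpersonationLevel.Impersonation
            || id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Authorization works on either token kind: the group SIDs come from the ticket's PAC.
    public static bool IsInRole(WindowsIdentity id, string ntGroup)
    {
        return new WindowsPrincipal(id).IsInRole(ntGroup);
    }

    // Open a back-end file as the user only when the token allows it; otherwise fall
    // back to the trusted-subsystem model (service account, after our own role check).
    public static string ReadAsUserOrService(WindowsIdentity id, string path, string requiredGroup)
    {
        if (CanActAsUser(id))
        {
            // If the file lives on a remote server, constrained delegation (S4U2proxy) is what
            // lets this hop succeed, and only for targets on the service account's allowed list.
            using (WindowsImpersonationContext ctx = id.Impersonate())
            {
                return File.ReadAllText(path);   // the file's ACL decides, per user
            }
        }
        if (!IsInRole(id, requiredGroup))
            throw new UnauthorizedAccessException(id.Name + " is not in " + requiredGroup);
        return File.ReadAllText(path);           // service account's own access; one pooled identity
    }

    public static void Main()
    {
        WindowsIdentity id = LogonWithoutPassword("test@testdom.local");
        Console.WriteLine(id.Name + " token level: " + id.ImpersonationLevel);
        Console.WriteLine(ReadAsUserOrService(id,
            @"\\fileserver\reports\q3.txt", @"TESTDOM\Report Readers"));
    }
}
```

The branch structure is the point: the Identification-level path is the trusted-subsystem model from the earlier note (fast, pooled, but the service account's access is what a compromise yields), while the impersonation path gives per-user ACL enforcement at the cost of a connection per caller.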
Authorization Manager - Here we go... (I'm quickly starting to love this thing...)
AZMAN looks really sweet. (I can't believe I haven't heard more about it until now.) If you haven't seen this thing yet, get your ass to a Win2K3 machine! :-)) AZMAN should help a great deal when building large-scale applications. Roles are much akin to COM+ roles except they are entirely logical objects; they don't map to specific groups.
UI (i.e. SOAP endpoint) <-> Windows Authorization API <-> AZMAN <-> Policy Store
Role = {Tasks}, Task = {Operations}.
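To make the Role = {Tasks}, Task = {Operations} model concrete, here is an added in-memory mock of an AZMAN-style policy store and its access check; it is not the AzMan COM API, and all role, task, operation and SID names are constructed. It goes slightly beyond the note by allowing tasks to nest, which is what lets a role stay a purely logical object while the operations underneath it change.

```csharp
using System;
using System.Collections.Generic;

// Added example: a mock of the AZMAN policy model (role = {tasks}, task = {operations
// and nested tasks}, roles assigned to SIDs). Not the real AzMan API.
public sealed class PolicyStore
{
    private readonly Dictionary<string, HashSet<string>> taskOps = new Dictionary<string, HashSet<string>>();
    private readonly Dictionary<string, HashSet<string>> taskSubTasks = new Dictionary<string, HashSet<string>>();
    private readonly Dictionary<string, HashSet<string>> roleTasks = new Dictionary<string, HashSet<string>>();
    private readonly Dictionary<string, HashSet<string>> roleMembers = new Dictionary<string, HashSet<string>>();

    private static HashSet<string> Bucket(Dictionary<string, HashSet<string>> map, string key)
    {
        HashSet<string> set;
        if (!map.TryGetValue(key, out set)) { set = new HashSet<string>(); map[key] = set; }
        return set;
    }

    public void DefineTask(string task, params string[] operations) { Bucket(taskOps, task).UnionWith(operations); }
    public void NestTask(string parent, string child) { Bucket(taskSubTasks, parent).Add(child); }
    public void DefineRole(string role, params string[] tasks) { Bucket(roleTasks, role).UnionWith(tasks); }
    // Membership is the only place a Windows SID (user or group) appears; the role itself is logical.
    public void AssignRole(string role, string sid) { Bucket(roleMembers, role).Add(sid); }

    // Operations reachable from a task, following nested tasks; the seen-set makes a cycle harmless.
    private HashSet<string> ResolveOperations(string task)
    {
        HashSet<string> ops = new HashSet<string>();
        HashSet<string> seen = new HashSet<string>();
        Stack<string> pending = new Stack<string>();
        pending.Push(task);
        while (pending.Count > 0)
        {
            string t = pending.Pop();
            if (!seen.Add(t)) continue;
            HashSet<string> direct;
            if (taskOps.TryGetValue(t, out direct)) ops.UnionWith(direct);
            HashSet<string> children;
            if (taskSubTasks.TryGetValue(t, out children))
                foreach (string c in children) pending.Push(c);
        }
        return ops;
    }

    // AccessCheck: the caller's SIDs (own SID plus group SIDs from the token) grant the
    // operation if any role they are assigned contains a task that resolves to it.
    public bool AccessCheck(IEnumerable<string> callerSids, string operation)
    {
        HashSet<string> sids = new HashSet<string>(callerSids, StringComparer.OrdinalIgnoreCase);
        foreach (KeyValuePair<string, HashSet<string>> role in roleMembers)
        {
            if (!role.Value.Overlaps(sids)) continue;
            HashSet<string> tasks;
            if (!roleTasks.TryGetValue(role.Key, out tasks)) continue;
            foreach (string task in tasks)
                if (ResolveOperations(task).Contains(operation)) return true;
        }
        return false;
    }

    public static void Main()
    {
        PolicyStore store = new PolicyStore();
        store.DefineTask("Read Expense", "ReadExpense");
        store.DefineTask("Submit Expense", "CreateExpense");
        store.NestTask("Submit Expense", "Read Expense");          // submitting implies reading
        store.DefineTask("Approve Expense", "SetStatus");
        store.NestTask("Approve Expense", "Read Expense");
        store.DefineRole("Submitter", "Submit Expense");
        store.DefineRole("Approver", "Approve Expense");
        store.AssignRole("Submitter", @"TESTDOM\Domain Users");    // constructed SIDs
        store.AssignRole("Approver", @"TESTDOM\Managers");

        string[] alice = { @"TESTDOM\alice", @"TESTDOM\Domain Users" };
        string[] bob = { @"TESTDOM\bob", @"TESTDOM\Domain Users", @"TESTDOM\Managers" };
        Console.WriteLine("alice SetStatus: " + store.AccessCheck(alice, "SetStatus"));   // False
        Console.WriteLine("alice ReadExpense: " + store.AccessCheck(alice, "ReadExpense")); // True
        Console.WriteLine("bob SetStatus: " + store.AccessCheck(bob, "SetStatus"));       // True
    }
}
```

The separation matters operationally: an administrator re-points "Approver" at a different group in the policy store, or adds an operation to a task, without the application code that calls AccessCheck changing at all, which is the gain over COM+ roles that were bound to specific groups.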
Sweeeeeet.
Finally, Karthik showed a pretty cool demo showing an IE client obtaining a Kerberos ticket via HTTP from an Apache server running on UNIX. Sadly, I got a bit lost here. I am not very well versed in the Kerberos protocol. Note to self: Review the slide deck afterward. :-P
Overall, a good talk.
9:58:38 AM