Secure Access 2.2
Deploy a Robust Security Infrastructure
By Don Kiely
Despite the advances made by Microsoft and the rest of the software industry over the last few years, writing secure applications is still just plain hard. All the tools you need are available in the .NET Framework, but it takes a lot of work to write the code to implement secure access to your applications and resources. Worst of all, you must write the infrastructure goo over and over for new applications.
PortSight's Secure Access 2.2 Enterprise Edition is a comprehensive set of tools that take care of most of the infrastructure needed to authenticate users and authorize them to take various actions. It provides a complete, vertical solution to secure access to your applications and the resources they require, from the SQL Server database store to the UI components you can drop into either Windows or Web Forms applications to collect security credentials from users. You can access its features either directly through the supplied DLLs or through a Web service that you control. It does have a couple of potential security flaws, which I'll discuss later in this article, but none that are fatal to the product as long as you're aware of them.
Secure Access provides support for both the authentication and authorization aspects of secure applications. It supports authorization through the use of a SQL Server database that has a complex schema for storing user information (including a lot of information unrelated to security, such as contact information, shipping address, and several customizable fields); membership in roles, groups, and organizational units; and other ancillary data. You can create as many security catalogs as you wish to manage as many applications as you need.
You can manage the catalogs either with the Catalog Manager or programmatically using the included API. The Catalog Manager, shown in Figure 1, gives you complete administrative control. It acts as a dashboard for creating new catalogs, registering existing catalogs for use, setting properties, and configuring applications to use Secure Access. The application configuration wizard adds a connection string to the catalog to your web.config or app.config file, and makes other settings so that the application is ready to go. None of the changes it makes are magic, and all are fully documented so you can tweak them as necessary.
Figure 1: The Secure Access Catalog Manager lets you manage the SQL Server databases with an application's security information. You can also configure your application to use the catalog automatically, which modifies your .NET project as needed.
For managing users in a catalog, and to define organizational units, roles, groups, and permissions, you can use the Web-based administrative interface, shown in Figure 2. I didn't find it specified anywhere (other than a reference to using the user controls), but I couldn't get this tool to work in anything other than Internet Explorer. That's annoying, but not a big deal.
Figure 2: The Web-based administration interface is the key GUI tool used to control users and hierarchies to which they belong. Most of the ASP.NET controls are also available for use in your own applications.
Secure Access uses the SQL Server catalog to store all user information for use in your applications. But if you need to integrate with other security metadatabases, you can import users and groups using Catalog Manager. The product can import from Active Directory, a Windows domain, and any other ODBC data store. A nice feature is that you can set it to refresh the list periodically, so that it always reflects current users and their credentials.
After you have a security catalog set up and loaded with users, Secure Access can use either ASP.NET forms or Windows authentication. You can use either the ASP.NET or Windows Forms user controls to drop the functionality into your custom form, or handle it all yourself programmatically using the included API. This is where you really start to see the benefit of Secure Access, because it provides so much of the security infrastructure for authenticating users.
If there is a single word to describe Secure Access, it is flexible. This is demonstrated nowhere better than the three ways it provides for authorizing users once they are authenticated. The group membership- and role-based authorizations pretty much mirror the similar features you'll find throughout the .NET Framework. I won't dwell on them any more here, other than to say that the Secure Access API has full support for these authorization methods once a user has successfully authenticated. Where Secure Access really gets interesting is its permissions-based authorization.
Permissions-based authorization provides a granular way of granting access to various features of your application. You can define actions, such as Read, Write, and Update, for a particular resource, then assign users or groups the rights to those actions. Then you can check in code whether a user has a particular permission before performing an operation. This is an area where Secure Access provides the infrastructure for going well beyond what is provided in the .NET Framework, opening up some very flexible authorization schemes.
One other nice feature included with Secure Access is its support for protecting content. Like most of what's included in the product, this doesn't provide anything you couldn't do yourself as long as you were willing to write all the infrastructure code to do it. You can specify permissions to access a particular type of content, say Acrobat PDF files on your site, and refuse access to those files to unauthorized users. This requires adding the .PDF file extension to the ASP.NET ISAPI filter in IIS, but then the content is protected as you define.
Secure Access includes complete auditing tools and logs for recording security actions in your applications. I'm not sure that this feature adds much to what is already available in Windows and ASP.NET, but it's handy to use one API for all secure access features.
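The permission model and the content protection described in the two paragraphs above, as an added Python example that is not PortSight's code and does not use the Secure Access API. The `Catalog` class, the `user:`/`group:` principal names and the `Reports` and `PdfFiles` resources are all constructed for illustration.

```python
from dataclasses import dataclass, field
from pathlib import PurePosixPath

@dataclass
class Catalog:
    """Constructed stand-in for a security catalog (not the product's schema)."""
    groups: dict = field(default_factory=dict)         # group -> set of users
    grants: dict = field(default_factory=dict)         # (resource, action) -> principals
    content_types: dict = field(default_factory=dict)  # file extension -> resource

    def grant(self, principal, resource, action):
        self.grants.setdefault((resource, action), set()).add(principal)

    def principals_of(self, user):
        """The user plus every group the user belongs to."""
        return {user} | {g for g, members in self.groups.items() if user in members}

    def has_permission(self, user, resource, action):
        """Deny by default: True only if the user or one of their groups holds the grant."""
        allowed = self.grants.get((resource, action), set())
        return bool(allowed & self.principals_of(user))

    def can_fetch(self, user, url_path):
        """Content protection: map a requested file to a resource by extension."""
        ext = PurePosixPath(url_path).suffix.lower()
        resource = self.content_types.get(ext)
        if resource is None:
            # Extension was never registered as protected content, so no
            # permission check runs for it at all.
            return True
        return self.has_permission(user, resource, "Read")

def build_sample():
    """Constructed sample data: one group, two resources, three users."""
    cat = Catalog()
    cat.groups["group:editors"] = {"user:alice"}
    cat.grant("group:editors", "Reports", "Read")
    cat.grant("group:editors", "Reports", "Update")
    cat.grant("user:bob", "Reports", "Read")
    cat.content_types[".pdf"] = "PdfFiles"
    cat.grant("user:bob", "PdfFiles", "Read")
    return cat
```

The `can_fetch` fall-through mirrors the point about the IIS mapping: a file type that was never registered is served without any permission check.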
The Secure Access Package
Secure Access is a complex product with plenty of moving parts, and it takes some work to learn it. Fortunately, the documentation for this product is some of the very best I've seen. It is comprehensive, almost to the point of being overwhelming, and is generally well-written and clear. It provides high-level architecture diagrams and then details everything down to the many APIs available. One example of the thought that went into the documentation is that many of the steps in the tutorial-type entries have a "what you did" summary that explains the effect of the code you just entered into the application or the setting you set. Even the documentation of the database structure, entities, stored procedures, and views is thorough. A long morning spent perusing the documentation and trying the tutorials will bring you up to speed on how to make best use of the tools in your applications.
The product also includes several sample projects that you can use to learn Secure Access, as well as verify that you've configured it correctly. These are great to play with, but my one faint criticism is that they are too hard to configure. All the details are in the documentation, but that means you have to go find them in the online help file. I think that the Secure Access installation could do a better job for users, such as by creating the necessary virtual directories in IIS. But once they are configured, they are a great source of ideas and information, with plenty of code to steal for your custom applications. And don't miss that the product includes the VB.NET source code for the ARWebService, a Web service you can use to access Secure Access features on a server.
For a product that purports to enhance the security of custom applications, Secure Access itself has some potential security holes. Its biggest problem is that a user must run with administrative privileges to use it, particularly the Catalog Manager. After it is installed, registering the product using Help | Register Product fails with a worthless error message because it writes to the application directory in C:\Program Files, a security breach. Creating a new catalog seems to succeed, as indicated by the "The installation has been completed successfully." message shown in Figure 3. But the same dialog indicates that there was an error registering the catalog, with no explanation of the problem. Because the new catalog is not registered, it is unusable.
Figure 3: Secure Access sometimes isn't. The Secure Access Catalog Manager requires administrative privileges to run. That's bad enough, but when non-administrators use its features, operations fail without any explanation.
Other security problems surface as you explore how Secure Access works. One example is that the product inexplicably saves user passwords created using Catalog Manager in a catalogs.xml file in the application directory (another reason the Manager breaks when running as a non-administrator). The passwords are encrypted, but the key is hard coded into Catalog Manager, which is available to anyone who disassembles the tool. To the company's credit, they disclose this in the documentation, but that doesn't justify the security hole.
Another security problem is that by default, user passwords are saved in clear text in the database. No modern application should ever do this, even as an option. Fortunately, you can opt to hash passwords using either MD5 or SHA1, or encrypt them with AES256, but you must be sure that you select one of these options.
Such security problems are disturbing, and forced me to raise my privilege level on my development machine to run the application with administrative rights in order to complete this review. Although it has some great features that can enhance Web and Windows Forms applications, its own security problems cast doubts on its efficacy to secure your applications. You'll have to decide for yourself whether the benefits to you and your applications are great enough to tolerate and work around the potential security problems in the product.
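An added Python example, not code from the product or the article, showing what a stored password value looks like under a bare digest versus a salted key-derivation record, with a check that flags values that still look like clear text. PBKDF2-HMAC-SHA256 is swapped in here and is not one of the options the article lists; the record format, the `ITERATIONS` value and the assumption that digests are stored as hex are all constructed.

```python
import hashlib
import hmac
import os
import string

ITERATIONS = 100_000  # constructed work factor; tune it for your own hardware

def sha1_unsalted(password):
    """A bare digest: the same password always produces the same stored value."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def make_record(password):
    """Salted PBKDF2 record: scheme$iterations$salt$digest (format is an assumption)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(password, record):
    """Recompute with the stored salt; anything malformed fails closed."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    except (ValueError, OverflowError):
        return False
    return hmac.compare_digest(candidate, expected)

def storage_kind(value):
    """Heuristic audit of a stored password column value (assumes hex digests)."""
    if value.startswith("pbkdf2_sha256$"):
        return "salted-kdf"
    if len(value) in (32, 40) and all(c in string.hexdigits for c in value):
        return "bare-digest"      # MD5-length or SHA1-length hex string
    return "clear-or-unknown"     # flag for review
```

Running `storage_kind` over every row of a user table is one way to confirm that no account was created before a hashing option was selected.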
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.
Web Site: http://www.portsight.com