IIS 6/ASP.NET 2.0 Security Demystified – Part 1

This week I have been working on a custom security module for ASP.NET
2.0 (you mean to say that Windows authentication and Forms
authentication are not enough?). My development process has
involved wading through .NET Framework security code (thanks to Lutz Roeder for Reflector), and
reading articles on IIS (Internet Information Server) security in MSDN Magazine (it just so happens that
this month's issue is all about security).

Understanding computer security can be a tough nut to crack, and I'll
be the first to admit that I am not an expert on this
subject. This post is the first of a few, containing bits of
information from the various articles I have read, and findings from
the development of the above-mentioned custom security module.

Before you get too engrossed in my post, I should mention that the posts in this
series contain overview information. If you're looking for
in-depth knowledge of the IIS/ASP.NET security models, then I would
recommend reading one of the many books published on this subject.

Let’s start this first post with an overview of the security components.  The image below, from the latest MSDN publication,
defines the component parts involved with IIS 6/ASP.NET 2.0 security.

[Image: IIS 6/ASP.NET 2.0 security components, from MSDN Magazine]

That many components involved in IIS/ASP.NET security – who knew?

The above image mentions most of the active security components involved in the
security process of an ASP.NET web request. I'll discuss a subset of
the components briefly:

The http.sys driver is responsible for processing the incoming request at a low level in IIS and passing the request to the w3wp.exe worker process, the process that does all the work in IIS (in IIS 5 a separate process, aspnet_wp.exe, was launched to process ASP.NET web requests; in IIS 6 ASP.NET runs inside the IIS worker process).

The SSL Requirement module handles all incoming SSL requests, and
the IP Restrictions module filters requests based on IP address ranges.

The Authentication and Authorization modules handle authentication of the
particular user issuing the web request, and authorized access to the
requested web resource.

The Extension Restrictions module restricts access to certain file types, based on the file type extension.

The aspnet_filter.dll is a small ISAPI library used to back up
cookie-less session state for ASP.NET; it also filters requests for
protected files in web application bin directories.

The aspnet_isapi.dll is the main ISAPI library for ASP.NET,
which hosts an instance of the .NET Framework CLR (Common Language
Runtime), and is responsible for execution of all ASP.NET web
applications.

ASP.NET also adds its own level of security when processing web
requests. The Authentication module and Authorization module look
after user authentication and authorized access to protected web resources
for each ASP.NET application.

Finally, the handler mapper is responsible for executing framework-supplied and custom HTTP Handlers and HTTP Modules.
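To make the ASP.NET layer concrete, here is an added example (my own illustration, not code from the MSDN articles or the custom module described in this post) of a custom IHttpModule that plugs into the same AuthenticateRequest and AuthorizeRequest pipeline events that the framework's own Authentication and Authorization modules use. The module name, the `X-Example-Token` header, the signing key, the token format and the `~/secure/` path rule are all assumptions made up for the example; the registration snippet in the trailing comment is the standard ASP.NET 2.0 `<httpModules>` form.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;

// Hypothetical module: authenticates a request from a signed header token and
// refuses unauthenticated access to a protected folder. Added example only.
public class HeaderTokenAuthModule : IHttpModule
{
    private const string TokenHeader = "X-Example-Token";          // assumed header name
    private const string Epoch1970Ticks = "621355968000000000";    // DateTime(1970,1,1).Ticks
    // Assumed shared secret; a real module would load this from protected configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("example-key-replace-me");

    public void Init(HttpApplication app)
    {
        // ASP.NET raises these, in order, for every request handed to aspnet_isapi.dll.
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
        app.AuthorizeRequest += new EventHandler(OnAuthorizeRequest);
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // If IIS (e.g. Windows authentication) already supplied a principal, keep it.
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated) return;

        string userName = ValidateToken(ctx.Request.Headers[TokenHeader]);
        if (userName != null)
        {
            IIdentity id = new GenericIdentity(userName, "ExampleToken");
            ctx.User = new GenericPrincipal(id, new string[] { "user" });
        }
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        // Assumed rule: everything under ~/secure/ needs an authenticated user.
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
        bool isProtected = path.StartsWith("~/secure/", StringComparison.OrdinalIgnoreCase);
        if (isProtected && (ctx.User == null || !ctx.User.Identity.IsAuthenticated))
        {
            ctx.Response.StatusCode = 401;
            app.CompleteRequest();   // short-circuit before the handler mapper runs a handler
        }
    }

    // Token format (assumed): user:expiryUnixSeconds:hex(HMAC-SHA256(user:expiry)).
    // Returns the user name on success, null on any failure.
    private static string ValidateToken(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string[] parts = token.Split(':');
        if (parts.Length != 3) return null;

        long expiry;
        if (!long.TryParse(parts[1], NumberStyles.None, CultureInfo.InvariantCulture, out expiry))
            return null;
        long nowSeconds = (DateTime.UtcNow.Ticks - long.Parse(Epoch1970Ticks)) / TimeSpan.TicksPerSecond;
        if (nowSeconds > expiry) return null;                        // expired token

        byte[] expected;
        using (HMACSHA256 hmac = new HMACSHA256(Key))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(parts[0] + ":" + parts[1]));

        byte[] given;
        try { given = HexToBytes(parts[2]); } catch (FormatException) { return null; }
        return FixedTimeEquals(expected, given) ? parts[0] : null;
    }

    private static byte[] HexToBytes(string hex)
    {
        if (hex.Length % 2 != 0) throw new FormatException();
        byte[] result = new byte[hex.Length / 2];
        for (int i = 0; i < result.Length; i++)
            result[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        return result;
    }

    // Compare every byte so the comparison time does not leak where the mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public void Dispose() { }
}

/* Registration in web.config (ASP.NET 2.0 on IIS 6):
   <system.web>
     <httpModules>
       <add name="HeaderTokenAuth" type="HeaderTokenAuthModule" />
     </httpModules>
   </system.web>
*/
```

Two details worth noting: the module leaves any principal that IIS has already established untouched, so it composes with Windows authentication rather than overriding it, and it calls `CompleteRequest()` rather than `Response.End()` so the pipeline ends cleanly without the ThreadAbortException that `Response.End()` raises.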

Each of the modules mentioned above deserves a post in its own right to provide
enough knowledge of its inner workings. Instead, I have
attempted to provide a snapshot from 30,000ft of each component, and
the part that each plays in securing web requests. My next post will
be concerned with the various authentication options in IIS.