70-330 Implementing Security for Applications with Microsoft Visual Basic .NET
Demo Question 1.
You are an application developer for EliteCertify.com, which is a financial services company. You are developing an ASP.NET Web application that will be used by EliteCertify's customers. Customers will use the application to access their portfolios and to view business and financial reports. The customers are divided into two categories named Standard and Premier. The Premier customers will have access to an additional set of reports and analysis. You plan to use roles named Standard and Premier to differentiate the two customer categories. The application will use Forms authentication to authenticate all users and assign each authenticated user to either the Standard role or the Premier role. Web pages that are accessible only by Premier customers are in a subfolder named Premier. Web pages that are accessible by both categories of customers are in the application root. You need to configure URL authorization for the application. You plan to achieve this goal by adding configuration elements to the Web.config file in the application root. Which elements should you use?
A. <authorization> <deny users="?"/> </authorization> <location path="Premier"> <system.web> <authorization> <allow roles="Premier"/> <deny users="*"/> </authorization> </system.web> </location>
B. <authorization> <deny users="?"/> </authorization> <location path="Premier"> <system.web> <authorization> <deny users="*"/> <allow roles="Premier"/> </authorization> </system.web> </location>
C. <authorization> <deny users="?"/> <deny roles="Premier"/> <allow users="*"/> </authorization> <location path="Premier"> <system.web> <authorization> <allow roles="Premier"/> </authorization> </system.web> </location>
D. <authorization> <deny users="?"/> </authorization> <location path="Premier"> <system.web>
Answer: A
Explanation: URL Authorization
Internet Information Services (IIS) 6.0 works with Authorization Manager, a management tool
that is available with the Microsoft® Windows® Server 2003 family of operating systems, to
implement IIS URL authorization.
Overview
Authorizing user access to Web application resources requires the management of
many Access Control Lists (ACLs). In turn, maintaining ACLs requires administrators to track
precisely which permissions are needed on each resource for each user or group to perform
meaningful tasks. IIS URL authorization allows Windows administrators to simplify access
management by authorizing user access to the URLs that comprise a Web application.
When a user requests access to a URL, IIS URL authorization validates the user's access based
on that user's roles, which can be defined in Lightweight Directory Access Protocol (LDAP)
queries, custom user roles, and Authorization Manager scripts (BizRules). This allows
administrators to simplify access control management by controlling all user access to URLs
instead of controlling access per ACL on each resource.
IIS URL authorization is implemented as an Internet Server API (ISAPI) interceptor (in the
diagram below, URL Authz ISAPI). When an application, virtual directory, or URL is
configured to use IIS URL authorization, each request to a URL will be routed to the URL
authorization ISAPI interceptor. The URL authorization ISAPI interceptor will use
Authorization Manager (in the diagram, .NET Authz Framework) to authorize access to the
requested URL. The URL must be associated with an Authorization Manager policy store that
contains the authorization policy for the URL. Once the client has been authorized to access the
URL, the URL authorization ISAPI's Execute URL feature (in the diagram, ExecURL) will pass
the request to the appropriate handler for the URL, such as ASP.dll, another ISAPI, or the Static
File Handler.
By using IIS 6.0 URL authorization, an administrator can control access based on information
that is only available at runtime. For example, if you have a Web page that should only be
available to employees in a given cost center or to employees of a certain age, you can assign
roles to the correct users based on LDAP queries that will check the cost center or age attributes
on a user's object. If employees can only access certain pages on certain days of the week or
during a certain time of day, a BizRule can be created which grants access to the URL based on
these values or any value that can be asserted at runtime, including IIS Server Variables.
Using URL Authorization
To use URL authorization in IIS 6.0 you must enable the ISAPI
interceptor, Urlauth.dll. In addition, you must set the following metabase properties on the
application, virtual directory, or URL (Web site):
1. AzEnable: Enables URL authorization for the virtual directory, application, or URL that
corresponds to the entry in the metabase.
2. AzStoreName: Associates an Authorization Manager store with the virtual directory,
application, or URL.
3. AzScopeName: Associates the virtual directory, application, or URL with a scope. This scope
will be the name of a scope in the IIS 6.0 URL authorization application in the Authorization
Manager policy store referred to in the AzStoreName attribute. If no scope or an empty string is
specified, the default scope of the IIS 6.0 URL authorization application will be used.
4. AzImpersonationLevel: Determines the impersonation behavior for the application. This
allows you to configure the Web application to impersonate the client user, the IIS worker
process, or the IUSR_computername account for the worker process. Each setting significantly
changes the environment and implied design of the Web application.
Sample Script
The sample script below, written in Microsoft Visual Basic® Scripting Edition
(VBScript), marks the root of the first site as a URL in "MyAZScope", which is defined in the
MyAZStore.xml file. Users with URLAccess rights in this scope will be able to access the site.
    ' Bind to the root of the first Web site in the metabase
    Set objVDir = GetObject("IIS://localhost/w3svc/1/root")
    ' Turn on URL authorization and point it at the policy store and scope
    objVDir.AzEnable = True
    objVDir.AzStoreName = "MSXML://d:\mystore.xml"
    objVDir.AzScopeName = "MyAZScope"
    ' 0 = impersonate the client user (see AzImpersonationLevel above)
    objVDir.AzImpersonationLevel = 0
    ' Write the changed properties back to the metabase
    objVDir.SetInfo
While URL authorization
controls access alongside other forms of authorization, such as ACLs or IIS directory security
permissions settings, the application context still requires the correct IIS directory security and
ACL permissions. IIS URL authorization allows the IIS directory security and ACL permissions
to be more easily maintained.
When IIS 6.0 URL authorization is configured, the AzStoreName attribute in the IIS metabase
entry for the application, virtual directory, or URL will identify an Authorization Manager
policy store. To manage the authorization policy, run Authorization Manager and use Open
Policy Store. IIS 6.0 URL authorization is an application in this store. The AzScopeName
attribute in the metabase entry will be an Authorization Manager scope in the IIS 6.0 URL
authorization application. Use this scope to manage access to the corresponding URL. When
configuring an application, virtual directory, or URL for URL authorization, a scope must be
created in the authorization policy store with the same name as that specified in the
corresponding metabase entry's AzScopeName attribute.
Enabling the ISAPI Interceptor
To use the URL authorization ISAPI interceptor (Urlauth.dll),
you must first enable it for each Web site that requires URL authorization.
Important: You must be a member of the Administrators group on the local computer to perform
the following procedure (or procedures), or you must have been delegated the appropriate
authority. As a security best practice, log on to your computer using an account that is not in the
Administrators group, and then use the Run as command to run IIS Manager as an administrator.
From the command prompt, type:
    runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc"
To enable the URL authorization ISAPI interceptor
1. In IIS Manager, expand the local computer, expand the Web Sites folder, right-click the Web
site that you want, and then click Properties.
2. Click the Home Directory tab, and then in the Application settings section, click
Configuration.
3. Click the Mappings tab, and then in the Wildcard application maps section, click Insert.
4. In the Add/Edit Application Extension Mapping box, click Browse and browse to the
Windows\system32\inetsrv directory.
5. Click urlauth.dll, click Open, and then click OK.
Related Topics
* For more information on Authorization Manager, see Authorization Manager in
Windows Help.
<authorization> Element
Configures ASP.NET authorization support. The <authorization> tag helps control client access
to URL resources. This element can be declared at any level (machine, site, application,
subdirectory, or page).
    <configuration>
      <system.web>
        <authorization>
          <allow users="comma-separated list of users"
                 roles="comma-separated list of roles"
                 verbs="comma-separated list of verbs"/>
          <deny users="comma-separated list of users"
                roles="comma-separated list of roles"
                verbs="comma-separated list of verbs"/>
        </authorization>
      </system.web>
    </configuration>
Subtags
<allow>: Allows access to a resource based on the following:
    users: A comma-separated list of user names that are granted access to the resource.
    A question mark (?) allows anonymous users; an asterisk (*) allows all users.
    roles: A comma-separated list of roles that are granted access to the resource.
    verbs: A comma-separated list of HTTP transmission methods that are granted access to
    the resource. Verbs registered to ASP.NET are GET, HEAD, POST, and DEBUG.
<deny>: Denies access to a resource based on the following:
    users: A comma-separated list of user names that are denied access to the resource.
    A question mark (?) indicates that anonymous users are denied access; an asterisk (*)
    indicates that all users are denied access.
    roles: A comma-separated list of roles that are denied access to the resource.
    verbs: A comma-separated list of HTTP transmission methods that are denied access to
    the resource. Verbs registered to ASP.NET are GET, HEAD, POST, and DEBUG.
Remarks
At run time, the authorization module iterates through the <allow> and <deny> tags
until it finds the first access rule that fits a particular user. It then grants or denies access to a
URL resource depending on whether the first access rule found is an <allow> or a <deny> rule.
The default authorization rule in the Machine.config file is <allow users="*"/> so, by default,
access is allowed unless configured otherwise.
Example
The following example allows access to all members of the Admins role and denies
access to all other users.
    <configuration>
      <system.web>
        <authorization>
          <allow roles="Admins"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </configuration>
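To show why the rule order in each answer option matters, the following added Python model (not code from this page or from ASP.NET) applies the first-match evaluation from the Remarks section to options A, B and C, merging <location> rules ahead of the application root's rules the way ASP.NET does. The user names and request paths are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Rule:
    action: str                                   # "allow" or "deny"
    users: Set[str] = field(default_factory=set)  # names, "*" (all) or "?" (anonymous)
    roles: Set[str] = field(default_factory=set)

@dataclass
class User:
    name: Optional[str]                           # None models an unauthenticated request
    roles: Set[str] = field(default_factory=set)

def rule_matches(rule: Rule, user: User) -> bool:
    if "*" in rule.users:
        return True
    if "?" in rule.users and user.name is None:
        return True
    if user.name is not None and user.name in rule.users:
        return True
    return bool(rule.roles & user.roles)

def is_authorized(rules: List[Rule], user: User) -> bool:
    # First matching rule wins; Machine.config's <allow users="*"/> is the implicit last rule.
    for rule in rules + [Rule("allow", {"*"})]:
        if rule_matches(rule, user):
            return rule.action == "allow"
    return True

def check(option: dict, user: User, path: str) -> bool:
    # Rules from the more specific <location path="Premier"> precede the root's rules.
    rules = option["root"]
    if path.lower().startswith("/premier/"):
        rules = option["premier"] + rules
    return is_authorized(rules, user)

# The three complete answer options from the question, as ordered rule lists.
OPTION_A = {"root": [Rule("deny", {"?"})],
            "premier": [Rule("allow", roles={"Premier"}), Rule("deny", {"*"})]}
OPTION_B = {"root": [Rule("deny", {"?"})],
            "premier": [Rule("deny", {"*"}), Rule("allow", roles={"Premier"})]}
OPTION_C = {"root": [Rule("deny", {"?"}), Rule("deny", roles={"Premier"}), Rule("allow", {"*"})],
            "premier": [Rule("allow", roles={"Premier"})]}

# Constructed sample principals; the names are placeholders.
ANON, STANDARD, PREMIER = User(None), User("alice", {"Standard"}), User("bob", {"Premier"})

if __name__ == "__main__":
    for label, opt in (("A", OPTION_A), ("B", OPTION_B), ("C", OPTION_C)):
        for u in (ANON, STANDARD, PREMIER):
            print(label, u.name, check(opt, u, "/Default.aspx"), check(opt, u, "/Premier/Reports.aspx"))
```

Running it shows option B's leading <deny users="*"/> locks Premier customers out of their own folder, and option C's root-level <deny roles="Premier"/> blocks Premier customers from the shared pages while its <allow users="*"/> lets Standard customers into the Premier folder.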