Home > Ask the Information Security Experts > Questions & Answers > Is it secure to use .NET membership class for user authentication?
Ask The Security UK Expert: Questions & Answers
EMAIL THIS

Is it secure to use .NET membership class for user authentication?

Joel Dubin EXPERT RESPONSE FROM: Joel Dubin

Pose a Question
Other Security UK Categories
Meet all Security UK Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 08 November 2007
Our developers are looking to create an online Internet-facing application and use .NET membership class for user authentication. Users would be commercial clients, not employees. Active Directory was eschewed in order to have the option of different password controls available, depending on the nature of the data in a particular application. AD can also facilitate different business groups that handle user administration. Is this a "secure enough" authentication framework?

>
EXPERT RESPONSE

There are two parts to your application: a Web-based customer-facing front end and a back end directory service or data store with authenticated users. The authentication feature in .NET needs both pieces. Since a user directory is required, no matter what you do, the issue isn't just about only relying on the .NET membership classes on the front end. It's also about the directory services, and connecting to them on the back end.

Here's a quick overview of authentication in .NET with some options to consider.

On the Web side, ASP .NET 2.0 provides ready-made code for creating log-in pages and server controls. Prior versions of ASP .NET didn't have this feature, and log-in pages for new Web applications had to be coded from scratch.

On the directory side, there are two built-in membership classes for connecting to Active Directory (AD) or SQL Server, which is no surprise since both are also Microsoft products just like .NET itself. The two classes, ActiveDirectoryMembershipProvider and SqlMembershipProvider, work with a configuration file called Web.config.

But, if you want to use some other directory service, a custom provider can be created by deriving from the MembershpProvider abstract class and tweaking the Web.config file.

Either way, these provider classes manage all the heavy lifting for connecting to the directory services, whether they're Microsoft or not. They are used for adding and deleting users, modifying users and their groups and other access management tasks, such as changing passwords.

The question isn't whether the .NET authentication framework is secure enough; it's how secure is the back-end directory service, which is what drives the application. Since .NET is compatible with its sister Microsoft product, AD, it would probably make the most sense to stick with that.

If flexibility is an issue, there are many options that allow access to multiple directory services for the same application. The details, however, are beyond the scope of this brief answer. Code and instructions are available on Microsoft's Web site and its developer network, MSDN.

For more information:

  • In this expert Q&A, Michael Cobb discusses using Sender ID as an email authentication tool.
  • Security pro Joel Dubin discusses the positive and negative aspects of using keystroke dynamic-based authentication systems.


    • Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


    RELATED CONTENT
    Provisioning
    How to avoid being stung by disgruntled (ex) employees after a redundancy
    Securing Windows services to prevent hacker attacks
    Single sign-on implementation lets South Manchester doctors work more effectively
    Virtualisation success requires security preparation
    Identity management still eludes most companies
    Bank security chief explains how to avoid internal threats
    Information protection: Using Windows Rights Management Services to secure data
    Partner access: Balancing security and availability
    IBM releases simplified Tivoli Identity Manager
    Top 10 access-related controls for PCI compliance

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    SEARCH 
    TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2008 - 2009, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts