How to secure Elmah.axd? - asp.net-mvc

We're using Elmah as our error logging system for an app that will be going into production soon. It's extremely useful, but if it goes into production like this anyone in the world access the error log because all they have to do is visit ourdomain.com/elmah.axd.
This is obviously not ideal. I originally intended to restrict access to that page only to IP addresses within our company, but now our SysAdmins are saying that's not possible. So I'm asking here how can I prevent access to this resource?
We running an ASP.NET MVC app on IIS 6.

The typical scenario for securing elmah.axd is allowing only some authenticated user to be able to access it. But if your site doesn't use any authentication at all this might not be applicable.
Here's what I would recommend you:
Disable completely the elmah.axd handler on your main site
Configure elmah to write the logs to some shared data source (like a shared file, SQLite database or even SQL Server)
Configure a second site in IIS, probably on another network or server, which has only elmah installed and which points to this same shared data source. Now you would always use the second site to read the logs. Obviously the second site would only be accessible to you.
If you decide to use SQL Server you could even read the logs of multiple applications running on multiple web servers in a farm from within a single internal application accessible only to you.

I found this is most acceptable for MVC applications:
http://www.beletsky.net/2011/03/integrating-elmah-to-aspnet-mvc-in.html

You can point the elmah http handler to another url (for example "Secure/elmah.axd") in web.config. You can secure the url as any other asp.net page in the web config.
<httpHandlers>
...
<add verb="POST,GET,HEAD" path="/Secure/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<location path="Secure" > <!-- secure the host.com/Secure path -->
<system.web>
<authorization>
<deny users="?" />
<!-- Or anything else... -->
</authorization>
</system.web>
</location>
We are successfully using this approach on IIS7 using active directory membership providers, and it works great. I am not sure if it works on IIS6 though.

If you're using ASP.NET Membership, it's pretty easy to restrict access to the elmah.axd HttpHandler for anonymous users and only allow logged in users in an "Administrators" group. I've done it like this:
<configuration>
...
<location path="elmah.axd">
<system.web>
<authorization>
<allow roles="Administrators"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Anybody who's logged in AND member of the "Administrators" role can access the page now.

Here are some useful links:
Securely Implement ELMAH For Plug And Play Error Logging
Securing Error Log Pages

If your intention is to disable remote users from accessing it, simply change the value of <security allowRemoteAccess="yes" /> to <security allowRemoteAccess="no" />

I used IP Restrictions from the IIS 7 configuration. By default, you can't simply apply it in <location path="elmah.axd"> because it's locked on the parent configuration level. As such, I created an empty folder "logs" and applied restrictions in IIS to this folder, then modified the location path for the elmah.axd file. That's it! You have remote access to yourdomain.com/logs/elmah.axd, but only from specific IPs.

Related

Asp.net Web API 2 and mixed Authentication using both Integrated Windows and Token based

I have an asp.net Web API server running under IIS, that until now has used windows authentication as it has only had other services running on the same domain conencting to it.
So, in my web.config I have the following settings...
<system.web>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
<authentication mode="Windows" />
</system.web>
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
</security>
....
With this I can use a browser (or the services) on the same domain and reach my services.
Now we want to allow Mobile applications to also connect. We will be using a a token based scheme based on this, and so far to use this I need to turn off the Windows authentication in my web.config to use this. If I leave in the windows configuration as above, I don't even get any of the Owin middle where methods (or custom filters) called when I, for example, se Postman to call a route with no windows authentication set.
So my question is
How can I allow either authentication, so that even a Browser (on the same domain) can still call the routes and be authenticated (via the Negotiate), but also allow other clients to use the token based scheme? Also (very important) how do I configure this in web.config to allow both?
Thanks in advance for any help!

Protect ignored route from anonymous access in MVC.NET

Like the title says, I want to protect a directory from anonymous access and that directory is ignored for routing because it contains static content.
I should also mention I'm just using the out of box individual accounts identity stuff in my MVC app.
The other catch I have is that I will be hosting as an Azure web app.
Ignore route looks like:
routes.IgnoreRoute("Cordova/{*pathInfo}");
That works just fine.
I thought I could just add a location exclusion in my web.config:
<location path="Cordova" >
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
With just that, I can still access the content as an unauthenticated user, so that isn't it alone.
Then in the Web.config, system.webServer->modules section I added:
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
Now it will deny access to the directory (when using the location element above), BUT it will not allow access to any authenticated user.
I saw a few other suggestions that involved tweaking IIS settings or local directory permissions, but since I'm hosting in Azure, that is not an option for me.
UPDATE
I implemented forms authentication in the web config, and manually added the FormsAuthentication calls in my Account controller. AND it works!
So I'm guessing the web.config deny="?" in the location element is only enforceable with forms auth??
Now I have the forms auth mixed in with the OWIN cookie auth stuff. I thought one used the other (what happened to app.UseFormsAuthentication?) but its not looking that way. I'm making a mess.
How should I be doing this?
UPDATE2
And in doing so now my WebAPI security is broken.

Azure Active Directory Organizational Authentication Mechasnim

I have recently started on developing an ASP.NET MVC web app which uses organizational authentication on Azure Active Directory.
I followed this tutorial: http://www.asp.net/identity/overview/getting-started/developing-aspnet-apps-with-windows-azure-active-directory
And I managed to deploy the application and it runs correctly.
However, I'm still unsure of the underlying working mechanism of the Federation WS used to provide the Active Directory organization authentication.
The application immediately redirects the users to the Microsoft login site when the website is run before rendering the home page. I could not find any piece of codes in the application that make this happen. I tried to comment out the IdentityConfig method in Global.asax but the redirection is still happening.
I would like to know when and how does the application start the authentication process and is it possible and safe to suppress the authentication process until the Sign In hyperlink is clicked by the user.
For adding AD authentication to ASP.NET WebApps/VNext you can use the new ADAL Library, there are many samples available here https://github.com/AzureADSamples. You can use this for example: https://github.com/AzureADSamples/WebApp-WSFederation-DotNet, this is completely driven by user actions.
I found out that the solution is pretty easy. Just remove:
<system.web>
<!-- remove/comment out
<authorization>
<deny users="?" />
</authorization>
-->
</system.web>
in Web.config. This will tell WSFederationAuthenticationModule not to execute the redirection event and allow anonymous users in public pages.
Apply [Authorize] attribute to the action or controller when authentication is needed if you are developing in ASP.NET MVC.
If you are developing in ASP.NET Web Form, add the following:
<configuration>
<!-- Add the following configuration-->
<location path="Admin">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
The above configuration will force the users to login Azure Active Directory in order to access the relative location path of 'Admin' in your web application (e.g. http://localhost:8080/Admin).

Secure ASP.NET MVC application with SSL and client certificate authentication

I'm looking to secure an ASP.NET MVC application with SSL and client certificate authentication. I'm using IIS 7.5, Windows Server 2008 R2.
I'd like to know whether it's possible to do the following through Web.config (it has to be through there!)
Require SSL communication for all requests
Map multiple client certificates to a single user
Require the user to be authenticated
Also, any pointers on how to go on about doing this, any tutorials or other relevant resources will be much appreciated as I'm new to pretty much all of these things.
So, to answer my own questions.. all of the above can be achieved through the Web.config. The following section of the Web.config requires SSL through the system/access section, and configures many-to-one client certificate mapping. These sections are locked in the applicationHost.config so anyone wishing to edit them in the Web.config will need to unlock them. There are many tutorials on that so I won't go into it.
<security>
<access sslFlags="Ssl, SslNegotiateCert" />
<authentication>
<anonymousAuthentication enabled="false" />
<iisClientCertificateMappingAuthentication enabled="true" manyToOneCertificateMappingsEnabled="true">
<manyToOneMappings>
<add name="Authentication Certificate"
enabled="true"
permissionMode="Allow"
userName="foo"
password="bar">
<rules>
<add certificateField="Issuer" certificateSubField="CN" matchCriteria="*.stackoverflow.com" compareCaseSensitive="false" />
</rules>
</add>
</manyToOneMappings>
</iisClientCertificateMappingAuthentication>
</authentication>
</security>
Going in order:
Require SSL communication for all requests - Yes. In IIS, set the site with only an https binding, and delete the http binding. The site will not respond to http requests. If you do this, you should create a script to redirect 403.4 errors from http://mysite.com to https://mysite.com. You can find many examples of how to do this using various tools.
Map multiple client certificates to a single user - I dunno. I will pass on this one.
Require the user to be authenticated - Yes. In the web.config file, in the <system.web> element, add the following:
<authorization>
<deny users="?"/>
</authorization>

Why is my style sheet redirecting me to login?

I am sure this has something to do with IIS but I can't figure it out.
I have a website using forms authentication. When my website tries to access any file resources (javascript files, css, etc), I am redirected to the forms login page set in my web.config. I also get redirected if I just type the address into the address bar.
The web.config entry for forms auth is pretty basic:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
There are also two location nodes to deny users from other parts of the site:
<location path="n2">
<system.web>
<authorization>
<allow roles="Editors" />
</authorization>
</system.web>
</location>
<location path="web.config">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
I am using the standard IIS7 install on Windows Server 2008 R2.
Edit
So, if I add a random auth cookie (FormsAuthentication.SetAuthCookie()), the resources become available, I know it has to be my authentication model that's messed up somehow. It works on another server (I just copied it over). Any ideas how I can track the problem down?
I had the same error, in my case the trick was setting Anonymous Authentication to use the App Pool identity instead of IUSR in IIS
Open IIS
Expand Sites
Select [YourWebSite]
Double click Authentication (will be under the IIS "Area" or the Security "Category")
Select Anonymous Authentication
Click Edit in the Actions pane
Click the 'Application pool identity' radio button
Don't use <location> tags in web.config to handle authorization in an ASP.NET MVC application as locations have no longer any sense. All you need in web.config is the authentication tag. In MVC authorization could be achieved by decorating proper controllers and/or actions with the [Authorize] attribute.
I use allow * for my Content folder. That will prevent any authorization from happening for static content.
<location path="Content">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Rick
In IIS, my Anonymous Authentication was on correctly and the user was set to IUSR. Therefore, I needed to go into Windows Explorer, navigate to my web app directory, right-click for Properties, Security tab, Edit button, and give IUSR Read, List, and Read & Execute permissions (the default set). Ensure the changes will be inherited by all children, apply, possibly wait, and you're good to go.
It's been along time since I did any asp.net forms work but the first questions would be - are you sure your user is a member of the "Editors" role. You can use the Web Site Administration tool to set this up I think?
http://msdn.microsoft.com/en-us/library/ssa0wsyf.aspx
That is because you have set deny to everyone. In IIS 7, because of the integrated pipeline you will get redirected even when you try to browse CSS or any static page.
Put the static content inside a folder if you like and allow access to it.
I had exactly the same and found it was because I had forgotten to allow anonymous access to the website from inside IIS! This meant that the FormsAuthentication was always kicking in, even for the static resources that were not protected.

Resources