Tuesday, September 25, 2018

Checking IIS Logging and Validation Frequently for Better Results

One of the most important functions of a website is the ability to track who is visiting it, where they are coming from, and what they are doing.

Logs may not always be the most precise measurement of what is going on, but they do give a high-level overview for tracking common user actions and tasks. There are cases where certain types of data are not logged, such as referrers, cookies, user agents, and POST data. Logging can be used to trace unusual behaviour such as malicious requests sent by a potential intruder attempting to break into your website. These logs can be especially valuable in determining whether an attack was successful, as well as some of the exact commands an attacker may have executed.

While performing a security evaluation of Microsoft Internet Information Server (IIS), we began to investigate its logging capabilities and how they work. Months earlier, we had discovered that IIS allowed an attacker to bypass part of its logging functionality by sending a carefully crafted request. We found that if an attacker sends more than 4,097 characters to any logged field, IIS replaces the data in that field with three periods.

An attacker who wants to exploit a SQL injection vulnerability in order to steal customer data will do everything possible to avoid being noticed. If an attacker can partially bypass logging, they may be able to hide a particular vulnerability, whether it is known or unknown. Microsoft's URLScan is a very practical tool that every IIS administrator should take the time to examine. This document outlines steps to harden your system against a specific threat. How to enable length restrictions on request header data is documented on the URLScan homepage. Readers of this article are encouraged to explore the other configuration options in URLScan to further lock down their machine.

Microsoft has also confirmed that this behaviour works as designed. Earlier versions of IIS (version 4.0 and below) were not tested for this vulnerability and may also be affected.
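Because the over-long field is replaced rather than logged, the only trace left in the log itself is the three-period marker. The following added example (not from the original post, and not a Microsoft tool) parses W3C-format IIS log text and reports every request whose fields were reduced to "...", so an administrator can review those requests. The log lines are constructed for illustration, and the field list is the standard W3C `#Fields:` directive.

```python
"""Flag IIS W3C log entries whose fields were replaced by '...' (over-length data)."""
from typing import Dict, List, Tuple

# Constructed sample log, not from a real server. The second request had its
# query string and User-Agent replaced by '...' by the logging module.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2018-09-25 10:01:02 10.0.0.5 GET /index.aspx - 80 - 192.0.2.10 Mozilla/5.0 200
2018-09-25 10:01:09 10.0.0.5 GET /search.aspx ... 80 - 192.0.2.10 ... 500
2018-09-25 10:01:15 10.0.0.5 POST /login.aspx user=admin 80 - 192.0.2.11 Mozilla/5.0 302
"""

TRUNCATION_MARKER = "..."  # what IIS writes in place of a field over 4,097 chars


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per request line.

    The '#Fields:' directive names the columns; values are space-separated
    and an absent value is written as '-'. Lines whose column count does not
    match the directive are kept raw so they are not silently dropped.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            records.append({"_raw": line})
            continue
        records.append(dict(zip(fields, values)))
    return records


def truncated_fields(record: Dict[str, str]) -> List[str]:
    """Names of the fields in one record that IIS replaced with '...'."""
    return [name for name, value in record.items() if value == TRUNCATION_MARKER]


def find_truncated_requests(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (client IP, URI stem, truncated field names) for each hit.

    A literal '...' could in theory be a genuine value, so treat hits as
    entries to review rather than as proof of an attack.
    """
    hits = []
    for rec in parse_w3c(text):
        names = truncated_fields(rec)
        if names:
            hits.append((rec.get("c-ip", "?"), rec.get("cs-uri-stem", "?"), names))
    return hits
```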

The .NET Application Architecture Should Reflect Development Needs

This is a very important subject to consider when developing an application. Many factors need to be weighed when deciding on the architecture of the application, such as performance, scalability and future development. When choosing an architecture, first decide which of these factors you consider most important, since some choices will affect the others. For example, some choices that increase performance will hurt the scalability or future development of your design.

What is n-Tier architecture?
N-Tier architecture refers to the architecture of an application that has at least three logical layers. Each layer interacts only with the layer directly below it, and has a specific function that it is responsible for.

Why use n-Tier architecture?
Because each layer can be placed on physically different servers with only minor code changes, the layers scale out and handle more server load. Also, what each layer does internally is completely hidden from the other layers, which makes it possible to change or update one layer without recompiling or adjusting the others. This is a very powerful feature of n-Tier architecture, as additional features or changes to a layer can be made without redeploying the whole application. For example, by separating data access code from business logic code, only the data access code needs to change when the database servers change. Because the business logic stays the same, the business logic code does not need to be altered.

An n-Tier application usually has three tiers, called the presentation tier, the business tier and the data tier. Let's look at what each tier is responsible for.

Presentation Layer

The presentation layer is responsible for displaying the user interface and driving that interface using business tier classes and objects. In ASP.NET it includes ASPX pages, user controls, server controls and sometimes security-related classes and objects.

Business Tier

The business tier is responsible for accessing the data tier to retrieve, modify and delete data, and for sending the results to the presentation tier. This layer is also responsible for processing the retrieved data before it is sent to the presentation layer.

BLL and DAL

Often this layer is split into two sub-layers: the Business Logic Layer (BLL) and the Data Access Layer (DAL). The BLL sits above the DAL, meaning the BLL uses DAL classes and objects. The DAL is responsible for accessing data and forwarding it to the BLL.

In ASP.NET there are four security models that can be used in web applications.

1. Form security

This is probably the most commonly used security model in ASP.NET websites. It is very convenient to use and is well suited to most applications. If you need role-based security, this is typically the way to go.

2. Passport

If you want your visitors to be able to use their Passport account on your website, you can implement the Passport security model. To use this model you need to be able to access the Internet, so it is not really suitable for intranet applications.

3. Custom Security

If you need a more complex security system, you will want to implement your own. This is typically done by creating your own principal and identity classes.

4. Windows Security

This is ideal for intranet websites. It talks to Active Directory for user authentication information, where all of the groups, permissions and users are managed.

In this post we have looked at a variety of issues relating to .NET web application architecture, such as tiers, security and class design. Hopefully the tips and tricks gathered as a .NET developer will serve you well in the design of your next project or application.