Without adequate isolation, a poorly designed application with malicious code can degrade the performance of other applications on the same server. For hosting security, it is very important to isolate multiple applications from one another and from shared system resources within a web hosting environment. A web hosting environment is a web server provided by an Internet service provider. Always use application isolation when hosting multiple ASP.NET Web applications on a shared Web server. Without application isolation, it is difficult to ensure that an application from one organization cannot access the sensitive data of other organizations.
For Internet service providers that host applications from different companies, security levels are a crucial issue. It is also very important for them to make sure that installing new applications does not affect the operation of existing applications.
Here are the ways to isolate ASP.NET 2.0 applications:
- Use code access security: run the application with partial trust, i.e. with the ASP.NET Medium trust level. This limits the application's access to system resources and to resources that belong to other applications.
- Use a separate process for each application: on Windows Server 2003 and IIS 6.0, each application runs in its own application pool, which is configured to run under a unique identity. This allows the activity of each application to be audited separately.
- Use different encryption and decryption keys: make sure that the keys configured in the machineKey element are unique for each application. Separate, unique keys help ensure data integrity even when data from one application is accessed by another application.
.NET Framework version 2.0
The .NET Framework version 2.0 introduced changes that affect the options for hosting multiple applications on a shared server. Here are a few of those changes:
- .NET Framework Data Providers for OLE DB, Oracle, and ODBC run in partial trust: these providers no longer need full trust, so a partially trusted application can use them to access data sources.
- A decryption attribute is added to the machineKey element: the decryption attribute of the machineKey element specifies the symmetric encryption algorithm used to encrypt and decrypt forms authentication tickets.
IIS 6.0 Process-Model Isolation
IIS 6.0 on Windows Server 2003 allows multiple worker processes to be used to host separate web applications. Each web application is hosted in a separate instance of the IIS worker process.
To enable isolation, run each application on the shared server under a unique custom account. This keeps the applications running separately and lets you authorize each application separately with Windows ACLs (access control lists).
To improve security when hosting multiple ASP.NET applications, follow the steps below:
- Design your application for partial trust.
- For process isolation, use application pools.
- Analyze and assess machine key settings.
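
The following is an added example, not part of the original article: a short Python audit of the partial-trust and machine-key items in the checklist above, run over constructed web.config files. The site names and key values are placeholders, and the script assumes each file has no XML namespace and ignores settings inherited from machine-level configuration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config files for three hosted applications.
# Key values are short placeholders, not real key material.
SAMPLE_CONFIGS = {
    "siteA": """<configuration><system.web>
      <trust level="Medium" />
      <machineKey validationKey="AAAA1111" decryptionKey="BBBB2222" decryption="AES" />
    </system.web></configuration>""",
    "siteB": """<configuration><system.web>
      <trust level="Full" />
      <machineKey validationKey="AAAA1111" decryptionKey="CCCC3333" decryption="AES" />
    </system.web></configuration>""",
    "siteC": """<configuration><system.web>
      <machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate,IsolateApps" />
    </system.web></configuration>""",
}
DEFAULT_KEY = "AutoGenerate,IsolateApps"  # ASP.NET default for both key attributes

def audit(configs):
    """Return {app: [findings]} covering trust level and machineKey uniqueness."""
    findings = defaultdict(list)
    seen = defaultdict(list)  # (attribute, explicit key value) -> apps using it
    for app, xml_text in configs.items():
        root = ET.fromstring(xml_text)
        trust = root.find("system.web/trust")
        # Assumption: with no trust level in this file, the app runs in Full trust.
        level = trust.get("level", "Full") if trust is not None else "Full"
        if level.lower() == "full":
            findings[app].append("runs in Full trust")
        mk = root.find("system.web/machineKey")
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, DEFAULT_KEY) if mk is not None else DEFAULT_KEY
            parts = [p.strip().lower() for p in value.split(",")]
            if parts[0] != "autogenerate":
                seen[(attr, value.upper())].append(app)
            elif "isolateapps" not in parts:
                findings[app].append(f"{attr} auto-generated without IsolateApps")
    for (attr, _), apps in seen.items():
        for app in (apps if len(apps) > 1 else []):
            others = ", ".join(a for a in apps if a != app)
            findings[app].append(f"{attr} shared with {others}")
    return dict(findings)

if __name__ == "__main__":
    for app, issues in sorted(audit(SAMPLE_CONFIGS).items()):
        print(app, "->", "; ".join(issues))
```

An application that appears in the result needs its trust level or machineKey element reviewed before it shares a server with other tenants.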