viEval and viSurvey security

viEval and viSurvey Security White Paper
Prepared by: viDesktop.com
viDesktop.com Inc.
1. Introduction
2. Web Application Security
3. SQL Server
4. User Authentication and Session Maintenance
4.1 Custom Application Authentication
4.2 Integrated Windows Authentication
5. User Authorization
1. Introduction
Demanding release schedules and restrictive budgets often require compromises in Web
development, such as building two-tier web applications instead of the n-tier
ideal.
viEval is a two-tier web application that uses the following technology:
- Microsoft Internet Information Server (IIS)
- Active Server Pages (ASP)
- ActiveX Data Objects (ADODB) and ASP intrinsic objects
- Microsoft SQL Server
2. Web Application Security
viEval can be installed as a new web application or as a virtual website of an existing
web site. The default installation is as a new web application running on port 4000. It is
recommended to set the application protection to high so it runs in an isolated process
separated from other processes.
The Global.asa file typically stores user session variables and application start profiles.
The viEval database connection string, user id and password are stored in the Global.asa file
(as is typical of a standard two-tier web application). Because the Global.asa file also includes
commands that return information to the browser, it is important to secure it. The file can
be fully protected by using NTFS file permissions.
viEval implements its own security and session maintenance, so the web application's
authentication method can be set to “Anonymous Access” and ASP session state can
be disabled.
3. SQL Server
viEval requires one database to be created on the Microsoft SQL Server and an SQL
Server user id with DBO permission on the application database. The application
database, the user id and the required permissions will be automatically created by the
installation program.
4. User Authentication and Session Maintenance
viEval implements two types of user authentication:
- Custom user authentication
- Windows authentication
4.1 Custom Application Authentication
All user ids and passwords are saved in an Employee table. The login form validates
the identity of the user against the information in the Employee table. If the user is
authenticated, the application generates a 20-character unique user reference.
The user reference is passed to ASP pages in HTTP GET or POST requests.
Before processing a request, each ASP page uses the user reference to validate the
identity of the user. The user reference is deleted when the user clicks the “Sign Off”
button. Orphan user references are automatically deleted 24 hours after their creation time.
Important: Custom authentication results in the transmission of passwords across the
network in unencrypted form.
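The scheme described in sections 2 and 4.1 (connection string loaded from Global.asa, a 20-character user reference checked on every request, deleted on sign off and expired after 24 hours) as an added example in classic ASP/VBScript. This is not viEval's own code: it assumes a UserSession table and an Application("ConnString") value set in Global.asa's Application_OnStart, neither of which the white paper specifies, and it uses parameterized ADODB commands so the reference supplied by the client never becomes part of SQL text. The RequireHttps routine addresses the "Important" note above by refusing to accept a password over plain HTTP.

```vbscript
<%
Option Explicit
' Added example, not viEval's own code. Assumed table (not in the white paper):
'   UserSession(UserRef char(20) PRIMARY KEY, EmployeeID int, CreatedAt datetime)
' Application("ConnString") is assumed to be set by Global.asa's Application_OnStart.

Const adCmdText = 1, adVarChar = 200, adParamInput = 1

' Open a connection with the string Global.asa loaded into Application state.
Function OpenConn()
    Dim cn
    Set cn = Server.CreateObject("ADODB.Connection")
    cn.Open Application("ConnString")
    Set OpenConn = cn
End Function

' Build a parameterized command so the user reference is never spliced into SQL text.
Function NewCmd(cn, sql)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql
    Set NewCmd = cmd
End Function

' Mitigates the "Important" note: refuse to take a password over an unencrypted channel.
' Call this at the top of the login form's handler.
Sub RequireHttps()
    If LCase(Request.ServerVariables("HTTPS")) <> "on" Then
        Response.Status = "403 Forbidden"
        Response.Write "Login requires HTTPS."
        Response.End
    End If
End Sub

' Returns the EmployeeID for a valid, unexpired user reference, or 0 otherwise.
' The 24-hour window matches the orphan-reference lifetime stated in section 4.1.
Function EmployeeForUserRef(userRef)
    Dim cn, cmd, rs
    EmployeeForUserRef = 0
    If Len(userRef) <> 20 Then Exit Function
    Set cn = OpenConn()
    Set cmd = NewCmd(cn, "SELECT EmployeeID FROM UserSession " & _
        "WHERE UserRef = ? AND CreatedAt > DATEADD(hour, -24, GETDATE())")
    cmd.Parameters.Append cmd.CreateParameter("ref", adVarChar, adParamInput, 20, userRef)
    Set rs = cmd.Execute
    If Not rs.EOF Then EmployeeForUserRef = CLng(rs("EmployeeID"))
    rs.Close
    cn.Close
End Function

' Sign Off: delete the caller's reference so it cannot be presented again.
Sub DeleteUserRef(userRef)
    Dim cn, cmd
    Set cn = OpenConn()
    Set cmd = NewCmd(cn, "DELETE FROM UserSession WHERE UserRef = ?")
    cmd.Parameters.Append cmd.CreateParameter("ref", adVarChar, adParamInput, 20, userRef)
    cmd.Execute
    cn.Close
End Sub

' Housekeeping: remove orphan references older than 24 hours (run from a scheduled job).
Sub PurgeOrphanUserRefs()
    Dim cn
    Set cn = OpenConn()
    cn.Execute "DELETE FROM UserSession WHERE CreatedAt <= DATEADD(hour, -24, GETDATE())"
    cn.Close
End Sub

' Per-page gate: accept the reference from GET or POST, as section 4.1 describes,
' and stop processing if it does not identify a user (deny by default).
Dim userRef, employeeID
userRef = Request.QueryString("UserRef")
If userRef = "" Then userRef = Request.Form("UserRef")
employeeID = EmployeeForUserRef(userRef)
If employeeID = 0 Then
    Response.Status = "403 Forbidden"
    Response.End
End If
%>
```

Include this file at the top of every protected ASP page so the check runs before any other processing. Global.asa should carry the connection string only inside Application_OnStart, and its NTFS ACL should grant read access only to administrators and the identity the IIS application runs as (which identity that is depends on the IIS version and application protection setting).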
4.2 Integrated Windows Authentication
Integrated Windows authentication uses a cryptographic exchange with the user’s
Internet Explorer Web browser to confirm the identity of the user.
5. User Authorization
User authorization is a custom, database-driven solution. It combines role-based
access with application object privileges.
viEval has the following built-in roles:
- Evaluator
- Evaluatee
- Administrator
- Team Leader
The application allows access to be defined for various system objects, such as:
- Evaluations and Surveys
- System Configuration
- Templates
- People tab
- Reports
- Employee Profile
- Employee Performance Log
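An authorization check that combines the two halves described in section 5, role membership and an object privilege, as an added example in classic ASP/VBScript. It is not viEval's own code and assumes two tables, EmployeeRole and RolePrivilege, plus an Application("ConnString") value from Global.asa; none of these is specified in the white paper, and the object names used are taken from the list above. Access is granted only when the employee holds a role and that role carries the requested privilege on the object, so a missing row on either side denies.

```vbscript
<%
Option Explicit
' Added example, not viEval's own code. Assumed tables (not in the white paper):
'   EmployeeRole(EmployeeID int, RoleName varchar(50))
'   RolePrivilege(RoleName varchar(50), ObjectName varchar(50), CanRead bit, CanWrite bit)

Const adCmdText = 1, adVarChar = 200, adInteger = 3, adParamInput = 1

' True only if some role held by the employee grants the requested privilege on the object.
' Both the role link and the privilege row must exist; everything else is denied.
Function CanAccess(employeeID, objectName, needWrite)
    Dim cn, cmd, rs, col
    CanAccess = False
    ' The privilege column is chosen from a fixed pair here, never from request input.
    If needWrite Then col = "CanWrite" Else col = "CanRead"
    Set cn = Server.CreateObject("ADODB.Connection")
    cn.Open Application("ConnString")
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT 1 FROM EmployeeRole er " & _
        "INNER JOIN RolePrivilege rp ON rp.RoleName = er.RoleName " & _
        "WHERE er.EmployeeID = ? AND rp.ObjectName = ? AND rp." & col & " = 1"
    cmd.Parameters.Append cmd.CreateParameter("emp", adInteger, adParamInput, , employeeID)
    cmd.Parameters.Append cmd.CreateParameter("obj", adVarChar, adParamInput, 50, objectName)
    Set rs = cmd.Execute
    CanAccess = Not rs.EOF
    rs.Close
    cn.Close
End Function

' Deny-by-default gate for a page: stop with 403 unless the privilege is present.
' employeeID is expected to come from the page's user-reference check, not from the client.
Sub RequirePrivilege(employeeID, objectName, needWrite)
    If employeeID = 0 Then
        Response.Status = "403 Forbidden"
        Response.End
    End If
    If Not CanAccess(employeeID, objectName, needWrite) Then
        Response.Status = "403 Forbidden"
        Response.End
    End If
End Sub

' Example use on a page that edits templates (assumed object name from section 5's list):
'   RequirePrivilege employeeID, "Templates", True
' and on a read-only report page:
'   RequirePrivilege employeeID, "Reports", False
%>
```

Because the roles in section 5 (Evaluator, Evaluatee, Administrator, Team Leader) are data rather than code, adding or narrowing a role is a change to RolePrivilege rows and needs no page edits; the check itself stays the same on every page.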