Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

viEval and viSurvey security

advertisement 
viEval and viSurvey Security White Paper
Prepared by: viDesktop.com
1
viDesktop.com Inc.
1. Introduction 2
2. Web Application Security ........................................................................................... 2
3. SQL Server.................................................................................................................. 2
4. User Authentication and Session Maintenance........................................................... 3
4.1 Custom Application Authentication ..................................................................... 3
4.2 Integrated Windows Authentication ..................................................................... 3
5. User Authorization ...................................................................................................... 3
1. Introduction
Demanding release schedules and restrictive budgets often require compromise in Web
development like the development of two-tear web applications instead of the n-tear
ideal.
viEval is a two-tear web applications that uses the following technology:
- Microsoft Internet Information Server (IIS)
- Active Server Pages (ASP)
- ActiveX Data Objects (ADODB) and ASP intrinsic objects
- Microsoft SQL Server
2. Web Application Security
viEval can be installed as a new web application or as a virtual website of an existing
web site. The default installation is as a new web application running on port 4000. It is
recommended to set the application protection to high so it runs in an isolated process
separated from other processes.
The Global.asa file typically stores user session variables and application start profiles.
viEval database connection string, user id and password are stored in the global.asa file
(typical to standard two-tier web application). Because the Global.asa file also includes
commands that return information to the browser, it's important to secure it. The file can
be fully protected by using NTFS file permissions.
viEval implements its own security and session maintenance so the web application
authentication method can be set to “Anonymous Access” and the ASP session state can
be disabled.
3. SQL Server
viEval requires one database to be created on the Microsoft SQL Server and an SQL
Server user id with DBO permission on the application database. The application
2
viDesktop.com Inc.
database, the user id and the required permissions will be automatically created by the
installation program.
4. User Authentication and Session Maintenance
viEval implements two types of user authentication:
- Custom user authentication
- Windows authentication
4.1 Custom Application Authentication
All user id and passwords are saved in an Employee table. The login form validates
the identity of the user based on the information in the Employee table. If the user is
authenticated, the application generates a 20 character long unique user reference.
The user reference is passed to ASP pages in HTTP GET requests or POST requests.
Before processing the request each ASP uses the user reference to validate the
identity of the user. The user reference is deleted when the user clicks the “Sign Off”
button. Orphan user references are automatically deleted 24 hours after creation time.
Important: Custom authentication results in the transmission of passwords across the
network in an unencrypted form.
4.2 Integrated Windows Authentication
Integrated Windows authentication uses a cryptographic exchange with the user’s
Internet Explorer Web browser to confirm the identity of the user.
5. User Authorization
The user authorization is a custom database based driven solution. The user authorization
is a combination of role-based access and application object privileges.
viEval has the following build in roles:
- Evaluator
- Evaluatee
- Administrator
- Team Leader
The application allows defining access various system objects like:
- Evaluations and Surveys
- System Configuration
- Templates
- People tab
3
viDesktop.com Inc.
-
Reports
Employee Profile
Employee Performance Log
4
viDesktop.com Inc.
Related documents
CS 2813 - Loyola College
CS 2813 - Loyola College
Chapter 11 HW
Chapter 11 HW
I think that public-key`s authentication process and symmetric key`s
I think that public-key`s authentication process and symmetric key`s
Davis
Davis
cryptography and network security
cryptography and network security
sequence authentication
sequence authentication
CS 5352 - Computer Security Spring 2010 Course Syllabus Course
CS 5352 - Computer Security Spring 2010 Course Syllabus Course
USC CSci530 Computer Security Systems Lecture notes * Spring
USC CSci530 Computer Security Systems Lecture notes * Spring
Introduction to Security
Introduction to Security
Mobile Assisted Bit Sequence Authentication and
Mobile Assisted Bit Sequence Authentication and
Acronyms - BlackBerry
Acronyms - BlackBerry
Security in the Microsoft® .NET Framework
Security in the Microsoft® .NET Framework
Authorization - Bill Buchanan
Authorization - Bill Buchanan
Authenticating Users Using SecurAccess Server by SecurEnvoy
Authenticating Users Using SecurAccess Server by SecurEnvoy
A Security Architect.. - University of Virginia
A Security Architect.. - University of Virginia
Module: User management and authentication options
Module: User management and authentication options
Identification and Implementation of Authentication and
Identification and Implementation of Authentication and
Security in the Microsoft .NET Framework
Security in the Microsoft .NET Framework
Authentication, Authorization, and Accounting
Authentication, Authorization, and Accounting
Chapter 10 ASP.NET Security
Chapter 10 ASP.NET Security
Day3.6 - ODU Computer Science
Day3.6 - ODU Computer Science
5.0 What is Identification Authentication and Authorization?
5.0 What is Identification Authentication and Authorization?
Download
advertisement