TechEd 2006 - Best Practices for ASP.NET Security session

So if you put best practices in the title for a session, whether it be at TechEd, PDC or whatever, then I think it should be mandatory to actually discuss what the best practices are. Yes, I know that best practices is a dumb name for what is really prescriptive guidance, but it’s not my title.

As I sit here in a session that is titled ‘Best Practices for Building Secure Web Applications using ASP.NET and IIS 6.0’, I’m being told about authentication modes, impersonation and identity. Interesting stuff, sure. But not best practices. I don’t need to learn this stuff, as I’m already more familiar than I care to think about the various authentication modes and the user identities that are available at different times. I want to know about the challenges, limitations and (okay, I’ll say it) best practices regarding authentication and authorization.

Next up was a brief discussion of the Membership API. Again, stuff that I learned about last year. And nothing that talks to when and why I’d want to use this.

The final section was a description of ASP.NET trust levels and the impact that the levels have on web applications. Telling me stuff like, changing from Full trust to High trust can gain some benefits. But as the speaker goes into some of the details, again, I’m not getting enough information. For example, he says ‘may need to move code into the GAC’. I want to know why, but it’s not coming. The speaker talks about application pools and that each pool can be given its own identity. But no mention of when this might be useful. Or what problems I might run into if I try to communicate between web sites in different pools.
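As an added illustration (not from the session and not the post author's), here is what the trust-level change actually looks like in configuration, followed by the piece the speaker skipped: why partial trust pushes some code into the GAC. The first fragment is an application's web.config; the second is the machine-wide lock an administrator puts in machine.config (or the root web.config) so that an application cannot quietly raise itself back to Full trust. Both are standard ASP.NET 2.0 elements; the choice of Medium over High is an assumption for the example.

```xml
<!-- Application web.config (added example): run this site under Medium
     trust instead of the default Full trust. Code in /bin then executes
     with a restricted permission set: no unmanaged code, no registry
     access, file I/O limited to the application's own directory, and
     outbound HTTP limited to originUrl. -->
<configuration>
  <system.web>
    <trust level="Medium" originUrl="" />
  </system.web>
</configuration>

<!-- machine.config or root web.config (added example): lock the trust
     level for every application on the server. With allowOverride="false"
     a site's own web.config cannot override the setting, which is the
     least-privilege point the session was gesturing at. -->
<configuration>
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
```

The GAC enters because code access security grants assemblies installed in the GAC full trust under the default policy, while everything in /bin is sandboxed at the configured trust level. Code that genuinely needs a withheld permission (a P/Invoke wrapper, or a component that must read outside the application directory) therefore has to be strong-named, installed in the GAC and marked with the AllowPartiallyTrustedCallers attribute so the sandboxed application can still call it; that keeps the privileged surface small and reviewable instead of leaving the whole site at Full trust. The same least-privilege reasoning applies to application pool identities: a pool running under its own low-privilege account limits what a compromised site in that pool can reach, and the cross-pool communication problems the speaker didn't cover come precisely from those identities not sharing each other's permissions.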

I feel for the presenter. This is not content that lends itself very well to code demos. Which means that there are more PowerPoint slides than is optimal. And the demos deal with configuration of IIS and ASP.NET, because that’s where the changes are. Sigh.