How to improve the security on a ASP.NET site?

Question

I have an ASP.NET site and some clients want a better layer of security for accessing it. The site today asks for a username and password, but a lot of clients want to restrict the access to some machines and I need to do this on my server side. So, I'm asking for some advice.

1. Use a VPN to restrict the access? (With mobile devices will not work)

2. Is possible to check the mac address?

3. Is possible to use client certificate?

Answer 1

Easiest for the User

I would examine multi-factor authentication (to which Andrew Walters' comment alludes) with all content delivered over SSL and extra care taken around things like page timeout, session fixation, password policies, etc.

A PIN delivered to a cell phone is a commonly used second factor.

I assert that this is "easiest for the user" because so many large sites (e.g. Google and Facebook, their bank) operate in this fashion. There's nothing to install and nothing new to learn.

This many not be desirable from a business perspective.

VPN

Use a VPN to restrict the access? (With mobile devices will not work)

This is a common option in corporate environments and is typically considered secure (although not an excuse for abandoning other good practices like password policies). However, you do have options for mobile devices.

See F5's SSL VPNs, specifically their whitepaper on mobile access for iOS and Android which states, "The BIG-IP Edge Portal app for iOS and Android devices streamlines secure mobile access to corporate web applications [...] users can access internal web pages and web applications securely."

You can increase security by adding another factor into the authentication process: a token with a continually changing PIN.

Certificates

Is possible to use client certificate ?

Yes, it is possible; whether or not it meets your business needs is a different matter (e.g. there is skill/time required in managing such a solution).

If you aren't familiar with the subject, I suggest reading this KB article (a quick read).

For implementation, here's an old but highly detailed walkthrough and a newer walkthrough for IIS 7.

Answer 2

If you want to lock down access to certain machines, use IIS's http://www.iis.net/downloads/microsoft/dynamic-ip-restrictions. Specify which IPs have access > make sure you set them to static in dhcp. This is the "access on a need be basis approach" used by payroll vendors and credit card companies in IIS.