
Security in .NET Framework

Security in .NET Framework. Sergey Baidachni MCT, MCSD, MCDBA. Overview. Introduction Code Access Security Add-on features in .NET Best Practices New Microsoft Exams Books for reading. Introduction. Security Needs Example (poor practices) Best Practices. Example (try it).


Presentation Transcript


  1. Security in .NET Framework Sergey Baidachni MCT, MCSD, MCDBA

  2. Overview • Introduction • Code Access Security • Add-on features in .NET • Best Practices • New Microsoft Exams • Books for reading

  3. Introduction • Security Needs • Example (poor practices) • Best Practices

  4. Example (try it) "Select count(*) from UserTable Where Login='" + login + "' and password='" + pwd + "'" Login – sbad Password – 123'456

  5. Example (compilation error) "Select count(*) from UserTable Where Login='sbad' and password='123'456'"

  6. Example "Select count(*) from UserTable Where Login='sbad' and password='123' shutdown --'" • Where is your SQL Server? You would be lucky if the attacker had bothered to learn only one command, and that one happened to be "shutdown"...

  7. Best Practices • Parameters using SqlCommand comm = new SqlCommand("select count(*) from UserTable Where Login=@par1 and password=@par2", conn); comm.Parameters.Add("@par1", SqlDbType.VarChar, 20).Value = login; comm.Parameters.Add("@par2", SqlDbType.VarChar, 20).Value = pwd; • Stored procedures using
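The vulnerable query from slide 4 next to the parameterised version from slide 7, as an added example that is not part of the original deck; the connection string is a placeholder and the UserTable schema is assumed from the slides:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: string concatenation versus SqlParameter for the same lookup.
class LoginCheck
{
    // Vulnerable: the user-supplied values become part of the SQL text, so a
    // quote character in the password changes the statement instead of being
    // compared as data (slides 5 and 6).
    static string BuildUnsafeQuery(string login, string pwd)
    {
        return "select count(*) from UserTable where Login='" + login +
               "' and password='" + pwd + "'";
    }

    // Safe: the values travel to the server as typed parameters and are never
    // parsed as SQL, so "123'456" is simply compared as the string 123'456.
    static bool UserExists(SqlConnection conn, string login, string pwd)
    {
        using (SqlCommand comm = new SqlCommand(
            "select count(*) from UserTable where Login=@par1 and password=@par2", conn))
        {
            comm.Parameters.Add("@par1", SqlDbType.VarChar, 20).Value = login;
            comm.Parameters.Add("@par2", SqlDbType.VarChar, 20).Value = pwd;
            return (int)comm.ExecuteScalar() > 0;
        }
    }

    static void Main()
    {
        // The input from slide 4: the embedded quote breaks the unsafe query.
        Console.WriteLine(BuildUnsafeQuery("sbad", "123'456"));

        // Placeholder connection string; replace with a real one to run.
        using (SqlConnection conn = new SqlConnection("<CONNECTION-STRING-PLACEHOLDER>"))
        {
            conn.Open();
            Console.WriteLine("user exists: " + UserExists(conn, "sbad", "123'456"));
        }
    }
}
```

The VarChar(20) length on the parameters also caps the value size, so over-long input is truncated or rejected by the provider rather than reaching the statement text.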

  8. Code Access Security • Least Privilege • Evidence • Permissions • Declarative Permissions • Imperative Permissions

  9. Least Privilege How much money can they steal if you have none?

  10. Evidence I would be more than glad, but I am debarred from any access Can you lend me some bank money?

  11. Permissions Lend me some bank money I would be glad to, but I have asked the bank not to give me money

  12. Declarative Permissions • Stack Walk • Demand minimal permissions • [assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"c:\a.txt")] • Refuse redundant permissions • [assembly: FileIOPermission(SecurityAction.RequestRefuse, Unrestricted = true)] • Request optional permissions • [assembly: FileIOPermission(SecurityAction.RequestOptional, Unrestricted = true)] • caspol -resolveperm myassembly.exe

  13. Imperative Permissions • Demand and Assert • Deny and PermitOnly • LinkDemand while using SuppressUnmanagedCodeSecurityAttribute
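Declarative Demand and imperative PermitOnly on a FileIOPermission, as an added example that is not from the deck; it targets the .NET Framework CAS model described on slides 12 and 13 (these calls are not supported on .NET Core), and the file path is the placeholder from slide 12:

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Added example: a declarative Demand on a method and an imperative PermitOnly
// that narrows the caller's effective permissions for the rest of the frame.
class PermissionDemo
{
    // Declarative: the runtime walks the call stack and demands read access to
    // the file from every caller before this method body runs.
    [FileIOPermission(SecurityAction.Demand, Read = @"c:\a.txt")]
    static string ReadConfig()
    {
        return File.ReadAllText(@"c:\a.txt");
    }

    // Imperative: PermitOnly keeps just read access to the one file, so any
    // other file I/O demand from code called below fails with SecurityException
    // even when the assembly itself holds broader permissions.
    static void ReadOnlySection()
    {
        FileIOPermission readOnly =
            new FileIOPermission(FileIOPermissionAccess.Read, @"c:\a.txt");
        readOnly.PermitOnly();
        try
        {
            Console.WriteLine(ReadConfig());
            // Write access was not permitted above, so this demand fails.
            File.AppendAllText(@"c:\a.txt", "x");
        }
        catch (SecurityException e)
        {
            Console.WriteLine("blocked by PermitOnly: " + e.Message);
        }
        finally
        {
            // Always undo the stack-walk modifier when leaving the section.
            CodeAccessPermission.RevertPermitOnly();
        }
    }

    static void Main()
    {
        ReadOnlySection();
    }
}
```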

  14. Add-on features in .NET • Form-Based Authentication • Role-Based Security • Microsoft Passport

  15. Security? Login? Password? • Authentication • You can enter, but don’t handle anything with your hands! • Authorization • Ok, you can do it.

  16. Form-based authentication (diagram) Client → IIS → ASP.NET Forms Authentication. The client requests a page; if the request is not authenticated it is redirected to the logon page, where the user enters username and password and submits. On successful authentication an authentication cookie is issued and, if the user is authorized, the requested secure page is returned; otherwise access is denied.

  17. Form-based authentication (How?) • Modify the config file <system.web> <authentication mode="Forms"> <forms name=".namesuffix" loginUrl="login.aspx" /> </authentication> </system.web> • Create a method that authenticates the user • FormsAuthentication.Authenticate • FormsAuthentication.RedirectFromLoginPage
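A minimal login.aspx code-behind for the configuration on slide 17, as an added example that is not from the deck; the control names (txtUser, txtPassword, lblStatus, btnLogin) are assumed, and FormsAuthentication.Authenticate validates against the <credentials> element inside <forms> in web.config:

```csharp
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example: the two FormsAuthentication calls from slide 17 wired to a
// login button. Assumes <authentication mode="Forms"> with loginUrl="login.aspx".
public partial class LoginPage : Page
{
    protected TextBox txtUser;      // assumed control names
    protected TextBox txtPassword;
    protected Label lblStatus;

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Checks the name/password pair against the <credentials> list that
        // the <forms> element in web.config carries.
        if (FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text))
        {
            // Issues the authentication cookie (named ".namesuffix" in the
            // config) and sends the browser back to the page it first asked
            // for; false = session cookie, not a persistent one.
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
        }
        else
        {
            // One message for both unknown user and wrong password, so the
            // form does not reveal which part was wrong.
            lblStatus.Text = "Login failed.";
        }
    }
}
```

For the redirect in the slide 16 diagram to happen, web.config also needs an <authorization> section that denies anonymous users (deny users="?"); without it every request is served without passing through the logon page.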

  18. Role-based security • Identity and Principals • Windows Identity and Principal • General Identity and Principal • Custom Identity and Principal

  19. Identity and Principals (diagram: Username = Fred, Role = Manager; roles Manager, Administrator) • Check the identity of the user • Check the role of the user

  20. Identity and Principals in .NET Framework • Identity • Windows identity (WindowsIdentity) • Generic identity (GenericIdentity) • Custom identity (IIdentity) • Principals • Windows principal (WindowsPrincipal) • Generic principal (GenericPrincipal) • Custom principal (IPrincipal)
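The identity and role checks from slides 19 and 20 with GenericIdentity and GenericPrincipal, as an added example that is not from the deck; the user "Fred" and the role names are taken from slide 19, and the declarative PrincipalPermission check at the end requires .NET Framework:

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example: attach a generic principal to the current thread, then check
// identity and role both imperatively and declaratively.
class RoleDemo
{
    static IPrincipal BuildPrincipal(string user, string[] roles)
    {
        // GenericIdentity is reported as authenticated when the name is non-empty.
        return new GenericPrincipal(new GenericIdentity(user), roles);
    }

    // Imperative check: both the identity and the role must pass.
    static bool CanApprove(IPrincipal p)
    {
        return p.Identity.IsAuthenticated && p.IsInRole("Manager");
    }

    // Declarative check: the runtime demands the role from
    // Thread.CurrentPrincipal before the body runs, throwing SecurityException
    // when it is missing.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrator")]
    static void ResetPasswords()
    {
        Console.WriteLine("admin-only action performed");
    }

    static void Main()
    {
        Thread.CurrentPrincipal = BuildPrincipal("Fred", new[] { "Manager" });
        IPrincipal current = Thread.CurrentPrincipal;

        Console.WriteLine(current.Identity.Name + " can approve: " + CanApprove(current));

        try
        {
            ResetPasswords();   // Fred is a Manager, not an Administrator
        }
        catch (SecurityException)
        {
            Console.WriteLine("denied: Administrator role required");
        }
    }
}
```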

  21. Microsoft Passport • How it works • Benefits • www.passport.com

  22. How Microsoft Passport Works (diagram: Client, host Website.msft, Passport.com) 1 The client requests a page from the host Website.msft 2 The site redirects the client to Passport.com 3 The client is redirected and logs on to Passport.com 4 Passport returns a cookie with the ticket information 5 The client accesses the host, this time with ticket information 6 The host returns a Web Form and possibly a new cookie that it can read and write

  23. Best Practices • Strong Names • Access Modifiers • Disable Trace • Custom Error Messages • Use Register

  24. New Microsoft Exam • 70-340 – Implementing Security for Applications with Microsoft Visual C# .NET • 70-330 – Implementing Security for Applications with Microsoft Visual Basic .NET

  25. Books for reading • Writing Secure Code by Michael Howard, David LeBlanc • Designing Secure Web-Based Applications for Microsoft Windows 2000 by Michael Howard
