Security in the .NET Framework (Mike Kass, Microsoft)


Security in the .NET Framework
Mike Kass, Product Manager, Microsoft Corp.

The .NET Framework (architecture overview)
- Languages: C#, C++, VB, Perl, Java, ...
- Windows Forms: secure, easily deployable rich client classes
- ASP.NET: classes and engine for building, deploying, and running Web applications and services
- ADO.NET: classes for loosely-coupled data access
- XML
- Enterprise Services: a complete set of features enabling transactions, message queuing, etc. (Message Queuing, Transactions, Active Directory, IIS, Management)
- Common Language Runtime: executes code, maintains security, handles component "plumbing" and dependencies

.NET Framework Security
- Role-based Security
- Cryptographic Library
- Code Access Security

Role-Based Security: Authentication
- Unified programming model for all forms of authentication: Basic, Digest, NTLM, Kerberos, Microsoft Passport, Forms/Custom, Client Certificates

Role-Based Security: Authorization
- Maximum flexibility again: Access Control Lists, Active Directory, URL Authorization via Config Files, Custom

Cryptographic Library
- Comprehensive, progressive set of APIs in the .NET Framework
- Easy, unified, stream-based architecture
- Encryption, digital signatures, hashing, random-number generation
- Pluggable extensibility (new algorithms)
- Uses Windows CryptoAPI functionality

Code Access Security
- Allows partially trusted code to run with reduced rights
- Evidence-based security model
- No more "all-or-none" or "sandbox"
- Granular permissions
- Flexible, extensible

3 Key Elements
- Evidence: inputs to policy about code (strong name, site, zone, Authenticode signature, hash value, app directory, etc.)
- Permissions: specific authorizations for code (not users); define a level of access to a resource or operation
- Policy: matches permissions to evidence via "code groups"; grants permissions to an assembly

Permissions Protect Resources
- Resource permissions: Socket, FileIO, Web, FileDialog, DNS, IsolatedStorage, OleDb, Environment, SQLClient, Registry, MessageQueue, UI, EventLog, Printing, DirectoryServices, Reflection, ... (extensible)
- Security permission flags: Execution, Assertion, Skip Verification, Unmanaged code, Control evidence, Control policy, Control principal, Control threads

Loading an Assembly
(The assembly, with its permission requests and its evidence, is fed to Policy; Policy produces the granted permissions.)
0. Compile code
1. Load assembly
2. Gather evidence
3. Load policy
4. Grant permissions
5. Verify MSIL
6. Execute code

Demands Make It Work
- A Demand of FileIOPermission(...) causes a stack walk
- If all frames pass: succeed, allow the operation
- Otherwise: SecurityException(...)

Got Permission?
- MYAPP (semi-trusted) calls the component:
    myComponent.ReadSetting(key);
- MYCOMPONENT (fully trusted) opens the file:
    Stream fileStream = new FileStream("settings.xml", FileMode.Open);
- FRAMEWORK demands the permission before touching the file:
    public FileStream(string name, FileMode mode)
    {
        FileIOPermission fp = new FileIOPermission(FileIOPermissionAccess.Read, name);
        fp.Demand();   // stack walk: MYCOMPONENT's frame passes, MYAPP's frame does not
        ...
    }
- The resulting SecurityException propagates back through MYCOMPONENT to MYAPP.

Default Security Policies
- Default code groups are set around the origin of code, according to the I.E. "zones":
  - Local machine (i.e. code installed locally)
  - Local Intranet
  - Internet (enabled in version 1.1 of the .NET Framework, currently in beta)
  - Trusted sites
  - Restricted sites

Local Machine Permissions
- FullTrust PermissionSet
- Full access to all machine capabilities
- But: the app must be installed on the machine by the machine's admin

Intranet Permissions
- Unlimited UI
- Same-protocol access to site & DNS
- File read access to origin
- Open/Save File Dialog
- Default printer
- Unlimited Isolated Storage
- Unlimited write to Event Log
- Env for USERNAME, TEMP, TMP

Changing Security Policies
- Systems administrators can adjust current policies or create new policies via new code groups, using:
  - .NET Framework Configuration Tool (MMC snap-in)
  - Caspol (command line)
- Policies may be set at application, user, machine, and enterprise levels.

Programmatic Access
- APIs to access the code access security system:
  - Refuse unnecessary permissions
  - Refuse to run if not granted the necessary permissions
  - Check to see if granted a permission and tweak app behavior based on the response

Partially Trusted ASP.NET
- Coming in version 1.1...
- For a shared IIS 5.0 server, use CAS: isolate apps running in the same process; set permissions on virtualized resources
- For a shared IIS 6.0 server, use CAS: isolate the apps you choose to run in the same process; set permissions on virtualized resources

Trustworthy Computing
- External review, penetration testing
- Foundstone's "Security in the Microsoft .NET Framework" (Foundstone, CORE Security Technologies): "Used appropriately, we believe that the .NET Framework is one of the best platforms for developing enterprise and Web applications with strict security requirements."
- Ongoing internal security reviews & testing

STPP (Strategic Technology Protection Program) and the .NET Framework
- Windows Update + Patch Roll-ups
- Help customers get the patches they need ASAP
- 2 Service Packs shipped to date

The .NET Framework in Curriculum
- Multi-language runtime environment
- Use a powerful IDE to access easy-to-use learning tools
- Use the language you like
- Access the same class libraries to do similar tasks
- Visual Studio .NET Academic
- Experience programming with .NET by building your own Terrarium creature at the Hands-On Lab (Booth #301)

Microsoft Resources for Faculty
- MSDN Academic Alliance
  - New program from Microsoft
  - Annual membership fee of $799 per department for computer science courses
  - Membership runs from July to June
  - Web site that supports the program: (
- Visual Studio .NET Academic
  - All the features of Visual Studio .NET Professional plus Course Management Tools

Questions?
More info at: ...
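The "Role-Based Security" slides list the authentication sources but not the programming model they share; the following C# example, added here and not part of the deck, shows that model: an IPrincipal on the current thread, checked by PrincipalPermission both declaratively and imperatively. The GenericPrincipal, user names and role names are constructed for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public class PayrollService
{
    // Declarative check: the runtime demands the role before the method body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Payroll")]
    public static string ExportPayroll()
    {
        return "payroll exported";
    }

    // Imperative check with the same permission type; a null name means any user in the role.
    public static bool CanApprove()
    {
        try
        {
            new PrincipalPermission(null, "Managers").Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    public static void Main()
    {
        // Constructed principal standing in for whatever authenticated the user (Forms,
        // NTLM, Kerberos, Passport ...): the checks above only see the IPrincipal contract.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("alice"), new string[] { "Payroll" });
        Console.WriteLine(ExportPayroll());   // alice is in Payroll: succeeds
        Console.WriteLine(CanApprove());      // alice is not a Manager: False

        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("bob"), new string[0]);
        try
        {
            ExportPayroll();                  // bob has no roles: SecurityException
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Denied: " + ex.Message);
        }
    }
}
```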
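To show what the Cryptographic Library slide's "easy, unified, stream-based architecture" means in practice, here is a C# example added here (not from the deck) that runs encryption, decryption and hashing through the same Stream abstraction with key material from the CryptoAPI-backed generator. It assumes .NET Framework 2.0 or later for the using blocks; the plaintext is constructed.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class StreamCrypto
{
    // Random key material from the CryptoAPI-backed generator, never from System.Random.
    public static byte[] RandomBytes(int count)
    {
        byte[] buf = new byte[count];
        new RNGCryptoServiceProvider().GetBytes(buf);
        return buf;
    }
    // Encryption: plaintext is written through a CryptoStream into an ordinary Stream.
    public static byte[] Encrypt(byte[] plaintext, byte[] key, byte[] iv)
    {
        using (RijndaelManaged aes = new RijndaelManaged())
        using (MemoryStream output = new MemoryStream())
        using (CryptoStream cs = new CryptoStream(output, aes.CreateEncryptor(key, iv), CryptoStreamMode.Write))
        {
            cs.Write(plaintext, 0, plaintext.Length);
            cs.FlushFinalBlock();                          // emits the padded last block
            return output.ToArray();
        }
    }
    // Decryption: the same CryptoStream type in Read mode, wrapped by a plain StreamReader.
    public static string Decrypt(byte[] ciphertext, byte[] key, byte[] iv)
    {
        using (RijndaelManaged aes = new RijndaelManaged())
        using (CryptoStream cs = new CryptoStream(new MemoryStream(ciphertext), aes.CreateDecryptor(key, iv), CryptoStreamMode.Read))
        using (StreamReader reader = new StreamReader(cs, Encoding.UTF8))
        {
            return reader.ReadToEnd();                     // reads until the decryptor's final block
        }
    }
    // Hashing consumes a Stream too, so a file, a socket or a buffer are hashed the same way.
    public static byte[] Sha256Of(Stream data)
    {
        using (SHA256 sha = SHA256.Create()) return sha.ComputeHash(data);
    }
    public static void Main()
    {
        byte[] key = RandomBytes(32), iv = RandomBytes(16);   // AES-256 key, 128-bit block IV
        byte[] cipher = Encrypt(Encoding.UTF8.GetBytes("constructed sample text"), key, iv);
        Console.WriteLine(Decrypt(cipher, key, iv));
        Console.WriteLine(BitConverter.ToString(Sha256Of(new MemoryStream(cipher))));
    }
}
```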
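The "Demands Make It Work" and "Got Permission?" slides sketch the stack walk; this C# example, added here and not from the deck, reproduces it on one machine by using PermitOnly to give the calling frame only the execution permission a restrictive zone policy would grant, so the FileIOPermission demand raised inside FileStream fails at that frame while a full-trust caller succeeds. It assumes the .NET Framework (where CAS demands are enforced), a writable current directory, and a constructed settings file.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Stands in for MYCOMPONENT: fully trusted library code.
public class SettingsReader
{
    // Opening the file makes the framework demand FileIOPermission for the path;
    // the runtime then walks the stack and every caller frame must satisfy it.
    public static string ReadSettings(string path)
    {
        using (StreamReader reader = new StreamReader(new FileStream(path, FileMode.Open)))
        {
            return reader.ReadToEnd();
        }
    }
}

// Stands in for MYAPP: PermitOnly shrinks this frame's effective grant to execution
// only, the way a restrictive zone policy would for code that came from the Internet.
public class MyApp
{
    public static string TryReadSettings(string path)
    {
        PermissionSet limited = new PermissionSet(PermissionState.None);
        limited.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        limited.PermitOnly();
        try
        {
            return SettingsReader.ReadSettings(path);       // the demand's stack walk reaches this frame and fails
        }
        catch (SecurityException ex)
        {
            return "denied: " + ex.GetType().Name;          // the SecurityException thrown inside the framework
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();        // must be reverted by the frame that set it
        }
    }

    public static void Main()
    {
        File.WriteAllText("settings.xml", "timeout=30");    // constructed sample settings file
        Console.WriteLine(SettingsReader.ReadSettings("settings.xml"));   // full-trust caller: succeeds
        Console.WriteLine(TryReadSettings("settings.xml"));               // restricted caller: denied
    }
}
```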
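For the three "Programmatic Access" bullets, this C# example, added here and not from the deck, shows each one: assembly-level RequestMinimum and RequestRefuse declarations, plus IsGranted and Demand checks that adapt behaviour instead of failing. It assumes .NET Framework 1.1 to 3.5 (the request actions are ignored from 4.0, where CAS policy is off by default); the file path and URL are placeholders.

```csharp
using System;
using System.Net;
using System.Security;
using System.Security.Permissions;

// Refuse to run unless granted what the app cannot work without: the loader then
// refuses the assembly up front instead of letting it fail halfway through.
[assembly: SecurityPermissionAttribute(SecurityAction.RequestMinimum, Execution = true)]
[assembly: FileIOPermissionAttribute(SecurityAction.RequestMinimum, Read = @"C:\MyApp\settings.xml")] // placeholder path
// Refuse permissions the app never needs, so a bug in it cannot be turned into
// registry access or a call into unmanaged code even on a FullTrust machine.
[assembly: RegistryPermissionAttribute(SecurityAction.RequestRefuse, Unrestricted = true)]
[assembly: SecurityPermissionAttribute(SecurityAction.RequestRefuse, UnmanagedCode = true)]

public class PolicyAwareApp
{
    // Check without throwing: did policy grant DNS lookups to this assembly?
    public static bool DnsGranted()
    {
        return SecurityManager.IsGranted(new DnsPermission(PermissionState.Unrestricted));
    }

    // Check via Demand: the stack walk answers for every caller on the stack, not just this assembly.
    public static bool CanConnectTo(string url)
    {
        try
        {
            new WebPermission(NetworkAccess.Connect, url).Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    public static void Main()
    {
        // Tweak behaviour instead of failing: only resolve the host name when DNS was granted.
        string host = DnsGranted() ? Dns.GetHostName() : "localhost";
        Console.WriteLine("Host: " + host);
        Console.WriteLine("May connect to intranet site: " + CanConnectTo("http://intranet.example/"));  // placeholder URL
    }
}
```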