1 / 28

Security Features of MS .Net

Security Features of MS .Net. Julia Vortman. Framework Overview. The .NET Framework is a component of the Microsoft Windows operating system used to build and run Windows-based applications

delbert
Download Presentation

Security Features of MS .Net

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Features of MS .Net Julia Vortman

  2. Framework Overview • The .NET Framework is a component of the Microsoft Windows operating system used to build and run Windows-based applications • .NET Framework is a robust platform that simplifies development of high-performance systems featuring great performance, scalability, integration, reliability, and security, with minimal deployment and management costs.

  3. Framework Security Features • Managing user identity (trust of user) • Role-Based Security • Web Applications Security • Managing code on the client, server, or framework (trust of code) • Evidence-Based Security • Code Access Security • Cryptography

  4. Role-Based Security Enforces security permissions based on user identity by implementing the following concepts: • Authentication • Examines user, or a principal identity through username and password verifications • Authorization • Enables or restricts principal access to specific applications/roles

  5. .NET Framework Unified Classes ASP.NET Common Language Runtime Windows Operating System Services Web Application Security Provides web application security

  6. Web Applications Security (Cont’d) • Additional Authentication • Authentication protocols: Microsoft Passport, Form-Based (cookie), etc. • Additional Authorization • URL authorization allows or denies access to URLs based on user identity or roles

  7. Evidence-Based Security • Controls application’s access rights based on who wrote the code, what the code is trying to do, where it was installed from, and who is trying to run it • Before the code is executed, the security policy system examines it based on the evidence • Then, access is granted (or denied), but the code execution is limited by the allowed permissions

  8. Evidence-Based Security Advantage • Major advantage to evidence-based security is that the code management can be restricted to using only well-defined interfaces • Code can be downloaded from unsecured sources and safely executed • Applications composed of many components can be safely installed with multiple security levels

  9. Code Access Security • Security policy built on an evidence-based security policy system • Specifies the level of access the code has to resources and operations • Enforces security with different levels of trust • Caspol.exe is a code access security policy tool that allows a developer to examine and modify machine, user, and enterprise-level code access security policies

  10. Code Access Security Policy • Increases the reliability and security of applications • Governed by a configurable set of rules • Determines which resources code is allowed to access and which code is allowed to run

  11. Security Policy Levels There are four levels in the security policy system: • Enterprise Policy • Machine Policy • User Policy • Application Domain Policy

  12. Enterprise Policy • Defined by enterprise administrators who set policy for enterprise domains • Affects every computer and user on the network • Evaluated at the runtime

  13. Machine Policy • Defined by machine administrators who set policy for one computer • Can set policy that excludes modification from the user level but not from the enterprise level

  14. User Policy • Lowest administrable policy level • Defined by users who set policy for a single logon account • This level is configurable by the current logged-on user

  15. Application Domain Policy • Defined by the runtime host for setting load-time policy • Cannot be administered

  16. Code Access Security (Cont’d) • Prevents illegal attempts to execute a protected operation based on access permissions • The code has to pass a verification process

  17. Verification • Verification ensures that the code uses only well-defined interfaces in interacting with other objects • For instance, PEverify.exe performs MSIL type safety verification checks and metadata validation checks on a specified assembly

  18. Cryptography • Provides functions for: • Encryption • Digital signatures • Hashing • Random number generation • The implementation uses a stream-based model • A file stream is routed into an encryption object and the resulting stream is sent to the network

  19. Cryptography (Cont’d) • Encryption is a set of algorithms to secure data • Asymmetric encryption such as RSA and DSA • Symmetric encryption such as DES, TripleDES, and RC2 • Hashes - MD5, SHA1 • Digital Signatures • Signcode.exe signs a portable executable (PE) file with an authenticode digital signature

  20. Cryptography (Cont’d) • Tracking XML digital signatures • Easy way for application programmers to sign XML documents and fragments. • Signed XML is a means to securely send asynchronous messages over the web

  21. Instructor’s Editorial Comments • One of the weaknesses of PC security is that it is more of an add-on than part of the original design of the operating system. The first personal computers from Radio Shack and Apple came with 16 kilobytes of memory, and the original IBM PC with 64 kb. Since that had to include both operating system and application programs, operating system security was minimal. Windows is a direct descendent of an O/S called CP/M, an acronym for Control Program for Microcomputers.

  22. Comments continued • Mainframes had much more elaborate security measures built into the operating system and the hardware because they had the resources to do that. Mainframes sold for millions of dollars, while personal computers originally cost a few hundred. • One difference is that mainframes tend to separate programs from data. There is a legacy of that in our security discussions when we talk about data protection measures.

  23. Comments continued • The idea of securing data separately in an operating system is similar to putting a safe in a convenience store. Because money is more attractive to thieves than food, it is kept in a safe while the food is kept on an open shelf. • Object Oriented Systems challenge the whole paradigm of separation of program behavior from data, because both are encapsulated in each object. This creates additional problems for security system designers.

  24. Comments continued • Microsoft referred to the limited resource problem in announcing a 64 bit version of Windows. • "We've done a lot of work with Intel and AMD who have changed how software is processed at the chip level, to enable new levels of security in 64-bit computing.” • "We've done work at the core of the system, such that if a virus attacks your machine it will prevent it from taking over your PC.”

  25. Comments continued • "So there are things that we've done at the core that will enable higher levels of security than we see today." • (from an interview with Microsoft’s Brad Goldberg, reported on BBC News, 64-bit launch showcases Longhorn , http://news.bbc.co.uk/, Friday, 6 May, 2005.)

  26. Glossary • Principal - the user on whose behalf code is executed. May have multiple roles. • Evidence - facts known about the code, i.e. digital signatures, the URL, site the code comes from, etc. • Permission - right to access a protected resource.

  27. References • The Microsoft .NET Framework 1.1 Evaluation Guide http://msdn.microsoft.com/netframework/technologyinfo/evalguide/default.aspx • About .Net Security http://www.gotdotnet.com/team/clr/about_security.aspx • Technology Overview http://msdn.microsoft.com/netframework/technologyinfo/overview/default.aspx • MS .NET Framework, http://msdn.microsoft.com/net

  28. References (Cont’d) • Security policy best practices http://www.gotdotnet.com/team/clr/SecurityPolicyBestPractices.htm • .Net Framework Cryptography http://www.gotdotnet.com/team/clr/cryptofaq.htm

More Related