Security in .NET Framework - PowerPoint PPT Presentation

Presentation Transcript

  1. Security in .NET Framework Sergey Baidachni MCT, MCSD, MCDBA

  2. Overview • Introduction • Code Access Security • Add-on features in .NET • Best Practices • New Microsoft Exams • Books for reading

  3. Introduction • Security Needs • Example (poor practices) • Best Practices

  4. Example (try it) "select count(*) from UserTable where Login='" + login + "' and password='" + pwd + "'" • Login – sbad • Password – 123'456

  5. Example (compilation error) "select count(*) from UserTable where Login='sbad' and password='123'456'"

  6. Example "select count(*) from UserTable where Login='sbad' and password='123' shutdown --'" • Where is your SQL Server now? You would be lucky if the attacker had bothered to learn only one command, namely "shutdown"...

  7. Best Practices • Using parameters: SqlCommand comm = new SqlCommand("select count(*) from UserTable where Login=@par1 and password=@par2", conn); comm.Parameters.Add("@par1", SqlDbType.VarChar, 20).Value = login; comm.Parameters.Add("@par2", SqlDbType.VarChar, 20).Value = pwd; • Using stored procedures
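The concatenated query of slides 4-6 placed next to the two safe forms from slide 7, as an added example that is not part of the original presentation. The connection string placeholder and the stored procedure name usp_CheckLogin are assumptions; the table and column names are the ones used on the slides.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

class LoginCheck
{
    // Vulnerable (slides 4-6): user input becomes part of the SQL text.
    // With pwd = "123' shutdown --" the quote closes the WHERE clause and the
    // rest of the input is parsed by SQL Server as a second statement.
    public static string BuildUnsafeQuery(string login, string pwd)
    {
        return "select count(*) from UserTable where Login='" + login +
               "' and password='" + pwd + "'";
    }

    // Safe (slide 7): the SQL text is fixed; login and pwd travel as typed
    // parameter values and cannot change the shape of the statement.
    public static int CountUserParameterized(SqlConnection conn, string login, string pwd)
    {
        using (SqlCommand comm = new SqlCommand(
            "select count(*) from UserTable where Login=@par1 and password=@par2", conn))
        {
            comm.Parameters.Add("@par1", SqlDbType.VarChar, 20).Value = login;
            comm.Parameters.Add("@par2", SqlDbType.VarChar, 20).Value = pwd;
            return (int)comm.ExecuteScalar();
        }
    }

    // Safe (slide 7): the same check through a stored procedure.
    // usp_CheckLogin and its parameter names are assumptions, not from the slides.
    public static int CountUserStoredProc(SqlConnection conn, string login, string pwd)
    {
        using (SqlCommand comm = new SqlCommand("usp_CheckLogin", conn))
        {
            comm.CommandType = CommandType.StoredProcedure;
            comm.Parameters.Add("@login", SqlDbType.VarChar, 20).Value = login;
            comm.Parameters.Add("@password", SqlDbType.VarChar, 20).Value = pwd;
            return (int)comm.ExecuteScalar();
        }
    }

    static void Main()
    {
        // Shows, without a database, how the slide-6 input rewrites the SQL text.
        Console.WriteLine(BuildUnsafeQuery("sbad", "123' shutdown --"));
        // With a real connection the safe variants simply return 0 or 1:
        // using (SqlConnection conn = new SqlConnection("<connection string>"))
        // { conn.Open(); Console.WriteLine(CountUserParameterized(conn, "sbad", "123' shutdown --")); }
    }
}
```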

  8. Code Access Security • Least Privilege • Evidence • Permissions • Declarative Permissions • Imperative Permissions

  9. Least Privilege How much money can they steal if you have none?

  10. Evidence • Can you lend me some bank money? • I would be more than glad, but I am debarred from any access

  11. Permissions • Lend me some bank money • I would be glad to, but I have asked the bank not to give me money

  12. Declarative Permissions • Stack Walk • Demand minimal permissions • [assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"c:\a.txt")] • Reject redundant permissions • [assembly: FileIOPermission(SecurityAction.RequestRefuse, Unrestricted = true)] • Request optional (non-essential) permissions • [assembly: FileIOPermission(SecurityAction.RequestOptional, Unrestricted = true)] • caspol -resolveperm myassembly.exe

  13. Imperative Permissions • Demand and Assert • Deny and PermitOnly • LinkDemand while using SuppressUnmanagedCodeSecurityAttribute

  14. Add-on features in .NET • Form-Based Authentication • Role-Based Security • Microsoft Passport

  15. Security? Login? Password? • Authentication • You can enter, but don’t handle anything with your hands! • Authorization • Ok, you can do it.

  16. Form-based authentication (diagram: client, IIS, ASP.NET Forms Authentication) • Client requests page • Not authenticated: logon page (users enter their credentials: username, password, submit) • Authenticated: authentication cookie • Authorized: requested secure page • Not authorized: access denied

  17. Form-based authentication (How?) • Modify the config file: <system.web> <authentication mode="Forms"> <forms name=".namesuffix" loginUrl="login.aspx" /> </authentication> </system.web> • Create a method that authenticates the user • FormsAuthentication.Authenticate • FormsAuthentication.RedirectFromLoginPage

  18. Role-based security • Identity and Principals • Windows Identity and Principal • General Identity and Principal • Custom Identity and Principal

  19. Identity and Principals (diagram: Username = Fred, Role = Manager; roles Manager, Administrator) • Check the identity of the user • Check the role of the user

  20. Identity and Principals in .NET Framework • Identity • Windows identity (WindowsIdentity) • Generic identity (GenericIdentity) • Custom identity (IIdentity) • Principals • Windows principal (WindowsPrincipal) • Generic principal (GenericPrincipal) • Custom principal (IPrincipal)

  21. Microsoft Passport • How it works • Benefits • www.passport.com

  22. How Microsoft Passport Works (diagram: Client, host Website.msft, Passport.com) • 1 The client requests a page from the host Website.msft • 2 The site redirects the client to Passport.com • 3 The client is redirected and logs on to Passport.com • 4 Passport returns a cookie with the ticket information • 5 The client accesses the host, this time with ticket information • 6 The host returns a Web Form and possibly a new cookie that it can read and write

  23. Best Practices • Strong Names • Access Modifiers • Disable Trace • Custom Error Messages • Use Register

  24. New Microsoft Exam • 70-340 – Implementing Security for Applications with Microsoft Visual C# .NET • 70-330 – Implementing Security for Applications with Microsoft Visual Basic .NET

  25. Books for reading • Writing Secure Code by Michael Howard, David LeBlanc • Designing Secure Web-Based Applications for Microsoft Windows 2000 by Michael Howard