Security in .NET Framework - PowerPoint PPT Presentation

About This Presentation
Title:

Security in .NET Framework

Description:

Security in .NET Framework. Sergey Baidachni. MCT, MCSD, MCDBA ... Website.msft. Client. Passport.com. The client requests a page from the host. 1. 2. 3. 4 ... – PowerPoint PPT presentation

Slides: 26
Provided by: ser8171

Transcript and Presenter's Notes

1
Security in .NET Framework
  • Sergey Baidachni
  • MCT, MCSD, MCDBA

2
Overview
  • Introduction
  • Code Access Security
  • Add-on features in .NET
  • Best Practices
  • New Microsoft Exams
  • Books for reading

3
Introduction
  • Security Needs
  • Example (poor practices)
  • Best Practices

4
Example (try it)
  • "Select count(*) from UserTable Where Login='" + login + "' and password='" + pwd + "'"

Login: sbad   Password: 123456
5
Example (compilation error)
  • Select count(*) from UserTable
  • Where Login='sbad' and password='123456'

6
Example
  • Select count(*) from UserTable
  • Where Login='sbad' and password='123' shutdown --'
  • The password field was "123' shutdown --": the quote closes the string, SHUTDOWN is run, and the comment marker swallows the closing quote the code appends.
  • Where is your SQL Server now? You would be lucky if the attacker had decided to learn only one command, and that one SHUTDOWN...

7
Best Practices
  • Use parameters:
  • SqlCommand comm = new SqlCommand(
  •   "select count(*) from UserTable Where Login=@par1 and password=@par2",
  •   conn);
  • comm.Parameters.Add("@par1", SqlDbType.VarChar, 20).Value = login;
  • comm.Parameters.Add("@par2", SqlDbType.VarChar, 20).Value = pwd;
  • Use stored procedures
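
The concatenated query from slides 4-6 next to the parameterised and stored-procedure versions from this slide, as an added example that is not code from the presentation. It assumes the slides' UserTable(Login, Password), an open SqlConnection supplied by the caller, and a stored procedure named dbo.CheckLogin that is a placeholder of mine.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the slides. Assumes UserTable(Login, Password)
// as on the slides; dbo.CheckLogin is a placeholder procedure name.
public static class LoginCheck
{
    // The slides' vulnerable pattern: user input spliced into the SQL text.
    // Built here only to show what reaches the server; it is never executed.
    public static string BuildConcatenatedQuery(string login, string pwd)
    {
        return "select count(*) from UserTable where Login='" + login +
               "' and password='" + pwd + "'";
    }

    // Hardened: the same query with parameters. Values travel separately from
    // the SQL text, so quotes, "--" and extra statements in the input stay data.
    public static bool IsValidLogin(SqlConnection conn, string login, string pwd)
    {
        using (var comm = new SqlCommand(
            "select count(*) from UserTable where Login=@par1 and password=@par2",
            conn))
        {
            // Parameter sizes match the column definitions.
            comm.Parameters.Add("@par1", SqlDbType.VarChar, 20).Value = login;
            comm.Parameters.Add("@par2", SqlDbType.VarChar, 20).Value = pwd;
            return (int)comm.ExecuteScalar() == 1;
        }
    }

    // The slide's second recommendation: a stored procedure, called with
    // CommandType.StoredProcedure so the command text is never parsed as ad-hoc SQL.
    public static bool IsValidLoginViaProc(SqlConnection conn, string login, string pwd)
    {
        using (var comm = new SqlCommand("dbo.CheckLogin", conn))
        {
            comm.CommandType = CommandType.StoredProcedure;
            comm.Parameters.Add("@login", SqlDbType.VarChar, 20).Value = login;
            comm.Parameters.Add("@pwd", SqlDbType.VarChar, 20).Value = pwd;
            return (int)comm.ExecuteScalar() == 1;
        }
    }

    public static void Main()
    {
        // The attacker input from slide 6: closes the string literal, runs
        // SHUTDOWN, and comments out the closing quote the code appends.
        string attack = "123' shutdown --";
        Console.WriteLine(BuildConcatenatedQuery("sbad", attack));

        // Against a real server the same input is harmless through IsValidLogin:
        // it is compared as a 16-character password value and simply fails.
        using (var conn = new SqlConnection("Server=.;Database=App;Integrated Security=true"))
        {
            conn.Open();
            Console.WriteLine(IsValidLogin(conn, "sbad", attack));
        }
    }
}
```

The connection string is a placeholder. Comparing a cleartext password column, as the slides do, is a separate weakness not covered by the presentation: store a salted hash and compare that, with the lookup still parameterised as above.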

8
Code Access Security
  • Least Privilege
  • Evidence
  • Permissions
  • Declarative Permissions
  • Imperative Permissions

9
Least Privilege
  • How much money can they steal if you have none?

10
Evidence
  • Can you lend me some bank money?
  • I would be more than glad to, but I am barred from any access.

11
Permissions
  • Lend me some bank money.
  • I would be glad to, but I have asked the bank not to give me any money.

12
Declarative Permissions
  • Stack walk
  • Request the minimum permissions the assembly needs to run:
  • [assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"c:\a.txt")]
  • Refuse permissions the assembly should never be granted:
  • [assembly: FileIOPermission(SecurityAction.RequestRefuse, Unrestricted = true)]
  • Request optional permissions (useful if granted, but the assembly still loads without them):
  • [assembly: FileIOPermission(SecurityAction.RequestOptional, Unrestricted = true)]
  • Caspol -resolveperm myassembly.exe

13
Imperative Permissions
  • Demand and Assert
  • Deny and PermitOnly
  • LinkDemand on the wrapper of any P/Invoke method marked with SuppressUnmanagedCodeSecurityAttribute
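
One assembly that uses the declarative requests from slide 12 and the imperative Demand, Assert, PermitOnly and LinkDemand from slide 13, as an added example that is not code from the presentation. The path c:\a.txt is the one the slides use; the method names are mine. It targets the .NET Framework 2.0-3.5 CAS model the slides describe: on .NET Framework 4 the assembly-level Request* actions are ignored and Deny is obsolete, and .NET Core / .NET 5+ do not implement CAS at all.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;

// Added example, not code from the slides (.NET Framework 2.0-3.5 CAS).
// Declarative, assembly level: the minimum the assembly needs to load at all,
// and a right it refuses even if policy would grant it (never write the file).
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"c:\a.txt")]
[assembly: FileIOPermission(SecurityAction.RequestRefuse, Write = @"c:\a.txt")]

public static class CasDemo
{
    // Declarative, method level: a Demand walks the whole call stack before
    // the body runs; any caller without read access to the file fails it.
    [FileIOPermission(SecurityAction.Demand, Read = @"c:\a.txt")]
    public static string ReadConfigDeclarative()
    {
        return File.ReadAllText(@"c:\a.txt");
    }

    // Imperative Demand: the same check when the path is only known at run time.
    public static string ReadFile(string path)
    {
        string full = Path.GetFullPath(path);   // FileIOPermission needs absolute paths
        new FileIOPermission(FileIOPermissionAccess.Read, full).Demand();
        return File.ReadAllText(full);
    }

    // Assert stops the stack walk at this frame, so less-trusted callers can use
    // this method without holding FileIO themselves. Assert only the exact
    // permission needed, keep the window short, and always revert.
    public static string ReadOnBehalfOfCaller(string path)
    {
        string full = Path.GetFullPath(path);
        var perm = new FileIOPermission(FileIOPermissionAccess.Read, full);
        perm.Assert();
        try { return File.ReadAllText(full); }
        finally { CodeAccessPermission.RevertAssert(); }
    }

    // PermitOnly is the opposite direction: whatever runs inside may satisfy no
    // demand except read access under sandboxDir, whatever it was granted.
    public static void RunSandboxed(Action work, string sandboxDir)
    {
        new FileIOPermission(FileIOPermissionAccess.Read, Path.GetFullPath(sandboxDir)).PermitOnly();
        try { work(); }
        finally { CodeAccessPermission.RevertPermitOnly(); }
    }

    // SuppressUnmanagedCodeSecurity removes the per-call unmanaged-code demand on
    // this P/Invoke (faster, but then any caller could reach native code through
    // it), so the public wrapper carries a LinkDemand: only callers that hold
    // SecurityPermission(UnmanagedCode) may even link to it.
    [DllImport("kernel32.dll")]
    [SuppressUnmanagedCodeSecurity]
    private static extern bool Beep(uint frequency, uint duration);

    [SecurityPermission(SecurityAction.LinkDemand, UnmanagedCode = true)]
    public static void BeepOnce()
    {
        Beep(750, 300);
    }

    public static void Main()
    {
        try
        {
            Console.WriteLine(ReadFile(@"c:\a.txt").Length);
            RunSandboxed(() => Console.WriteLine(ReadFile(@"c:\sandbox\data.txt")), @"c:\sandbox");
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("CAS denied: " + ex.Message);
        }
    }
}
```

Run it from a location that policy grants less than FullTrust (for example a network share under the default 1.x/2.0 policy) to see the Demand fail; under FullTrust every check passes silently, which is exactly why Assert and PermitOnly must be reverted in a finally block rather than left to the end of the method.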

14
Add-on features in .NET
  • Form-Based Authentication
  • Role-Based Security
  • Microsoft Passport

15
Security? Login? Password?
  • Authentication
  • You may come in, but don't touch anything!
  • Authorization
  • OK, you may do it.

16
Form-based authentication
  (diagram; participants: Client, IIS, ASP.NET Forms Authentication, Logon Page)
  1. The client requests a page; IIS passes the request to ASP.NET Forms Authentication.
  2. Not authenticated: the client is redirected to the logon page.
  3. Logon page: the user enters username and password and submits.
  4. Not authenticated (bad credentials): back to the logon page.
  5. Authenticated: an authentication cookie is issued to the client.
  6. Authorized: the requested secure page is returned.
  7. Not authorized: Access Denied.

17
Form-based authentication (How?)
  • Modify the config file:
  • <system.web>
  •   <authentication mode="Forms">
  •     <forms name=".namesuffix" loginUrl="login.aspx" />
  •   </authentication>
  • </system.web>
  • Create the login handler using:
  • FormsAuthentication.Authenticate
  • FormsAuthentication.RedirectFromLoginPage
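
The login handler for the login.aspx named in the config above, as an added example that is not code from the presentation. The control names txtUser, txtPass, chkPersist and lblError are assumed. Two things the slides do not mention are needed for the flow in the diagram to happen: an <authorization> element with <deny users="?" /> (site-wide or inside a <location>) so anonymous requests are actually redirected to loginUrl, and requireSSL="true" on the <forms> element so the authentication cookie is only sent over HTTPS.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Added example, not code from the slides: code-behind for login.aspx.
// txtUser, txtPass, chkPersist, lblError and the button handlers are assumed names.
public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // FormsAuthentication.Authenticate checks the name/password against the
        // <credentials> element under <forms> in web.config. If that store is
        // used, set passwordFormat="SHA1" rather than "Clear". A real application
        // replaces this call with its own lookup (for instance the parameterised
        // SqlCommand from the best-practices slide) and keeps the rest as is.
        if (FormsAuthentication.Authenticate(txtUser.Text, txtPass.Text))
        {
            // Issues the authentication cookie (step 5 in the diagram) and sends
            // the browser to the page it originally asked for (ReturnUrl), or to
            // the default document when there is none.
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, chkPersist.Checked);
        }
        else
        {
            // One message for unknown user and wrong password: the page must not
            // reveal which of the two failed.
            lblError.Text = "Invalid user name or password.";
        }
    }

    // Log-out: removes the cookie so the next request to a protected page is
    // redirected to the logon page again.
    protected void btnLogout_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Only the cookie proves the user logged in, so its protection matters as much as the password check: leave the <forms> protection attribute at its default of All (encrypted and signed) and do not set a persistent cookie (chkPersist) unless the application genuinely needs long-lived sessions.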

18
Role-based security
  • Identity and Principals
  • Windows Identity and Principal
  • General Identity and Principal
  • Custom Identity and Principal

19
Identity and Principals
  • Check identity of the user
  • Check the role of the user

20
Identity and Principals in .NET Framework
  • Identity
  • Windows identity (WindowsIdentity)
  • Generic identity (GenericIdentity)
  • Custom identity (IIdentity)
  • Principals
  • Windows principal (WindowsPrincipal)
  • Generic principal (GenericPrincipal)
  • Custom principal (IPrincipal)
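
The identity and role checks from slides 18-20 in working code, as an added example that is not code from the presentation: a GenericPrincipal built from an application role store (a constructed in-memory lookup here), an imperative IsInRole check, a declarative PrincipalPermission demand, and a WindowsPrincipal check against a Windows group. Method and user names are mine.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example, not code from the slides. The role lookup is a constructed
// in-memory table standing in for a database or directory query.
public static class RoleDemo
{
    // Generic identity + principal: built by the application after it has
    // authenticated the user (for example after Forms authentication succeeds).
    public static IPrincipal BuildPrincipal(string login)
    {
        string[] roles = login == "sbad" ? new[] { "Users", "Admins" }
                                         : new[] { "Users" };
        var identity = new GenericIdentity(login, "Custom");   // name, authentication type
        return new GenericPrincipal(identity, roles);
    }

    // Imperative role check: the "check the role of the user" step.
    public static bool CanShutDown(IPrincipal p)
    {
        return p.IsInRole("Admins");
    }

    // Declarative check: the runtime demands the role of Thread.CurrentPrincipal
    // before the body runs and throws SecurityException if it is missing.
    // (.NET Framework only; on .NET Core / 5+ use the imperative check.)
    [PrincipalPermission(SecurityAction.Demand, Role = "Admins")]
    public static void ShutDownServer()
    {
        Console.WriteLine("shutting down");
    }

    // Windows identity + principal: the token of the current process, checked
    // against a Windows group instead of an application role.
    public static bool ProcessIsAdmin()
    {
        var win = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return win.IsInRole(WindowsBuiltInRole.Administrator);
    }

    public static void Main()
    {
        foreach (string user in new[] { "guest", "sbad" })
        {
            // PrincipalPermission reads Thread.CurrentPrincipal; in ASP.NET the
            // request's HttpContext.Current.User is copied there for you.
            Thread.CurrentPrincipal = BuildPrincipal(user);
            Console.WriteLine(user + " IsInRole(Admins): " + CanShutDown(Thread.CurrentPrincipal));
            try { ShutDownServer(); }
            catch (SecurityException) { Console.WriteLine(user + ": demand refused"); }
        }
        Console.WriteLine("process is elevated: " + ProcessIsAdmin());
    }
}
```

A custom IIdentity/IPrincipal pair (the third option on the slide) is the same shape with your own role source behind IsInRole; the checks calling it stay unchanged. With Forms authentication the roles are not in the cookie, so they have to be attached to the principal on every request, typically in Application_AuthenticateRequest.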

21
Microsoft Passport
  • How it works
  • Benefits
  • www.passport.com

22
How Microsoft Passport Works
  (diagram; participants: Client, Website.msft, Passport.com)
  1. The client requests a page from the host (Website.msft).
  2. The site redirects the client to Passport.com.
  3. The client follows the redirect and logs on to Passport.com.
  4. Passport returns a cookie with the ticket information.
  5. The client accesses the host again, this time with the ticket information.
  6. The host returns a Web Form and possibly a new cookie of its own that it can read and write.
  (Microsoft Passport has since been retired; the redirect-and-ticket flow is the same pattern later federated sign-on services use.)

23
Best Practices
  • Strong Names
  • Access Modifiers
  • Disable tracing
  • Custom Error Messages
  • Use Register

24
New Microsoft Exams
  • 70-340 Implementing Security for Applications
    with Microsoft Visual C# .NET
  • 70-330 Implementing Security for Applications
    with Microsoft Visual Basic .NET

25
Books for reading
  • Writing Secure Code by Michael Howard and
    David LeBlanc
  • Designing Secure Web-Based Applications for
    Microsoft Windows 2000 by Michael Howard