Security in .NET Framework
Sergey Baidachni
MCT, MCSD, MCDBA
Overview
- Introduction
- Code Access Security
- Add-on features in .NET
- Best Practices
- New Microsoft Exams
- Books for reading

Introduction
- Security Needs
- Example (poor practices)
- Best Practices

Example (try it)
"Select count(*) from UserTable Where Login='" + login + "' and password='" + pwd + "'"
Login – sbad
Password – 123'456
Example (compilation error)
"Select count(*) from UserTable Where Login='sbad' and password='123'456'"
Example
"Select count(*) from UserTable Where Login='sbad' and password='123' shutdown --'"

Where is your SQL Server now? Consider yourself lucky if the attacker has bothered to learn only one command, namely "shutdown"...
Best Practices

Using parameters
SqlCommand comm = new SqlCommand(
    "select count(*) from UserTable Where Login=@par1 and password=@par2",
    conn);
comm.Parameters.Add("@par1", SqlDbType.VarChar, 20).Value = login;
comm.Parameters.Add("@par2", SqlDbType.VarChar, 20).Value = pwd;

Using stored procedures
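The parameterised login check from the slide above, written out as a complete C# program; this is an added example, not code from the slides. It assumes a UserTable with Login and Password columns (both varchar(20)) and uses a placeholder connection string.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Assumed schema: UserTable(Login varchar(20), Password varchar(20)).
// The slides compare the password inside the query; a real system would
// store and compare a salted hash instead, the parameter handling is the same.
public static class LoginCheck
{
    // Builds the parameterised command without executing it, so the SQL text
    // can be inspected: it is identical whatever login and pwd contain.
    public static SqlCommand BuildCommand(SqlConnection conn, string login, string pwd)
    {
        var comm = new SqlCommand(
            "select count(*) from UserTable where Login = @par1 and password = @par2",
            conn);

        // Typed, length-limited parameters: the values travel to the server
        // as data, so an apostrophe or a trailing "shutdown --" in pwd can
        // only ever be compared against the Password column.
        comm.Parameters.Add("@par1", SqlDbType.VarChar, 20).Value = login;
        comm.Parameters.Add("@par2", SqlDbType.VarChar, 20).Value = pwd;
        return comm;
    }

    // True when exactly one row matches the supplied credentials.
    public static bool CredentialsMatch(string connectionString, string login, string pwd)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var comm = BuildCommand(conn, login, pwd))
        {
            conn.Open();
            return (int)comm.ExecuteScalar() == 1;
        }
    }

    public static void Main()
    {
        // Constructed inputs from the slides; the connection string is a placeholder.
        using (var conn = new SqlConnection("Server=(local);Database=Demo;Integrated Security=true"))
        {
            foreach (string pwd in new[] { "123'456", "123' shutdown --" })
            {
                using (var comm = BuildCommand(conn, "sbad", pwd))
                    Console.WriteLine(comm.CommandText + "   [@par2 = " + comm.Parameters["@par2"].Value + "]");
            }
        }
    }
}
```

Main only builds the commands and prints them, so it runs without a database; CredentialsMatch is what a login page would call.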
Code Access Security
- Least Privilege
- Evidence
- Permissions
- Declarative Permissions
- Imperative Permissions

Least Privilege
How much money can they steal if you have none?

Evidence
"Can you lend me some bank money?"
"I would be more than glad, but I am debarred from any access."

Permissions
"Lend me some bank money."
"I would be glad to, but I have asked the bank not to give me money."
Declarative Permissions
- Stack Walk
- Demand minimal permissions
- Reject redundant permissions

[assembly: FileIOPermission(SecurityAction.RequestRefuse, Unrestricted = true)]

- Request optional (non-essential) permissions

[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"c:\a.txt")]
[assembly: FileIOPermission(SecurityAction.RequestOptional, Unrestricted = true)]

caspol -resolveperm myassembly.exe
Imperative Permissions
- Demand and Assert
- Deny and PermitOnly
- LinkDemand when using SuppressUnmanagedCodeSecurityAttribute

Add-on features in .NET
- Form-Based Authentication
- Role-Based Security
- Microsoft Passport

"Security? Login? Password?"
Authentication

"You can enter, but don't touch anything with your hands!"
Authorization

"Ok, you can do it."
Form-based authentication
[Diagram: seven-step form-based authentication flow. Labels recoverable from the figure: "Client requests page" (step 1); IIS; "Not Authenticated"; Logon Page (users enter their credentials: Username, Password, Submit); ASP.NET Forms Authentication; "Authentication Cookie"; "Authenticated / Authorized"; "Requested Secure Page"; "Access Denied".]
Form-based authentication (How?)

Modify the config file:
<system.web>
  <authentication mode="Forms">
    <forms name=".namesuffix" loginUrl="login.aspx" />
  </authentication>
</system.web>

Create a method to authenticate the user:
FormsAuthentication.Authenticate
FormsAuthentication.RedirectFromLoginPage
Role-based security
- Identity and Principals
- Windows Identity and Principal
- Generic Identity and Principal
- Custom Identity and Principal

Identity and Principals

Check the identity of the user:
Username = Fred

Check the role of the user:
Role = Manager
Roles: Manager, Administrator
Identity and Principals in .NET Framework

Identity
- Windows identity (WindowsIdentity)
- Generic identity (GenericIdentity)
- Custom identity (IIdentity)

Principals
- Windows principal (WindowsPrincipal)
- Generic principal (GenericPrincipal)
- Custom principal (IPrincipal)
Microsoft Passport
- How it works
- Benefits
- www.passport.com

How Microsoft Passport Works
[Diagram actors: Client, Website.msft, Passport.com]
1 The client requests a page from the host Website.msft.
2 The site redirects the client to Passport.com.
3 The client is redirected and logs on to Passport.com.
4 Passport returns a cookie with the ticket information.
5 The client accesses the host, this time with ticket information.
6 The host returns a Web Form and possibly a new cookie that it can read and write.
Best Practices
- Strong Names
- Access Modifiers
- Trace Disable
- Custom Error Messages
- Use Register

New Microsoft Exams
- 70-340 – Implementing Security for Applications with Microsoft Visual C# .NET
- 70-330 – Implementing Security for Applications with Microsoft Visual Basic .NET

Books for reading
- Writing Secure Code, by Michael Howard and David LeBlanc
- Designing Secure Web-Based Applications for Microsoft Windows 2000, by Michael Howard