Security in .NET Framework
Sergey Baidachni
MCT, MCSD, MCDBA
Overview
Introduction
Code Access Security
Add-on features in .NET
Best Practices
New Microsoft Exams
Books for reading
Introduction
Security Needs
Example (poor practices)
Best Practices
Example (try it)
The query is built by string concatenation, so whatever the user types becomes part of the SQL text:
"Select count(*) from UserTable Where Login='" + login + "' and password='" + pwd + "'"
Login - sbad
Password - 123'456
Example (SQL syntax error at run time, not a compiler error)
The stray quote in the password closes the string literal early; SQL Server rejects the statement:
"Select count(*) from UserTable Where Login='sbad' and password='123'456'"
Example (injection)
Now the attacker closes the literal on purpose and appends a command; "--" comments out the rest of the line:
"Select count(*) from UserTable Where Login='sbad' and password='123' shutdown --'"
Where is your SQL Server now? Count yourself lucky if the attacker bothered to learn only one command, and that command was "shutdown"...
Best Practices
Use parameters: the values travel to the server as typed data, never as part of the SQL text
SqlCommand comm = new SqlCommand(
"select count(*) from UserTable Where Login=@par1 and password=@par2",
conn);
comm.Parameters.Add("@par1", SqlDbType.VarChar, 20).Value = login;
comm.Parameters.Add("@par2", SqlDbType.VarChar, 20).Value = pwd;
Use stored procedures: the SQL stays on the server and the application only needs EXECUTE rights
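Both practices above in one complete, compilable form. This is an added example, not code from the original slides: it assumes a connection string, the slide's UserTable(Login, Password) table, and a stored procedure dbo.CheckLogin(@login, @pwd) that returns the number of matching rows; all three names are assumptions.

```csharp
// Added example (not from the slides). Assumes: a reachable SQL Server via
// connectionString, a table UserTable(Login, Password) and a stored procedure
// dbo.CheckLogin(@login varchar(20), @pwd varchar(20)) that SELECTs COUNT(*).
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginCheck
{
    // 1. Parameterized text command. "123' shutdown --" is compared, as a
    //    20-char varchar, against the Password column and simply does not match.
    public static bool IsValidUser(string connectionString, string login, string pwd)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand comm = new SqlCommand(
            "SELECT COUNT(*) FROM UserTable WHERE Login = @par1 AND Password = @par2", conn))
        {
            comm.Parameters.Add("@par1", SqlDbType.VarChar, 20).Value = login;
            comm.Parameters.Add("@par2", SqlDbType.VarChar, 20).Value = pwd;
            conn.Open();
            return (int)comm.ExecuteScalar() > 0;
        }
    }

    // 2. Stored procedure. The SQL text lives on the server; the application's
    //    login only needs EXECUTE on dbo.CheckLogin, not SELECT on UserTable,
    //    which is least privilege applied to the database account.
    public static bool IsValidUserSp(string connectionString, string login, string pwd)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand comm = new SqlCommand("dbo.CheckLogin", conn))
        {
            comm.CommandType = CommandType.StoredProcedure;
            comm.Parameters.Add("@login", SqlDbType.VarChar, 20).Value = login;
            comm.Parameters.Add("@pwd", SqlDbType.VarChar, 20).Value = pwd;
            conn.Open();
            return (int)comm.ExecuteScalar() > 0;
        }
    }

    public static void Main(string[] args)
    {
        string cs = args.Length > 0 ? args[0] : "Server=.;Database=Test;Integrated Security=true";
        // The slide's injection payload, now harmless:
        Console.WriteLine(IsValidUser(cs, "sbad", "123' shutdown --"));
        Console.WriteLine(IsValidUserSp(cs, "sbad", "123'456"));
    }
}
```

The 20-character length on the parameter is not decoration: it mirrors the column and rejects over-long input before it reaches the server. Note that a stored procedure that itself builds SQL with EXEC(@sql) from its arguments re-introduces the injection; the protection comes from parameters, not from the word "procedure".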
Code Access Security
Least Privilege
Evidence
Permissions
Declarative Permissions
Imperative Permissions
Least Privilege
How much money can they
steal if you have none?
Evidence (where the code came from decides what it may do)
"Can you lend me some bank money?"
"I would be more than glad to, but I am barred from any access."
Permissions (what the code itself asks for or refuses)
"Lend me some bank money."
"I would be glad to, but I have asked the bank not to give me money."
Declarative Permissions
Stack walk: a Demand checks every caller on the stack, not just the immediate one
Request the minimum permissions the assembly needs (the loader refuses to load it if policy grants less):
[assembly:FileIOPermission(SecurityAction.RequestMinimum,
Read=@"c:\a.txt")]
Request optional permissions (granted if policy allows; the assembly still loads without them):
[assembly:FileIOPermission(SecurityAction.RequestOptional,
Unrestricted=true)]
Refuse permissions you do not need (removed from the grant set even if policy would give them):
[assembly:FileIOPermission(SecurityAction.RequestRefuse,
Unrestricted=true)]
(The three lines are separate illustrations; you would not combine an unrestricted optional request with an unrestricted refusal of the same permission.)
Check the resulting grant set: caspol -resolveperm myassembly.exe
Imperative Permissions
Demand and Assert
Deny and PermitOnly
LinkDemand on anything marked with SuppressUnmanagedCodeSecurityAttribute (suppressing the unmanaged-code check removes the stack walk, so a cheaper JIT-time check on the immediate caller has to take its place)
Add-on features in .NET
Form-Based Authentication
Role-Based Security
Microsoft Passport
Security? Login? Password?
Authentication (who are you?):
"You may come in, but don't touch anything!"
Authorization (what are you allowed to do?):
"OK, you may do that."
Form-based authentication (flow diagram, reconstructed as numbered steps)
1. The client requests a page.
2. IIS passes the request to ASP.NET Forms Authentication; the client is not authenticated (no authentication cookie).
3. The client is redirected to the logon page, where users enter their credentials (Username: Someone, Password: ***********, Submit).
4. ASP.NET Forms Authentication checks the credentials: authenticated and authorized.
5. An authentication cookie is issued and the client requests the page again with it.
6. Not authenticated: Access Denied.
7. Authenticated and authorized: the requested secure page is returned.
Form-based authentication (How?)
Modify the config file
<system.web>
<authentication mode="Forms">
<forms name=".namesuffix" loginUrl="login.aspx" />
</authentication>
</system.web>
Write the login page's authentication logic using
FormsAuthentication.Authenticate (validates a user name and password against the credentials stored in the config file)
FormsAuthentication.RedirectFromLoginPage (issues the authentication cookie and sends the user back to the page originally requested)
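A login.aspx code-behind that uses the two calls above together with the <forms> element already shown. This is an added example, not code from the slides: the control names txtUser, txtPwd, lblMsg and the handler btnLogin_Click are assumptions, and the <credentials> element sketched in the comment is what FormsAuthentication.Authenticate reads; for real users you would replace Authenticate with a parameterized database lookup and keep the rest.

```csharp
// Added example (not from the slides). Assumed page controls: txtUser, txtPwd,
// lblMsg; assumed web.config fragment inside <forms ...>:
//   <credentials passwordFormat="SHA1">
//     <user name="sbad" password="<hex from HashForConfig>" />
//   </credentials>
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class Login : Page
{
    protected TextBox txtUser;
    protected TextBox txtPwd;
    protected Label lblMsg;

    // Run once at deployment time to produce the password attribute value, so
    // web.config never stores a clear-text password.
    public static string HashForConfig(string clearText)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(clearText, "SHA1");
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Authenticate compares against the <credentials> list in web.config.
        if (FormsAuthentication.Authenticate(txtUser.Text, txtPwd.Text))
        {
            // Writes the ".namesuffix" ticket cookie and redirects to ReturnUrl
            // (or default.aspx). false = session cookie, gone when the browser closes.
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
        }
        else
        {
            // One message for a wrong user and a wrong password alike: do not tell
            // an attacker which half was correct.
            lblMsg.Text = "Login failed.";
        }
    }
}
```

Two things the slide's config does not set are worth checking in a real deployment: the cookie should be marked as requiring SSL (requireSSL on the <forms> element in later ASP.NET versions), and the login page itself should not echo txtUser.Text back into the page unencoded.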
Role-based security
Identity and principals
Windows identity and principal
Generic identity and principal
Custom identity and principal
Identity and Principals (diagram)
Check the identity of the user: Username = Fred
Check the role of the user: Role = Manager (roles shown: Manager, Administrator)
Identity and Principals in .NET Framework (System.Security.Principal)
Identity (who the user is)
Windows identity (WindowsIdentity)
Generic identity (GenericIdentity)
Custom identity (implement IIdentity)
Principals (the identity plus the roles it belongs to)
Windows principal (WindowsPrincipal)
Generic principal (GenericPrincipal)
Custom principal (implement IPrincipal)
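A custom IIdentity/IPrincipal pair and the three ways to check a role against it. This is an added example, not code from the slides: the class names AppIdentity and AppPrincipal, the ApproveExpense method and the role list are constructed for illustration; the user "Fred" and the roles Manager and Administrator are the slide's.

```csharp
// Added example (not from the slides). Role table is constructed inline.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public class AppIdentity : IIdentity
{
    private readonly string name;
    public AppIdentity(string name) { this.name = name; }
    public string Name { get { return name; } }
    public string AuthenticationType { get { return "Custom"; } }
    public bool IsAuthenticated { get { return name.Length > 0; } }
}

public class AppPrincipal : IPrincipal
{
    private readonly IIdentity identity;
    private readonly string[] roles;
    public AppPrincipal(IIdentity identity, string[] roles)
    {
        this.identity = identity;
        this.roles = roles;
    }
    public IIdentity Identity { get { return identity; } }
    public bool IsInRole(string role)
    {
        foreach (string r in roles)
            if (String.Compare(r, role, true) == 0) return true;
        return false;
    }
}

public static class Demo
{
    // Declarative check: the runtime consults Thread.CurrentPrincipal before
    // the body runs and throws SecurityException if the role is missing.
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public static string ApproveExpense()
    {
        return "approved by " + Thread.CurrentPrincipal.Identity.Name;
    }

    public static void Main()
    {
        // GenericPrincipal is the built-in equivalent when no custom logic is needed:
        //   new GenericPrincipal(new GenericIdentity("Fred"), new string[] { "Manager" })
        Thread.CurrentPrincipal =
            new AppPrincipal(new AppIdentity("Fred"), new string[] { "Manager" });

        // Imperative check 1: IsInRole, the cheapest and most explicit.
        Console.WriteLine("Administrator? " +
            Thread.CurrentPrincipal.IsInRole("Administrator")); // False

        // Imperative check 2: PrincipalPermission.Demand, throws on failure.
        try { new PrincipalPermission(null, "Administrator").Demand(); }
        catch (SecurityException) { Console.WriteLine("Demand refused: not an Administrator"); }

        // Declarative check passes: Fred is a Manager.
        Console.WriteLine(ApproveExpense());
    }
}
```

Whichever form you use, the principal must be set for the thread that does the check; in ASP.NET that is HttpContext.Current.User, normally assigned in Application_AuthenticateRequest after the forms-authentication cookie has been validated.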
Microsoft Passport
How it works
Benefits
www.passport.com
How Microsoft Passport Works (diagram, as numbered steps)
1. The client requests a page from the host Website.msft.
2. The site redirects the client to Passport.com.
3. The client follows the redirect and logs on to Passport.com.
4. Passport returns a cookie with the ticket information.
5. The client accesses the host again, this time with the ticket information.
6. The host returns a Web Form and possibly a new cookie that it can read and write.
Best Practices
Strong names (sign assemblies so a tampered or substituted assembly will not load)
Access modifiers (keep types and members as private as they can be)
Disable tracing in production
Custom error messages (never show stack traces or connection strings to the client)
Use Register
New Microsoft Exam
70-340 – Implementing Security for
Applications with Microsoft Visual C# .NET
70-330 – Implementing Security for
Applications with Microsoft Visual Basic
.NET
Books for reading
Writing Secure Code
by Michael Howard, David LeBlanc
Designing Secure Web-Based Applications
for Microsoft Windows 2000 by Michael Howard