Implementing Application Security Using the Microsoft .NET Framework

1
ImplementingApplication Security Using the
Microsoft .NET Framework

• Name
• Job Title
• Company

2
What We Will Cover

• .NET Framework Security Features
• Code Access Security
• Role-Based Security
• Cryptography
• Securing ASP.NET Web Applications
• Securing ASP.NET Web Services

3
Session Prerequisites

• Development experience with Microsoft Visual
  Basic, Microsoft Visual C, or C
• Experience building Microsoft Windows or Web
  applications using the .NET Framework

Level 200
4
Agenda

• .NET Framework Security Features
• Code Access Security
• Role-Based Security
• Cryptography
• Securing ASP.NET Web Applications
• Securing ASP.NET Web Services

5
.NET Managed Execution Security

• The .NET Framework security features
• Assist you in developing secure applications
• Include many components, including
• Type Checker
• Exception Manager
• Security Engine
• Complement Windows Security

6
A Type-Safe System

• Type-safe code
• Prevents buffer overruns
• Restricts access to authorized memory locations
• Allows multiple assemblies to run in the same
  process
• App Domains provide
• Increased performance
• Increased code security

7
Buffer Overrun Protection

• Type-verification prevents arbitrary memory
  overwrites
• .NET System.String objects are immutable
• The .NET System.Text.StringBuilder class checks
  buffer bounds

void CopyString (string src) stringDest
src
8
Arithmetic Error Trapping

• Arithmetic error trapping is achieved by using
• The checked keyword
• Project settings

byte b0 while (true) Console.WriteLine
(b) checked b
9
Demonstration 1 Type Safety Investigating .NET
Data-Type SafetyUsing the checked keyword
10
Strong-Named Assemblies

• Strong names are
• Unique identifiers (containing a public key)
• Used to digitally sign assemblies
• Strong-named assemblies
• Prevent tampering
• Confirm the identity of the assemblys publisher
• Allow side-by-side components

sn k MyFullKey.snk
11
Isolated Storage

• Provides a virtual file system
• Allows quotas
• Implements file system isolation based on
• Application identity
• User identity

IsolatedStorageFile isoStore
IsolatedStorageFile.GetUserStoreForAssembly()
12
Agenda

• .NET Framework Security Features
• Code Access Security
• Role-Based Security
• Cryptography
• Securing ASP.NET Web Applications
• Securing ASP.NET Web Services

13
Evidence-Based Security

• Evidence
• Is assessed when an assembly is loaded
• Is used to determine the permissions for the
  assembly
• Can include the assemblys
• Strong name information
• URL
• Zone
• Authenticode signature

14
Security Policies
15
Security Check Stack Walks
1. An assembly requests access to a method in
your assembly 2. Your assembly passes the
request to a .NET Framework assembly 3. The
security system ensures that all callers in the
stack have the required permissions 4. The
security system grants access or throws an
exception
Call Stack
SomeAssembly
Grant Execute
YourAssembly
Grant ReadFile
Permission Demand
Security System
.NET Framework Assembly
Security exception Access denied
Grant access?
Grant ReadFile
16
Types of Security Checks

• Imperative security checks
• Create Permission objects
• Call Permission methods
• Declarative security checks
• Use Permission attributes
• Apply to methods or classes
• Overriding security checks
• Use the Assert method
• Prevent the stack walk

17
Permission Requests

• Used by developers to state required permissions
• Implemented by attributes
• Prevents an assembly from loading when minimum
  permissions are not available

//I will only run if I can call unmanaged
code assemblySecurityPermission
(SecurityAction.RequestMinimum,
UnmanagedCodetrue)
18
Demonstration 2 Code Access Security Using
the .NET Framework Configuration ToolPerforming
Security ChecksRequesting Permissions
19
Partial Trust Applications

• Prior to the .NET Framework 1.1, all Web
  applications ran with full trust
• .NET 1.1 provides partial trust levels
• Full
• High
• Medium
• Low
• Minimal

20
Sandboxing Privileged Code
Permissions Demanded then Asserted AllowPartiallyT
rustedCallers attribute added Assembly installed
into the global assembly cache
Resource Access
Secured Resource
Partial Trust Web Application
Wrapper Assembly
Sandboxed Code
lttrust level_Medium originUri_--/gt
21
Agenda

• .NET Framework Security Features
• Code Access Security
• Role-Based Security
• Cryptography
• Securing ASP.NET Web Applications
• Securing ASP.NET Web Services

22
Authentication and Authorization

• Authentication asks"Who are you?""Am I sure
  you are who you say you are?"
• Authorization asks"Are you allowed to ?"

23
Identities and Principals

• An identity contains information about a user,
  such as the users logon name
• A principal contains role information about a
  user or computer
• The .NET Framework provides
• WindowsIdentity and WindowsPrincipal objects
• GenericIdentity and GenericPrincipal objects

24
Creating Windows Identities and Principals

• Use WindowsIdentity and WindowsPrincipal objects
  for
• Single validation
• Repeated validation

WindowsIdentity myIdent WindowsIdentity.GetCurre
nt() WindowsPrincipal myPrin new
WindowsPrincipal(myIdent)
AppDomain.CurrentDomain.SetPrincipalPolicy(Princip
alPolicy.WindowsPrincipal) WindowsPrincipal
myPrin System.Threading.Thread.CurrentPrincipal
25
Creating Generic Identities and Principals

• Create a GenericIdentity and a GenericPrincipal
• Attach the GenericPrincipal to the current thread

GenericIdentity myIdent new GenericIdentity("Use
r1") string roles "Manager",
"Teller" GenericPrincipal myPrin new
GenericPrincipal(myIdent, roles)
System.Threading.Thread.CurrentPrincipal myPrin
26
Performing Security Checks

• Use Identity and Principal members in code
• For example, using the Name property of the
  Identity object to check the users logon name
• For example, using the IsInRole method of the
  Principal object to check role membership

if (String.Compare(myPrin.Identity.Name,
"DOMAIN\\Fred", true)0) // Perform some
action
if (myPrin.IsInRole("BUILTIN\\Administrators"))
// Perform some action
27
Imperative and Declarative Security Checks

• Use permissions to make role-based security
  checks
• Imperative checks

PrincipalPermission prinPerm new
PrincipalPermission("Teller", Manager,
true) try prinPerm.Demand() //Does the
above match the active principal?

• Declarative checks

PrincipalPermission(SecurityAction.Demand,
Role"Teller", Authenticatedtrue)
28
Demonstration 3 Role-Based Security Using
Windows Role-Based Security Using Generic
Role-Based Security
29
Agenda

• .NET Framework Security Features
• Code Access Security
• Role-Based Security
• Cryptography
• Securing ASP.NET Web Applications
• Securing ASP.NET Web Services

30
Cryptography Review
The .NET Framework providesclasses that
implement these operations
31
Using Symmetric Algorithms

• Choose an algorithm
• TripleDESCryptoServiceProvider
• RijndaelManaged
• Generate a secret key
• Use the same secret key to encrypt and decrypt
  data
• FileStream
• MemoryStream
• NetworkStream

32
Using Asymmetric Algorithms

• Choose an algorithm
• RSACryptoServiceProvider
• DSACryptoServiceProvider
• Generate a private and public key pair
• Encrypt or decrypt data

33
Signing Data and Verifying Signatures
34
Demonstration 4 .NET Framework Encryption
Performing Symmetric EncryptionSigning Data
35
Agenda

• .NET Framework Security Features
• Code Access Security
• Role-Based Security
• Cryptography
• Securing ASP.NET Web Applications
• Securing ASP.NET Web Services

36
ASP.NET Authentication Types
37
Configuring Forms-Based Authentication

• Configure IIS to use Anonymous authentication
• Set forms-based authentication in Web.config
• Set up authorization
• Build a logon form

ltsystem.webgt ltauthentication mode"Forms"gt
ltforms loginUrl"WebForm1.aspx"/gt lt/authent
icationgt ltauthorizationgt ltdeny
users"?"/gt lt/authorizationgt lt/system.webgt
38
Forms-Based Authentication Enhancements

• Developers can require secure cookies

ltauthentication mode"Forms"gt ltforms
loginUrl"login.aspx" protection"All"
requireSSL"true" timeout"10" name"AppNam
eCookie" path"/FormsAuth" slidingExpiration
"true" lt/formsgt lt/authenticationgt

• Developer can create application-specific keys

39
Validation Controls

• Client-side validation
• Provides instant feedback
• Reduces postback cycles
• Server-side validation
• Repeats all client-side validation
• Validates against stored data, if required

40
Types of Validation Controls
41
Demonstration 5 ASP.NET Web Application
SecurityConfiguring Forms AuthenticationUsing
Validation Controls
42
Agenda

• .NET Framework Security Features
• Code Access Security
• Role-Based Security
• Cryptography
• Securing ASP.NET Web Applications
• Securing ASP.NET Web Services

43
Message-Level Security
44
Web Service Enhancements (WSE)

• Includes
• Authentication with SOAP Headers
• Message encryption
• Message signing
• Supports message routing
• Supports attachments
• Implemented in Microsoft.Web.Services.dll assembly

45
Demonstration 6 Web Services EnhancementsImplem
enting Security for a Web Service
46
Session Summary

• .NET Framework Security Features
• Code Access Security
• Role-Based Security
• Cryptography
• Securing ASP.NET Web Applications
• Securing ASP.NET Web Services

47
Next Steps

• Stay informed about security
• Sign up for security bulletins
• http//www.microsoft.com/security/security_bullet
  ins/alerts2.asp
• Get the latest Microsoft security guidance
• http//www.microsoft.com/security/guidance/
• Get additional security training
• Find online and in-person training seminars
• http//www.microsoft.com/seminar/events/security.
  mspx
• Find a local CTEC for hands-on training
• http//www.microsoft.com/learning/

48
For More Information

• Microsoft Security Site (all audiences)
• http//www.microsoft.com/security
• MSDN Security Site (developers)
• http//msdn.microsoft.com/security
• TechNet Security Site (IT professionals)
• http//www.microsoft.com/technet/security

49
Questions and Answers
50
(No Transcript)