Security Enhancements in .NET Framework 2.0
Rajiv Sodhi, Microsoft India


Agenda
- CLR Enhancements
- Protecting Data (DPAPI)
- System.Security.SecureString
- Access Control Lists
- XML Encryption
- Configuration file encryption
- ASP.NET Security
- ClickOnce Security
- Summary

Data Protection API (DPAPI)
- OS Level Data Protection Service
- Available on Windows 2000, XP, 2003
- Password based service
  - Tied to the user login credentials
- DPAPI does not store protected data
- There was no out of the box support for DPAPI calls in Framework 1.0 and 1.1
  - CryptProtectData and CryptUnprotectData

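Data Protection API

```csharp
using System;
using System.Security.Cryptography; // ProtectedData is in System.Security.dll
using System.Text;

// Encrypt under the current user's DPAPI key; null = no additional entropy.
byte[] rawData = Encoding.UTF8.GetBytes("My test");
byte[] cipherData = ProtectedData.Protect(
    rawData, null, DataProtectionScope.CurrentUser);

// Decrypt with the same scope and the same (null) entropy.
rawData = ProtectedData.Unprotect(
    cipherData, null, DataProtectionScope.CurrentUser);
Console.WriteLine(Encoding.UTF8.GetString(rawData));
```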

System.Security.SecureString
- Managed Strings – A Bad Place to Store Secrets
  - There is no way to erase them
  - GC doesn’t zero out old memory.
  - GC compaction is NOT deterministic
  - GC might move strings around and create several instances of the secret.
- Used for confidential text
- Content is encrypted
- Deleted when no longer needed
- Class not visible to COM
- Based on DPAPI
- Supported methods
  - Insert, Append, Remove and Clear
  - MakeReadOnly for lockdown
  - No methods to inspect, compare or convert content

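SecureString Example

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Create a SecureString
SecureString ss = new SecureString();
// Add characters and lock the string
// (AppendChar, SecureStringToGlobalAllocUnicode and ZeroFreeGlobalAllocUnicode
// are the method names in the released framework)
ss.AppendChar('a');
ss.AppendChar('b');
ss.MakeReadOnly();
// Retrieve content: allocate the unmanaged plaintext copy exactly once
IntPtr uniString = Marshal.SecureStringToGlobalAllocUnicode(ss);
try
{
    // s is an ordinary managed string, so it has the GC problems listed above
    String s = Marshal.PtrToStringUni(uniString);
    Console.WriteLine("String is '{0}'", s);
}
finally
{
    // Zero and free, even if an exception was thrown
    Marshal.ZeroFreeGlobalAllocUnicode(uniString);
}
```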

Access Control Lists (ACLs)
- Until now required P/Invoke
- The framework now models Windows security descriptors!
  - Programmatically read and modify access control lists (ACL)
  - Supports objects and hierarchies
  - Take ownership of objects
  - Supports Auditing operations

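Access Control Lists (ACLs)

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;

// Placeholder path: the file argument did not survive on the slide.
string path = @"C:\path\to\file.txt";
// AccessControlSections.All also requests the audit rules (SACL),
// which requires the caller to hold SeSecurityPrivilege.
FileSecurity sec = new FileSecurity(path, AccessControlSections.All);
Console.WriteLine("owner = " + sec.GetOwner(typeof(NTAccount)));
// true, true = include both explicit and inherited rules
foreach (FileSystemAccessRule r in
         sec.GetAccessRules(true, true, typeof(NTAccount)))
{
    Console.WriteLine(r.AccessControlType);
    Console.WriteLine(r.IdentityReference);
    Console.WriteLine(r.InheritanceFlags);
    Console.WriteLine(r.IsInherited);
    Console.WriteLine(r.PropagationFlags);
    Console.WriteLine(r.FileSystemRights);
    Console.WriteLine("");
} // foreach
```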
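The slide above only reads an ACL; the "modify" half looks like this. This is an added example, not code from the original deck: it locks a file down to the current user by blocking inheritance and writing a single allow entry, then re-reads the descriptor to confirm. The class name `AclLockdown` and the temp file are assumptions made for the illustration.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

class AclLockdown
{
    static void Main()
    {
        // Constructed sample target: a fresh temp file standing in for a secrets file.
        string path = Path.GetTempFileName();
        try
        {
            SecurityIdentifier me = WindowsIdentity.GetCurrent().User;
            FileSecurity sec = File.GetAccessControl(path);

            // Stop inheriting ACEs from the parent folder; false = keep no copies of them.
            sec.SetAccessRuleProtection(true, false);

            // Drop explicit ACEs already on the file. GetAccessRules returns a copy,
            // so removing from 'sec' while iterating is safe.
            foreach (FileSystemAccessRule r in
                     sec.GetAccessRules(true, false, typeof(SecurityIdentifier)))
                sec.RemoveAccessRuleSpecific(r);

            // Single allow ACE: the current user, full control.
            sec.AddAccessRule(new FileSystemAccessRule(
                me, FileSystemRights.FullControl, AccessControlType.Allow));
            File.SetAccessControl(path, sec);

            // Re-read the descriptor from disk and check what is actually enforced.
            FileSecurity check = File.GetAccessControl(path);
            Console.WriteLine("inheritance blocked = " + check.AreAccessRulesProtected);
            foreach (FileSystemAccessRule r in
                     check.GetAccessRules(true, true, typeof(NTAccount)))
                Console.WriteLine("{0} {1} {2} inherited={3}", r.AccessControlType,
                    r.IdentityReference, r.FileSystemRights, r.IsInherited);
        }
        finally
        {
            File.Delete(path);
        }
    }
}
```

The verification pass should print exactly one rule, an Allow for the current account with `inherited=False`.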

XML Encryption
- W3C Compliant Implementation
  - Will be able to exchange data with other implementations
- XML Output
  - Does not have to be XML Input
- Can encrypt portions of an XML document
- Can encrypt different portions of the same document with different keys

XML Encryption
- Several types of encryption
  - Triple DES
  - AES 128
  - AES 192
  - AES 256
  - RSA
  - X509CertificateEx
- Driven through System.Security.Cryptography.Xml.EncryptedXml Class
- Integration with XML Digital Signature
  - XmlDecryptionTransform
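The two XML Encryption slides claim that different portions of one document can be encrypted under different keys. The following added example (not code from the original deck) does that with `EncryptedXml` and AES-256; the class and helper names and the sample document are assumptions made for the illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml; // reference System.Security.dll
using System.Xml;

class PartialXmlEncryption
{
    // Replace the first <name> element with an AES-256 <EncryptedData> element.
    static void EncryptElement(XmlDocument doc, string name, SymmetricAlgorithm key)
    {
        XmlElement target = (XmlElement)doc.GetElementsByTagName(name)[0];
        byte[] cipher = new EncryptedXml().EncryptData(target, key, false); // false: tag + content
        EncryptedData ed = new EncryptedData();
        ed.Type = EncryptedXml.XmlEncElementUrl;
        ed.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url);
        ed.CipherData.CipherValue = cipher;
        EncryptedXml.ReplaceElement(target, ed, false);
    }

    // Decrypt the first <EncryptedData> element in document order, in place.
    static void DecryptFirst(XmlDocument doc, SymmetricAlgorithm key)
    {
        XmlElement enc = (XmlElement)doc.GetElementsByTagName("EncryptedData")[0];
        EncryptedData ed = new EncryptedData();
        ed.LoadXml(enc);
        EncryptedXml exml = new EncryptedXml();
        exml.ReplaceData(enc, exml.DecryptData(ed, key));
    }

    static SymmetricAlgorithm NewKey()
    {
        RijndaelManaged aes = new RijndaelManaged(); // Rijndael with 128-bit blocks is AES
        aes.KeySize = 256;                           // random key is generated on first use
        return aes;
    }
    static void Main()
    {
        // Constructed sample document.
        XmlDocument doc = new XmlDocument();
        doc.PreserveWhitespace = true;
        doc.LoadXml("<order><item>widget</item><card>SAMPLE-CARD</card>" +
                    "<notes>SAMPLE-NOTES</notes></order>");
        SymmetricAlgorithm cardKey = NewKey(), notesKey = NewKey();
        EncryptElement(doc, "card", cardKey);
        EncryptElement(doc, "notes", notesKey);
        Console.WriteLine(doc.OuterXml); // <item> readable, two <EncryptedData> blobs
        DecryptFirst(doc, cardKey);      // holder of cardKey recovers only <card>
        Console.WriteLine(doc.OuterXml); // <notes> is still encrypted
    }
}
```

The AES modes used here are CBC with no integrity check, so the ciphertext is confidential but not tamper-evident; the XML Digital Signature integration named on the slide is what covers integrity.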

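Configuration File Encryption
- Used for configuration files in ASP.NET and Winforms
- DPAPI for Local, RSA for web farms
- Decryption is automatic

```csharp
// Requires: using System.Configuration;
// The caller reads the setting as usual; the section is decrypted transparently.
Console.WriteLine(ConfigurationSettings.AppSettings["MySecret"]);
```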

Configuration File Encryption (app.config)

```xml
AQAA...C5L+4zzo8=
<add name="appSettings" provider="DataProtectionConfigurationProvider" />
```
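One way to produce and verify an encrypted `appSettings` section from code, as an added example that is not from the original deck. It uses the `MySecret` key from the slide; the class name and the sample value are assumptions made for the illustration.

```csharp
using System;
using System.Configuration; // reference System.Configuration.dll
using System.IO;

class ProtectAppSettings
{
    static void Main()
    {
        // Opens <exe>.config next to the running executable (created on Save if absent).
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        AppSettingsSection section = config.AppSettings;

        // Constructed sample secret so the example has something to protect.
        if (section.Settings["MySecret"] == null)
            section.Settings.Add("MySecret", "constructed-sample-value");

        // DPAPI provider for a single machine; "RsaProtectedConfigurationProvider"
        // is the built-in alternative whose key container can be shared across a farm.
        if (!section.SectionInformation.IsProtected)
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);

        // Check 1: the plaintext is no longer in the file on disk.
        string raw = File.ReadAllText(config.FilePath);
        Console.WriteLine("plaintext on disk: " + raw.Contains("constructed-sample-value"));

        // Check 2: reads still work; decryption is transparent to the caller.
        ConfigurationManager.RefreshSection("appSettings");
        Console.WriteLine(ConfigurationManager.AppSettings["MySecret"]);
    }
}
```

In the released framework the protected section carries a `configProtectionProvider` attribute and an `EncryptedData` child element. The default DPAPI provider uses the machine store, so the protection is against reading the file off the box, not against other code running on the same machine.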

CLR Enhancements


What's New in ASP.NET Security
- Membership service
  - Service for managing users and credentials
  - Provider-based for flexible data storage
- Login controls
  - Controls for logging in, creating new users, recovering lost passwords, and more
- Role Management service
  - Combine forms authentication and role-based authorization without writing code!

Login Controls

| Control | Description |
|---|---|
| Login | UI for entering and validating user names and passwords |
| LoginName | Displays authenticated user names |
| LoginStatus | UI for logging in and logging out |
| LoginView | Displays different views based on login status and roles |
| PasswordRecovery | UI for recovering forgotten passwords |
| CreateUserWizard | UI for creating new user accounts |
| ChangePassword | UI for changing passwords |

Membership Service
- Service for managing users and credentials
  - Declarative access via Web Site Admin Tool
  - Programmatic access via Membership and MembershipUser classes
- Membership class provides base services
- MembershipUser class represents users and provides additional services
- Provider-based for flexible data storage

Membership Schema
[Diagram. Controls: Login, LoginStatus, LoginView, other login controls. Membership API: Membership, MembershipUser. Membership Providers: AccessMembershipProvider, SqlMembershipProvider, other membership providers. Membership Data: Access, SQL Server, other data stores.]

Role Management Schema
[Diagram. Controls: Login, LoginStatus, LoginView, other login controls. Roles API: Roles. Role Providers: AccessRoleProvider, SqlRoleProvider, other role providers. Roles Data: Access, SQL Server, other data stores.]

Login Controls


Introduction To ClickOnce
The Best of the Client and the Web
[Comparison table. Columns: Web, ClickOnce, MSI Client. Rows: Reach; “No Touch” Deployment; Low System Impact; Install and Run per User; Rich and Interactive; Offline Access; Windows Shell Integration; Per-Computer and Shared Components; Unrestricted Installation.]

Security: Secure Execution Environment (Sandbox)
- ClickOnce applications run in a sandbox by default
  - Permissions are based on origin
  - Internet, Intranet, or Full Trust
- Ensures that applications are safe to run
  - Similar to Microsoft Internet Explorer and JavaScript
- Applications often need higher trust
  - Call unmanaged code
  - Access the file system or the registry
  - Connect to a database
  - Consume Web services

Security: Determining Permission Requirements
- Security pane of Project Designer
  - Use to manually configure permissions
- Permissions Calculator
  - Calculates the least-required permissions
- Debug in the sandbox
  - Debug applications with partial trust
  - Exception Assistant
- Microsoft IntelliSense® in the sandbox
  - Filtered based on the security context

Click Once

Better Security Error Information
- Expanded SecurityException Type
- Now possible to tell precisely what failed and why
- Includes Failed Assembly information
  - Including failed assemblies’ permission set grant
- Security Action that failed
- The permission set that was checked
- Deeply integrated into the VS IDE (Debug in Zones)

COOL

Further Exploring…
- System.Security.SecurityContext
- System.Security.Principal
- System.DirectoryServices
- System.Diagnostics
- Code Coverage
- Static Analysis – PREfast and FxCop
- Application Verifier
- And More…


© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.