Security in.NET Framework Sergey Baidachni MCT, MCSD, MCDBA

Overview  Introduction  Code Access Security  Add-on features in.NET  Best Practices  New Microsoft Exams  Books for reading

Introduction  Security Needs  Example (poor practices)  Best Practices

Example (try it) “Select count(*) from UserTable Where Login=‘”+login+ “‘ and password=‘”+ pwd+ “‘” Login – sbad Password – 123’456

Example (compilation error) “Select count(*) from UserTable Where Login=‘sbad’ and password=‘123’456’”

Example “Select count(*) from UserTable Where Login=‘sbad’ and password=‘123’ shutdown --’”  Where is your SQL Server? It would be good if a hacker would have decided to study only one command, and namely that one of ”shutdown”...

Best Practices  Parameters using SqlCommand comm=new SqlCommand( “select count(*) from UserTable Where and conn);  Stored procedures using

Code Access Security  Least Privilege  Evidence  Permissions  Declarative Permissions  Imperative Permissions

Least Privilege How much money can they steal if you have none?

Evidence Can you lend me some bank money? I would be more than glad, by I am debarred from any access

Permissions Lend me some bank money I would be glad to, but I have asked the bank not to give me money

Declarative Permissions  Stack Walk  Demand minimal permissions [assembly:FileIOPermission(SecurityAction.RequestMinimum,  Reject redundant permissions [assembly:FileIOPermission(SecurityAction.RequestRefuse, Unrestricted=true)]  Request unnecessary permissions [assembly:FileIOPermission(SecurityAction.RequestOptional, Unrestricted=true)]  Caspol –resolveperm myassembly.exe

Imperative Permissions  Demand and Assert  Deny and PermitOnly  LinkDemand while using SuppressUnmanagedCodeSecurityAttribute

Add-on features in.NET  Form-Based Authentication  Role-Based Security  Microsoft Passport

Security? Login? Password?  Authentication You can enter, but don’t handle anything with your hands!  Authorization Ok, you can do it.

Client requests page Authorized ASP.NET Forms Authentication Not Authenticated Authenticated Logon Page (Users enter their credentials) Authenticated Authentication Cookie Authorized Not Authenticated Access Denied Requested Secure Page  IIS Username Password Someone *********** Submit Form-based authentication

Form-based authentication (How?)  Modify the config file  Create method for authenticate FormsAuthentication.Authenticate FormsAuthentication.RedirectFromLoginPage

Role-based security  Identity and Principals  Windows Identity and Principal  General Identity and Principal  Custom Identity and Principal

Identity and Principals  Check identity of the user  Check the role of the user Username = Fred Administrator Manager Role = Manager

Identity and Principals in.NET Framework  Identity Windows identity (WindowsIdentity) Generic identity (GeneralIdentity) Custom identity (IIdentity)  Principals Windows principal (WindowsPrincipal) Generic principal (GeneralPrincipal) Custom principal (IPrincipal)

Microsoft Passport  How it works  Benefits 

How Microsoft Passport Works Website.msft Client Passport.com The client requests a page from the host The site redirects the client to Passport.com The client is redirected and logs on to Passport.com Passport returns a cookie with the ticket information 66 The client accesses the host, this time with ticket information The host returns a Web Form and possibly a new cookie that it can read and write

Best Practices  Strong Names  Access Modifiers  Trace Disable  Custom Error Messages  Use Register

New Microsoft Exam  – Implementing Security for Applications with Microsoft Visual C#.NET  – Implementing Security for Applications with Microsoft Visual Basic.NET

Books for reading  Writing Secure Code by Michael Howard, David LeBlanc  Designing Secure Web-Based Applications for Microsoft Windows 2000 by Michael Howard