Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Enhancements in.NET Framework 2.0 Rajiv Sodhi Microsoft India.

Published byMariana Bires Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Enhancements in.NET Framework 2.0 Rajiv Sodhi Microsoft India."— Presentation transcript:

1

2 Security Enhancements in.NET Framework 2.0 Rajiv Sodhi Microsoft India

3 Agenda CLR Enhancements Protecting Data (DPAPI) System.Security.SecureString Access Control Lists XML Encryption Configuration file encryption ASP.NET Security ClickOnce Security Summary

4 Data Protection API (DPAPI) OS Level Data Protection Service Available on Windows 2000, XP, 2003 Password based service Tied to the user login credentials DPAPI does not store protected data There was no out of the box support for DPAPI calls in Framework 1.0 and 1.1 CryptProtectData and CryptUnProtectData

5 Data Protection API byte[] rawData = System.Text.UTF8Encoding.UTF8.GetBytes("My test"); byte[] cipherData = ProtectedData.Protect( rawData, null, DataProtectionScope.CurrentUser); rawData = ProtectedData.Unprotect( cipherData, null, DataProtectionScope.CurrentUser); Console.WriteLine( System.Text.UTF8Encoding.UTF8.GetString(rawData));

6 System.Security.SecureString Managed Strings – A Bad Place to Store Secrets There is no way to erase them GC doesn’t zero out old memory. GC compaction is NOT deterministic GC might move strings around and create several instances of the secret. Used for confidential text Content is encrypted Deleted when no longer needed Class not visible to COM Based on DPAPI Supported methods Insert, Append, Remove and Clear MakeReadOnly for lockdown No methods to inspect, compare or convert content

7 SecureString Example // Create a SecureString SecureString ss = new SecureString(); // Add characters and lock the string ss.AppendCharacter('a');ss.AppendCharacter('b');ss.MakeReadOnly(); // Retrieve content IntPtr uniString = Marshal.SecureStringToGlobalAllocUni(ss); Marshal.SecureStringToGlobalAllocUni(ss); String s = Marshal.PtrToStringUni(uniString); Console.WriteLine("String is '{0}'", s); // Zero and free Marshal.ZeroFreeGlobalAllocUni(uniString);

8 Access Control Lists (ACLs) Until now required P/Invoke The framework now models Windows security descriptors ! Programmatically read and modify access control lists (ACL) Supports objects and hierarchies Take ownership of objects Supports Auditing operations

9 Access Control Lists (ACLs) FileSecurity sec = new FileSecurity( @"C:\AUTOEXEC.BAT", AccessControlSections.All); Console.WriteLine("owner = " + sec.GetOwner(typeof(NTAccount))); foreach (FileSystemAccessRule r in sec.GetAccessRules(true, true, typeof(NTAccount))) { Console.WriteLine(r.AccessControlType); Console.WriteLine(r.IdentityReference); Console.WriteLine(r.InheritanceFlags); Console.WriteLine(r.IsInherited); Console.WriteLine(r.PropagationFlags); Console.WriteLine(r.FileSystemRights); Console.WriteLine(""); } // foreach

10 XML Encryption W3C Compliant Implementation Will be able to exchange data with other implementations XML Output Does not have to be XML Input Can encrypt portions of an XML document Can encrypt different portions of the same document with different keys

11 XML Encryption Several types of encryption Triple DES AES 128 AES 192 AES 256 RSAX509CertificateEx Driven through System.Security.Cryptography.Xml.EncryptedXml Class Integration with XML Digital Signature XmlDecryptionTransform

12 Configuration File Encryption Used for configuration files in ASP.NET and Winforms DPAPI for Local, RSA for web farms Decryption is automatic Console.WriteLine(ConfigurationSettin gs.AppSettings["MySecret"]);

13 Configuration File Encryption (app.config) AQAA...C5L+4zzo8= <add name="appSettings" provider= "DataProtectionConfigurationProvider" />

14 CLR Enhancements

15 Agenda Protecting Data (DPAPI) System.Security.SecureString Access Control Lists XML Encryption Configuration file encryption ASP.NET Security ClickOnce Security Summary

16 What's New in ASPNET Security Membership service Service for managing users and credentials Provider-based for flexible data storage Login controls Controls for logging in, creating new users, recovering lost passwords, and more Role Management service Combine forms authentication and role- based authorization without writing code!

17 Login Controls ControlDescription LoginUI for entering and validating user names and passwords LoginNameDisplays authenticated user names LoginStatusUI for logging in and logging out LoginViewDisplays different views based on login status and roles PasswordRecoveryUI for recovering forgotten passwords CreateUserWizardUI for creating new user accounts ChangePasswordUI for changing passwords

18 Membership Service Service for managing users and credentials Declarative access via Web Site Admin Tool Programmatic access via Membership and MembershipUser classes Membership class provides base services MembershipUser class represents users and provides additional services Provider-based for flexible data storage

19 Membership Schema Membership API Membership Data Access Other Data Stores Controls Login LoginStatus LoginView AccessMembershipProvider Other Membership Providers Other Membership Providers Membership Providers Membership MembershipUser SqlMembershipProvider SQL Server Other Login Controls Other Login Controls

20 Role Management Schema Roles API Roles Data Access Other Data Stores Controls Login LoginStatus LoginView AccessRoleProvider Other Role Providers Role Providers Roles SqlRoleProvider SQL Server Other Login Controls Other Login Controls

21 Login Controls

22 Agenda CLR Enhancements Protecting Data (DPAPI) System.Security.SecureString Access Control Lists XML Encryption Configuration file encryption ASP.NET Security ClickOnce Security Summary

23 Introduction To ClickOnce The Best of the Client and the Web WebClickOnce MSI Client Reach “No Touch” Deployment Low System Impact Install and Run per User Rich and Interactive Offline Access Windows Shell Integration Per-Computer and Shared Components Unrestricted Installation

24 Security Secure Execution Environment (Sandbox) ClickOnce applications run in a sandbox by default Permissions are based on origin Internet, Intranet, or Full Trust Internet, Intranet, or Full Trust Ensures that applications are safe to run Similar to Microsoft Internet Explorer and JavaScript Applications often need higher trust Call unmanaged code Access the file system or the registry Connect to a database Consume Web services

25 Security Determining Permission Requirements Security pane of Project Designer Use to manually configure permissions Permissions Calculator Calculates the least-required permissions Debug in the sandbox Debug applications with partial trust Exception Assistant Microsoft Intellisense® in the sandbox Filtered based on the security context

26 Click Once

27 Better Security Error Information Expanded SecurityException Type Now possible to tell precisely what failed and why Includes Failed Assembly information Including failed assemblies’ permission set grant Security Action that failed The permission set that was checked Deeply integrated into the VS IDE (Debug in Zones)

28 COOL

29 Further Exploring… System.Security.SecurityContextSystem.Security.PrincipleSystem.DirectoryServicesSystem.Diagnostics Code Coverage Static Analysis – PreFast and FxCop Application Verifier And More…

30 Your Feedback is Important! Please Fill Out the feedback form

31 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Download ppt "Security Enhancements in.NET Framework 2.0 Rajiv Sodhi Microsoft India."

Similar presentations

Malek Kemmou Technology Architect, Application Platform Microsoft Middle East and Africa Overview of ASP.NET 2.0.

Malek Kemmou Technology Architect, Application Platform Microsoft Middle East and Africa Overview of ASP.NET 2.0.
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Windows Forms 2.0 – ClickOnce Stephen Turner Software Design Engineer

Windows Forms 2.0 – ClickOnce Stephen Turner Software Design Engineer
Security and Policy Enforcement Mark Gibson Dave Northey

Security and Policy Enforcement Mark Gibson Dave Northey
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.

Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Visual Studio Whidbey: Deploying Applications Using ClickOnce Sean Draine Program Manager Microsoft Corporation Sean Draine Program Manager Microsoft Corporation.

Visual Studio Whidbey: Deploying Applications Using ClickOnce Sean Draine Program Manager Microsoft Corporation Sean Draine Program Manager Microsoft Corporation.
Microsoft Australia Security Summit Deploying Applications with ClickOnce Andrew Coates Developer Evangelist Microsoft Australia Andrew.

Microsoft Australia Security Summit Deploying Applications with ClickOnce Andrew Coates Developer Evangelist Microsoft Australia Andrew.
Advanced Deployment Topics – MSI Enhancements Om Sharma Program Manager, Windows Installer Microsoft Corporation.

Advanced Deployment Topics – MSI Enhancements Om Sharma Program Manager, Windows Installer Microsoft Corporation.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Windows Forms in Visual Studio 2005: An Overview Saurabh Pant Program Manager Microsoft Corporation.

Windows Forms in Visual Studio 2005: An Overview Saurabh Pant Program Manager Microsoft Corporation.
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
Delivering Excellence in Software Engineering ® 2006. EPAM Systems. All rights reserved. ASP.NET Authentication.

Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.

Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.
Windows.Net Programming Series Preview. Course Schedule - 2014 CourseDate Microsoft.Net Fundamentals 01/13/2014 Microsoft Windows/Web Fundamentals 01/20/2014.

Windows.Net Programming Series Preview. Course Schedule CourseDate Microsoft.Net Fundamentals 01/13/2014 Microsoft Windows/Web Fundamentals 01/20/2014.
DB-19: OpenEdge® Authentication Without the _User Table

DB-19: OpenEdge® Authentication Without the _User Table
DB2 (Express C Edition) Installation and Using a Database

DB2 (Express C Edition) Installation and Using a Database

Similar presentations

Ads by Google