Security in .NET Framework. Sergey Baidachni, MCT, MCSD, MCDBA. (Presentation transcript)


1 Security in .NET Framework. Sergey Baidachni, MCT, MCSD, MCDBA

2 Overview
- Introduction
- Code Access Security
- Add-on features in .NET
- Best Practices
- New Microsoft Exams
- Books for reading

3 Introduction
- Security Needs
- Example (poor practices)
- Best Practices

4 Example (try it)
"Select count(*) from UserTable Where Login='" + login + "' and password='" + pwd + "'"
Login: sbad
Password: 123'456

5 Example (compilation error)
"Select count(*) from UserTable Where Login='sbad' and password='123'456'"

6 Example
"Select count(*) from UserTable Where Login='sbad' and password='123' shutdown --'"
- Where is your SQL Server? It would be good if the hacker had decided to study only one command, namely "shutdown"...

7 Best Practices
- Use parameters:
  SqlCommand comm = new SqlCommand("select count(*) from UserTable Where Login=@par1 and password=@par2", conn);
  comm.Parameters.Add("@par1", SqlDbType.VarChar, 20).Value = login;
  comm.Parameters.Add("@par2", SqlDbType.VarChar, 20).Value = pwd;
- Use stored procedures
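The following is an added example, not code from the slides: the concatenated query of slides 4 to 6 placed beside the parameterized and stored-procedure forms recommended on slide 7. The table UserTable(Login, Password) comes from the slides; the stored procedure dbo.CheckLogin(@login, @pwd), which returns the same count, and the connection string are assumptions made for this example.

```csharp
// Added example, not from the slides: the concatenated query of slides 4-6
// beside the parameterized and stored-procedure forms from slide 7.
// UserTable(Login, Password) is the slides' table; dbo.CheckLogin and the
// connection string are assumptions made for this example.
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginCheck
{
    // Slide 4 pattern, shown only as the "before": the user's text is pasted
    // into the SQL grammar, so a quote in pwd changes the statement instead of
    // being compared as data (slide 5: syntax error; slide 6: a second command).
    public static string BuildConcatenatedQuery(string login, string pwd)
    {
        return "select count(*) from UserTable where Login='" + login +
               "' and password='" + pwd + "'";
    }

    // Slide 7 pattern: the SQL text never changes; login and pwd are sent as
    // typed parameter values, so a quote or "--" inside them is just characters.
    public static int CountMatchingUsers(SqlConnection conn, string login, string pwd)
    {
        using (SqlCommand comm = new SqlCommand(
            "select count(*) from UserTable where Login=@par1 and password=@par2", conn))
        {
            comm.Parameters.Add("@par1", SqlDbType.VarChar, 20).Value = login;
            comm.Parameters.Add("@par2", SqlDbType.VarChar, 20).Value = pwd;
            return (int)comm.ExecuteScalar();
        }
    }

    // Stored-procedure form from slide 7: the command text is only the
    // procedure name, and CommandType tells ADO.NET not to parse it as SQL.
    public static int CountMatchingUsersViaProc(SqlConnection conn, string login, string pwd)
    {
        using (SqlCommand comm = new SqlCommand("dbo.CheckLogin", conn))
        {
            comm.CommandType = CommandType.StoredProcedure;
            comm.Parameters.Add("@login", SqlDbType.VarChar, 20).Value = login;
            comm.Parameters.Add("@pwd", SqlDbType.VarChar, 20).Value = pwd;
            return (int)comm.ExecuteScalar();
        }
    }

    public static void Main()
    {
        // Slide 5 input: the apostrophe in the password ends the string literal early.
        Console.WriteLine(BuildConcatenatedQuery("sbad", "123'456"));

        // The parameterized version with the same input: SQL Server compares
        // the value as data, so the apostrophe cannot alter the statement.
        using (var conn = new SqlConnection(
            "Server=(local);Database=AppDb;Integrated Security=true")) // placeholder
        {
            conn.Open();
            int n = CountMatchingUsers(conn, "sbad", "123'456");
            Console.WriteLine(n == 1 ? "login ok" : "login failed");
        }
    }
}
```

The parameter size of 20 is taken from the slide; ADO.NET truncates longer input values to the declared size, so the size should match the column definition rather than be chosen arbitrarily.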

8 Code Access Security
- Least Privilege
- Evidence
- Permissions
- Declarative Permissions
- Imperative Permissions

9 Least Privilege
How much money can they steal if you have none?

10 Evidence
Can you lend me some bank money? I would be more than glad, but I am debarred from any access.

11 Permissions
Lend me some bank money. I would be glad to, but I have asked the bank not to give me money.

12 Declarative Permissions
- Stack Walk
- Demand minimal permissions:
  [assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"c:\a.txt")]
- Reject redundant permissions:
  [assembly: FileIOPermission(SecurityAction.RequestRefuse, Unrestricted = true)]
- Request optional permissions (not strictly necessary):
  [assembly: FileIOPermission(SecurityAction.RequestOptional, Unrestricted = true)]
- caspol -resolveperm myassembly.exe

13 Imperative Permissions
- Demand and Assert
- Deny and PermitOnly
- LinkDemand when using SuppressUnmanagedCodeSecurityAttribute
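The following is an added example, not code from the slides: the three assembly-level requests of slide 12 and the Demand, Assert, Deny, PermitOnly and LinkDemand operations of slide 13, in one compilable file. The path c:\a.txt is the slide's; the helper delegates, the temp-directory write permission and the kernel32 Beep import are constructed for the example. It targets the .NET Framework, where these types live: Code Access Security policy is deprecated from .NET Framework 4.0 and absent from .NET Core and .NET 5+.

```csharp
// Added example, not from the slides: slide 12 assembly-level requests and
// slide 13 imperative operations. c:\a.txt is from the slide; the delegates,
// the temp-directory permission and the Beep import are constructed here.
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;

// Slide 12, "demand minimal permissions": the assembly does not load at all
// unless policy grants read access to c:\a.txt.
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"c:\a.txt")]
// Slide 12, "reject redundant permissions": registry access is refused even
// if policy would grant it, so a bug in this assembly cannot touch the registry.
[assembly: RegistryPermission(SecurityAction.RequestRefuse, Unrestricted = true)]
// Slide 12, "request optional permissions": useful but not required. Once any
// RequestOptional is present, only Minimum and Optional requests are granted.
[assembly: UIPermission(SecurityAction.RequestOptional, Unrestricted = true)]

public static class PermissionDemo
{
    // Demand (slide 13): stack walk over every caller; SecurityException if
    // any frame lacks the permission. Declarative equivalent on the method:
    // [FileIOPermission(SecurityAction.Demand, Read = @"c:\a.txt")].
    public static string ReadSetting()
    {
        new FileIOPermission(FileIOPermissionAccess.Read, @"c:\a.txt").Demand();
        return File.ReadAllText(@"c:\a.txt");
    }

    // Assert (slide 13): stop the walk at this frame so less-trusted callers
    // reach the file only through this method. This assembly must itself hold
    // the permission; RevertAssert closes the window.
    public static string ReadSettingForPartialTrustCaller()
    {
        var read = new FileIOPermission(FileIOPermissionAccess.Read, @"c:\a.txt");
        read.Assert();
        try
        {
            return File.ReadAllText(@"c:\a.txt");
        }
        finally
        {
            CodeAccessPermission.RevertAssert();
        }
    }

    // Deny (slide 13): whatever policy granted, code called from here cannot
    // use the registry until RevertDeny.
    public static void RunWithoutRegistry(Action helper)
    {
        new RegistryPermission(PermissionState.Unrestricted).Deny();
        try { helper(); }
        finally { CodeAccessPermission.RevertDeny(); }
    }

    // PermitOnly (slide 13): the stronger form; every permission except
    // writing under the temp directory is unavailable to the callee.
    public static void RunWithTempWriteOnly(Action helper)
    {
        new FileIOPermission(FileIOPermissionAccess.Write, Path.GetTempPath()).PermitOnly();
        try { helper(); }
        finally { CodeAccessPermission.RevertPermitOnly(); }
    }
}

internal static class NativeMethods
{
    // Slide 13: SuppressUnmanagedCodeSecurity removes the per-call stack walk
    // for UnmanagedCode on this P/Invoke. The LinkDemand puts a cheaper check
    // back: the immediate caller is verified once, when it is JIT-compiled.
    [SuppressUnmanagedCodeSecurity]
    [SecurityPermission(SecurityAction.LinkDemand, Flags = SecurityPermissionFlag.UnmanagedCode)]
    [DllImport("kernel32.dll", SetLastError = true)]
    internal static extern bool Beep(uint dwFreq, uint dwDuration);
}
```

The try/finally around each Assert, Deny and PermitOnly matters: the modifier stays on the stack frame until the method returns or it is reverted, so an exception path without the revert would leave an Assert open longer than intended. Assert is the one that widens access and is therefore the call to review most carefully.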

14 Add-on features in .NET
- Form-Based Authentication
- Role-Based Security
- Microsoft Passport

15 Security? Login? Password?
- Authentication: You can enter, but don't touch anything with your hands!
- Authorization: OK, you can do it.

16 Form-based authentication (flow diagram; only the labels survive, step numbers 1-7 lost their positions)
Labels: Client requests page; IIS; ASP.NET Forms Authentication; Not Authenticated -> Logon Page (users enter their credentials); Authenticated -> Authentication Cookie; Authorized -> Requested Secure Page; Not Authenticated / Not Authorized -> Access Denied. The logon form shows Username, Password (masked) and a Submit button.

17 Form-based authentication (How?)
- Modify the config file
- Create a method that authenticates the user: FormsAuthentication.Authenticate, then FormsAuthentication.RedirectFromLoginPage
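The following is an added example, not code from the slides: a Login.aspx code-behind that performs the two steps slide 17 names. It assumes the config-file change has been made, i.e. web.config contains `<authentication mode="Forms">` with a `<forms loginUrl="Login.aspx">` element holding a `<credentials>` list, plus `<authorization><deny users="?" /></authorization>` so anonymous requests are redirected to the login page. The control ids, the class name and the "Invalid login." text are assumptions.

```csharp
// Added example, not from the slides: code-behind for the login page of
// slide 17. Assumes web.config has <authentication mode="Forms"> with
// <forms loginUrl="Login.aspx"> and <credentials>, and denies anonymous
// users; control ids and messages are assumptions.
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LoginPage : Page
{
    // Bound to the controls declared in Login.aspx (assumed ids).
    protected TextBox txtUser;
    protected TextBox txtPassword;
    protected CheckBox chkRemember;
    protected Label lblError;

    // Wired from the markup:
    // <asp:Button id="btnLogin" runat="server" Text="Submit" OnClick="btnLogin_Click" />
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Slide 17, Authenticate: compares the pair with the <credentials>
        // users in web.config. This is the 1.x API; later versions mark it
        // obsolete in favour of Membership.ValidateUser, the rest is unchanged.
        if (!FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text))
        {
            // One message for unknown user and wrong password, so the form
            // does not confirm which logins exist.
            lblError.Text = "Invalid login.";
            return;
        }

        // Slide 17, RedirectFromLoginPage: writes the authentication cookie
        // (the "Authentication Cookie" of slide 16) and sends the browser back
        // to the page it originally requested, carried in the ReturnUrl query
        // string. The second argument decides whether the cookie persists
        // across browser sessions.
        FormsAuthentication.RedirectFromLoginPage(txtUser.Text, chkRemember.Checked);
    }
}
```

Every later request to a protected page then carries the cookie, and the forms-authentication module turns it into the authenticated identity before the authorization check runs; no further code in the page is needed for that.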

18 Role-based security
- Identity and Principals
- Windows Identity and Principal
- Generic Identity and Principal
- Custom Identity and Principal

19 Identity and Principals
- Check the identity of the user
- Check the role of the user
Diagram labels: Username = Fred; roles Administrator, Manager; Role = Manager

20 Identity and Principals in .NET Framework
- Identity: Windows identity (WindowsIdentity), Generic identity (GenericIdentity), Custom identity (IIdentity)
- Principals: Windows principal (WindowsPrincipal), Generic principal (GenericPrincipal), Custom principal (IPrincipal)
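The following is an added example, not code from the slides: it builds the GenericIdentity/GenericPrincipal pair from slide 20 for the user of slide 19 (Fred, role Manager) and performs the identity and role checks three ways: a direct IsInRole call, an imperative PrincipalPermission demand, and the declarative attribute form. The "approve orders" action, the second user and the Reader role are assumptions; the WindowsPrincipal line at the end shows the Windows pair from the same slide.

```csharp
// Added example, not from the slides: GenericIdentity/GenericPrincipal from
// slide 20 for Fred/Manager from slide 19. The order-approval action, the
// Guest user and the Reader role are constructed for this example.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public static class RoleDemo
{
    // Slide 20: GenericIdentity says who the user is, GenericPrincipal adds
    // the roles. GenericIdentity reports IsAuthenticated when the name is non-empty.
    public static GenericPrincipal MakePrincipal(string name, params string[] roles)
    {
        var identity = new GenericIdentity(name);
        return new GenericPrincipal(identity, roles);
    }

    // Slide 19, "check the identity" and "check the role" in one explicit test.
    public static bool CanApproveOrders(IPrincipal user)
    {
        return user.Identity.IsAuthenticated && user.IsInRole("Manager");
    }

    // Same check as an imperative PrincipalPermission: it demands against
    // Thread.CurrentPrincipal and throws SecurityException on failure.
    // null for the name means "any authenticated user in this role".
    public static void ApproveOrdersImperative()
    {
        new PrincipalPermission(null, "Manager").Demand();
        // ... approve ...
    }

    // Declarative form: the runtime performs the demand before the body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public static void ApproveOrdersDeclarative()
    {
        // ... approve ...
    }

    public static void Main()
    {
        var fred = MakePrincipal("Fred", "Manager");
        var guest = MakePrincipal("Guest", "Reader");
        Console.WriteLine("Fred can approve: " + CanApproveOrders(fred));
        Console.WriteLine("Guest can approve: " + CanApproveOrders(guest));

        // PrincipalPermission looks at the thread's principal, so install it first.
        Thread.CurrentPrincipal = fred;
        ApproveOrdersDeclarative();

        Thread.CurrentPrincipal = guest;
        try
        {
            ApproveOrdersImperative();
        }
        catch (SecurityException)
        {
            Console.WriteLine("Guest denied by PrincipalPermission");
        }

        // Slide 20, Windows pair: the account the process runs under, with
        // roles taken from its Windows group membership.
        var windowsUser = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        Console.WriteLine("Process runs as administrator: " +
                          windowsUser.IsInRole(WindowsBuiltInRole.Administrator));
    }
}
```

In an ASP.NET application Thread.CurrentPrincipal is set by the authentication module for each request (for forms authentication, from the cookie of slides 16 and 17), so the PrincipalPermission checks above work unchanged there; in a console or service the application assigns the principal itself, as Main does here.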

21 Microsoft Passport
- How it works
- Benefits
- www.passport.com

22 How Microsoft Passport Works (diagram with Client, Website.msft and Passport.com)
1. The client requests a page from the host.
2. The site redirects the client to Passport.com.
3. The client is redirected and logs on to Passport.com.
4. Passport returns a cookie with the ticket information.
5. The client accesses the host, this time with the ticket information.
6. The host returns a Web Form and possibly a new cookie that it can read and write.

23 Best Practices
- Strong Names
- Access Modifiers
- Disable Trace
- Custom Error Messages
- Use Register

24 New Microsoft Exams
- 70-340: Implementing Security for Applications with Microsoft Visual C# .NET
- 70-330: Implementing Security for Applications with Microsoft Visual Basic .NET

25 Books for reading
- Writing Secure Code, by Michael Howard and David LeBlanc
- Designing Secure Web-Based Applications for Microsoft Windows 2000, by Michael Howard

