Published by Amanda Morgan. Modified over 9 years ago.
1
SECURITY ISSUES
2
Introduction
The .NET Framework includes a comprehensive set of security tools
– Low-level classes and an overall framework
– Managing code access security and role-based security
– Applies to Web services, Windows apps, Windows services, remoting applications
3
Configuring Security
Broadly speaking, .NET security is divided into two separate areas:
– Code access security – manages the security of the code itself
– Role-based security – manages the user rather than the code
4
Understanding Code Access Security
Controls what the code can do on your computer, regardless of where it comes from
Centers on permissions to use resources
5
Concepts Involved in Code Access Security
Permissions
Code groups
Permission sets
6
Understanding Permissions
Based on specific permissions granted by the CLR
E.g. code that wishes to write to the Windows Registry requires RegistryPermission permission
7
Types of Permission Requests
Code can make permission requests:
– Minimum permissions that it requires to run
– Optional permissions
– Refuse permissions – ensures it does not have access to particular resources
– Demand permissions of the CLR
8
Granting Permissions
The CLR decides whether a particular permission should be granted
If a module is unable to obtain the minimum permissions it needs, the code does not execute
The computer’s security settings determine the maximum permissions to be granted
9
Types of Permissions
Code access permissions – access to protected resources
Identity permissions – based on credentials that are part of the code itself
Role-based permissions – based on the user who will run the code
10
Code Access Permissions in the .NET Framework
DirectoryServicePermission
DnsPermission
EnvironmentPermission
EventLogPermission
FileDialogPermission
11
Code Access Permissions in the .NET Framework (cont’d)
FileIOPermission
IsolatedStorageFilePermission
IsolatedFilePermission
MessageQueuePermission
OleDBPermission
12
Code Access Permissions in the .NET Framework (cont’d)
PerformanceCounterPermission
PrintingPermission
ReflectionPermission
RegistryPermission
SecurityPermission
13
Code Access Permissions in the .NET Framework (cont’d)
ServiceControllerPermission
SocketPermission
SqlClientPermission
UIPermission
WebPermission
14
Code Groups
A code group is a set of assemblies that share a security context
You define a code group by specifying the membership condition for the group
The .NET Framework supports seven different membership conditions for code groups
15
Membership Conditions
Application directory
– Selects all code in the installation directory of the running application
Cryptographic hash
– Selects all code that matches a specific cryptographic hash. Effectively limits code group to a single assembly
16
Membership Conditions (cont’d)
Software publisher
– Selects all code from a specified publisher, verified by Authenticode signing
Site
– Selects all code from a particular Internet domain
17
Membership Conditions (cont’d)
Strong name
– Selects all code with a specific strong name
URL
– Selects all code from a specific URL
18
Membership Conditions (cont’d)
Zone
– Selects all code from a specified security zone: Internet, Local intranet, Trusted sites, My Computer, Untrusted sites
19
Permission Sets
A set of one or more code access permissions that are granted as a unit
To grant a single permission, create a permission set with only 1 permission
The .NET Framework supplies seven built-in permission sets
20
Built-in Permission Sets
Nothing
– Grants no permissions
Execution
– Can run, but no access to protected resources
21
Built-in Permission Sets (cont’d)
Internet
– Grants limited permissions for code of unknown origin
LocalIntranet
– Grants high permissions designed for code within the enterprise
22
Built-in Permission Sets (cont’d)
Everything
– Grants all permissions except for permission to skip verification
SkipVerification
– Grants permission to skip security checks
23
Built-in Permission Sets (cont’d)
FullTrust
– Grants full access to all resources
– Includes all permissions
24
Granting Permissions
The easiest way to grant or deny permissions is to work with the .NET Framework Configuration tool
Located at:
– Control Panel -> Administrative Tools -> Microsoft .NET Framework 2.0 Configuration -> My Computer -> Runtime Security Policy -> User -> Permissions Sets
25
Imperative Security
Requesting permissions via attributes is known as declarative security
With imperative security, you create objects to represent the permissions your code requires
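The permission requests and the two demand styles described in these slides, side by side, as an added C# example that is not part of the original presentation. It assumes .NET Framework 2.0 to 3.5 (where assembly-level permission requests are honoured); the ReportReader class and the C:\AppData\Reports directory are constructed for illustration.

```csharp
// Added example, not from the original slides. Assumes .NET Framework 2.0-3.5.
// ReportReader and C:\AppData\Reports are constructed placeholders.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Permission requests, evaluated when the assembly is loaded.
// Minimum: the assembly does not run unless policy grants this.
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"C:\AppData\Reports")]
// Refuse: never granted to this assembly, even if policy would allow it.
[assembly: RegistryPermission(SecurityAction.RequestRefuse, Unrestricted = true)]

public static class ReportReader
{
    private const string ReportDir = @"C:\AppData\Reports";

    // Declarative: the demand is an attribute, fixed at compile time.
    [FileIOPermission(SecurityAction.Demand, Read = ReportDir)]
    public static string ReadDeclarative(string fileName)
    {
        // GetFileName drops any directory part so the read stays in ReportDir.
        return File.ReadAllText(Path.Combine(ReportDir, Path.GetFileName(fileName)));
    }

    // Imperative: a permission object is built at run time and demanded.
    public static string ReadImperative(string absolutePath)
    {
        // The constructor requires an absolute path.
        FileIOPermission permission =
            new FileIOPermission(FileIOPermissionAccess.Read, absolutePath);
        permission.Demand(); // SecurityException if a caller on the stack lacks it
        return File.ReadAllText(absolutePath);
    }

    public static void Main()
    {
        try
        {
            Console.WriteLine(ReadDeclarative("summary.txt"));
            Console.WriteLine(ReadImperative(@"C:\AppData\Reports\summary.txt"));
        }
        catch (SecurityException ex)
        {
            Console.Error.WriteLine("Denied by code access security: " + ex.Message);
        }
        catch (IOException ex)
        {
            Console.Error.WriteLine("I/O error: " + ex.Message);
        }
    }
}
```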
26
Impersonation
Allows ASP.NET to take on the identity of an authenticated user
Applies only to applications that use ASP.NET to communicate with server
ASP.NET impersonation is controlled by entries in the applicable web.config file; Ex:
27
Impersonation (cont’d)
By default, ASP.NET runs as an unprivileged account named ASPNET
When impersonation is disabled, all requests will run in the context of the account running ASP.NET
28
Impersonation (cont’d)
If enabled, ASP.NET takes on the identity passed to it by IIS
If you are not allowing anonymous access, ASP.NET will take on the credentials of the authenticated user and make requests for resources as if it were actually that user
29
Role-Based Security
User is a member of a group
Authorization is handled by role-based security
Implemented through two objects:
– WindowsIdentity
– WindowsPrincipal
30
The WindowsIdentity Object
Represents the Windows user who is running the current code
Properties of this object allow you to retrieve information about the user; e.g.:
– Username
– Authentication method
31
The WindowsPrincipal Object
Adds functionality to the WindowsIdentity object
Represents the entire security context of the user
When the CLR determines which role-based permissions to assign to your code, it inspects the WindowsPrincipal object
32
Verifying Role Membership
Use the IsInRole() method of the WindowsPrincipal object
Results of using this method can be used to modify application’s user interface
33
IsInRole() Method
Three available overloads for this method:
– IsInRole(WindowsBuiltInRole)
– IsInRole(String): name of user
– IsInRole(Integer): role identifier (RID)
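The WindowsIdentity, WindowsPrincipal and IsInRole() slides above, put together as an added C# example that is not part of the original presentation. It checks the local Administrators group through all three overloads and then shows a role-based demand made through the CLR; the RoleCheck class name is constructed for illustration.

```csharp
// Added example, not from the original slides. RoleCheck is a constructed name.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;

public static class RoleCheck
{
    public static void Main()
    {
        // Make the CLR attach a WindowsPrincipal to the thread; this must be
        // set before Thread.CurrentPrincipal is first read.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

        // WindowsIdentity: who is running the current code.
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        Console.WriteLine("User:           {0}", identity.Name);
        Console.WriteLine("Authentication: {0}", identity.AuthenticationType);

        // WindowsPrincipal: the identity plus its group memberships.
        WindowsPrincipal principal = new WindowsPrincipal(identity);

        // The three overloads, all testing the local Administrators group.
        bool byEnum = principal.IsInRole(WindowsBuiltInRole.Administrator);
        bool byName = principal.IsInRole(@"BUILTIN\Administrators");
        bool byRid = principal.IsInRole(544); // 0x220, RID of Administrators
        Console.WriteLine("enum={0} name={1} rid={2}", byEnum, byName, byRid);
        // With UAC, a non-elevated administrator runs with a filtered token,
        // so all three return false until the process is elevated.

        // Role-based demand: the CLR checks the thread's principal and throws
        // if it is not in the role. Use this to enforce; use IsInRole() only
        // to decide what the user interface shows.
        try
        {
            new PrincipalPermission(null, @"BUILTIN\Administrators").Demand();
            Console.WriteLine("Administrative action permitted.");
        }
        catch (SecurityException)
        {
            Console.WriteLine("Administrative action refused.");
        }
    }
}
```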
34
Configuring Web Services Security
The chief challenge is to decide how to authenticate users
After a user has been authenticated, a Web service is a Windows application
You can use the same declarative and imperative security tools that you use with other applications
35
Authenticating Users for Web Services
If you need to authorize access to resources based on the caller’s identity, use impersonation
If all users need to access same resources, Web server performs authentication without impersonation
On production servers, you should disable HTTP-GET and HTTP-POST, limiting them to SOAP access