Post on 21-Dec-2015
Security in .NET Framework
Sergey Baidachni, MCT, MCSD, MCDBA
Overview
Introduction
Code Access Security
Add-on features in .NET
Best Practices
New Microsoft Exams
Books for reading
Introduction
Security needs
Example (poor practices)
Best practices
Example (try it):
"Select count(*) from UserTable Where Login='" + login + "' and password='" + pwd + "'"
Login: sbad
Password: 123'456
Example (compilation error):
"Select count(*) from UserTable Where Login='sbad' and password='123'456'"
Example:
"Select count(*) from UserTable Where Login='sbad' and password='123' shutdown --'"
Where is your SQL Server now? You would be lucky if the attacker had decided to learn only one command, and that one happened to be "shutdown"...
Best Practices
Using parameters (each input is sent as a typed value, never spliced into the SQL text):
SqlCommand comm = new SqlCommand("select count(*) from UserTable Where Login=@par1 and password=@par2", conn);
comm.Parameters.Add("@par1", SqlDbType.VarChar, 20).Value = login;
comm.Parameters.Add("@par2", SqlDbType.VarChar, 20).Value = pwd;
Using stored procedures
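A worked login check that combines the two best practices above (parameters and a stored procedure), added here as an example rather than code from the slides; the procedure name usp_CheckLogin and its body are assumptions, while UserTable and the 20-character columns come from the slides.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original slides. Assumes a stored procedure
// usp_CheckLogin exists (its body below is also an assumption):
//
//   CREATE PROCEDURE usp_CheckLogin @login VARCHAR(20), @password VARCHAR(20)
//   AS
//     SELECT COUNT(*) FROM UserTable
//     WHERE Login = @login AND password = @password;
public static class LoginCheck
{
    private const int MaxLength = 20; // matches the VARCHAR(20) columns on the slides

    // Returns true when exactly one row matches the supplied credentials.
    // Both inputs travel as typed parameters, so the slide's attack string
    // "123' shutdown --" is compared as a 16-character literal against the
    // password column and is never parsed as SQL.
    public static bool IsValidLogin(string connectionString, string login, string pwd)
    {
        if (login == null || pwd == null)
            return false;

        // SqlParameter silently truncates values longer than its Size, so
        // reject over-long input instead of letting a truncated value be compared.
        if (login.Length > MaxLength || pwd.Length > MaxLength)
            return false;

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand comm = new SqlCommand("usp_CheckLogin", conn))
        {
            // CommandType.StoredProcedure: the command text is only a procedure
            // name; no SQL is assembled on the client at all.
            comm.CommandType = CommandType.StoredProcedure;
            comm.Parameters.Add("@login", SqlDbType.VarChar, MaxLength).Value = login;
            comm.Parameters.Add("@password", SqlDbType.VarChar, MaxLength).Value = pwd;

            conn.Open();
            int count = (int)comm.ExecuteScalar();
            return count == 1;
        }
    }
}
```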
Code Access Security
Least Privilege
Evidence
Permissions
Declarative Permissions
Imperative Permissions
Least Privilege
How much money can they steal if you have none?
Evidence
"Can you lend me some bank money?"
"I would be more than glad, but I am barred from any access."
Permissions
"Lend me some bank money."
"I would be glad to, but I have asked the bank not to give me money."
Declarative Permissions
Stack walk
Demand the minimal permissions the assembly needs:
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read=@"c:\a.txt")]
Refuse permissions the assembly does not need:
[assembly: FileIOPermission(SecurityAction.RequestRefuse, Unrestricted=true)]
Request optional permissions the assembly can work without:
[assembly: FileIOPermission(SecurityAction.RequestOptional, Unrestricted=true)]
Check the resulting permission grant with:
caspol -resolveperm myassembly.exe
Imperative Permissions
Demand and Assert
Deny and PermitOnly
LinkDemand when using SuppressUnmanagedCodeSecurityAttribute
Add-on features in .NET
Form-Based Authentication
Role-Based Security
Microsoft Passport
Authentication: "Security? Login? Password?" ... "You can enter, but don't touch anything with your hands!"
Authorization: "OK, you can do it."
[Diagram: ASP.NET Forms Authentication. The client requests a secure page through IIS; if not authenticated, it is sent to the logon page (users enter their credentials: Username, Password, Submit); once authenticated, an authentication cookie is issued; if authorized, the requested secure page is returned, otherwise access is denied.]
Form-based authentication
Form-based authentication (How?)
Modify the config file:
<system.web>
  <authentication mode="Forms">
    <forms name=".namesuffix" loginUrl="login.aspx" />
  </authentication>
</system.web>
Create a method to authenticate the user: call FormsAuthentication.Authenticate to check the credentials, then FormsAuthentication.RedirectFromLoginPage to issue the authentication cookie and redirect.
Role-based security
Identity and Principals
Windows Identity and Principal
Generic Identity and Principal
Custom Identity and Principal
Identity and Principals
Check the identity of the user (Username = Fred)
Check the role of the user (Role = Manager; roles such as Administrator, Manager)
Identity and Principals in .NET Framework
Identity
Windows identity (WindowsIdentity)
Generic identity (GenericIdentity)
Custom identity (IIdentity)
Principals
Windows principal (WindowsPrincipal)
Generic principal (GenericPrincipal)
Custom principal (IPrincipal)
Microsoft Passport
How it works
Benefits
www.passport.com
How Microsoft Passport Works (diagram: Client, Website.msft, Passport.com)
1. The client requests a page from the host.
2. The site redirects the client to Passport.com.
3. The client is redirected and logs on to Passport.com.
4. Passport returns a cookie with the ticket information.
5. The client accesses the host, this time with the ticket information.
6. The host returns a Web Form and possibly a new cookie that it can read and write.
Best Practices
Strong names
Access modifiers
Disable Trace
Custom error messages
Use Register
New Microsoft Exams
70-340: Implementing Security for Applications with Microsoft Visual C# .NET
70-330: Implementing Security for Applications with Microsoft Visual Basic .NET
Books for reading
Writing Secure Code, by Michael Howard and David LeBlanc
Designing Secure Web-Based Applications for Microsoft Windows 2000, by Michael Howard