Security in .NET Framework, Sergey Baidachni (MCT, MCSD, MCDBA)
Posted: 21-Dec-2015
Transcript of Security in .NET Framework, Sergey Baidachni (MCT, MCSD, MCDBA).

Page 1: Security in .NET Framework Sergey Baidachni MCT, MCSD, MCDBA.

Security in .NET Framework

Sergey Baidachni, MCT, MCSD, MCDBA

Page 2:

Overview
- Introduction
- Code Access Security
- Add-on features in .NET
- Best Practices
- New Microsoft Exams
- Books for reading

Page 3:

Introduction
- Security Needs
- Example (poor practices)
- Best Practices

Page 4:

Example (try it)

    "Select count(*) from UserTable Where Login='" + login + "' and password='" + pwd + "'"

Login: sbad
Password: 123'456

Page 5:

Example (compilation error)

    "Select count(*) from UserTable Where Login='sbad' and password='123'456'"

Page 6:

Example

    "Select count(*) from UserTable Where Login='sbad' and password='123' shutdown --'"

Where is your SQL Server now? You would be lucky if the attacker had bothered to learn only one command, and that one happened to be "shutdown"...

Page 7:

Best Practices

Using parameters:

    SqlCommand comm = new SqlCommand("select count(*) from UserTable Where Login=@par1 and password=@par2", conn);
    comm.Parameters.Add("@par1", SqlDbType.VarChar, 20).Value = login;
    comm.Parameters.Add("@par2", SqlDbType.VarChar, 20).Value = pwd;

Using stored procedures
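An added C# example (not from the slides) that puts the concatenated query of slides 4-6 next to the parameterized command of slide 7 in one class. It assumes System.Data.SqlClient, the slides' UserTable with VarChar(20) Login and Password columns, and a connection string you supply; the concatenating builder is there only to make the quote-handling difference visible.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class LoginCheck
{
    // Slide 4 style: the input is spliced into the SQL text, so a quote inside the
    // password changes the statement itself (123'456 makes it unparseable).
    public static string BuildConcatenated(string login, string pwd)
    {
        return "select count(*) from UserTable where Login='" + login +
               "' and password='" + pwd + "'";
    }

    // Slide 7 style: the SQL text is fixed; login and pwd travel as typed parameter
    // values, so a quote is just one more character inside a VarChar(20) value.
    public static SqlCommand BuildParameterized(SqlConnection conn, string login, string pwd)
    {
        var comm = new SqlCommand(
            "select count(*) from UserTable where Login=@par1 and password=@par2", conn);
        comm.Parameters.Add("@par1", SqlDbType.VarChar, 20).Value = login;
        comm.Parameters.Add("@par2", SqlDbType.VarChar, 20).Value = pwd;
        return comm;
    }

    // Returns true only when exactly one row matches. Inputs longer than the column
    // are rejected up front rather than silently truncated by the provider.
    // Assumption: a plaintext password column as on the slides; a real store compares a salted hash.
    public static bool Authenticate(string connectionString, string login, string pwd)
    {
        if (string.IsNullOrEmpty(login) || string.IsNullOrEmpty(pwd) ||
            login.Length > 20 || pwd.Length > 20)
            return false;
        using (var conn = new SqlConnection(connectionString))
        {
            conn.Open();
            using (var comm = BuildParameterized(conn, login, pwd))
                return (int)comm.ExecuteScalar() == 1;
        }
    }

    static void Main()
    {
        // The slide's own input: login sbad, password 123'456
        Console.WriteLine(BuildConcatenated("sbad", "123'456"));   // statement text is now malformed
        using (var comm = BuildParameterized(new SqlConnection(), "sbad", "123'456"))
            Console.WriteLine(comm.Parameters["@par2"].Value);     // the quote never reaches the SQL text
    }
}
```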

Page 8:

Code Access Security
- Least Privilege
- Evidence
- Permissions
- Declarative Permissions
- Imperative Permissions

Page 9:

Least Privilege

How much money can they steal if you have none?

Page 10:

Evidence

"Can you lend me some bank money?"

"I would be more than glad to, but I am debarred from any access."

Page 11:

Permissions

"Lend me some bank money."

"I would be glad to, but I have asked the bank not to give me money."

Page 12:

Declarative Permissions
- Stack Walk
- Demand minimal permissions:
    [assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"c:\a.txt")]
- Reject redundant permissions:
    [assembly: FileIOPermission(SecurityAction.RequestRefuse, Unrestricted = true)]
- Request optional (not strictly necessary) permissions:
    [assembly: FileIOPermission(SecurityAction.RequestOptional, Unrestricted = true)]
- See what policy actually grants the assembly:
    caspol -resolveperm myassembly.exe

Page 13:

Imperative Permissions
- Demand and Assert
- Deny and PermitOnly
- LinkDemand while using SuppressUnmanagedCodeSecurityAttribute
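An added example (not from the slides) showing the slide 12 RequestMinimum attribute together with the imperative Demand, PermitOnly and Assert calls from slide 13. It assumes the .NET Framework (CAS is not enforced on .NET Core / .NET 5+), that c:\a.txt exists, and the hypothetical ConfigReader class and path names.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Declarative request from slide 12: the assembly states up front that it needs read
// access to exactly this file, so it fails to load rather than run under-privileged.
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"c:\a.txt")]

static class ConfigReader
{
    // Hypothetical file the assembly is meant to read (matches the attribute above).
    const string ConfigPath = @"c:\a.txt";

    // Demand: the stack walk checks every caller for read access to the path and
    // throws SecurityException before any I/O if one of them lacks it.
    public static string ReadDemanding(string path)
    {
        new FileIOPermission(FileIOPermissionAccess.Read, path).Demand();
        return File.ReadAllText(path);
    }

    // PermitOnly: while this frame is active, only read access to ConfigPath can
    // succeed, so passing any other path fails even in a fully trusted process.
    public static string ReadConfined(string requested)
    {
        new FileIOPermission(FileIOPermissionAccess.Read, ConfigPath).PermitOnly();
        try { return File.ReadAllText(requested); }
        finally { CodeAccessPermission.RevertPermitOnly(); }
    }

    // Assert: stops the stack walk here so a less-trusted caller can read ConfigPath
    // through us. Safe only because the path is fixed, never caller-supplied.
    public static string ReadForCaller()
    {
        new FileIOPermission(FileIOPermissionAccess.Read, ConfigPath).Assert();
        try { return File.ReadAllText(ConfigPath); }
        finally { CodeAccessPermission.RevertAssert(); }
    }

    static void Main()
    {
        try { Console.WriteLine(ReadDemanding(ConfigPath).Length); }
        catch (SecurityException e) { Console.WriteLine("Demand failed: " + e.Message); }
        try { ReadConfined(@"c:\other.txt"); }
        catch (SecurityException) { Console.WriteLine("PermitOnly blocked c:\\other.txt"); }
    }
}
```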

Page 14:

Add-on features in .NET
- Form-Based Authentication
- Role-Based Security
- Microsoft Passport

Page 15:

Security? Login? Password?

Authentication: "You can enter, but don't touch anything with your hands!"

Authorization: "OK, you can do it."

Page 16:

[Diagram: ASP.NET Forms Authentication flow, steps numbered 1-7. Labels: Client requests page; IIS; Not Authenticated; Logon Page (users enter their credentials: Username, Password, Submit); Authenticated; Authentication Cookie; Authorized; Requested Secure Page; Access Denied.]

Form-based authentication

Page 17:

Form-based authentication (How?)

Modify the config file:

    <system.web>
      <authentication mode="Forms">
        <forms name=".namesuffix" loginUrl="login.aspx" />
      </authentication>
    </system.web>

Create a method to authenticate the user:
- FormsAuthentication.Authenticate
- FormsAuthentication.RedirectFromLoginPage
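An added example (not from the slides) of a login.aspx code-behind that wires together the two methods named on slide 17. It assumes ASP.NET Web Forms on the .NET Framework, the control names given in the comments, and that credentials live in the web.config <credentials> section that FormsAuthentication.Authenticate checks.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Code-behind for the login.aspx named by <forms loginUrl="login.aspx"> on slide 17.
// Assumed controls declared on the page: UserNameBox, PasswordBox (TextMode="Password"),
// ErrorLabel, and a SubmitButton wired to SubmitButton_Click.
// Assumed web.config addition, without which anonymous requests are never redirected here:
//   <authorization><deny users="?" /></authorization>
public partial class Login : Page
{
    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        string user = UserNameBox.Text.Trim();

        // FormsAuthentication.Authenticate compares the pair with the <credentials>
        // section of web.config; in a real application substitute your own store
        // lookup here (for example the parameterized query from slide 7).
        if (FormsAuthentication.Authenticate(user, PasswordBox.Text))
        {
            // Writes the ".namesuffix" ticket cookie (second argument false = not
            // persistent) and sends the user back to the page originally requested,
            // or to the default document if there was none.
            FormsAuthentication.RedirectFromLoginPage(user, false);
        }
        else
        {
            // One generic message: do not reveal whether name or password was wrong.
            ErrorLabel.Text = "Login failed.";
        }
    }
}
```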

Page 18:

Role-based security
- Identity and Principals
- Windows Identity and Principal
- Generic Identity and Principal
- Custom Identity and Principal

Page 19:

Identity and Principals
- Check the identity of the user
- Check the role of the user

[Diagram: a user with "Username = Fred" checked against the roles Administrator and Manager, with "Role = Manager" as the result.]

Page 20:

Identity and Principals in .NET Framework

Identity
- Windows identity (WindowsIdentity)
- Generic identity (GenericIdentity)
- Custom identity (IIdentity)

Principals
- Windows principal (WindowsPrincipal)
- Generic principal (GenericPrincipal)
- Custom principal (IPrincipal)
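An added example (not from the slides) that builds the generic identity and principal from slide 20 for the user Fred of slide 19 and checks his role both imperatively and declaratively. It assumes the .NET Framework (declarative PrincipalPermission is not supported on .NET Core) and the hypothetical RoleDemo class, role names and method names.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class RoleDemo
{
    // After its own authentication step an application builds a principal: the
    // identity says who the user is, the principal adds which roles they hold.
    public static IPrincipal MakePrincipal(string userName, params string[] roles)
    {
        var identity = new GenericIdentity(userName, "Custom");  // "Custom" = authentication type label
        return new GenericPrincipal(identity, roles);
    }

    // Imperative check (slide 19): the caller decides what happens when the role is missing.
    public static bool CanApprove(IPrincipal user)
    {
        return user.Identity.IsAuthenticated && user.IsInRole("Manager");
    }

    // Declarative check: the runtime demands the role on Thread.CurrentPrincipal
    // before the body runs and throws SecurityException otherwise.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrator")]
    public static void ResetPasswords()
    {
        Console.WriteLine("passwords reset");
    }

    static void Main()
    {
        // Fred from slide 19: a Manager, not an Administrator.
        Thread.CurrentPrincipal = MakePrincipal("Fred", "Manager");
        Console.WriteLine(CanApprove(Thread.CurrentPrincipal));
        try { ResetPasswords(); }
        catch (SecurityException) { Console.WriteLine("Administrator role required"); }
    }
}
```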

Page 21:

Microsoft Passport
- How it works
- Benefits
- www.passport.com

Page 22:

How Microsoft Passport Works

[Diagram with three parties: Website.msft, Client, Passport.com; numbered steps 1-6.]

1. The client requests a page from the host.
2. The site redirects the client to Passport.com.
3. The client is redirected and logs on to Passport.com.
4. Passport returns a cookie with the ticket information.
5. The client accesses the host, this time with ticket information.
6. The host returns a Web Form and possibly a new cookie that it can read and write.

Page 23:

Best Practices
- Strong Names
- Access Modifiers
- Trace Disable
- Custom Error Messages
- Use Register

Page 24:

New Microsoft Exams
- 70-340: Implementing Security for Applications with Microsoft Visual C# .NET
- 70-330: Implementing Security for Applications with Microsoft Visual Basic .NET

Page 25:

Books for reading
- Writing Secure Code, by Michael Howard and David LeBlanc
- Designing Secure Web-Based Applications for Microsoft Windows 2000, by Michael Howard