Creating Reliable And Robust Applications With Visual Studio 2005 And SQL Server 2005 Andrew Coates Developer Evangelist Microsoft Australia http://blogs.msdn.com/acoat

Agenda Introduction Enhancements for secure application development with Visual Studio 2005 Security enhancements in SQL Server 2005

Introduction

Enhancements for secure application development with Visual Studio 2005

Security enhancements in SQL Server 2005

Introduction: Security Today More mission-critical systems More IT assets exposed via the Internet More ways to connect (more threat paths) Everything is becoming connected Increased complexity and functionality lead to increased vulnerabilities Software must do more to protect on the security front Major effort to enhance security capability and features in Visual Studio 2005 and SQL Server 2005

More mission-critical systems

More IT assets exposed via the Internet

More ways to connect (more threat paths)

Everything is becoming connected

Increased complexity and functionality lead to increased vulnerabilities

Software must do more to protect on the security front

Major effort to enhance security capability and features in Visual Studio 2005 and SQL Server 2005

Visual Studio 2005 and .NET 2.0 Enhancements

Managed Code Designed to run under less privileged accounts Improved Code Access Security Permissions Calculator Debug in Zone IntelliSense in Zone (Visual Basic .NET) FxCop

Designed to run under less privileged accounts

Improved Code Access Security

Permissions Calculator

Debug in Zone

IntelliSense in Zone (Visual Basic .NET)

FxCop

Develop Under Less Privileged Account Developing under Least Privileged account is a good practice User will not run your application as an administrator When developing as admin you may be unaware that non-admin accounts don’t have access to resources that you may access Visual Studio 2005 runs much better under non administrative account than previous versions

Developing under Least Privileged account is a good practice

User will not run your application as an administrator

When developing as admin you may be unaware that non-admin accounts don’t have access to resources that you may access

Visual Studio 2005 runs much better under non administrative account than previous versions

Security Principles to Live By Practical Least Privilege Elevate as necessary RunAs MakeMeAdmin (http://blogs.msdn.com/aaron_margosis) Fast User Switching Terminal Services / Remote Desktop Vista/Longhorn LUA http ://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/leastprivlh.asp Add Granular Permissions SQL Server 2005 Granular permissions Security execution context DDL Triggers Code Access Security easier with VS 2005 Permission Calculator Code Access Security - IntelliSense in Zone, Debugging in Zone

Elevate as necessary

RunAs

MakeMeAdmin (http://blogs.msdn.com/aaron_margosis)

Fast User Switching

Terminal Services / Remote Desktop

Vista/Longhorn LUA

http ://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/leastprivlh.asp

Add Granular Permissions

SQL Server 2005

Granular permissions

Security execution context

DDL Triggers

Code Access Security easier with VS 2005

Permission Calculator

Code Access Security - IntelliSense in Zone, Debugging in Zone

Code Access Security Applies security to Assembly Identity Allows restriction on the actions an assembly can perform Predefined permission sets are available to sandbox low trust code Visual Studio 2005 allows the developer to select a target permission set

Applies security to Assembly Identity

Allows restriction on the actions an assembly can perform

Predefined permission sets are available to sandbox low trust code

Visual Studio 2005 allows the developer to select a target permission set

Code Access Security (CAS) Code access security is a mechanism that helps limit the access code has to protected resources and operations; Has following functions Defines permissions and permission sets that represent the right to access various system resources Enables administrators to configure security policy Enables code to request the permissions it requires in order to run, and specifies which permissions the code must never have Grants permissions to each assembly that is loaded, based on the permissions requested and on the operations permitted by security policy Enables code to demand that its callers have specific permissions Enables code to demand that its callers possess a digital signature, thus allowing only callers from a particular organization or site to call the protected code Enforces restrictions on code at run time by comparing the granted permissions of every caller on the call stack to the permissions that callers must have

Code access security is a mechanism that helps limit the access code has to protected resources and operations; Has following functions

Defines permissions and permission sets that represent the right to access various system resources

Enables administrators to configure security policy

Enables code to request the permissions it requires in order to run, and specifies which permissions the code must never have

Grants permissions to each assembly that is loaded, based on the permissions requested and on the operations permitted by security policy

Enables code to demand that its callers have specific permissions

Enables code to demand that its callers possess a digital signature, thus allowing only callers from a particular organization or site to call the protected code

Enforces restrictions on code at run time by comparing the granted permissions of every caller on the call stack to the permissions that callers must have

Code Access Security Evidence Policy + Permissions

Stack Walk Essential part of the security system To protect unauthorized access to protected resources Before allowing an assembly access the protected resource may demand a stack walk to verify that all functions in the call chain have permission to access the system resource Functions can choose to modify the stack walk, and there are a few mechanisms to do this LinkDemands Assert Deny PermitOnly

Essential part of the security system

To protect unauthorized access to protected resources

Before allowing an assembly access the protected resource may demand a stack walk to verify that all functions in the call chain have permission to access the system resource

Functions can choose to modify the stack walk, and there are a few mechanisms to do this

LinkDemands

Assert

Deny

PermitOnly

Stack Walk

Stack Walk P .Demand() Stack walk for permission p Stack walk example Assembly A Assembly B Assembly C Assembly D PermissionSet PermissionSet PermissionSet PermissionSet

Sandboxing Application Domains can be created to sandbox assemblies Process for creating a sandbox has been simplified under the 2.0 framework API is exposed as a new overload of AppDomain.CreateDomain AppDomain.CreateDomain( string friendlyName, Evidence securityInfo, AppDomainSetup info, PermissionSet grantSet, params StrongName[] fullTrustAssemblies );

Application Domains can be created to sandbox assemblies

Process for creating a sandbox has been simplified under the 2.0 framework

API is exposed as a new overload of AppDomain.CreateDomain

Application Domain Creation

Security Transparent Code Transparent code makes no asserts or demands On a stack walk transparent code will have the lesser of its assigned permission set and the permission set of the caller FxCop includes rules to ensure transparency is being correctly used

Transparent code makes no asserts or demands

On a stack walk transparent code will have the lesser of its assigned permission set and the permission set of the caller

FxCop includes rules to ensure transparency is being correctly used

Global Assembly Cache (GAC) Is Full-Trust .NET 2.0 assemblies in the GAC get FullTrust no matter what the security policy says The new GacMembershipCondition Class determines whether an assembly belongs to a code group by testing its global assembly cache membership Rather than having to know about both the full-trust list and the GAC, a framework developer only has to install their framework in the GAC now.

.NET 2.0 assemblies in the GAC get FullTrust no matter what the security policy says

The new GacMembershipCondition Class determines whether an assembly belongs to a code group by testing its global assembly cache membership

Rather than having to know about both the full-trust list and the GAC, a framework developer only has to install their framework in the GAC now.

Increased Strong Name (SN) Key Size SN to generate keys of different sizes; The -k flag takes a key size option as its first parameter If the key size is not specified, it defaults to 1024 bits, the same as the v1.0 and v1.1 versions of SN produce; Not all key sizes are valid, for an RSA key Will result in sn -k 2708 invalidKey.snk sn -k 2048 largekey.snk Failed to generate a strong name key pair -- Invalid flags specified

SN to generate keys of different sizes; The -k flag takes a key size option as its first parameter

If the key size is not specified, it defaults to 1024 bits, the same as the v1.0 and v1.1 versions of SN produce; Not all key sizes are valid, for an RSA key

Will result in

Permissions Calculator PermCalc replaces the PermView utility Looks into assemblies on which target has dependencies Available as both a command line tool and integrated into Visual Studio

PermCalc replaces the PermView utility

Looks into assemblies on which target has dependencies

Available as both a command line tool and integrated into Visual Studio

PermCalc

Debugging Enhancements Debug in Zone – Visual Studio can create environment to match permissions for restricted environments IntelliSense in Zone (Visual Basic)

Debug in Zone – Visual Studio can create environment to match permissions for restricted environments

IntelliSense in Zone (Visual Basic)

Debug In Zone

Debug and IntelliSense In Zone

FxCop Integrated into Visual Studio Identifies Design Issues and supplies information on how to fix them Enforces Microsoft .Net Design Guidelines Can be used as a part of the code check-in policy

Integrated into Visual Studio

Identifies Design Issues and supplies information on how to fix them

Enforces Microsoft .Net Design Guidelines

Can be used as a part of the code check-in policy

FxCop

Other Managed Code Security Enhancements Security cannot be turned of permanently New classes SecureString Contents are kept encrypted Modified until set to ReadOnly Deleted from memory on demand ProtectedMemory Used to Encrypt data in Memory Uses Data Protection API available in Windows XP and Later

Security cannot be turned of permanently

New classes

SecureString

Contents are kept encrypted

Modified until set to ReadOnly

Deleted from memory on demand

ProtectedMemory

Used to Encrypt data in Memory

Uses Data Protection API available in Windows XP and Later

What Else Is New In .NET 2.0 Security Enhanced SecurityException Increased SN Key Size Transparent Code Managed ACLs PKCS7 support FIPS enforcement RFC 2898 PBKDF 2 Test key signing Enhanced X509 support (via X509Certificate2) XML Encryption AppDomainManager/HostSecurityManager

Enhanced SecurityException

Increased SN Key Size

Transparent Code

Managed ACLs

PKCS7 support

FIPS enforcement

RFC 2898 PBKDF 2

Test key signing

Enhanced X509 support (via X509Certificate2)

XML Encryption

AppDomainManager/HostSecurityManager

Team Foundation Server Check In Policies Code Analysis Testing Peer Review

Code Analysis

Testing

Peer Review

TFS Check In Policies

Unmanaged Code Application Verifier Integrated Code Analysis Tools Buffer Check Switch Safe C Runtime Library

Application Verifier

Integrated Code Analysis Tools

Buffer Check Switch

Safe C Runtime Library

SQL Server 2005 Enhancements

SQL Server 2005 Enhancements Secure by Default Password Policy Strengthened Authentication User-Schema Separation Granular Permissions Execution Context Encryption Catalog Security

Secure by Default

Password Policy

Strengthened Authentication

User-Schema Separation

Granular Permissions

Execution Context

Encryption

Catalog Security

Secure By Default If SQL Server 2005 is installed and no options are changed, it is installed in a secure state Access to many resources must now be explicitly granted or enabled before being used Surface Area Configuration Tool

If SQL Server 2005 is installed and no options are changed, it is installed in a secure state

Access to many resources must now be explicitly granted or enabled before being used

Surface Area Configuration Tool

Surface Area Configuration Tool

Password Policy And Authentication SQL Server 2005 can inherit the Password Policy when hosted on Windows 2003 Can be enabled or disabled on a per login basis Logins can be enabled and disabled Login protocol uses stronger channel Uses SQL Server generated certificate No SSL certificate loading is required

SQL Server 2005 can inherit the Password Policy when hosted on Windows 2003

Can be enabled or disabled on a per login basis

Logins can be enabled and disabled

Login protocol uses stronger channel

Uses SQL Server generated certificate

No SSL certificate loading is required

User-Schema Separation Objects are associated with a schema instead of a user Object naming scheme and resolution have been changed server.database.schema.object Users can be assigned a default schema

Objects are associated with a schema instead of a user

Object naming scheme and resolution have been changed

server.database.schema.object

Users can be assigned a default schema

User-Schema Separation

Granular Permissions Permissions can be applied to three scopes: Server, database, and schema Permissions can have one of three states: Granted, revoked, and denied New Permissions Added Securable – entities to be secured (tables, views, assemblies, servers, and others) Grantee – Server level permission Catalog Security

Permissions can be applied to three scopes: Server, database, and schema

Permissions can have one of three states: Granted, revoked, and denied

New Permissions Added

Securable – entities to be secured (tables, views, assemblies, servers, and others)

Grantee – Server level permission

Catalog Security

Execution Context EXECUTE AS CALLER (default) EXECUTE AS ‘USER’ EXECUTE AS SELF EXECUTE AS OWNER

EXECUTE AS CALLER (default)

EXECUTE AS ‘USER’

EXECUTE AS SELF

EXECUTE AS OWNER

Execute AS

Endpoint Security An Endpoint is a point of entry into SQL Server Endpoint Transports Include Shared Memory Named Pipes TCP Virtual Interface Adapter HTTP (Windows 2003 and XP SP2 Only) HTTP Transport is not created by default HTTP Endpoints support 4 authentication types for web methods Anonymous access is not allowed Communications can be secured with SSL

An Endpoint is a point of entry into SQL Server

Endpoint Transports Include

Shared Memory

Named Pipes

TCP

Virtual Interface Adapter

HTTP (Windows 2003 and XP SP2 Only)

HTTP Transport is not created by default

HTTP Endpoints support 4 authentication types for web methods

Anonymous access is not allowed

Communications can be secured with SSL

Encryption SQL Server now has built in support for encryption and decryption Keys can be secured within or external to SQL Server Supports Symmetric encryption, Asymmetric encryption, Encryption by paraphrase and certificates

SQL Server now has built in support for encryption and decryption

Keys can be secured within or external to SQL Server

Supports Symmetric encryption, Asymmetric encryption, Encryption by paraphrase and certificates

Encryption

Other Stuff (Canberra) Event DVDs will be mailed to you in the next week or so. Go to Code Camp www.codecampoz.com

Event DVDs will be mailed to you in the next week or so.

Go to Code Camp www.codecampoz.com

Some More Microsoft Resources Security eForum site http://www.microsoft.com/ australia/eforum MSDN Security Development Centre http:// msdn.microsoft.com /security/ Security Development Centre – Writing Secure Code http:// msdn.microsoft.com/security/securecode/default.aspx Patterns and Practices: Security Guidelines http://msdn.microsoft.com/library/en-us/dnpag2/html/pagguidelines0003.asp What’s new in Security for v2.0 http://blogs.msdn.com/shawnfa/archive/2005/08/24/455581.aspx What’s new with Code Access Security in the .Net Framework 2.0 http://msdn.microsoft.com/msdnmag/issues/05/11/CodeAccessSecurity/default.aspx Security Enhancements in Visual Studio 2005 http://msdn.microsoft.com/library/en-us/dnvs05/html/vs05security.asp Repel Attacks on Your Code with Visual Studio 2005 Safe C and C++ Libraries http://msdn.microsoft.com/msdnmag/issues/05/05/SafeCandC/ SQL Server 2005 Security http://msdn.microsoft.com/sql/learning/security/default.aspx Visual Studio 2005 and SQL Server 2005 Webcast http://www.microsoft.com/events

Security eForum site

http://www.microsoft.com/ australia/eforum

MSDN Security Development Centre

http:// msdn.microsoft.com /security/

Security Development Centre – Writing Secure Code

http:// msdn.microsoft.com/security/securecode/default.aspx

Patterns and Practices: Security Guidelines

http://msdn.microsoft.com/library/en-us/dnpag2/html/pagguidelines0003.asp

What’s new in Security for v2.0

http://blogs.msdn.com/shawnfa/archive/2005/08/24/455581.aspx

What’s new with Code Access Security in the .Net Framework 2.0

http://msdn.microsoft.com/msdnmag/issues/05/11/CodeAccessSecurity/default.aspx

Security Enhancements in Visual Studio 2005

http://msdn.microsoft.com/library/en-us/dnvs05/html/vs05security.asp

Repel Attacks on Your Code with Visual Studio 2005 Safe C and C++ Libraries

http://msdn.microsoft.com/msdnmag/issues/05/05/SafeCandC/

SQL Server 2005 Security

http://msdn.microsoft.com/sql/learning/security/default.aspx

Visual Studio 2005 and SQL Server 2005 Webcast

http://www.microsoft.com/events

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.