Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Implementing application security using the .net framework

4,797 views

Published on

I am not the author of this file but wanted to collect it for study purpose.

Published in: Technology
  • Be the first to comment

Implementing application security using the .net framework

  1. 1. Implementing Application Security Using the Microsoft .NET Framework Name Job Title Company
  2. 2. What We Will Cover <ul><li>.NET Framework Security Features </li></ul><ul><li>Code Access Security </li></ul><ul><li>Role-Based Security </li></ul><ul><li>Cryptography </li></ul><ul><li>Securing ASP.NET Web Applications </li></ul><ul><li>Securing ASP.NET Web Services </li></ul>
  3. 3. Session Prerequisites <ul><li>Development experience with Microsoft Visual Basic®, Microsoft Visual C++®, or C# </li></ul><ul><li>Experience building Microsoft Windows® or Web applications using the .NET Framework </li></ul>Level 200
  4. 4. Agenda <ul><li>.NET Framework Security Features </li></ul><ul><li>Code Access Security </li></ul><ul><li>Role-Based Security </li></ul><ul><li>Cryptography </li></ul><ul><li>Securing ASP.NET Web Applications </li></ul><ul><li>Securing ASP.NET Web Services </li></ul>
  5. 5. .NET Managed Execution Security <ul><li>The .NET Framework security features </li></ul><ul><ul><li>Assist you in developing secure applications </li></ul></ul><ul><ul><li>Include many components, including: </li></ul></ul><ul><ul><ul><li>Type Checker </li></ul></ul></ul><ul><ul><ul><li>Exception Manager </li></ul></ul></ul><ul><ul><ul><li>Security Engine </li></ul></ul></ul><ul><ul><li>Complement Windows Security </li></ul></ul>
  6. 6. A Type-Safe System <ul><li>Type-safe code: </li></ul><ul><ul><li>Prevents buffer overruns </li></ul></ul><ul><ul><li>Restricts access to authorized memory locations </li></ul></ul><ul><ul><li>Allows multiple assemblies to run in the same process </li></ul></ul><ul><li>App Domains provide: </li></ul><ul><ul><li>Increased performance </li></ul></ul><ul><ul><li>Increased code security </li></ul></ul>
  7. 7. Buffer Overrun Protection <ul><li>Type-verification prevents arbitrary memory overwrites </li></ul><ul><li>.NET System.String objects are immutable </li></ul><ul><li>The .NET System.Text.StringBuilder class checks buffer bounds </li></ul><ul><ul><li>void CopyString (string src) </li></ul></ul><ul><ul><li>{ </li></ul></ul><ul><ul><li>stringDest = src; </li></ul></ul><ul><ul><li>} </li></ul></ul>
  8. 8. Arithmetic Error Trapping <ul><li>Arithmetic error trapping is achieved by using: </li></ul><ul><ul><li>The checked keyword </li></ul></ul><ul><ul><li>Project settings </li></ul></ul><ul><ul><li>byte b=0; </li></ul></ul><ul><ul><li>while (true) </li></ul></ul><ul><ul><li>{ </li></ul></ul><ul><ul><li>Console.WriteLine (b); </li></ul></ul><ul><ul><li>checked </li></ul></ul><ul><ul><li>{ </li></ul></ul><ul><ul><li>b++; } </li></ul></ul><ul><ul><li>} </li></ul></ul>
  9. 9. Demonstration 1 Type Safety Investigating .NET Data-Type Safety Using the checked keyword
  10. 10. Strong-Named Assemblies <ul><li>Strong names are </li></ul><ul><ul><li>Unique identifiers (containing a public key) </li></ul></ul><ul><ul><li>Used to digitally sign assemblies </li></ul></ul><ul><li>Strong-named assemblies </li></ul><ul><ul><li>Prevent tampering </li></ul></ul><ul><ul><li>Confirm the identity of the assembly’s publisher </li></ul></ul><ul><ul><li>Allow side-by-side components </li></ul></ul><ul><ul><li>sn –k MyFullKey.snk </li></ul></ul>
  11. 11. Isolated Storage <ul><li>Provides a virtual file system </li></ul><ul><li>Allows quotas </li></ul><ul><li>Implements file system isolation based on: </li></ul><ul><ul><li>Application identity </li></ul></ul><ul><ul><li>User identity </li></ul></ul><ul><ul><li>IsolatedStorageFile isoStore = IsolatedStorageFile.GetUserStoreForAssembly(); </li></ul></ul>
  12. 12. Agenda <ul><li>.NET Framework Security Features </li></ul><ul><li>Code Access Security </li></ul><ul><li>Role-Based Security </li></ul><ul><li>Cryptography </li></ul><ul><li>Securing ASP.NET Web Applications </li></ul><ul><li>Securing ASP.NET Web Services </li></ul>
  13. 13. Evidence-Based Security <ul><li>Evidence </li></ul><ul><ul><li>Is assessed when an assembly is loaded </li></ul></ul><ul><ul><li>Is used to determine the permissions for the assembly </li></ul></ul><ul><ul><li>Can include the assembly’s: </li></ul></ul><ul><ul><ul><li>Strong name information </li></ul></ul></ul><ul><ul><ul><li>URL </li></ul></ul></ul><ul><ul><ul><li>Zone </li></ul></ul></ul><ul><ul><ul><li>Authenticode signature </li></ul></ul></ul>
  14. 14. Security Policies Security Entity Description Policy <ul><li>Is set by administrators </li></ul><ul><li>Is enforced at runtime </li></ul><ul><li>Simplifies administration </li></ul><ul><li>Contains permissions </li></ul><ul><li>Contains code groups </li></ul>Code Group <ul><li>Associates similar components </li></ul><ul><li>Is evidence based </li></ul><ul><li>Is linked to permission set(s) </li></ul>Permission Set <ul><li>Is a set of granted permissions </li></ul>
  15. 15. Security Check Stack Walks Call Stack Security System YourAssembly SomeAssembly .NET Framework Assembly Grant: Execute 1. An assembly requests access to a method in your assembly 2. Your assembly passes the request to a .NET Framework assembly 3. The security system ensures that all callers in the stack have the required permissions 4. The security system grants access or throws an exception Grant: ReadFile Grant: ReadFile Permission Demand Security exception Access denied Grant access? Call to ReadFile Call to ReadFile
  16. 16. Types of Security Checks <ul><li>Imperative security checks </li></ul><ul><ul><li>Create Permission objects </li></ul></ul><ul><ul><li>Call Permission methods </li></ul></ul><ul><li>Declarative security checks </li></ul><ul><ul><li>Use Permission attributes </li></ul></ul><ul><ul><li>Apply to methods or classes </li></ul></ul><ul><li>Overriding security checks </li></ul><ul><ul><li>Use the Assert method </li></ul></ul><ul><ul><li>Prevent the stack walk </li></ul></ul>
  17. 17. Permission Requests <ul><li>Used by developers to state required permissions </li></ul><ul><li>Implemented by attributes </li></ul><ul><li>Prevents an assembly from loading when minimum permissions are not available </li></ul>//I will only run if I can call unmanaged code [assembly:SecurityPermission (SecurityAction.RequestMinimum, UnmanagedCode=true)]
  18. 18. Demonstration 2 Code Access Security Using the .NET Framework Configuration Tool Performing Security Checks Requesting Permissions
  19. 19. Partial Trust Applications <ul><li>Prior to the .NET Framework 1.1, all Web applications ran with full trust </li></ul><ul><li>.NET 1.1 provides partial trust levels: </li></ul><ul><ul><li>Full </li></ul></ul><ul><ul><li>High </li></ul></ul><ul><ul><li>Medium </li></ul></ul><ul><ul><li>Low </li></ul></ul><ul><ul><li>Minimal </li></ul></ul>
  20. 20. Sandboxing Privileged Code Partial Trust Web Application Wrapper Assembly Secured Resource Sandboxed Code <trust level_”Medium” originUri_--/> Permissions Demanded then Asserted AllowPartiallyTrustedCallers attribute added Assembly installed into the global assembly cache Resource Access
  21. 21. Agenda <ul><li>.NET Framework Security Features </li></ul><ul><li>Code Access Security </li></ul><ul><li>Role-Based Security </li></ul><ul><li>Cryptography </li></ul><ul><li>Securing ASP.NET Web Applications </li></ul><ul><li>Securing ASP.NET Web Services </li></ul>
  22. 22. Authentication and Authorization <ul><li>Authentication asks: &quot;Who are you?&quot; &quot;Am I sure you are who you say you are?&quot; </li></ul><ul><li>Authorization asks: &quot;Are you allowed to … ?&quot; </li></ul>
  23. 23. Identities and Principals <ul><li>An identity contains information about a user, such as the user’s logon name </li></ul><ul><li>A principal contains role information about a user or computer </li></ul><ul><li>The .NET Framework provides: </li></ul><ul><ul><li>WindowsIdentity and WindowsPrincipal objects </li></ul></ul><ul><ul><li>GenericIdentity and GenericPrincipal objects </li></ul></ul>
  24. 24. Creating Windows Identities and Principals <ul><li>Use WindowsIdentity and WindowsPrincipal objects for: </li></ul><ul><ul><li>Single validation </li></ul></ul><ul><ul><li>Repeated validation </li></ul></ul>WindowsIdentity myIdent = WindowsIdentity.GetCurrent(); WindowsPrincipal myPrin = new WindowsPrincipal(myIdent); AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal); WindowsPrincipal myPrin = System.Threading.Thread.CurrentPrincipal;
  25. 25. Creating Generic Identities and Principals <ul><li>Create a GenericIdentity and a GenericPrincipal </li></ul><ul><li>Attach the GenericPrincipal to the current thread </li></ul>GenericIdentity myIdent = new GenericIdentity(&quot;User1&quot;); string[] roles = {&quot;Manager&quot;, &quot;Teller&quot;}; GenericPrincipal myPrin = new GenericPrincipal(myIdent, roles); System.Threading.Thread.CurrentPrincipal = myPrin;
  26. 26. Performing Security Checks <ul><li>Use Identity and Principal members in code </li></ul><ul><ul><li>For example, using the Name property of the Identity object to check the user’s logon name </li></ul></ul><ul><ul><li>For example, using the IsInRole method of the Principal object to check role membership </li></ul></ul>if (String.Compare(myPrin.Identity.Name, &quot;DOMAINFred&quot;, true)==0) { // Perform some action } if (myPrin.IsInRole(&quot;BUILTINAdministrators&quot;)) { // Perform some action }
  27. 27. Imperative and Declarative Security Checks <ul><li>Use permissions to make role-based security checks </li></ul><ul><ul><li>Imperative checks </li></ul></ul>PrincipalPermission prinPerm = new PrincipalPermission(&quot;Teller&quot;, “Manager”, true); try { prinPerm.Demand(); //Does the above match the active principal? } [PrincipalPermission(SecurityAction.Demand, Role=&quot;Teller&quot;, Authenticated=true)] <ul><ul><li>Declarative checks </li></ul></ul>
  28. 28. Demonstration 3 Role-Based Security Using Windows Role-Based Security Using Generic Role-Based Security
  29. 29. Agenda <ul><li>.NET Framework Security Features </li></ul><ul><li>Code Access Security </li></ul><ul><li>Role-Based Security </li></ul><ul><li>Cryptography </li></ul><ul><li>Securing ASP.NET Web Applications </li></ul><ul><li>Securing ASP.NET Web Services </li></ul>
  30. 30. Cryptography Review The .NET Framework provides classes that implement these operations Cryptography Term Description Symmetric Encryption Encrypting and decrypting data with a secret key Asymmetric Encryption Encrypting and decrypting data with a public/private key pair Hashing Mapping a long string of data to a short, fixed-size string of data Digital Signing Hashing data and encrypting the hash value with a private key
  31. 31. Using Symmetric Algorithms <ul><li>Choose an algorithm </li></ul><ul><ul><li>TripleDESCryptoServiceProvider </li></ul></ul><ul><ul><li>RijndaelManaged </li></ul></ul><ul><li>Generate a secret key </li></ul><ul><li>Use the same secret key to encrypt and decrypt data: </li></ul><ul><ul><li>FileStream </li></ul></ul><ul><ul><li>MemoryStream </li></ul></ul><ul><ul><li>NetworkStream </li></ul></ul>
  32. 32. Using Asymmetric Algorithms <ul><li>Choose an algorithm </li></ul><ul><ul><li>RSACryptoServiceProvider </li></ul></ul><ul><ul><li>DSACryptoServiceProvider </li></ul></ul><ul><li>Generate a private and public key pair </li></ul><ul><li>Encrypt or decrypt data </li></ul>
  33. 33. Signing Data and Verifying Signatures Action Steps Signing Data <ul><li>Hash the data </li></ul><ul><li>Encrypt the hash value with a private key </li></ul>Verifying Signatures <ul><li>Decrypt the signature by using sender’s public key </li></ul><ul><li>Hash the data </li></ul><ul><li>Compare the decrypted signature to the hash value </li></ul>
  34. 34. Demonstration 4 .NET Framework Encryption Performing Symmetric Encryption Signing Data
  35. 35. Agenda <ul><li>.NET Framework Security Features </li></ul><ul><li>Code Access Security </li></ul><ul><li>Role-Based Security </li></ul><ul><li>Cryptography </li></ul><ul><li>Securing ASP.NET Web Applications </li></ul><ul><li>Securing ASP.NET Web Services </li></ul>
  36. 36. ASP.NET Authentication Types Authentication Type Advantages Disadvantages Windows <ul><li>Uses existing Windows infrastructure </li></ul><ul><li>Controls access to sensitive information </li></ul><ul><li>Does not support all client types </li></ul>Forms <ul><li>Supports all client types </li></ul><ul><li>Relies on cookies </li></ul>Microsoft Passport <ul><li>Supports single sign-on for many Internet Web sites </li></ul><ul><li>Allows developers to customize the appearance of the registration page </li></ul><ul><li>Relies on cookies </li></ul><ul><li>Involves fees </li></ul>
  37. 37. Configuring Forms-Based Authentication <ul><li>Configure IIS to use Anonymous authentication </li></ul><ul><li>Set forms-based authentication in Web.config </li></ul><ul><li>Set up authorization </li></ul><ul><li>Build a logon form </li></ul><system.web> <authentication mode=&quot;Forms&quot;> <forms loginUrl=&quot;WebForm1.aspx&quot;/> </authentication> <authorization> <deny users=&quot;?&quot;/> </authorization> </system.web>
  38. 38. Forms-Based Authentication Enhancements <ul><li>Developers can require secure cookies </li></ul><authentication mode=&quot;Forms&quot;> <forms loginUrl=&quot;login.aspx&quot; protection=&quot;All&quot; requireSSL=&quot;true&quot; timeout=&quot;10&quot; name=&quot;AppNameCookie&quot; path=&quot;/FormsAuth&quot; slidingExpiration=&quot;true&quot; </forms> </authentication> <ul><li>Developer can create application-specific keys </li></ul>
  39. 39. Validation Controls <ul><li>Client-side validation </li></ul><ul><ul><li>Provides instant feedback </li></ul></ul><ul><ul><li>Reduces postback cycles </li></ul></ul><ul><li>Server-side validation </li></ul><ul><ul><li>Repeats all client-side validation </li></ul></ul><ul><ul><li>Validates against stored data, if required </li></ul></ul>Error Message Client Server User Enters Data Valid? Web Application Processed Yes No Valid? Yes No
  40. 40. Types of Validation Controls
  41. 41. Demonstration 5 ASP.NET Web Application Security Configuring Forms Authentication Using Validation Controls
  42. 42. Agenda <ul><li>.NET Framework Security Features </li></ul><ul><li>Code Access Security </li></ul><ul><li>Role-Based Security </li></ul><ul><li>Cryptography </li></ul><ul><li>Securing ASP.NET Web Applications </li></ul><ul><li>Securing ASP.NET Web Services </li></ul>
  43. 43. Message-Level Security XML messages convey security information Credentials Digital signatures Messages can be encrypted Client Transport Service Transport Any Transport XML XML XML XML Security is independent from transport protocol
  44. 44. Web Service Enhancements (WSE) <ul><li>Includes: </li></ul><ul><ul><li>Authentication with SOAP Headers </li></ul></ul><ul><ul><li>Message encryption </li></ul></ul><ul><ul><li>Message signing </li></ul></ul><ul><li>Supports message routing </li></ul><ul><li>Supports attachments </li></ul><ul><li>Implemented in Microsoft.Web.Services.dll assembly </li></ul>
  45. 45. Demonstration 6 Web Services Enhancements Implementing Security for a Web Service
  46. 46. Session Summary <ul><li>.NET Framework Security Features </li></ul><ul><li>Code Access Security </li></ul><ul><li>Role-Based Security </li></ul><ul><li>Cryptography </li></ul><ul><li>Securing ASP.NET Web Applications </li></ul><ul><li>Securing ASP.NET Web Services </li></ul>
  47. 47. Next Steps <ul><li>Stay informed about security </li></ul><ul><ul><li>Sign up for security bulletins: </li></ul></ul><ul><ul><li>http://www.microsoft.com/security/security_bulletins/alerts2.asp </li></ul></ul><ul><ul><li>Get the latest Microsoft security guidance: </li></ul></ul><ul><ul><li>http://www.microsoft.com/security/guidance/ </li></ul></ul><ul><li>Get additional security training </li></ul><ul><ul><li>Find online and in-person training seminars: </li></ul></ul><ul><ul><li>http://www.microsoft.com/seminar/events/security.mspx </li></ul></ul><ul><ul><li>Find a local CTEC for hands-on training: </li></ul></ul><ul><ul><li>http://www.microsoft.com/learning/ </li></ul></ul>
  48. 48. For More Information <ul><li>Microsoft Security Site (all audiences) </li></ul><ul><ul><li>http://www.microsoft.com/security </li></ul></ul><ul><li>MSDN Security Site (developers) </li></ul><ul><ul><li>http://msdn.microsoft.com/security </li></ul></ul><ul><li>TechNet Security Site (IT professionals) </li></ul><ul><ul><li>http://www.microsoft.com/technet/security </li></ul></ul>
  49. 49. Questions and Answers

×