.NET Framework Security
About the Book

In 1997, Microsoft embarked on a "bet the company" strategy that was to reinvent the way the company did business. Even before its release, .NET made major strides in reinventing the way that software developers viewed the software they wrote. Now that it is released, .NET and the .NET Framework will change the software development process for good.

.NET Framework Security provides the ultimate high-end comprehensive reference to all of the new security features available in .NET. Through extensive code samples and step-by-step walkthroughs of configuration techniques, the reader is taken deep into the world of secure applications. Demonstrations of creating custom procedures and a full explanation of each aspect separate this book from many other "lecture books." Many of the concepts expressed in this book are viable not only in .NET, but on the Internet in general. These factors combined make this the one reference that every developer and system administrator should have.

.NET Framework Security provides:
  • An extensive introduction to and explanation of Code Access Security, the powerful new security system shipping in the .NET Framework
  • Information on how to write and test safe applications using the .NET Framework
  • Extensive coverage of how to effectively administer .NET Framework security
  • An in-depth introduction to the cryptography library shipping in the .NET Framework, including an introduction to XML digital signatures
  • An overview of all of the new security features available in .NET
  • Code samples that can be used to implement security on your own Web site or application
  • Step-by-step guidelines for modifying the various configuration files associated with .NET, and an explanation of the elements involved
  • Instructions for all of the aspects of security in the CLR and what it means
  • How to use ASP.NET to create a secure application
  • Explanations for using the CryptoAPI libraries to create your own custom functionality
  • Guidelines on how to create secure network applications as well as applications that exist on the Internet
  • Detailed examples of how to establish security parameters in IIS that relate to ASP.NET
  • Instructions for administering .NET applications hosted in IE

Table of Contents:
(NOTE: Each chapter concludes with a Summary.)

Introduction.

I. INTRODUCTION TO THE .NET DEVELOPER PLATFORM SECURITY.
  1. Common Security Problems on the Internet: Problems with Securing Mobile Code. Downloaded Executables. Source Code. Scripts. Java Applets. ActiveX Controls. Writing Secure Applications. Insecure Default Configurations. Buffer Overflows. Canonicalization Errors. Information Leaks. Denial-of-Service Vulnerabilities.
  2. Introduction to the Microsoft .NET Developer Platform: Tight Language Interoperability. Metadata. JIT Compilation. Garbage Collection. Object-Oriented Programming. Code Access Security. Base Class Library. Native Code Interoperability.
  3. .NET Developer Platform Security Solutions: Fundamental Security Benefits from the .NET Framework. Managing Code Execution. Additional Security Enforcement. Mobile Code Solutions with the .NET Framework. Direct Execution. Browser-Hosted Controls. Networked Computing with the .NET Framework. Insecure Default Configurations. Buffer Overflows. Canonicalization Errors. Information Leaks. Denial-of-Service Vulnerabilities.

II. CODE ACCESS SECURITY FUNDAMENTALS.
  4. User- and Code-Identity-Based Security: Two Complementary Security Paradigms: A Little Anatomy of Computer Security Systems. A Review of User-Identity-Based Security. Entering a New Paradigm: Code-Identity-Based Security. How User- and Code-Identity-Based Security Systems Complement Each Other.
  5. Evidence: Knowing Where Code Comes From: Evidence Explained. Evidence Applies to Executing Code. Evidence Is Applied to Assemblies and App Domains. Different Sources of Evidence. Host-Provided Evidence. Assembly-Provided Evidence. Evidence and the Base Class Library.
  6. Permissions: The Workhorse of Code Access Security: Permissions Explained. Code Access Permissions. Identity Permissions. Other Permissions. How Permissions Are Used. Permissions and Security Policy. Permission Demands. Other Security Actions. Declarative and Imperative Security. Built-in Permissions. Permission Sets.
  7. Walking the Stack: A Review of Stacks and Their Uses. The Security Stack Walk. Modifying a Stack Walk. The Interaction of App Domains with Stack Walks.
  8. Membership Conditions, Code Groups, and Policy Levels: The Brick and Mortar of Security Policy: Membership Conditions. Membership Conditions and Evidence. Membership Conditions Provided by the .NET Framework. Writing Custom Membership Conditions. Code Groups. Code Group Construction. Code Group Hierarchies. Code Groups Provided by the .NET Framework. Code Group Extensibility. Policy Levels. Policy Level Contents. The Four Policy Levels. Working with Policy Levels. Default Security Policy. Enterprise and User Policy. Machine Policy.
  9. Understanding the Concepts of Strong Naming Assemblies: Assemblies and Identity. Public/Private Key Pairs. Signing and Verifying Assemblies. Delay Signing Assemblies. Comparison with Authenticode Signatures.
  10. Hosting Managed Code: What Does Hosting Mean? Containing Assemblies Through the Use of Appdomains. Controlling Trust Within the Hosted Environment. Dealing with Assembly-Sharing Issues. Using Appdomains to Secure Unmanaged Clients.
  11. Verification and Validation: The Backbone of .NET Framework Security: Review of the Anatomy of an Assembly. PE File Format and Metadata Validation. PE File Format Validation. Metadata Validation. IL Validation and Verification. IL Validation. Verifiability and Type Safety. Repercussions of Writing Unverifiable Code. Code Access Security's Dependence on Validation and Verification.
  12. Security through the Lifetime of a Managed Process: Fitting It All Together: Development-Time Security Considerations. Deployment-Time Security Issues. Execution-Time Security Issues. Loading an Assembly. Resolving Policy for an Assembly. Loading Classes from an Assembly. Just-In-Time Verification and Compilation of Methods. Execution-Time Permission Enforcement.

III. ASP.NET AND WEB SERVICES SECURITY FUNDAMENTALS.
  13. Introduction to ASP.NET Security: New Security Features in ASP.NET—And How to Use Them. Forms Authentication. Using Impersonation in ASP.NET. Passport Authentication. Authentication for Web Services. Code Access Security and ASP.NET.
  14. Authentication: Know Who Is Accessing Your Site: ASP.NET Authentication and IIS Authentication. Overview of IIS Authentication. ASP.NET Authentication Settings. Default IIS Settings. Using CLR Role-Based Security in Windows. Using ASP.NET Forms Authentication. Using Impersonation and Delegation in ASP.NET.
  15. Authorization: Control Who Is Accessing Your Site: File and Directory Access Control Lists (ACLs). Using URL Authorization to Allow or Limit Access. Using Programmatic Authorization to Determine Who Is Attempting to Access Your Site.
  16. Data Transport Integrity: Keeping Data Uncorrupted: Implementing SSL Encryption and HTTPS. More About Certificates—Options and Installing. Considerations for Web Services. Encryption of Individual Data Elements—An Overview. Remoting and Encryption via Sinks—An Overview.

IV. .NET FRAMEWORK SECURITY ADMINISTRATION.
  17. Introduction: .NET Framework Security and Operating System Security: A Roadmap for Administering the Security Context of Managed Code. The Code Access Security Policy System. Windows Security. Internet Explorer Security Settings. ASP.NET Security Settings. Database Server Security Mechanisms. A Different Angle: Security Systems Involved in Common Managed Code Execution Scenarios. .NET Framework Security and Operating System Security Settings. Windows Access Control Protections and .NET Framework Security. Windows Software Restriction Policies and .NET Framework Security.
  18. Administering Security Policy Using the .NET Framework Configuration Tool: Before Making Any Security Policy Change: Administration Strategies. Do You Have to Change Policy at All? Think of the Worst Case Scenario. Make the Policy Change with the Least Possible Impact. Pre-Plan the Policy Structure of Your System. Consider the Interaction with Operating System Settings. Document Your Changes. Introduction to the .NET Framework Configuration Tool. Availability of the Tool. Starting the Tool. Overview of the Main Security Administrative Options. Overview of the Policy Tree Manipulation Options. Exiting the Tool. Increasing Trust for an Assembly or Software Publisher Using the Trust Assembly Wizard. The Start Page—Choosing to Make Changes to User or Machine Policy. Selecting the Assembly or Software Publisher to Increase Trust. Increasing Trust Just for a Selected Assembly or for All Assemblies Signed by the Same Software Publisher. Choosing a Level of Trust. Finishing the Wizard. Changing Trust for a Zone Using the Adjust Security Wizard. Choosing to Make Changes to the Machine or User Policy. Choosing a Level of Trust for a Zone. Manipulating the Security Policy Tree Directly—Basic Techniques. Policy Level Features. Code Group Hierarchy. Administrating Permission Sets. Policy Assemblies. Undoing a Change in the Policy Tree. Testing Security Policy Using the Evaluate Assembly Wizard. Modeling Policy Changes Using Open and New. Creating a New Policy Level. Opening a Policy Level Configuration File. Deploying Security Policy. Creating Security Policy Deployment Packages. Deployment Methods. Resetting Security Policy. The .NET Framework Configuration Tool's Self Protection Mechanism. Administrative Tactics: Scenarios, Solutions, Hints, and Tricks. Granting Enterprise-Wide Full Trust to an Assembly. Granting Full Trust to All Assemblies of a Software Publisher Across an Enterprise. Preventing an Assembly from Running Across an Enterprise. Preventing All Assemblies of a Specific Software Publisher from Running Across an Enterprise. Reducing the Level of Trust for All Assemblies from the Intranet for a Specific Machine. Granting All Assemblies from a Specific Intranet Share or Mounted Drive Full Trust on a Machine. Disallowing All Assemblies from a Specific Internet Site to Run on a Machine. “Sandboxing” a Directory on the Local Hard Drive. Giving All Assemblies of a Specific Software Publisher Running from the Internet File Read Rights to a Specific Directory. Changing One's User Level Policy to Disallow Intranet Assemblies to Do Anything But Execute.
  19. Administering .NET Framework Security Policy Using Scripts and Security APIs: Using Batch Scripts for Security Policy Administration. Finding and Starting the Caspol Tool. Basic Caspol Techniques. Caspol in Action—Scripts, Hints, and Tricks. Changing Security Policy by Programming Directly to the Security APIs. Overview of the Security Classes Used for Policy Changes. Examples of Using the Security Classes for Accessing and Changing Policy.
  20. Administering an IIS Machine Using ASP.NET: XML-Based Configuration Files. Hierarchy of .NET Configuration Files. Attributes and Settings. The Element. The Element. The Element. The Element. The Element. The Element. The Element. The Element. The Element. The Element. The Element. The Element. The Element. The Element. The Element. The Element. The Element. The Element. Using Custom Attributes and Settings. IIS Security Settings—A Refresher.
  21. Administering Clients for .NET Framework Mobile Code: Default Security Policy and Mobile Code. Default Security Policy's Impact on Mobile Code. How to Expand Mobile Code Scenarios. Limitations on Calling Strong Named Components. Running Mobile Code in Internet Explorer. ActiveX Controls and Managed Controls. Different Ways to Run Managed Code in Internet Explorer.
  22. Administering Isolated Storage and Cryptography Settings in the .NET Framework: Administering Isolated Storage. Using Storeadm.exe to Administer Isolated Storage. Using the Isolated Storage APIs to Administer Isolated Storage. Using the IsolatedStoragePermission to Govern Code Access to Isolated Storage. Administering Cryptography Settings. Overview of the Cryptography Configuration Settings. Default Mappings. Modifying Cryptography Configuration.

V. .NET FRAMEWORK SECURITY FOR DEVELOPERS.
  23. Creating Secure Code: What All .NET Framework Developers Need to Know: Security and the Developer. Structure of the .NET Framework Security System. Limitations of the .NET Framework Security System.
  24. Architecting a Secure Assembly: Thinking Like a Security Expert: How to Improve the Security of Your Designs from Day One. Paranoia: Designing Defensively for the Worst-Case Scenario. Conservatism: Limiting the Scope of Your Design to Reduce the Likelihood of Security Flaws. If All Else Fails. Don't Throw It All Away.
  25. Implementing a Secure Assembly: Using Existing Security Mechanisms. Using Imperative Security. Using Declarative Security. Allowing Untrusted Callers. Identity Demands and Their Uses. Implementing Your Own Permissions. Implementing a Security Custom Attribute. Working with Strong Names. Strong Name Key Pair Generation. Building Strong Names into Your Assemblies. Coping with Signature Invalidation During the Build Process. Using Delay Signed Assemblies.
  26. Testing a Secured Assembly: Determining What Is Being Protected. Conceptual Resources. Access Points in a Secured Assembly to a Resource. Determining How Resource Protection Is Implemented. Testing Any Applied Custom Permissions. Testing the Key Methods of a Custom Permission That Interface with the Security System. Testing Imperative Use of a Custom Permission. Testing Declarative Use of a Custom Permission. Other Miscellaneous Issues with Custom Permissions. Testing the Methods and Properties That Should Be Protected. Checking Minimal Protection on Methods and Properties. Testing If Undocumented Protection Exists on Methods and Properties.
  27. Writing a Secure Web Site Using ASP.NET: Designing a Secure Web Site. Authentication Choices. Authorization Choices. Channel Options. Possible Attack Scenarios. Implementing a Secure Web Site. Protected Modules. Using Application Logs to Uncover Security Breaches.
  28. Writing a Secure Web Application in the .NET Development Platform: ASP.NET with Remoting Versus Web Services. The Case for Using ASP.NET with Remoting. The Case for Using Web Services. Authentication and Authorization Without IIS. Using a SQL Server Database for Authentication.
  29. Writing a Semi-Trusted Application: Restrictions on Libraries That Can Be Called. Assemblies with APTCA. Libraries with Known Permission Requirements. Making Permission Requests. Protecting Data. Data Persisted to Disk. Data Stored in Memory. Data Sent on the Network. Being Careful About What Code Gets Executed. LinkDemands and Inheritance. Virtual, Internal Methods. Delegates and Stack Walks. Loading Assemblies. Exceptions and Filters. Race Conditions. Being Aware of Permissions at Runtime. Using SecurityManager.IsGranted. Dealing with SecurityExceptions.
  30. Using Cryptography with the .NET Framework: The Basics: Setting the Stage: Key Definitions and Scenarios in Cryptography. Ensuring Confidentiality with Symmetric Algorithms. Ensuring Confidentiality with Asymmetric Algorithms. Using Cryptographic Hash Functions for Message Integrity and Authentication. Keyed Hash Functions. Digital Signatures: Authentication and Integrity Using Asymmetric Algorithms. The Cryptographic Object Model of the .NET Framework. Operating on Streams: CryptoStreams and ICryptoTransforms. Using Symmetric Algorithms. The SymmetricAlgorithm Base Class. Creating Instances of SymmetricAlgorithm Classes. Encrypting and Decrypting with ICryptoTransforms Created from a SymmetricAlgorithm. Using Cryptographic Hash Functions. Creating HashAlgorithm Objects. Computing Hash Values Using the ComputeHash() Methods. Computing Hash Values of Streaming Data Using a CryptoStream. Using Keyed Hash Functions. Random Number Generation and Key Derivation. Generating Pseudo-Random Numbers. Deriving Keys from User Input. Using Asymmetric Algorithms.
  31. Using Cryptography with the .NET Framework: Advanced Topics: Working with CryptoAPI 1.0. The CryptoAPI Provider Model: Cryptographic Service Providers and Key Containers. Accessing Specific Providers and Key Containers from the .NET Framework Using the CspParameters Structure. Calling CryptoAPI 1.0 Functions Directly Using Platform Invoke. Cleaning Up: Deleting Keys and Key Containers. Working with CryptoAPI 2.0. Finalization Versus Explicit Destruction via IDisposable. Extending the .NET Framework's Cryptography Classes and the Cryptographic Configuration System.
  32. Using Cryptography with the .NET Framework: Creating and Verifying XML Digital Signatures: XMLDSIG Design Principles and Modes of Use. The Structure of an XMLDSIG Signature. The ds:Signature Element. The ds:SignatureValue Element. The ds:SignedInfo Element. The ds:Reference Element. The ds:KeyInfo Element. Creating XMLDSIG-Compliant Signatures Using the .NET Framework. Verifying an XMLDSIG Signature. Extending System.Security.Cryptography.Xml for Custom Processing.

Index.

About the Authors:
Brian A. LaMacchia is the Development Lead for .NET Framework Security at Microsoft Corporation in Redmond, WA, a position he has held since April 1999. Previously, Dr. LaMacchia was the Program Manager for core cryptography in Windows 2000 and, prior to joining Microsoft in 1997, he was a Senior Member of Technical Staff in the Public Policy Research Group at AT&T Labs-Research in Florham Park, NJ. He received S.B., S.M., and Ph.D. degrees in Electrical Engineering and Computer Science from MIT in 1990, 1991, and 1996, respectively.

Sebastian Lange has been working at Microsoft as Program Manager on the .NET Framework Common Language Runtime security team for over two years. He focuses on security configuration, administration, type safety verification, and secure hosting of the CLR. Prior to his work on security, Sebastian did research and design in artificial intelligence, both in industry and at university. He holds a B.A. in Computer Science and a B.A. in Philosophy from Macalester College. In his spare time, Sebastian practices a variety of musical instruments, and can be seen playing the electric viola for his band Elysian up and down the west coast.

Matthew Lyons is the QA lead for security features of the Common Language Runtime at Microsoft Corporation. He has been testing and developing against the internal workings of .NET Framework security for over two years. Before that, he spent two years testing public key cryptography and the certificate services in Windows 2000. Matt received a B.S. in Applied Physics from Purdue University in 1997 and is currently working on an M.S. in Computer Science at the University of Washington.

Rudi Martin graduated from Glasgow University (Scotland, U.K.) in 1991 with a B.Sc. in Computing Science. He spent seven years working for Digital Equipment Corporation in the operating systems group, covering areas such as file systems, interprocess communications, and transaction processing. Rudi joined the NDP group at Microsoft in 1999, where he worked in the core execution engine and the security subsystem. He worked on the OpenVMS platform, transitioned to Windows NT, and has been very busy with the Common Language Runtime security group.

Kevin T. Price has been a software architect for over seven years, specializing in Web-based applications. He is presently a Senior Software Architect for CMS Information Services in Vienna, VA. Kevin has edited books on .NET as well as authored chapters in BizTalk Unleashed. The material and code samples found in his chapters reflect real-world experience, focusing on securing information and platform scalability. Mr. Price has both architecture and hands-on experience using technologies including ASP, Crypto API, JSP, Java, COM/DCOM, VB, C++, .NET, and numerous other technologies related to the Internet and/or the Microsoft-based toolset.
Product Details
  • ISBN-13: 9780672321849
  • Publisher: Pearson Education (US)
  • Publisher Imprint: Addison-Wesley Educational Publishers Inc
  • Language: English
  • ISBN-10: 067232184X
  • Publisher Date: 24 Apr 2002
  • Binding: Paperback
  • Returnable: N