.NET Framework Security

Book Description

In 1997, Microsoft embarked on a "bet the company" strategy that was to reinvent the way the company did business. Even before its release, .NET made major strides in reinventing the way that software developers viewed the software they wrote.

Now that it is released, .NET and the .NET Framework will change the software development process for good.

.NET Framework Security provides the ultimate high-end comprehensive reference to all of the new security features available in .NET. Through extensive code samples and step-by-step walkthroughs of configuration techniques, the reader is taken deep into the world of secure applications. Demonstrations of creating custom procedures and a full explanation of each aspect separate this book from many other "lecture books." Many of the concepts expressed in this book are not only viable in .NET, but on the Internet in general. These factors combined make this the one reference that every developer and system administrator should have.

.NET Framework Security provides

  • An extensive introduction to and explanation of Code Access Security, the powerful new security system shipping in the .NET Framework

  • Information on how to write and test safe applications using the .NET Framework

  • Extensive coverage on how to effectively administer .NET Framework security

  • In-depth introduction to the cryptography library shipping in the .NET Framework, including an introduction to XML digital signatures

  • An overview of all of the new security features available in .NET

  • Code samples that can be used to implement security on your own Web site or application

  • Step-by-step guidelines for modifying the various configuration files associated with .NET, and an explanation of the elements involved

  • Instructions for all of the aspects of security in the CLR and what they mean

  • How to use ASP.NET to create a secure application

  • Explanations for using the CryptoAPI libraries to create your own custom functionality

  • Guidelines on how to create secure network applications as well as applications that exist on the Internet

  • Detailed examples of how to establish security parameters in IIS that relate to ASP.NET

  • Instructions for administering .NET applications hosted in IE


    Table of Contents

    1. Copyright
    2. About the Authors
    3. Acknowledgments
    4. Introduction
    5. Introduction to the .NET Developer Platform Security
      1. Common Security Problems on the Internet
        1. Problems with Securing Mobile Code
        2. Writing Secure Applications
        3. Summary
      2. Introduction to the Microsoft .NET Developer Platform
        1. Tight Language Interoperability
        2. Metadata
        3. JIT Compilation
        4. Garbage Collection
        5. Object-Oriented Programming
        6. Code Access Security
        7. Base Class Library
        8. Native Code Interoperability
        9. Summary
      3. .NET Developer Platform Security Solutions
        1. Fundamental Security Benefits from the .NET Framework
        2. Mobile Code Solutions with the .NET Framework
        3. Networked Computing with the .NET Framework
        4. Summary
    6. Code Access Security Fundamentals
      1. User- and Code-Identity–Based Security: Two Complementary Security Paradigms
        1. A Little Anatomy of Computer Security Systems
        2. A Review of User-Identity–Based Security
        3. Entering a New Paradigm: Code-Identity–Based Security
        4. How User- and Code-Identity–Based Security Systems Complement Each Other
        5. Summary
      2. Evidence: Knowing Where Code Comes From
        1. Evidence Explained
        2. Different Sources of Evidence
        3. Evidence and the Base Class Library
        4. Summary
      3. Permissions: The Workhorse of Code Access Security
        1. Permissions Explained
        2. How Permissions Are Used
        3. Declarative and Imperative Security
        4. Built-in Permissions
        5. Permission Sets
        6. Summary
      4. Walking the Stack
        1. A Review of Stacks and Their Uses
        2. The Security Stack Walk
        3. Modifying a Stack Walk
        4. The Interaction of App Domains with Stack Walks
        5. Summary
      5. Membership Conditions, Code Groups, and Policy Levels: The Brick and Mortar of Security Policy
        1. Membership Conditions
        2. Code Groups
        3. Policy Levels
        4. Default Security Policy
        5. Summary
      6. Understanding the Concepts of Strong Naming Assemblies
        1. Assemblies and Identity
        2. Public/Private Key Pairs
        3. Signing and Verifying Assemblies
        4. Delay Signing Assemblies
        5. Comparison with Authenticode Signatures
        6. Summary
      7. Hosting Managed Code
        1. What Does Hosting Mean?
        2. Containing Assemblies Through the Use of Appdomains
        3. Controlling Trust Within the Hosted Environment
        4. Dealing with Assembly-Sharing Issues
        5. Using Appdomains to Secure Unmanaged Clients
        6. Summary
      8. Verification and Validation: The Backbone of .NET Framework Security
        1. Review of the Anatomy of an Assembly
        2. PE File Format and Metadata Validation
        3. IL Validation and Verification
        4. Code Access Security's Dependence on Validation and Verification
        5. Summary
      9. Security Through the Lifetime of a Managed Process: Fitting It All Together
        1. Development-Time Security Considerations
        2. Deployment-Time Security Issues
        3. Execution-Time Security Issues
        4. Summary
    7. ASP.NET and Web Services Security Fundamentals
      1. Introduction to ASP.NET Security
        1. New Security Features in ASP.NET—And How to Use Them
        2. Authentication for Web Services
        3. Code Access Security and ASP.NET
        4. Summary
      2. Authentication: Know Who Is Accessing Your Site
        1. ASP.NET Authentication and IIS Authentication
        2. Default IIS Settings
        3. Using CLR Role-Based Security in Windows
        4. Using ASP.NET Forms Authentication
        5. Using Impersonation and Delegation in ASP.NET
        6. Summary
      3. Authorization: Control Who Is Accessing Your Site
        1. File and Directory Access Control Lists (ACLs)
        2. Using URL Authorization to Allow or Limit Access
        3. Using Programmatic Authorization to Determine Who Is Attempting to Access Your Site
        4. Summary
      4. Data Transport Integrity: Keeping Data Uncorrupted
        1. Implementing SSL Encryption and HTTPS
        2. Encryption of Individual Data Elements—An Overview
        3. Remoting and Encryption via Sinks—An Overview
        4. Summary
    8. .NET Framework Security Administration
      1. Introduction: .NET Framework Security and Operating System Security
        1. A Roadmap for Administering the Security Context of Managed Code
        2. .NET Framework Security and Operating System Security Settings
        3. Summary
      2. Administering Security Policy Using the .NET Framework Configuration Tool
        1. Before Making Any Security Policy Change: Administration Strategies
        2. Introduction to the .NET Framework Configuration Tool
        3. Increasing Trust for an Assembly or Software Publisher Using the Trust Assembly Wizard
        4. Changing Trust for a Zone Using the Adjust Security Wizard
        5. Manipulating the Security Policy Tree Directly—Basic Techniques
        6. Testing Security Policy Using the Evaluate Assembly Wizard
        7. Modeling Policy Changes Using Open and New
        8. Deploying Security Policy
        9. Resetting Security Policy
        10. The .NET Framework Configuration Tool's Self Protection Mechanism
        11. Administrative Tactics: Scenarios, Solutions, Hints, and Tricks
        12. Summary
      3. Administering .NET Framework Security Policy Using Scripts and Security APIs
        1. Using Batch Scripts for Security Policy Administration
        2. Changing Security Policy by Programming Directly to the Security APIs
        3. Summary
      4. Administering an IIS Machine Using ASP.NET
        1. XML-Based Configuration Files
        2. Hierarchy of .NET Configuration Files
        3. Attributes and Settings
        4. IIS Security Settings—A Refresher
        5. Summary
      5. Administering Clients for .NET Framework Mobile Code
        1. Default Security Policy and Mobile Code
        2. Limitations on Calling Strong Named Components
        3. Running Mobile Code in Internet Explorer
        4. Summary
      6. Administering Isolated Storage and Cryptography Settings in the .NET Framework
        1. Administering Isolated Storage
        2. Administering Cryptography Settings
        3. Summary
    9. .NET Framework Security for Developers
      1. Creating Secure Code: What All .NET Framework Developers Need to Know
        1. Security and the Developer
        2. Structure of the .NET Framework Security System
        3. Limitations of the .NET Framework Security System
        4. Summary
      2. Architecting a Secure Assembly
        1. Thinking Like a Security Expert: How to Improve the Security of Your Designs from Day One
        2. If All Else Fails
        3. Don't Throw It All Away
        4. Summary
      3. Implementing a Secure Assembly
        1. Using Existing Security Mechanisms
        2. Implementing Your Own Permissions
        3. Working with Strong Names
        4. Summary
      4. Testing a Secured Assembly
        1. Determining What Is Being Protected
        2. Determining How Resource Protection Is Implemented
        3. Testing Any Applied Custom Permissions
        4. Testing the Methods and Properties That Should Be Protected
        5. Summary
      5. Writing a Secure Web Site Using ASP.NET
        1. Designing a Secure Web Site
        2. Implementing a Secure Web Site
        3. Summary
      6. Writing a Secure Web Application in the .NET Development Platform
        1. ASP.NET with Remoting Versus Web Services
        2. Authentication and Authorization Without IIS
        3. Summary
      7. Writing a Semi-Trusted Application
        1. Restrictions on Libraries That Can Be Called
        2. Making Permission Requests
        3. Protecting Data
        4. Being Careful About What Code Gets Executed
        5. Being Aware of Permissions at Runtime
        6. Summary
      8. Using Cryptography with the .NET Framework: The Basics
        1. Setting the Stage: Key Definitions and Scenarios in Cryptography
        2. The Cryptographic Object Model of the .NET Framework
        3. Operating on Streams: CryptoStreams and ICryptoTransforms
        4. Using Symmetric Algorithms
        5. Using Cryptographic Hash Functions
        6. Using Keyed Hash Functions
        7. Random Number Generation and Key Derivation
        8. Using Asymmetric Algorithms
        9. Summary
      9. Using Cryptography with the .NET Framework: Advanced Topics
        1. Working with CryptoAPI 1.0
        2. Working with CryptoAPI 2.0
        3. Finalization Versus Explicit Destruction via IDisposable
        4. Extending the .NET Framework's Cryptography Classes and the Cryptographic Configuration System
        5. Summary
      10. Using Cryptography with the .NET Framework: Creating and Verifying XML Digital Signatures
        1. XMLDSIG Design Principles and Modes of Use
        2. The Structure of an XMLDSIG Signature
        3. Creating XMLDSIG-Compliant Signatures Using the .NET Framework
        4. Verifying an XMLDSIG Signature
        5. Extending System.Security.Cryptography.Xml for Custom Processing
        6. Summary
    10. Index