New security features in .NET Framework 2.0

Security Enhancements in .NET Framework 2.0
Rajiv Sodhi, Microsoft India

Agenda
- CLR Enhancements
  - Protecting Data (DPAPI)
  - System.Security.SecureString
  - Access Control Lists
  - XML Encryption
  - Configuration file encryption
- ASP.NET Security
- ClickOnce Security
- Summary

Data Protection API (DPAPI)
- OS-level data protection service, available on Windows 2000, XP and Server 2003
- Password-based: the protection key is derived from the user's logon credentials, so the protected data is tied to that Windows account
- DPAPI does not store the protected data; the caller receives an opaque blob and decides where to keep it (file, registry, database)
- Exposed natively as CryptProtectData and CryptUnprotectData
- There was no out-of-the-box support for these calls in Framework 1.0 and 1.1 (they had to be reached through P/Invoke); 2.0 wraps them in System.Security.Cryptography.ProtectedData

Data Protection API

```csharp
using System;
using System.Security.Cryptography;   // ProtectedData lives in System.Security.dll; add that reference
using System.Text;

byte[] rawData = Encoding.UTF8.GetBytes("My test");

// Protect under the current user's DPAPI master key; the second argument is optional entropy (none here)
byte[] cipherData = ProtectedData.Protect(rawData, null, DataProtectionScope.CurrentUser);

// Only code running as the same Windows user can reverse it; the scope must match the one used to protect
rawData = ProtectedData.Unprotect(cipherData, null, DataProtectionScope.CurrentUser);
Console.WriteLine(Encoding.UTF8.GetString(rawData));
```
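The deck's snippet passes null entropy, which means any process running as the same user can unprotect the blob. The following added example (not from the deck) shows the two things a practitioner usually wants on top of that: supplying application entropy as a second input, and seeing that DPAPI rejects a wrong entropy instead of returning garbage. The entropy string and the secret are constructed for the demo; in real code the entropy must not be stored next to the blob.

```csharp
using System;
using System.Security.Cryptography;   // ProtectedData: reference System.Security.dll
using System.Text;

// Added example, not the deck's code: DPAPI with optional entropy and failure behaviour.
class DpapiEntropyDemo
{
    // Constructed demo entropy. DPAPI keys the blob from the caller's logon credentials, so without
    // entropy any code running as this user can call Unprotect. Entropy is a second secret the
    // attacker must also obtain; keep it out of the file that holds the blob.
    static readonly byte[] AppEntropy = Encoding.UTF8.GetBytes("demo-entropy-v1");

    // Protect a UTF-8 secret and wipe the managed plaintext copy afterwards.
    public static byte[] Seal(string secret, byte[] entropy, DataProtectionScope scope)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        try { return ProtectedData.Protect(plain, entropy, scope); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    // Reverse it. The blob is integrity-protected: a wrong entropy, or a different user for a
    // CurrentUser blob, raises CryptographicException rather than yielding wrong bytes.
    public static string Open(byte[] blob, byte[] entropy, DataProtectionScope scope)
    {
        byte[] plain = ProtectedData.Unprotect(blob, entropy, scope);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    static void Main()
    {
        byte[] blob = Seal("My test", AppEntropy, DataProtectionScope.CurrentUser);
        Console.WriteLine("blob: " + Convert.ToBase64String(blob));   // opaque; safe to persist
        Console.WriteLine("open: " + Open(blob, AppEntropy, DataProtectionScope.CurrentUser));

        try
        {
            Open(blob, Encoding.UTF8.GetBytes("wrong"), DataProtectionScope.CurrentUser);
            Console.WriteLine("unexpected: wrong entropy accepted");
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("wrong entropy rejected: " + e.Message);
        }

        // LocalMachine scope: any process on this machine can unprotect, whatever user it runs as.
        // Use it only for service accounts without a loadable profile, and always with entropy.
        byte[] machineBlob = Seal("shared", AppEntropy, DataProtectionScope.LocalMachine);
        Console.WriteLine("machine scope: " + Open(machineBlob, AppEntropy, DataProtectionScope.LocalMachine));
    }
}
```

Note that scope is about who can decrypt, not a second key the caller chooses freely: a CurrentUser blob is bound to the user's master key, a LocalMachine blob to the machine's, and neither protects against code already running under that identity.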

System.Security.SecureString
- Managed strings are a bad place to store secrets:
  - System.String is immutable, so there is no way to erase its contents, and the GC does not zero memory when it frees it
  - GC compaction is not deterministic: the GC may move the string and leave several copies of the secret in memory
- SecureString is used for confidential text (passwords, keys, connection strings)
  - Content is encrypted in memory, based on DPAPI's in-memory protection (RtlEncryptMemory), and decrypted only when explicitly marshalled out
  - Deleted when no longer needed: Dispose zeroes the buffer
  - Class not visible to COM
- Caveat for practitioners: whatever consumes the secret must decrypt it into unmanaged memory, so SecureString shortens the exposure window rather than eliminating it, and the in-memory protection exists only on Windows
- Supported methods:

- Insert, Append (AppendChar), Remove and Clear
- MakeReadOnly for lockdown: after it, any mutating call throws InvalidOperationException
- No methods to inspect, compare or convert the content; the only way out is through the Marshal class into unmanaged memory, which the caller must zero and free

SecureString Example

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Create a SecureString and add characters one at a time (there is no constructor that takes a string)
SecureString ss = new SecureString();
ss.AppendChar('a');   // the slide's AppendCharacter is the pre-release name; the shipped method is AppendChar
ss.AppendChar('b');
ss.MakeReadOnly();    // lock the string

// Retrieve content: decrypt into an unmanaged buffer (shipped name: SecureStringToGlobalAllocUnicode)
IntPtr uniString = IntPtr.Zero;
try
{
    uniString = Marshal.SecureStringToGlobalAllocUnicode(ss);
    String s = Marshal.PtrToStringUni(uniString);   // this managed copy is the weak spot: it cannot be erased
    Console.WriteLine("String is '{0}'", s);
}
finally
{
    // Zero and free the unmanaged buffer even if something above throws
    if (uniString != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(uniString);
}
ss.Dispose();   // wipes the encrypted buffer
```

Access Control Lists (ACLs)
- Until now, reading or changing Windows ACLs from managed code required P/Invoke
- The framework now models Windows security descriptors in System.Security.AccessControl
- Programmatically read and modify access control lists (DACLs)
- Supports single objects and hierarchies (containers with inheritance)
- Take ownership of objects
- Supports auditing operations (SACLs)
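The ACL slide above lists reading, modifying, ownership and auditing, but the deck's own sample only reads a DACL. The following added example (not from the deck) covers the modify side: it breaks inheritance on a file, discards the inherited rules, and leaves a single explicit Allow for the current user, then dumps the DACL before and after so the change can be checked. The temp-file target is constructed for the demo; Windows only, and on .NET Core/.NET the Get/SetAccessControl calls come from the System.IO.FileSystem.AccessControl package.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;

// Added example, not the deck's code: lock a file down to the current user and verify the result.
class AclLockdownDemo
{
    // Stop inheriting from the parent folder, drop every rule, then grant exactly one.
    public static void RestrictToCurrentUser(string path)
    {
        NTAccount me = (NTAccount)WindowsIdentity.GetCurrent().User.Translate(typeof(NTAccount));
        FileSecurity sec = File.GetAccessControl(path, AccessControlSections.Access);

        // isProtected = true: break inheritance. preserveInheritance = false: discard the inherited
        // rules rather than copying them in as explicit ones (the copy is what the Explorer UI does).
        sec.SetAccessRuleProtection(true, false);

        // Remove any explicit rules that were already there. GetAccessRules returns a snapshot
        // (AuthorizationRuleCollection), so mutating sec inside the loop is safe.
        foreach (FileSystemAccessRule r in sec.GetAccessRules(true, false, typeof(NTAccount)))
            sec.RemoveAccessRuleAll(r);

        sec.AddAccessRule(new FileSystemAccessRule(me, FileSystemRights.FullControl, AccessControlType.Allow));
        File.SetAccessControl(path, sec);
    }

    // Human-readable DACL dump used to check the before/after state.
    public static string Describe(string path)
    {
        FileSecurity sec = File.GetAccessControl(path, AccessControlSections.Access | AccessControlSections.Owner);
        StringBuilder sb = new StringBuilder();
        sb.AppendLine("owner: " + sec.GetOwner(typeof(NTAccount)));
        sb.AppendLine("inheritance blocked: " + sec.AreAccessRulesProtected);
        foreach (FileSystemAccessRule r in sec.GetAccessRules(true, true, typeof(NTAccount)))
            sb.AppendLine(string.Format("  {0,-5} {1,-30} {2}{3}", r.AccessControlType, r.IdentityReference,
                                        r.FileSystemRights, r.IsInherited ? "  (inherited)" : ""));
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed target: a temp file, not a system file like the slide's C:\AUTOEXEC.BAT.
        string path = Path.Combine(Path.GetTempPath(), "acl-demo-" + Guid.NewGuid().ToString("N") + ".txt");
        File.WriteAllText(path, "secret");
        try
        {
            Console.WriteLine("before:\n" + Describe(path));
            RestrictToCurrentUser(path);
            Console.WriteLine("after:\n" + Describe(path));
        }
        finally
        {
            File.Delete(path);   // we kept FullControl, so the delete still succeeds
        }
    }
}
```

The order matters: SetAccessRuleProtection must run before the removal loop, otherwise the inherited rules are still present (and RemoveAccessRuleAll cannot remove an inherited ACE anyway). Running this on a file you do not own leaves you with a DACL that excludes administrators until they take ownership, which is exactly the "take ownership" operation the slide mentions.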

Access Control Lists (ACLs)

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Read the whole security descriptor (owner, group, DACL and SACL). Reading the SACL needs
// SeSecurityPrivilege, so an unprivileged caller gets PrivilegeNotHeldException here and should
// ask for AccessControlSections.Access | AccessControlSections.Owner instead.
FileSecurity sec = new FileSecurity(@"C:\AUTOEXEC.BAT", AccessControlSections.All);
Console.WriteLine("owner = " + sec.GetOwner(typeof(NTAccount)));

// includeExplicit = true, includeInherited = true; identities rendered as DOMAIN\name
foreach (FileSystemAccessRule r in sec.GetAccessRules(true, true, typeof(NTAccount)))
{
    Console.WriteLine(r.AccessControlType);   // Allow or Deny
    Console.WriteLine(r.IdentityReference);   // the account or group the ACE applies to
    Console.WriteLine(r.InheritanceFlags);    // whether child objects inherit this ACE
    Console.WriteLine(r.IsInherited);         // inherited from the parent, or set explicitly here
    Console.WriteLine(r.PropagationFlags);
    Console.WriteLine(r.FileSystemRights);    // the access mask
    Console.WriteLine("");
} // foreach
```

XML Encryption
- W3C-compliant implementation (XML Encryption Syntax and Processing), so encrypted data can be exchanged with other implementations
- The output is XML; the input does not have to be (arbitrary bytes can be carried in an <EncryptedData> element)
- Can encrypt portions of an XML document
- Can encrypt different portions of the same document with different keys
- Several types of encryption:
  - Triple DES
  - AES 128, AES 192, AES 256
  - RSA (key transport)
  - X509CertificateEx (the pre-release name of X509Certificate2)
- Driven through the System.Security.Cryptography.Xml.EncryptedXml class
- Integration with XML Digital Signature via XmlDecryptionTransform

Configuration File Encryption
- Used for configuration files in ASP.NET and WinForms
- DPAPI provider for a single local machine; RSA provider for web farms, where the same key container is imported on every server
- Decryption is automatic: the code that reads the setting does not change

```csharp
// ConfigurationSettings is marked obsolete in 2.0; ConfigurationManager.AppSettings is the replacement
Console.WriteLine(ConfigurationSettings.AppSettings["MySecret"]);
```

Configuration File Encryption (app.config)
After encryption the protected section is replaced by an <EncryptedData> element whose <CipherValue> is an opaque base64 blob (the one on the slide begins AQAA...C5L+4zzo8=).
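The XML Encryption slides above describe partial-document encryption, per-portion keys and the EncryptedXml class without showing the API. The following added example (not from the deck) encrypts one element of a document under a fresh AES-256 session key, wraps that key with RSA-OAEP inside an <EncryptedKey>, and decrypts it back; the sample document, element name and key name are constructed for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;   // reference System.Security.dll
using System.Xml;

// Added example, not the deck's code: element-level XML Encryption with a wrapped session key.
class XmlEncryptionDemo
{
    public static void EncryptElement(XmlDocument doc, string elementName, RSA rsaKey, string keyName)
    {
        XmlElement target = doc.GetElementsByTagName(elementName)[0] as XmlElement;
        if (target == null) throw new XmlException("element not found: " + elementName);

        // Per-element session key: the rest of the document is untouched, and another element
        // could be encrypted under a different key for a different recipient.
        RijndaelManaged sessionKey = new RijndaelManaged();
        sessionKey.KeySize = 256;

        EncryptedXml exml = new EncryptedXml();
        byte[] cipherText = exml.EncryptData(target, sessionKey, false);   // false: the whole element, not only its content

        EncryptedData ed = new EncryptedData();
        ed.Type = EncryptedXml.XmlEncElementUrl;
        ed.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url);

        // Wrap the session key for the RSA holder; <KeyName> tells the decryptor which RSA key to use.
        EncryptedKey ek = new EncryptedKey();
        ek.CipherData = new CipherData(EncryptedXml.EncryptKey(sessionKey.Key, rsaKey, true));   // true: OAEP padding
        ek.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSAOAEPUrl);
        ek.KeyInfo.AddClause(new KeyInfoName(keyName));

        ed.KeyInfo.AddClause(new KeyInfoEncryptedKey(ek));
        ed.CipherData.CipherValue = cipherText;

        EncryptedXml.ReplaceElement(target, ed, false);
        sessionKey.Clear();   // drop the key material; only the wrapped copy survives
    }

    public static void DecryptDocument(XmlDocument doc, RSA rsaKey, string keyName)
    {
        EncryptedXml exml = new EncryptedXml(doc);
        exml.AddKeyNameMapping(keyName, rsaKey);   // resolves the <KeyName> inside <EncryptedKey>
        exml.DecryptDocument();                    // replaces every <EncryptedData> it can open
    }

    static void Main()
    {
        // Constructed sample document; only the card number needs protecting.
        XmlDocument doc = new XmlDocument();
        doc.PreserveWhitespace = true;
        doc.LoadXml("<order><customer>Alice</customer><card>4111111111111111</card></order>");

        RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(2048);   // ephemeral key for the demo
        try
        {
            EncryptElement(doc, "card", rsa, "orderKey");
            Console.WriteLine(doc.OuterXml);   // <customer> still cleartext, <card> replaced by <EncryptedData>
            DecryptDocument(doc, rsa, "orderKey");
            Console.WriteLine(doc.OuterXml);   // original document restored
        }
        finally
        {
            rsa.Clear();
        }
    }
}
```

Because the session key travels inside the document, the recipient needs only its RSA private key; to give a second recipient access to a different element, repeat EncryptElement with that recipient's RSA key and a different key name, which is the "different portions, different keys" case on the slide.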
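The Configuration File Encryption slides above state that decryption is automatic but not how a section gets encrypted in the first place. The following added example (not from the deck) protects and unprotects the appSettings section of the running executable's app.config through the configuration API, then reads the value back unchanged. It assumes an app.config containing an appSettings key named MySecret, as on the slide, and needs a reference to System.Configuration.dll.

```csharp
using System;
using System.Configuration;   // reference System.Configuration.dll

// Added example, not the deck's code: programmatic protected-configuration sections.
// The two provider names are the ones built into the framework: DataProtectionConfigurationProvider
// (DPAPI, single machine) and RsaProtectedConfigurationProvider (RSA key container, web farms).
class ConfigProtectionDemo
{
    public static void ProtectSection(string sectionName, string providerName)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null) throw new ArgumentException("no such section: " + sectionName);
        if (section.SectionInformation.IsProtected) return;   // already done; keep the call idempotent

        section.SectionInformation.ProtectSection(providerName);
        section.SectionInformation.ForceSave = true;            // write the section even if it looks unchanged
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection(sectionName);       // drop the cached copy so the next read hits the file
    }

    public static void UnprotectSection(string sectionName)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected) return;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection(sectionName);
    }

    public static bool IsProtected(string sectionName)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(sectionName);
        return section != null && section.SectionInformation.IsProtected;
    }

    static void Main()
    {
        ProtectSection("appSettings", "DataProtectionConfigurationProvider");
        Console.WriteLine("appSettings protected on disk: " + IsProtected("appSettings"));

        // The file now holds <appSettings configProtectionProvider="..."><EncryptedData>...</EncryptedData>
        // but the reading code is the same as before: decryption is transparent.
        Console.WriteLine(ConfigurationManager.AppSettings["MySecret"]);

        UnprotectSection("appSettings");   // restore cleartext so the demo can be re-run
    }
}
```

Two caveats that the slide's "DPAPI for local" glosses over. First, the built-in DPAPI provider uses machine scope by default (useMachineProtection="true"), so any account on that box can decrypt the section; it relies on the file's ACL, and switching to user scope means registering the provider again in <configProtectedData> with useMachineProtection="false". Second, for a web farm the RSA path is done with aspnet_regiis: create an exportable container (-pc name -exp), export it with the private key (-px name file.xml -pri), import it on each server (-pi name file.xml), grant the application pool identity access (-pa name "NT AUTHORITY\NETWORK SERVICE"), then encrypt the section (-pe "connectionStrings" -app "/MyApp" -prov providerName).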

ASP.NET Security

What's New in ASP.NET Security
- Membership service: a service for managing users and credentials, provider-based for flexible data storage

- Login controls: controls for logging in, creating new users, recovering lost passwords, and more
- Role Management service: combine forms authentication and role-based authorization without writing code

Login Controls
  Control             Description
  ChangePassword      UI for changing passwords
  CreateUserWizard    UI for creating new user accounts
  Login               UI for entering and validating user names and passwords
  LoginName           Displays the authenticated user's name
  LoginStatus         UI for logging in and logging out
  LoginView           Displays different views based on login status and roles
  PasswordRecovery    UI for recovering forgotten passwords

Membership Service
- Service for managing users and credentials
- Declarative access via the Web Site Administration Tool
- Programmatic access via the Membership and MembershipUser classes
- The Membership class provides the base services

- The MembershipUser class represents an individual user and provides the additional per-user services
- Provider-based for flexible data storage

Membership Schema (layers, top to bottom)
  Login controls:        Login, LoginStatus, LoginView, other login controls
  Membership API:        Membership, MembershipUser
  Membership providers:  AccessMembershipProvider, SqlMembershipProvider, other providers
  Data stores:           SQL Server, other data stores

Role Management Schema (same layering)
  Login controls:  Login, LoginStatus, LoginView, other login controls
  Roles API:       Roles
  Role providers:  AccessRoleProvider, SqlRoleProvider, other providers
  Data stores:     SQL Server, other data stores

(The Access providers shown here are from the pre-release builds; the released framework ships the SQL providers and ActiveDirectoryMembershipProvider, with the Access provider available only as sample code.)
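The Membership, Role Management and Login Controls slides above say that forms authentication and role-based authorization can be combined without writing code; that claim lives in web.config. The following added configuration (not from the deck) wires the SQL membership and role providers to one connection string, forces hashed passwords with a lockout policy, denies anonymous users site-wide, and restricts the Admin folder to one role. The connection string, application name and role name are constructed for the example.

```xml
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <!-- constructed for the example; aspnet_regsql.exe creates the schema in this database -->
    <add name="MembershipDb"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>

  <system.web>
    <!-- forms authentication: unauthenticated requests are redirected to loginUrl -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" slidingExpiration="true" timeout="30" />
    </authentication>

    <!-- the auth ticket and role cookies are never sent over HTTP or readable by script -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <membership defaultProvider="SqlMembership">
      <providers>
        <clear />
        <add name="SqlMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/demo"
             passwordFormat="Hashed"
             minRequiredPasswordLength="10"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false" />
      </providers>
    </membership>

    <roleManager enabled="true" defaultProvider="SqlRoles" cacheRolesInCookie="false">
      <providers>
        <clear />
        <add name="SqlRoles"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="MembershipDb"
             applicationName="/demo" />
      </providers>
    </roleManager>

    <!-- site-wide: anonymous users ("?") must log in; everyone else is allowed -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- folder-level: only members of Administrators get into /Admin -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The <clear /> elements matter: without them the machine-level AspNetSqlMembershipProvider stays registered with its own (weaker) defaults, and applicationName should be set explicitly so that two sites on the same box do not share user tables by accident. Hashed is the only passwordFormat under which enablePasswordRetrieval can be false, which is why the PasswordRecovery control is configured here for reset rather than retrieval.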

ClickOnce Security

Introduction to ClickOnce: the best of the client and the web
  Web:         reach; no-touch deployment; low system impact; install and run per user
  MSI client:  rich and interactive; offline access; Windows shell integration; per-computer and shared components; unrestricted installation
  ClickOnce sits between the two, keeping the reach and low impact of web deployment while delivering a rich, offline-capable client.

Security: Secure Execution Environment (Sandbox)
- ClickOnce applications run in a sandbox by default
- Permissions are based on origin: Internet, Intranet, or Full Trust
- Ensures that applications are safe to run, similar to the way Internet Explorer sandboxes JavaScript
- Applications often need higher trust, for example to:
  - Call unmanaged code
  - Access the file system or the registry
  - Connect to a database
  - Consume Web services

Security: Determining Permission Requirements
- Security pane of the Project Designer: use it to configure permissions manually
- Permissions Calculator: calculates the least-required permissions, so the manifest asks for what the code demands and no more
- Debug in the sandbox: debug applications with partial trust
- Exception Assistant
- IntelliSense in the sandbox, filtered based on the security context

ClickOnce: Better Security Error Information
- Expanded SecurityException type
- Now possible to tell precisely what failed and why
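The "Better Security Error Information" slide above is easier to appreciate with a failing check in hand. The following added example (not from the deck) restricts the current stack with PermitOnly to a permission set resembling the Internet-zone grant, attempts a file write, and prints the properties the expanded SecurityException carries. The permission set and the temp path are constructed for the demo, and the code stands in for a real ClickOnce deployment; it is .NET Framework only, since code access security does not exist in .NET Core / .NET 5+.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Added example, not the deck's code: provoke a sandbox failure and read the expanded SecurityException.
class SandboxDemo
{
    public delegate void Work();

    // Execution, isolated storage and safe UI only: roughly the Internet-zone grant. No FileIOPermission.
    public static PermissionSet InternetLikeGrant()
    {
        PermissionSet ps = new PermissionSet(PermissionState.None);
        ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        ps.AddPermission(new IsolatedStorageFilePermission(PermissionState.Unrestricted));
        ps.AddPermission(new UIPermission(UIPermissionWindow.SafeTopLevelWindows, UIPermissionClipboard.OwnClipboard));
        return ps;
    }

    // Run 'action' with this frame limited to 'grant'; return the SecurityException it raises, or null.
    public static SecurityException RunRestricted(PermissionSet grant, Work action)
    {
        grant.PermitOnly();   // every stack walk that reaches this frame is now checked against 'grant' only
        try
        {
            action();
            return null;
        }
        catch (SecurityException ex)
        {
            return ex;
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();   // restore the frame whether or not the action threw
        }
    }

    static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "clickonce-demo.txt");   // constructed target
        SecurityException ex = RunRestricted(InternetLikeGrant(),
                                             delegate { File.WriteAllText(path, "x"); });   // demands FileIOPermission

        if (ex == null)
        {
            Console.WriteLine("write succeeded: code access security is not enforced on this runtime");
            return;
        }

        // The 2.0 additions: which action failed, on what, and what the failing frame had been granted.
        Console.WriteLine("Action:          " + ex.Action);
        Console.WriteLine("Failed:          " + ex.FirstPermissionThatFailed);   // FileIOPermission for 'path'
        Console.WriteLine("Demanded:        " + ex.Demanded);
        Console.WriteLine("Granted set:     " + ex.GrantedSet);
        Console.WriteLine("Method:          " + (ex.Method == null ? "(n/a)" : ex.Method.Name));
        Console.WriteLine("Failed assembly: " + ex.FailedAssemblyInfo);
        Console.WriteLine("Zone:            " + ex.Zone);
    }
}
```

Running the same program under the debugger with the project's Security pane set to "Internet" is what the "Debug in Zones" bullet refers to: the Exception Assistant shows these same properties, and the Permissions Calculator derives the minimum grant from exactly the demands that would otherwise fail here.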

- Includes failed-assembly information, including that assembly's permission-set grant
- The security action that failed
- The permission set that was checked
- Deeply integrated into the Visual Studio IDE (Debug in Zones)

Further Exploring
- System.Security.SecurityContext
- System.Security.Principal
- System.DirectoryServices
- System.Diagnostics
- Code coverage
- Static analysis: PREfast and FxCop
- Application Verifier
- And more

2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
