.NET Security Workshop
This is a self paced workshop designed to lead you through the benefits and features of .NET security.
This Workshop Will Teach You:
- How .NET security solves common software vulnerabilities; .NET security architecture
- Protecting assembly modules and resources
- Validation and verification
- Code access security; permission set and code groups; evaluating an assembly
- Permission enforcement with attributes and code; assert, demands and link demands
- Role based security; principals; roles
- Windows Access Control Lists
- How to use the security utilities; strong name utility; configuration tool
- Cryptography; crypto transforms and crypto streams; keys and initialization vectors; message digests; hash routines
- Data protection APIs, Encrypting configuration files, Encrypting XML
The single most important thing in any application is security. If you receive a specification that does not have a complete description for security then return it - the specification is incomplete and it indicates that the author does not understand software development. Security is vitally important because if you don't fix the security holes in your software someone will exploit them. You must be aware of all security implications and you must build security into your software from the start rather than adding security as an afterthought.
This workshop will help you understand .NET security and how to administer it. You will be lead through all security aspects with fully working examples. At the end of the tutorial you'll have a deep understanding about what .NET security is and how to use it effectively.
Example code for this workshop can be found here.
This workshop was originally written for .NET version 1.1 on Windows XP. When Microsoft released .NET 2.0 I revised the workshop adding annotations for the changes in version 2.0. Since then Microsoft have released 'version 3.0' of the .NET framework. However (with a few minor changes), this is merely version 2.0 distributed with the WinFX library. This means that in most cases .NET 2.0 and .NET 3.0 are interchangeable. In the workshop when I say version 3.0 you can assume that I also mean version 2.0. If I do not mention a version then you should assume that the text refers to all versions of .NET which means 3.0, 2.0, 1.1 and 1.0. The later sections (page 9, 14, 15, 16) are specific to .NET 3.0/2.0.
The demonstrations will use the command line tools provided by the .NET SDK and the code will be written in C#. The example code can easily be converted to other .NET languages and can easily be converted to VS.NET projects. Using the command line tools was a deliberate action because I wanted to show that there was no 'magic' being performed by Visual Studio.
The examples in this workshop will use the following tools:
|csc||CORFolder\csc.exe||The C# compiler|
|fuslogvw||SDKFolder\bin\fuslogvw.exe||The Fusion log viewer|
|gacutil||SDKFolder\bin\gacutil.exe||The GAC utility|
|ildasm||SDKFolder\bin\ildasm.exe||The IL disassembly tool|
|nmake||SDKFolder\bin\nmake.exe||Program maintenance utility|
|sn||SDKFolder\bin\sn.exe||The strong name generator|
CORFolder is the location of the .NET framework assemblies
is the location of the .NET SDK (usually it is in the Visual Studio folder). To
do the examples in the workshop you should ensure that your command line path is
set to give access to the folders in the table. The simplest way to do this is
to run the
vsvars32.bat file in the
folder in the Visual Studio .NET folder.
There is no charge for this tutorial, if this workshop was published as a book then you would pay $50 for it, if I were to give you this workshop as a training session then you would have to pay several thousand dollars, instead, you get it entirely for free. If you want to show your appreciation for the effort I have put into this workshop then please consider making a donation through Paypal.
I give training courses and conference talks, and I write white papers and books on a variety of .NET topics; I also architect systems and perform code reviews. Please contact me if you want me to provide my services for you.
3. Strong Name Validation and Assembly Hash Validation
3.1 Spoofing by Tampering an Assembly
3.2 Signing the Assembly
3.3 Multi Module Assemblies
3.4 Assembly Resource Files
3.5 Entry Point
6. Permission Enforcement
6.1 Types Of Permissions
6.2 Demanding Permissions
6.3 Imperative Demands
6.4 Assert Demands
6.5 Link Demands
6.6 Requested Permissions
6.8 Partially Trusted Code
9. Access Control
9.1 Overview of .NET Access Control
9.2 Security Descriptor Definition Language
9.3 Reading Security Information
9.4 Altering Security Information
9.5 Creating An Object With A Security Descriptor
9.6 Custom Security Descriptors
13.1 Certificates And Certificate Stores
13.2 .NET Version 1.0 Certificate Classes
13.3 .NET Version 3.0/2.0 Certificate Classes
13.4 Certificate Store
13.5 Using Certificates
13.6 The Strong Name Utility and Certificates
|I hope that you enjoy this tutorial and value the knowledge that you will gain from it. I am always pleased to hear from people who use this tutorial (contact me). If you find this tutorial useful then please also email your comments to email@example.com.|