.NET Framework Security 9780672321849, 067232184X
.NET Framework Security provides the ultimate high-end comprehensive reference to all of the new security features avail
769 68 4MB
English Pages 793 Year 2002
Table of contents :
Content: (NOTE: Each chapter concludes with a Summary.)= Introduction. I. INTRODUCTION TO THE .NET DEVELOPER PLATFORM SECURITY. 1. Common Security Problems on the Internet. Problems with Securing Mobile Code.Downloaded Executables.Source Code.Scripts.Java Applets.ActiveX Controls.Writing Secure Applications.Insecure Default Configurations.Buffer Overflows.Canonicalization Errors.Information Leaks.Denial-of-Service Vulnerabilities.2. Introduction to the Microsoft .NET Developer Platform. Tight Language Interoperability.Metadata.JIT Compilation.Garbage Collection.Object-Oriented Programming.Code Access Security.Base Class Library.Native Code Interoperability.3. .NET Developer Platform Security Solutions. Fundamental Security Benefits from the .NET Framework.Managing Code Execution.Additional Security Enforcement.Mobile Code Solutions with the .NET Framework.Direct Execution.Browser-Hosted Controls.Networked Computing with the .NET Framework.Insecure Default Configurations.Buffer Overflows.Canonicalization Errors.Information Leaks.Denial-of-Service Vulnerabilities.II. CODE ACCESS SECURITY FUNDAMENTALS. 4. User- and Code-Identity-Based Security: Two Complementary Security Paradigms. A Little Anatomy of Computer Security Systems.A Review of User-Identity-Based Security.Entering a New Paradigm: Code-Identity-Based Security.How User- and Code-Identity-Based Security Systems Complement Each Other.5. Evidence: Knowing Where Code Comes From. Evidence Explained.Evidence Applies to Executing Code.Evidence Is Applied to Assemblies and App Domains.Different Sources of Evidence.Host-Provided Evidence.Assembly-Provided Evidence.Evidence and the Base Class Library.6. Permissions: The Workhorse of Code Access Security. Permissions Explained.Code Access Permissions.Identity Permissions.Other Permissions.How Permissions Are Used.Permissions and Security Policy.Permission Demands.Other Security Actions.Declarative and Imperative Security.Built-in Permissions.Permission Sets.7. Walking the Stack. A Review of Stacks and Their Uses.The Security Stack Walk.Modifying a Stack Walk.The Interaction of App Domains with Stack Walks.8. Membership Conditions, Code Groups, and Policy Levels: The Brick and Mortar of Security Policy. Membership Conditions.Membership Conditions and Evidence.Membership Conditions Provided by the .NET Framework.Writing Custom Membership Conditions.Code Groups.Code Group Construction.Code Group Hierarchies.Code Groups Provided by the .NET Framework.Code Group Extensibility.Policy Levels.Policy Level Contents.The Four Policy Levels.Working with Policy Levels.Default Security Policy.Enterprise and User Policy.Machine Policy.9. Understanding the Concepts of Strong Naming Assemblies. Assemblies and Identity.Public/Private Key Pairs.Signing and Verifying Assemblies.Delay Signing Assemblies.Comparison with Authenticode Signatures.10. Hosting Managed Code. What Does Hosting Mean?Containing Assemblies Through the Use of Appdomains.Controlling Trust Within the Hosted Environment.Dealing with Assembly-Sharing Issues.Using Appdomains to Secure Unmanaged Clients.11. Verification and Validation: The Backbone of .NET Framework Security. Review of the Anatomy of an Assembly.PE File Format and Metadata Validation.PE File Format Validation.Metadata Validation.IL Validation and Verification.IL Validation.Verifiability and Type Safety.Repercussions of Writing Unverifiable Code.Code Access Security's Dependence on Validation and Verification.12. Security through the Lifetime of a Managed Process: Fitting It All Together. Development-Time Security Considerations.Deployment-Time Security Issues.Execution-Time Security Issues.Loading an Assembly.Resolving Policy for an Assembly.Loading Classes from an Assembly.Just-In-Time Verification and Compilation of Methods.Execution-Time Permission Enforcement.III. ASP.NET AND WEB SERVICES SECURITY FUNDAMENTALS. 13. Introduction to ASP.NET Security. New Security Features in ASP.NET-And How to Use Them.Forms Authentication.Using Impersonation in ASP.NET.Passport Authentication.Authentication for Web Services.Code Access Security and ASP.NET.14. Authentication: Know Who Is Accessing Your Site. ASP.NET Authentication and IIS Authentication.Overview of IIS Authentication.ASP.NET Authentication Settings.Default IIS Settings.Using CLR Role-Based Security in Windows.Using ASP.NET Forms Authentication.Using Impersonation and Delegation in ASP.NET.15. Authorization: Control Who Is Accessing Your Site. File and Directory Access Control Lists (ACLs).Using URL Authorization to Allow or Limit Access.Using Programmatic Authorization to Determine Who Is Attempting to Access Your Site.16. Data Transport Integrity: Keeping Data Uncorrupted. Implementing SSL Encryption and HTTPS.More About Certificates-Options and Installing.Considerations for Web Services.Encryption of Individual Data Elements-An Overview.Remoting and Encryption via Sinks-An Overview.IV. .NET FRAMEWORK SECURITY ADMINISTRATION. 17. Introduction: .NET Framework Security and Operating System Security. A Roadmap for Administering the Security Context of Managed Code.The Code Access Security Policy System.Windows Security.Internet Explorer Security Settings.ASP.NET Security Settings.Database Server Security Mechanisms.A Different Angle: Security Systems Involved in Common Managed Code Execution Scenarios..NET Framework Security and Operating System Security Settings.Windows Access Control Protections and .NET Framework Security.Windows Software Restriction Policies and .NET Framework Security.18. Administering Security Policy Using the .NET Framework Configuration Tool. Before Making Any Security Policy Change: Administration Strategies.Do You Have to Change Policy at All?.Think of the Worst Case Scenario.Make the Policy Change with the Least Possible Impact.Pre-Plan the Policy Structure of Your System.Consider the Interaction with Operating System Settings.Document Your Changes.Introduction to the .NET Framework Configuration Tool.Availability of the Tool.Starting the Tool.Overview of the Main Security Administrative Options.Overview of the Policy Tree Manipulation Options.Exiting the Tool.Increasing Trust for an Assembly or Software Publisher Using the Trust.Assembly Wizard.The Start Page-Choosing to Make Changes to User or Machine Policy.Selecting the Assembly or Software Publisher to Increase Trust.Increasing Trust Just for a Selected Assembly or for All Assemblies.Signed by the Same Software Publisher.Choosing a Level of Trust.Finishing the Wizard.Changing Trust for a Zone Using the Adjust Security Wizard.Choosing to Make Changes to the Machine or User Policy.Choosing a Level of Trust for a Zone.Manipulating the Security Policy Tree Directly-Basic Techniques.Policy Level Features.Code Group Hierarchy.Administrating Permission Sets.Policy Assemblies.Undoing a Change in the Policy Tree.Testing Security Policy Using the Evaluate Assembly Wizard.Modeling Policy Changes Using Open and New.Creating a New Policy Level.Opening a Policy Level Configuration File.Deploying Security Policy.Creating Security Policy Deployment Packages.Deployment Methods.Resetting Security Policy.The .NET Framework Configuration Tool's Self Protection Mechanism.Administrative Tactics: Scenarios, Solutions, Hints, and Tricks.Granting Enterprise-Wide Full Trust to an Assembly.Granting Full Trust to All Assemblies of a Software Publisher Across an Enterprise.Preventing an Assembly from Running Across an Enterprise.Preventing All Assemblies of a Specific Software Publisher from Running Across an Enterprise.Reducing the Level of Trust for All Assemblies from the Intranet for a Specific Machine.Granting All Assemblies from a Specific Intranet Share or Mounted Drive Full Trust on a Machine.Disallowing All Assemblies from a Specific Internet Site to Run on a Machine."Sandboxing" a Directory on the Local Hard Drive.Giving All Assemblies of a Specific Software Publisher Running from the Internet File Read Rights to a Specific Directory.Changing One's User Level Policy to Disallow Intranet Assemblies to Do Anything But Execute.19. Administering .NET Framework Security Policy Using Scripts and Security APIs. Using Batch Scripts for Security Policy Administration.Finding and Starting the Caspol Tool.Basic Caspol Techniques.Caspol in Action-Scripts, Hints, and Tricks.Changing Security Policy by Programming Directly to the Security APIs.Overview of the Security Classes Used for Policy Changes.Examples of Using the Security Classes for Accessing and Changing Policy.20. Administering an IIS Machine Using ASP.NET. XML-Based Configuration Files.Hierarchy of .NET Configuration Files.Attributes and Settings.The Element.The Element.The Element.The Element.The Element.The Element.The Element.The Element.The Element.The Element.The Element.The Element.The Element.The Element.The Element.The Element.The Element.The ElementUsing Custom Attributes and Settings.IIS Security Settings-A Refresher.21. Administering Clients for .NET Framework Mobile Code. Default Security Policy and Mobile Code.Default Security Policy's Impact on Mobile Code.How to Expand Mobile Code Scenarios.Limitations on Calling Strong Named Components.Running Mobile Code in Internet Explorer.ActiveX Controls and Managed Controls.Different Ways to Run Managed Code in Internet Explorer.22. Administering Isolated Storage and Cryptography Settings in the .NET Framework. Administering Isolated Storage.Using Storeadm.exe to Administer Isolated Storage.Using the Isolated Storage APIs to Administer Isolated Storage.Using the IsolatedStoragePermission to Govern Code Access to Isolated Storage.Administering Cryptography Settings.Overview of the Cryptography Configuration Settings.Default Mappings.Modifying Cryptography Configuration.V. .NET FRAMEWORK SECURITY FOR DEVELOPERS. 23. Creating Secure Code: What All .NET Framework Developers Need to Know. Security and the Developer.Structure of the .NET Framework Security System.Limitations of the .NET Framework Security System.24. Architecting a Secure Assembly. Thinking Like a Security Expert: How to Improve the Security of Your Designs from Day One.Paranoia: Designing Defensively for the Worst-Case Scenario.Conservatism: Limiting the Scope of Your Design to Reduce the Likelihood of Security Flaws.If All Else Fails.Don't Throw It All Away.25. Implementing a Secure Assembly. Using Existing Security Mechanisms.Using Imperative Security.Using Declarative Security.Allowing Untrusted Callers.Identity Demands and Their Uses.Implementing Your Own Permissions.Implementing a Security Custom Attribute.Working with Strong Names.Strong Name Key Pair Generation.Building Strong Names into Your Assemblies.Coping with Signature Invalidation During the Build Process.Using Delay Signed Assemblies.26. Testing a Secured Assembly. Determining What Is Being Protected.Conceptual Resources.Access Points in a Secured Assembly to a Resource.Determining How Resource Protection Is Implemented.Testing Any Applied Custom Permissions.Testing the Key Methods of a Custom Permission That Interface with the Security System.Testing Imperative Use of a Custom Permission.Testing Declarative Use of a Custom Permission.Other Miscellaneous Issues with Custom Permissions.Testing the Methods and Properties That Should Be Protected.Checking Minimal Protection on Methods and Properties.Testing If Undocumented Protection Exists on Methods and Properties.27. Writing a Secure Web Site Using ASP.NET. Designing a Secure Web Site.Authentication Choices.Authorization Choices.Channel Options.Possible Attack Scenarios.Implementing a Secure Web Site.Protected Modules.Using Application Logs to Uncover Security Breaches.28. Writing a Secure Web Application in the .NET Development Platform. ASP.NET with Remoting Versus Web Services.The Case for Using ASP.NET with Remoting.The Case for Using Web Services.Authentication and Authorization Without IIS.Using a SQL Server Database for Authentication.29. Writing a Semi-Trusted Application. Restrictions on Libraries That Can Be Called.Assemblies with APTCA.Libraries with Known Permission Requirements.Making Permission Requests.Protecting Data.Data Persisted to Disk.Data Stored in Memory.Data Sent on the Network.Being Careful About What Code Gets Executed.LinkDemands and Inheritance.Virtual, Internal Methods.Delegates and Stack Walks.Loading Assemblies.Exceptions and Filters.Race Conditions.Being Aware of Permissions at Runtime.Using SecurityManager.IsGranted.Dealing with SecurityExceptions.30. Using Cryptography with the .NET Framework: The Basics. Setting the Stage: Key Definitions and Scenarios in Cryptography.Ensuring Confidentiality with Symmetric Algorithms.Ensuring Confidentiality with Asymmetric Algorithms.Using Cryptographic Hash Functions for Message Integrity and.Authentication.Keyed Hash Functions.Digital Signatures: Authentication and Integrity Using Asymmetric Algorithms.The Cryptographic Object Model of the .NET Framework.Operating on Streams: CryptoStreams and ICryptoTransforms.Using Symmetric Algorithms.The SymmetricAlgorithm Base Class.Creating Instances of SymmetricAlgorithm Classes.Encrypting and Decrypting with ICryptoTransforms Created from a.SymmetricAlgorithm.Using Cryptographic Hash Functions.Creating HashAlgorithm Objects.Computing Hash Values Using the ComputeHash() Methods.Computing Hash Values of Streaming Data Using a CryptoStream.Using Keyed Hash Functions.Random Number Generation and Key Derivation.Generating Pseudo-Random Numbers.Deriving Keys from User Input.Using Asymmetric Algorithms.31. Using Cryptography with the .NET Framework: Advanced Topics. Working with CryptoAPI 1.0.The CryptoAPI Provider Model: Cryptographic Service Providers and Key Containers.Accessing Specific Providers and Key Containers from the .NET Framework Using the CspParameters Structure.Calling CryptoAPI 1.0 Functions Directly Using Platform Invoke.Cleaning Up: Deleting Keys and Key Containers.Working with CryptoAPI 2.0.Finalization Versus Explicit Destruction via IDisposable.Extending the .NET Framework's Cryptography Classes and the Cryptographic Configuration System.32. Using Cryptography with the .NET Framework: Creating and Verifying XML Digital Signatures. XMLDSIG Design Principles and Modes of Use.The Structure of an XMLDSIG Signature.The ds:Signature Element.The ds:SignatureValue Element.The ds:SignedInfo Element.The ds:Reference Element.The ds:KeyInfo Element.Creating XMLDSIG-Compliant Signatures Using the .NET Framework.Verifying an XMLDSIG Signature.Extending System.Security.Cryptography.Xml for Custom Processing.Index
![.NET Framework Essentials [3 ed.]
9780596005054](https://dokumen.pub/img/200x200/net-framework-essentials-3nbsped-9780596005054.jpg)
![.NET Framework Essentials [1 ed.]
9780596001650, 0596001657](https://dokumen.pub/img/200x200/net-framework-essentials-1nbsped-9780596001650-0596001657.jpg)
![C# 6.0 and the .NET 4.6 Framework [Seventh Edition]
9781484213339](https://dokumen.pub/img/200x200/c-60-and-the-net-46-framework-seventh-edition-9781484213339.jpg)
