.NET Development Foundation/Security

From Wikibooks, open books for an open world
Jump to navigation Jump to search


Security[edit | edit source]

Exam objective: Improving the security of the .NET Framework applications by using the .NET Framework 2.0 security features

Topics[edit | edit source]

Code access security[edit | edit source]

Code access security, CAS, allows the control of various permissions granted to specific managed applications. MSDN

Permissions allow access to system resources. A permission set is a collection of permissions. A code group relates exactly one permission set to exactly one evidence type. Evidence is used to identify an assembly. Evidence types can include the application directory, cryptographic hash of the assembly, publisher's digital signature, site from which the assembly was downloaded, cryptographic strong name of the assembly, URL from which the assembly was downloaded, and the security zone in which the assembly is running. Security zones include the computer zone, local Intranet zone, Internet zone, trusted site, and untrusted sites. See the Internet options security tab in Internet Explorer to view various security zones. An assembly can be associated with multiple code groups. Permission sets can be associated with multiple code groups.

A security policy is a logical grouping of code groups and permission sets. An untrusted managed assembly must pass through four security policies: The Enterprise security policy, machine security policy, user security policy, and application domain security policy. Any one of these security policies can deny an untrusted managed assembly permissions.

Classes, interfaces, and tools[edit | edit source]

Implement code access security[edit | edit source]

Exam objective: Implement code access security to improve the security of a .NET Framework application.

(Refer System.Security namespace)

SecurityManager class - MSDN

CodeAccessPermission class - MSDN

Modify the Code Access security policy at the machine, user, and enterprise policy level by using the Code Access Security Policy tool (Caspol.exe) - MSDN

PermissionSet class, NamedPermissionSet class, and PermissionSetCollection class

PermissionSet class - MSDN
NamedPermissionSet class - MSDN
PermissionSetCollection class
There does not seem to be such a thing, to be investigated...

Standard Security interfaces

IEvidenceFactory interface - MSDN
IPermission interface - MSDN

Implement access control[edit | edit source]

Exam objective: Implement access control by using the System.Security.AccessControl classes.

DirectorySecurity class, FileSecurity class, FileSystemSecurity class, and RegistrySecurity class

DirectorySecurity class - MSDN
FileSecurity class - MSDN
FileSystemSecurity class - MSDN
RegistrySecurity class - MSDN

AccessRule class - MSDN

AuthorizationRule class and AuthorizationRuleCollection class

AuthorizationRule class - MSDN
AuthorizationRuleCollection class - MSDN

CommonAce class, CommonAcl class, CompoundAce class, GenericAce class, and GenericAcl class

CommonAce class - MSDN
CommonAcl class - MSDN
CompoundAce class - MSDN
GenericAce class - MSDN
GenericAcl class - MSDN

AuditRule class - MSDN

MutexSecurity class, ObjectSecurity class, and SemaphoreSecurity class

MutexSecurity class - MSDN
ObjectSecurity class - MSDN
SemaphoreSecurity class - MSDN

Implement custom authentication scheme[edit | edit source]

Exam objective: Implement a custom authentication scheme by using the System.Security.Authentication classes.

(Refer System.Security.Authentication namespace - MSDN)

For a reference on custom authentification schemes see MSDN

Encrypt, decrypt and hash data[edit | edit source]

Exam objective: Encrypt, decrypt, and hash data by using the System.Security.Cryptography classes.

(Refer System.Security.Cryptography namespace)

DES class and DESCryptoServiceProvider class

DES class - MSDN
DESCryptoServiceProvider class - MSDN

HashAlgorithm class - MSDN

DSA class and DSACryptoServiceProvider class

DSA class - MSDN
DSACryptoServiceProvider class - MSDN

SHA1 class and SHA1CryptoServiceProvider class

SHA1 class - MSDN
SHA1CryptoServiceProvider class - MSDN

TripleDES and TripleDESCryptoServiceProvider class

TripleDES - MSDN
TripleDESCryptoServiceProvider class - MSDN

MD5 class and MD5CryptoServiceProvider class

MD5 class - MSDN
MD5CryptoServiceProvider class - MSDN

RSA class and RSACryptoServiceProvider class

RSA class - MSDN
RSACryptoServiceProvider class - MSDN

RandomNumberGenerator class - MSDN

CryptoStream class - MSDN

CryptoConfig class - MSDN

RC2 class and RC2CryptoServiceProvider class

RC2 class - MSDN
RC2CryptoServiceProvider class - MSDN

AssymetricAlgorithm class MSDN

ProtectedData class and ProtectedMemory class

ProtectedData class - MSDN
ProtectedMemory class - MSDN

RijndaelManaged class and RijndaelManagedTransform class

RijndaelManaged class - MSDN
RijndaelManagedTransform class - MSDN

CspParameters class - MSDN

CryptoAPITransform class - MSDN

Hash-based Message Authentication Code (HMAC) - MSDN

HMACMD5 class - MSDN
HMACSHA256 class - MSDN
HMACSHA384 class - MSDN
HMACSHA512 class - MSDN

Control permissions[edit | edit source]

Exam objective: Control permissions for resources by using the System.Security.Permission classes.

(Refer System.Security.Permission namespace)

SecurityPermission class - MSDN

PrincipalPermission class - MSDN

FileIOPermission class - MSDN

You can also set the FileIoPermisson attribute at assembly level or class level. Be then aware about the SecurityAction enumerations:
  • SecurityAction.RequestRefuse: specifies the operations that should not be granted.
  • SecurityAction.RequestMinumum: request for a minimum set of permissions. If not given, the app will not execute.

StrongNameIdentityPermission class - MSDN

UIPermission class - MSDN

UrlIdentityPermission class - MSDN

PublisherIdentityPermission class - MSDN

GacIdentityPermission class - MSDN

FileDialogPermission class - MSDN

DataProtectionPermission class - MSDN

EnvironmentPermission class - MSDN

IUnrestrictedPermission interface - MSDN

RegistryPermission class - MSDN

IsolatedStorageFilePermission class - MSDN

KeyContainerPermission class - MSDN

ReflectionPermission class - MSDN

StorePermission class - MSDN

SiteIdentityPermission class - MSDN

ZoneIdentityPermission class - MSDN

Control code privileges[edit | edit source]

Exam objective: Control code privileges by using System.Security.Policy classes.

(Refer System.Security.Policy namespace)

ApplicationSecurityInfo class and ApplicationSecurityManager class

ApplicationSecurityInfo class - MSDN
ApplicationSecurityManager class - MSDN

ApplicationTrust class and ApplicationTrustCollection class

ApplicationTrust class - MSDN
ApplicationTrustCollection class - MSDN

Evidence class and PermissionRequestEvidence class

Evidence class - MSDN
PermissionRequestEvidence class - MSDN

CodeGroup class, FileCodeGroup class, FirstMatchCodeGroup class, NetCodeGroup class, and UnionCodeGroup class

CodeGroup class - MSDN
FileCodeGroup class - MSDN
FirstMatchCodeGroup class - MSDN
NetCodeGroup class - MSDN
UnionCodeGroup class - MSDN

Condition classes

AllMembershipCondition class - MSDN
ApplicationDirectory class and ApplicationDirectoryMembershipCondition class
ApplicationDirectory class - MSDN
ApplicationDirectoryMembershipCondition class - MSDN
GacMembership class and GacMembershipCondition class
GacMembership class
No search results on MSDN!? a little investigation required here.
GacMembershipCondition class - MSDN
Hash class and HashMembershipCondition class
Hash class - MSDN
HashMembershipCondition class - MSDN
Publisher class and PublisherMembershipCondition class
Publisher class - MSDN
PublisherMembershipCondition class - MSDN
Site class and SiteMembershipCondition class
Site class - MSDN
SiteMembershipCondition class - MSDN
StrongName class and StrongNameMembershipCondition class
StrongName class - MSDN
StrongNameMembershipCondition class - MSDN
Url class and UrlMembershipConditon class
Url class - MSDN
UrlMembershipConditon class - MSDN
Zone class and ZoneMembershipCondition class
Zone class - MSDN
ZoneMembershipCondition class - MSDN

PolicyLevel class and PolicyStatement class

PolicyLevel class - MSDN
PolicyStatement class - MSDN

IApplicationTrustManager interface, IMembershipCondition interface, and IIdentityPermissionFactory interface

IApplicationTrustManager interface - MSDN
IMembershipCondition interface - MSDN
IIdentityPermissionFactory interface - MSDN

Access and modify identity information[edit | edit source]

Exam objective: Access and modify identity information by using the System.Security.Principal classes.

(Refer System.Security.Principal namespace)

GenericIdentity class and GenericPrincipal class

GenericIdentity class - MSDN
GenericPrincipal class - MSDN

WindowsIdentity class and WindowsPrincipal class

WindowsIdentity class - MSDN
WindowsPrincipal class - MSDN

NTAccount class and SecurityIdentifier class

NTAccount class - MSDN
SecurityIdentifier class - MSDN

IIdentity interface and IPrincipal interface

IIdentity interface - MSDN
IPrincipal interface - MSDN

WindowsImpersonationContext class - MSDN

IdentityReference class and IdentityReferenceCollection class

IdentityReference class - MSDN
IdentityReferenceCollection class - MSDN

Previous / Next