Exploring Security in .NET: Part I




Remember Me

Forgot Password
Forgot Username
Why Register

Jump to

Technology

Website

Visual C# .NET

Visual Basic .NET

ASP.NET

Windows Longhorn

SQL Server 2005

Managed C++

Visual Studio 2005

Others

SQL

Visual C++ 6.0

COBOL .NET

Visual J#

Visual Studio .NET

XML

Pocket PC

Mobile & Embedded Development

Web Services

Sharepoint Portal Server

Design & Architecture

Enterprise Development

ASP.NET 2.0/3.5

Visual Web Developer 2005

SQL Server

HTML

SOA

Java Script

.NET 3.0

SQL Server 2008

JQuery

Active Directory

GDI+ & Graphics

Visual C#

Algorithms & AI

Assemblies

COM Interop

Compact Framework

Cryptography

Crystal Reports

Design & Architecture

DirectX

Exception Handling

Games Programming

Internet & Web

Mobile & Embedded

.NET Best Practices

Printing

Remoting

Security in .NET

Speech Programming

Arrays & Collections

ASP.NET

ASP.NET Controls

Windows Forms

Windows Controls

Windows Services

XML .NET

ADO.NET & Database

Web Services

ASP.NET 2.0/3.5

ADO.NET 2.0

Visual Studio 2010

SQL Server 2005

Tablet PC

Visual Studio .NET

C# 2.0

How do I

C# Language

Deployment

Office Interoperability

Java and .NET

Threading

ASP.NET 2.0 Controls

WebForms Controls

Web Forms

Pocket PC

Enterprise Development

Networking

Tutorials

MS Office for .NET

General

COBOL.NET

Articles

Custom Controls

Testing

AJAX

LINQ

Error Zone

Sharepoint

.NET 3.0/3.5

SQL Server 2005/2008

Reporting Services

XAML

WPF

WCF

WF

Robotics & Hardware

Project Management

String & StringBuilder

XNA

BizTalk Server

F#

Financial Applications

OOP/OOD

Silverlight

SQL

Databases & DBA

Hardware

Operating Systems

Team Foundation and VSS

ASP.NET & Web Forms

ASP.NET MVC & JQuery

Files & IO

Windows Azure

HTML, CSS, ASP

Expression Studio

Mono Touch

JQuery

.NET 4.0

Career Advice

Message Queue

VB.NET

Articles

Active Directory

ADO.NET & Database

Algorithms

COM Interop

Cryptography

Assemblies

Deployment

Design & Architecture

Crystal Reports

Exception Handling

LINQ

GDI+ and Graphics

Mobile .NET

Internet and Web

Visual Basic Language

Networking

Office and VB.NET

Pocket PC

Printing

Security

Strings & Arrays

Tablet PC

Multithreading

Windows Forms

Windows Controls

XML in VB.NET

Web Services

Language Syntaxes

Visual Basic 2005

Web Forms Controls

Web Forms

Windows Services

General

Enterprise Development

Games Programming

DirectX

Remoting in VB.NET

VB.NET Tutorials

FAQ

ASP.NET and Web

AJAX

How do I

Reporting Services

WCF

WPF

Silverlight

Speech in VB.NET

Workflow Foundation

XAML

Database & DBA

WCF

WPF

WPF Controls

Windows Vista

Windows Server 2008

How do I

XAML

XAML Reference

.NET 3.0/3.5 SDK

Deployment

Device Drivers

WWF

Expression Tools

Windows CardSpace

LINQ

Silverlight Controls

XLINQ

Silverlight

XAML Templates

WPF FAQ

WPF Documents

WPF References

.NET Heaven

C# Corner

DbTalks

Interview Corner

Longhorn Corner

Mindcracker

VB.NET Heaven

Sponsored by

Become a Sponsor

Similar ArticlesMost ReadTop RatedLatest

Introduction

Before exploring the security features of .net several questions come to mind , lets take a look at some of these questions

What evidence do we have to ensure its trustworthiness?
How can we be sure that this code is trusted?
When we request a module , how do we know if the code that is served to us is right or not?
How can we handle scenarios where we need custom methods for security?

The .net security model answers all of these questions for us. The .net framework gathers Evidence about assemblies such as where the code is originating from and groups the code into Several code groups . It later enforces a security policy based on this accumulated evidence.

Security Features in .Net.

The .net framework and common language runtime provide services and classes for securing our applications . Take a look at table 1.0 which lists security classes available as a part of .net framework.

Security Class	Description	Can be inherited	Parent Class
EnviromentPermission	This class deals with the creation/updating of System and User environment variable	No	CodeAccessPermmision
UIPermission	This Class Controls the ability to use User Interfaces and the Clipboard.	No	CodeAccessPermmision
FileIOPermission	This files deals with ability to access files and folder.	No	CodeAccessPermmision
SecurityPerssion	This class defines a collection of security permissions flags used by the .net framework security system.	No	CodeAccessPermmision
PrincipalPermission	This class allows us to perform checks against the active principal using language constructs defined for both declarative and imperative security actions	No	Object
GenericPrincipal	It is the basic Implementation of IPrincipal representing any principal . This class allows code to check role memberships of the user represented by GenericPrincipal object.	Yes	Object
GenericIdentity	An object of this class represents the user on whose behalf the code is running	Yes	Object

Table 1.0

Lets highlight the key concepts in .net Security , all below mention concepts are used some how
Depends upon the nature of scenario.

Code Access Security (CAS)
Evidence Based Security
Role Based Security
Declarative and Imperative Security
CAS (Code Access Security)
Cryptography

CAS (Code Access Security).

In today's environment code does not reside on a static , predetermined location but instead is frequently originating from unknown remote sources and may move from location to location through email or is sent across a network to be downloaded on a remote system . Because the possibilities are endless , the code today can be termed as "mobile code" or "code in transition". The .net framework offers a mechanism called Code Access Security that assists us in protecting application Systems from malicious code , granting trust levels to the code and allowing codes from unknown locations to run safely on the local system.

The two main concepts in CAS are Code Groups and Permissions , lets examine both of them.

Code Groups.

Code Groups are groups of code or assemblies that are brought together on the basis of common or similar characteristics . The information that is use is used to group the assemblies or code is called "evidence" . Evidence can be anything know about he code such as digital signatures , the URL or the zone from which the code is originated from.

The point of consideration is that the evidence carried out by the assemblies severs as the entry requirement into the code groups. This is called the "Membership Condition", every assembly must match the group's membership condition in order to belong to that code group. Please note that only one membership condition exists for every code group.

Some of the group membership conditions are listed below.

Zone : A zone is a region from which the code originated , it can take any value from the following

My Computer
Intranet
Trusted
Untrusted

Site: A Site is the web site from which the code is originated.
Publisher : The Publisher of the code.
URL : The specified location from where the code is originated.
Hash Value: The Hash Value (a value represented as a binary string computed by the cryptographic algorithm )
All Code : No specific condition , all the codes belong to this category.
Custom : a condition specified by the user.

Code groups are arranged in the hierarchical manner . the code group situated at top of the hierarchy is called "All Code" and contains all code groups. The hierarchy is used in deciding the code groups to which as assembly belongs. Determining the code group to which an assembly belongs is dome by matching the evidence provided by the assembly with that of the existing code groups in the tree.

Permissions.

Permissions are the actions each code group is allowed to perform such as accessing any local resource or user interfaces . The system administrator usually manages permissions. The primary uses of permissions are as follows .

Code can request the permission it either needs or could use. The .net framework security system will grant these requests depending upon the evidence of the code.
It is possible through CAS to make the code insists its callers to have specific permissions.

There are three kinds of permissions as listed below.

Permissions under the Code Access Permissions category provide access to protected resources and facilitate the performance of restricted operations. Code Access permissions are derived from CodeAccessPermission class which itself is derived from Object class . For instance the EnviromentPermission build-in class allows us to read or write environment variable.
Permissions specifying that the code has authorization that supports a particular kind of identity fall into the category of the Identity permissions .one instance of an Identity Permission class is URLIdentityPermision class , which is used to identify the URL from where the code originated.
Permissions providing a mechanism for discovering whether a user has a particular Identity or is a member of a specified role are called Role based security permissions.

The .net framework provides a set of code access permission classes that are designed to protect a specific set of resources and operations.

Custom Code Access permissions

Typically , for most environments , build in code access permissions are more than sufficient .How ever , in some situations , we may need to define our own code access permission classes . If we wish to define a component or class library that access a resource not covered by the build in permission class but needs to protected from unauthorized code , we need to create a custom code access permissions.

If you wonder what that situation may like consider a scenario in which you had an application that uses students performance records where each student record is stored in a specified file . In such a case , read and write access must be controlled indecently on different types of student data . Since the class FileIOPermission only controls access to the file as a whole custom code access is needed . Custom code access permissions are also appropriate when a build in permission exists but is not defined to protect resource in a way that we want .

Code Access Security controls the access , as code has to protect the resources and operations.

Evidence Based Security

Evidence is information gathered about code or assemblies based on the questions raised by
the security policy . once this information is accumulated , the security policy can grant permissions to a code.

Thus evidence can be anything known about the code such as digital signatures , the URL , the zone that the code is originating from and so forth . The CLR and the host of the application domain gather the evidence . Three kinds of hosts are provided by default namely

Microsoft Internet explorer
ASP.NET
Shell Host (e.g CMD Console )

Once the host and the CLR have gathered all the evidence , it is submitted to the security policy as a set objects encapsulated in a single collection object of type Evidence .

Figure 1.0 shows how evidence is gathered.

A simple example of an evidence can be a URL for an ASP.NET application.

Evidence based security works in tandem with windows logon security . If we attempt to run a
.net desktop application it must be granted the relevant .net code access security permissions . However we as the logged-in user must also be running under a Windows account that has the relevant permission to execute the code. Most application code does not need evidence based security explicitly since it is usually handled my the standard .net libraries .One thing that application can do to use evidence -based security is to include a permission request , this will ensure that the code will only run and that the code gets only those permissions it expects to have. Other situations that can make use of evidence based security are listed below.

Limited access public API : for instance to make public API that only other code from our site can call or only the code signed with a certain key can use.
Resource protecting: when we define a class library that exposes resources need protection we can define permissions and the security policy system to restrict access.

Managing Security Policies

A Security policy as we already know is a set of rules and regulations set by an organization that determines the type of internal and external information resources users can access , the kind of programs they may install on their own computers as well as authority for reserving network resources.

By the way default .net security policy does not include custom permissions , to update the security policy so that it knows about custom permissions , we need to do three things.

We must make the policy aware of the custom permissions.
We must add the assembly to which we want to grant the custom permissions to the list of trusted assemblies.
We then must inform the security policy about the code that should be granted the custom permissions .

Conclusion.

In the next part we will examining role based security , imperative and declarative security , and ASP.NET web based security . Moreover we will explore the command line tools namely capol.exe and permview.exe that works with code groups and permissions at various security policy levels.

NOTE: THIS ARTICLE IS CONVERTED FROM C# TO VB.NET USING A CONVERSION TOOL. ORIGINAL ARTICLE CAN BE FOUND ON C# CORNER (WWW.C-SHARPCORNER.COM).

About the author

Razi Rais
Razi bin Rais is a Software Engineer holds a degree in Computer Science, currently working in Kalsoft Pvt Ltd (a Microsoft gold Partner). His major expertise is in Microsoft.net , and have working experience on ASP.Net , Winforms, Microsoft SharePoint Portal Server 2003 , Microsoft Content Manager Server 2002 . He is a vivid fan of sitcom F.R.I.E.N.D.S , and wishes to get a job in C.S.I squad.

Looking for C# Consulting?

C# Consulting is founded in 2002 by the founders of C# Corner. Unlike a traditional consulting company, our consultants are well-known experts in .NET and many of them are MVPs, authors, and trainers. We specialize in Microsoft .NET development and utilize Agile Development and Extreme Programming practices to provide fast pace quick turnaround results. Our software development model is a mix of Agile Development, traditional SDLC, and Waterfall models.

Click here to learn more about C# Consulting.

Introducing MaxV - one click. infinite control. Hyper-V Hosting from MaximumASP.
Finally – a virtual platform that delivers next-generation Windows Server 2008 Hyper-V virtualization technology from a managed hosting partner you can truly depend on. Visit www.maximumasp.com/max for a FREE 30 day trial. Hurry offer ends soon. Climb aboard the MaxV platform and take advantage of High Availability, Intelligent Monitoring, Recurrent Backups, and Scalability – with no hassle or hidden fees. As a managed hosting partner focused solely on Microsoft technologies since 2000, MaximumASP is uniquely qualified to provide the superior support that our business is built on. Unparalleled expertise with Microsoft technologies lead to working directly with Microsoft as first to offer IIS 7 and SQL 2008 betas in a hosted environment; partnering in the Go Live Program for Hyper-V; and product co-launches built on WS 2008 with Hyper-V technology.

Dynamic PDF
ceTE software specializes in components for dynamic PDF generation and manipulation. The DynamicPDF™ product line allows you to dynamically generate PDF documents, merge PDF documents and new content to existing PDF documents from within your applications.

SQL and .NET performance profiling in one place
Investigate SQL and .NET code side-by-side with ANTS Performance Profiler 6, so you can see which is causing the problem without switching tools.

Go.NET
Build custom interactive diagrams, network, workflow editors, flowcharts, or software design tools. Includes many predefined kinds of nodes, links, and basic shapes. Supports layers, scrolling, zooming, selection, drag-and-drop, clipboard, in-place editing, tooltips, grids, printing, overview window, palette. 100% implemented in C# as a managed .NET Control. Document/View/Tool architecture with many properties&events. Optional automatic layout.

Dundas Software
Dundas Chart for .NET is the most advanced .NET charting package available today. With an extremely complete feature set, elegant architecture and easy implementation, Dundas Chart can quickly add advanced Charting functionality to enhance and transform ASP.NET and Windows Forms applications. Whether you are implementing charting into internal projects, or building applications for clients, Dundas Chart offers advanced technology and advanced results to get the most out of data.

60 FREE UI Controls from DevExpress
Register for your FREE copy on over 60 free presentation controls from DevExpress - Absolutely Free-of-Charge without any royalties or distribution costs. Visit Devexpress.com/60 today. Free controls include advanced lists box, dropdown calendar, rich text edit, spin edit, tab control and so much more!

DevExpress engineers feature rich presentation controls and reporting tools for WinForms, ASP.NET, WPF, and Silverlight. Our technologies help you build your best, see complex software with greater clarity and deliver compelling business solutions for Windows and the web in the shortest possible time.

Clickatell's SMS Gateway
Clickatell's Developer Solutions allow you to SMS enable any website or application via a range of API's. Learn More about our API connections.

Free access to .NET Memory Management video
Everything you need to know about Garbage Collection, Temporary Objects, Fragmentation, Finalization and common causes of memory leaks in .NET. Watch the video here.

Microsoft Visual Studio 2010
Visualize your workspace with new multiple monitor support, powerful Web development, new SharePoint support with tons of templates and Web parts, and more accurate targeting of any version of the .NET Framework. Get set to unleash your creativity.

Nevron Chart for .NET 2010.1 Now Available
The leading .NET charting control now features PDF, Flash and Silverlight export, visualization of large datasets and more. Deliver true charting functionality to your BI, Scorecard, Presentation or Scientific apps. Download evaluation now.

Developer-Ready ASP.NET 2.0 Web Hosting with 3 MONTHS FREE
Now supporting .NET 3.0 Framework with Windows Workflow Foundation, Windows Communication Foundation (WCF), Windows Presentation Foundation (WPF), windows CardSpace (WCS)! Providing more flexibility for Developers with Web Services Support and a User/Permission Manger. Also supporting MS SQL 2005/2000 with Real-Time Backups, FREE Automated Attach .MDF Tool, FREE SQL Restore and Shrink SQL DB Tools, and SQL

Read the Top 10 Books for Microsoft Developers, 15 Days FREE
Read the Top 10 Books for Microsoft Developers, 15 Days FREE

Try Safari Books Online - 15 Days FREE + 15% Off for 1 Year
Try Safari Books Online - 15 Days FREE + 15% Off for 1 Year

Post a Feedback, Comment, or Question about this article


Subject:
Comment: