Please feel free to check out my MCTS 70-536 reference page on Chris Catto.com. It’s a page with a summary of all of my posts.
This post is on section 1, Developing Applications that use system types & collections. Here are a few important concepts from the 1st section. As I study for this test, I thought this would be good to post to learn the content, & others would be able to view & comment on it.
This content below is a summary from Chapter 11 Application Security.
Thx,
Catto
-------------------------------------------------------
Chapter 11 Application Security
Lesson 1
Understanding Code Access Security (CAS)
CAS is a security system that authorizes managed assemblies to access system resources
CAS implemented by 4 components:
1. Evidence – which identifies an assembly
2. Permissions – describe which resources an assembly can access
3. Permission Sets – collect multiple permissions
4. Code Groups – assign permissions to an assembly based on evidence
Security Policy is a logical grouping of code groups & permission sets. You can use multiple levels of security policy to simplify CAS admin. An assembly receives the most restrictive set of permissions assigned across the policy levels.
CAS permissions can never override the user's OS permissions
.NET Framework Configuration Tool is a graphical tool to configure any aspect of CAS. It can be launched from the Administrative Tools group
CAS Policy tool, Caspol, is a command line tool which has a large number of options for controlling CAS
Lesson 2
Using Declarative Security to Protect Assemblies
Use CAS assembly declarations because they enable admins to:
View permission required by your app
Prevent your app from running without permissions
Restrict permissions that are granted to the app
Enable you to isolate your app to verify compatibility with partial trusted zones
.NET has more than 10 classes for CAS permissions describing file system, registry & printers
3 types of CAS assembly declarations:
RequestMinimum
RequestOptional
RequestRefuse
To create assembly declarations, add assembly attributes by using permission classes
Use RequestMinimum declarations when your app doesn’t handle permissions appropriately
Use RequestOptional to list every permission required by your app
Use RequestRefuse to further restrict your RequestOptional permissions.
Lesson 3
Using Declarative & Imperative Security to Protect Methods
Use 6 different methods to control permissions to an assembly:
Assert
Demand
Deny
InheritanceDemand
LinkDemand
PermitOnly
Use PermitOnly & Deny to reduce the security risks from attacks
Use Demand & LinkDemand only when you are accessing unmanaged code or custom resources
Use Demand or LinkDemand to protect methods declaratively or imperatively
Use InheritanceDemand declaratively to restrict which new assemblies can derive new classes
Use PermitOnly & Deny both declaratively & imperatively to restrict permissions assigned to a method.
To bypass CAS demands and enable underprivileged assemblies to call privileged methods, use Assert
Permission sets have the same capabilities as individual permissions, but apply a single action to multiple permissions simultaneously. To create a permission set, use the System.Security.PermissionSet class, then use the AddPermission method to specify the permissions that define the permission set. Then you can call any of the standard methods on the permission set: Assert, Deny, Demand & PermitOnly.
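The permission-set steps from Lesson 3, as an added C# example (not from the original post or the training kit). It assumes the .NET Framework and an existing C:\Reports directory; the ReportWriter class, the directory and the file names are hypothetical.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Added example. ReportWriter and C:\Reports are hypothetical names.
static class ReportWriter
{
    const string ReportDir = @"C:\Reports";   // assumed to exist

    // Writes a report while restricting this call path to one directory.
    public static void Save(string fileName, string text)
    {
        // Start from an empty set and add only what this method needs.
        PermissionSet allowed = new PermissionSet(PermissionState.None);
        allowed.AddPermission(
            new FileIOPermission(FileIOPermissionAccess.Write, ReportDir));

        // PermitOnly: any CAS demand raised below this frame fails unless
        // the permission set above covers it.
        allowed.PermitOnly();
        try
        {
            File.WriteAllText(Path.Combine(ReportDir, fileName), text);
        }
        finally
        {
            // Remove the restriction before returning to the caller.
            CodeAccessPermission.RevertPermitOnly();
        }
    }

    static void Main()
    {
        Save("summary.txt", "ok");   // stays inside C:\Reports: allowed

        try
        {
            // Constructed bad input: the path resolves to C:\outside.txt,
            // which the permitted set does not cover.
            Save(@"..\outside.txt", "x");
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Blocked by PermitOnly: " + ex.Message);
        }
    }
}
```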
Chapter Summary
CAS controls managed code's access in a way similar to how OS security restricts users' permissions. CAS can be configured by the Caspol command line tool or the .NET Framework Configuration Tool.
Assembly Permission requests enable admins to view permission requirements of an assembly.
You can control CAS permissions within an assembly either imperatively or declaratively allowing more control to increase security.