Friday, August 21, 2009

70-536 MCTS .NET App Security #18

Please feel free to check out my MCTS 70-536 reference page on Chris Catto.com. It’s a page with a summary of all of my posts.
This post is on section 1, Developing Applications that use system types & collections. Here are a few important concepts from the 1st section. As I study for this test I thought this would be good to post on to learn the content & others would be able to view & comment on it.

This content below is a summary from Chapter 11 Application Security.

Thx,

Catto

-------------------------------------------------------

Chapter 11 Application Security

Lesson 1

Understanding Code Access Security (CAS)

CAS is a security system that authorizes managed assemblies to access system resources

CAS implemented by 4 components:

1. Evidence – which identifies an assembly

2. Permissions – describe which resources an assembly can access

3. Permission Sets – collect multiple permissions

4. Code Groups – assign permissions to an assembly based on evidence

Security Policy is a logical grouping of code groups & permission sets. You can use multiple levels of security policy to simplify CAS admin. Assemblies receive the most restrictive set of permissions assigned by each of the policy levels.

CAS permissions can never override the user's OS permissions

.NET Framework Configuration Tool is a graphical tool to configure any aspect of CAS. It can be launched from the Administrative Tools group

CAS Policy tool, Caspol, is a command line tool which has a large number of options for controlling CAS

Lesson 2

Using Declarative Security to Protect Assemblies

Use CAS assembly declarations because they enable admins to:

View permissions required by your app

Prevent your app from running without permissions

Restrict permissions that are granted to the app

Enable you to isolate your app to verify compatibility with partially trusted zones

.NET has more than 10 classes for CAS permissions describing file system, registry & printers

3 types of CAS assembly declarations:

RequestMinimum

RequestOptional

RequestRefuse

To create assembly declarations, add assembly attributes by using permission classes

Use RequestMinimum declarations when your app doesn’t handle permissions appropriately

Use RequestOptional to list every permission required by your app

Use RequestRefuse to further restrict your RequestOptional permissions.

Lesson 3

Using Declarative & Imperative Security to Protect Methods

Use 6 different methods to control permissions to an assembly:

Assert

Demand

Deny

InheritanceDemand

LinkDemand

PermitOnly

Use PermitOnly & Deny to reduce the security risks from attacks

Use Demand & LinkDemand only when you are accessing unmanaged code or custom resources

Use Demand or LinkDemand to protect methods declaratively or imperatively

Use InheritanceDemand declaratively to restrict which new assemblies can derive new classes

Use PermitOnly & Deny both declaratively & imperatively to restrict permissions assigned to a method.

To bypass CAS demands and enable underprivileged assemblies to call privileged methods, use Assert

Permission sets have the same capabilities as individual permissions, but apply a single action to multiple permissions simultaneously. To create a permission set, use the System.Security.PermissionSet class, then use the AddPermission method to specify the permissions that define the permission set. Then you can call any of the standard permission methods on the set: Assert, Deny, Demand & PermitOnly.
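Here is an added example of that permission-set pattern (it is not from the original post or the study guide), written for .NET Framework 2.0-3.5 where CAS policy is active. It also shows one RequestMinimum assembly declaration from Lesson 2. The class name, method names and directory paths are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Lesson 2, declarative: the runtime refuses to load this assembly unless policy
// grants read access to the (constructed) sample directory.
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"C:\cas-demo\allowed")]

public static class CasDemo
{
    const string AllowedDir = @"C:\cas-demo\allowed";   // constructed sample path
    const string OtherDir   = @"C:\cas-demo\other";     // constructed sample path

    // Lesson 3, imperative: limit this method, and everything it calls,
    // to read-only access under AllowedDir.
    static string ReadRestricted(string path)
    {
        PermissionSet allowed = new PermissionSet(PermissionState.None);
        allowed.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, AllowedDir));

        allowed.PermitOnly();          // demands for anything outside the set now fail
        try
        {
            return File.ReadAllText(path);   // FileStream demands Read on the full path
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();   // remove the restriction from this frame
        }
    }

    public static void Main()
    {
        // Set up sample files before any restriction is in place.
        Directory.CreateDirectory(AllowedDir);
        Directory.CreateDirectory(OtherDir);
        string inside = Path.Combine(AllowedDir, "ok.txt");
        string outside = Path.Combine(OtherDir, "secret.txt");
        File.WriteAllText(inside, "inside the permitted directory");
        File.WriteAllText(outside, "outside the permitted directory");

        Console.WriteLine(ReadRestricted(inside));
        try { ReadRestricted(outside); }
        catch (SecurityException ex) { Console.WriteLine("Blocked: " + ex.PermissionType); }
    }
}
```

On .NET Framework 4 and later the RequestMinimum, RequestOptional and RequestRefuse actions and the Deny method are marked obsolete, so compile this against 2.0-3.5.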

Chapter Summary

CAS controls managed code's access to resources similarly to the way that OS security restricts users' permissions. CAS can be configured by the Caspol command line tool or the .NET Framework Configuration Tool.

Assembly Permission requests enable admins to view permission requirements of an assembly.

You can control CAS permissions within an assembly either imperatively or declaratively allowing more control to increase security.
