Thursday, August 20, 2009

70-536 .NET MCTS Security Section #16

Hey Now Everybody,

This is some content from the security section from the 70-536 MS .NET exam. I’ve been studing this, please take a look & feel free to comment.

Thx,

Catto

5. Improving the security of the .NET Framework by security features


  1. You are developing an internal Windows Forms-based inventory management application. One form you have created has a control named managerControl that should be visible only if users are a member of the CONTOSO\Managers group. Which of the following code segments is the most effective way to implement this?

' VB

Dim user As WindowsPrincipal = New WindowsPrincipal(WindowsIdentity.GetCurrent)

If user.IsInRole("CONTOSO\Managers") Then

managerControl.Visible = True

Else

managerControl.Visible = False

End If

Explanation: Ch 12 Lesson 3

The best way to make decisions based on group memberships is to create a WindowsPrincipal object and call WindowsPrincipal.IsInRole. In this example, you should make the managerControl visible if the user is part of the CONTOSO\Managers group.

You should use PrincipalPermission.Demand only when you want to halt processing if the user does not meet security requirements, because the method call throws an exception. Although you could catch the exception, using an If statement is better programming style.

Although this code sample correctly calls WindowsPrincipal.IsInRole, it makes the control visible if the user is NOT a member of the CONTOSO\Managers group.

You should use PrincipalPermission.Demand only when you want to halt processing if the user does not meet security requirements, because the method call throws an exception. Although you could catch the exception, using an If statement is better programming style. Additionally, it makes the control visible if the user is NOT a member of the CONTOSO\Managers group.

  1. Which of the following declarations would cause the runtime to throw an exception if the assembly lacked permission to print to the LPT1 port?

' VB

<Assembly:PrintingPermission(SecurityAction.RequestMinimum)>

Explanation: CH 11 Lesson 3

Use the PrintingPermissionAttribute to declare printing permission requirements. In this case, you should specify SecurityAction.RequestMinimum to cause the runtime to throw an exception if the assembly does not have permission to print.

The .NET Framework provides PrintingPermissionAttribute. Use FileIOPermissionAttribute when you need to declare permissions for the file system. Additionally, you cannot specify a specific port in this way.

  1. You are writing an internal application. Your IT department is responsible for defining permissions that different groups have to the configuration files your application uses. They have provided you the

following requirements:

    • * Members of the Administrators group can modify the file and its permissions.
    • * Members of the Power Users group can edit the file, but cannot change its permissions.
    • * Members of the Users group can view the file, but cannot edit it.
    • * Guests cannot read or edit the file.
    • Which of the following code samples efficiently creates a file with the proper permissions?
      • ' VB
      • Dim fs As FileSecurity = New FileSecurity
      • fs.AddAccessRule(New FileSystemAccessRule(New NTAccount("Administrators"), FileSystemRights.FullControl, AccessControlType.Allow))
      • fs.AddAccessRule(New FileSystemAccessRule(New NTAccount("Power Users"), FileSystemRights.Modify, AccessControlType.Allow))

      • fs.AddAccessRule(New FileSystemAccessRule(New NTAccount("Users"), FileSystemRights.Read, AccessControlType.Allow))
      • fs.AddAccessRule(New FileSystemAccessRule(New NTAccount("Guests"), FileSystemRights.FullControl, AccessControlType.Deny))
      • System.IO.File.Create("config.xml", 1000, FileOptions.None, fs)
    • Explanation: Ch 12 Lesson 2
    • To create a file with the specified permissions, you need to add four access rules to a FileSecurity object: Administrators with FullControl, Power Users with Modify, Users with Read, and Guests with FullControl/Deny.
    • This code sample grants the Guests group the right to Delete the file. Although they will not be able to view or edit the file, Guests will still be able to remove the file. Additionally, while you can add both an Allow and Deny permission for Power Users, this is not the most efficient way to prevent Power Users from modifying privileges. Instead, you can simply specify the Modify permission.
  1. Which of the following code samples imperatively demands that the current user is a member of the local Users group? (Choose all that apply.)

' VB

System.AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal)

Dim myPerm As PrincipalPermission = New PrincipalPermission(Nothing, "Users", True)

myPerm.Demand()

' VB

System.AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal)

Dim myPerm As PrincipalPermission = New PrincipalPermission(Nothing, "BUILTIN\Users", True)

myPerm.Demand()

Explanation: Ch 11 Lesson 3

To perform an imperative security demand for membership in a built-in Microsoft Windows group, you must first set the default principal policy to the Windows principal by calling

SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal). Then construct a PrincipalPermission object specifying the group name. To specify the group name, you can provide just the group name, or you can preface the group name with either "BUILTIN\" or the computer name and a backslash. Finally, call the PrincipalPermission.Demand method.

If you do not set the principal policy to the Windows principal by calling SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal), imperative security checks will fail.

  1. You are writing a method for internal use within your organization. Per instructions from your IT department, only users who are members of the domain group CONTOSO\Developers should be able to run your method. Which of the following code samples would prevent users who are not members of the Developers domain group from running your method?

' VB

Dim i As WindowsIdentity = WindowsIdentity.GetCurrent

Dim currentPrincipal As WindowsPrincipal = New WindowsPrincipal(i)

If Not currentPrincipal.IsInRole("CONTOSO\Developers") Then

Throw New SecurityException("You must be a Developer")

End If

Explanation: Ch 12 Lesson 1

To check which domain groups a user is in, create a WindowsPrincipal object based on WindowsIdentity.GetCurrent(). Then check WindowsPrincipal.IsInRole using just the domain name, a backslash, and the group name.

WindowsIdentity does not have an IsInRole method. Instead, you should create a WindowsPrincipal object. Additionally, you must prepend the domain name to the group name when using WindowsPrincipal.IsInRole to determine domain group memberships.

  1. You are writing a method for internal use within your organization. Per instructions from your IT department, only users who are members of the local Administrators group should be able to run your method. Which of the following code samples would prevent users who are not members of the local Administrators group from running your method?

' VB

Dim i As WindowsIdentity = WindowsIdentity.GetCurrent

Dim currentPrincipal As WindowsPrincipal = New WindowsPrincipal(i)

If Not currentPrincipal.IsInRole("Administrators") Then

Throw New SecurityException("You must be an Administrator")

End If

Explanation: Ch12 Lesson 1

To check which groups a user is in, create a WindowsPrincipal object based on WindowsIdentity.GetCurrent(). Then check WindowsPrincipal.IsInRole using just the group name. When testing for built-in roles, use WindowsBuiltInRole.

WindowsIdentity does not have an IsInRole method. Instead, you should create a WindowsPrincipal object. Additionally, you should not prepend LOCAL\ to the group name when using WindowsPrincipal.IsInRole.

  1. Which of the following If statements correctly identifies whether the current assembly has permission to read the C:\Boot.ini file?

' VB

If SecurityManager.IsGranted _

(New FileIOPermission(FileIOPermissionAccess.Read, "C:\Boot.ini")) Then

Explanation: Ch 11 Lesson 3

Use SecurityManager.IsGranted to imperatively determine whether the current process has a specific permission.

You must provide a Permission object to SecurityManager.IsGranted. You cannot provide a FileIOPermissionAccess enumeration.

SecurityManager.CheckExecutionRights only determines whether the process must have System.Security.Permissions.SecurityPermissionFlag.Execution to execute.

  1. You are writing an application that analyzes database information and creates an XML summary. All users in the Contoso domain should be able to view the report. Additionally, members of the Domain Admins group should be able to modify or delete the file.

Which of the following code samples creates a text file with the proper permissions?

' VB

Dim admins As NTAccount = New NTAccount("CONTOSO", "Domain Admins")

Dim users As NTAccount = New NTAccount("CONTOSO", "Domain Users")

Dim adminsRule As FileSystemAccessRule = New FileSystemAccessRule(admins, FileSystemRights.FullControl, AccessControlType.Allow)

Dim usersRule As FileSystemAccessRule = New FileSystemAccessRule(users, FileSystemRights.Read, AccessControlType.Allow)

Dim fs As FileSecurity = New FileSecurity

fs.AddAccessRule(adminsRule)

fs.AddAccessRule(usersRule)

System.IO.File.Create("summary.xml", 1000, FileOptions.None, fs)

Explanation: Ch 12 Lesson 2

First you should create an instance of NTAccount for the user or group that you need to add an access control entry for. Then create an instance of FileSystemAccessRule with the account, the file system rights, and the access control type. Next create a FileSecurity instances and add the access rule to the FileSecurity instance. Finally, create your file using one of the overloaded constructors that allows specifying file security.

You cannot add rules to an instance of FileSecurity using the FileSecurity constructor.

This code sample incorrectly grants Read access to Domain Admins, and grants Full Control access to Domain Users.

This code sample grants the Domain Users group the ReadPermissions access level, which allows them to view the permissions assigned to a file but not to open the file as the requirements demand.

  1. You need to establish a Secure Sockets Layer (SSL) session with a remote server. The security policy at our organization requires you to validate the server's SSL certificate. Which of the following code samples most efficiently validates the certificate?

' VB

Sub Main()

Dim client As TcpClient = New TcpClient("www.contoso.com", 443)

Dim sslStream As SslStream = New SslStream(client.GetStream, False, _

AddressOf ValidateServerCertificate, Nothing)

' TODO: Communicate with server

sslStream.Close()

End Sub

Public Function ValidateServerCertificate(ByVal sender As Object, ByVal _

certificate As X509Certificate, ByVal chain As X509Chain, ByVal _

sslPolicyErrors As SslPolicyErrors) As Boolean

If sslPolicyErrors = sslPolicyErrors.None Then

Return True

End If

Return False

End Function

Explanation: Ch 12 Lesson 1

To validate a certificate, use the overloaded SslStream constructor that allows you to provide a RemoteCertificateValidationCallback delegate. In the delegate, which must accept several parameters to match the delegate signature, return true if the certificate is valid or false if the certificate is not valid.

  1. Your IT department has requested your assistance. They have asked you to write a console application that analyzes the C:\Boot.ini file to determine whether it is properly configured. The IT department will deploy your tool with administrative privileges, and you want to minimize the risk that the application will be abused to perform another task. Which of the following attributes would you use to minimize the security risk by limiting the assembly's privileges so that it can only access the C:\Boot.ini file?

' VB

<Assembly: FileIOPermissionAttribute(SecurityAction.RequestOptional, Read := "C:\boot.ini")>

Explanation: Chapter 11 Lesson 3

For declarative security attributes, use SecurityAction.RequestOptional to list only CAS permissions your application should have. Additionally, you might want to use SecurityAction.RequestMinimum to cause the runtime to throw an exception if the assembly lacks the required permission.

SecurityAction.PermitOnly cannot be used in declarative attributes.

SecurityAction.RequestMinimum causes the runtime to throw an exception if the runtime lacks the listed permissions. However, it does not cause the runtime to reduce the assembly's permissions.

  1. Per instructions from your IT department, you need to configure your application's configuration file with the following security settings:

* Users must be able to read, but not modify, the configuration file.

* Administrators must be able to edit the configuration file.

* An event must be added to the event log each time an administrator modifies the file.

Which of the following code samples correctly creates a FileSecurity object to meet these requirements?

' VB

Dim a As NTAccount = New NTAccount("Administrators")

Dim u As NTAccount = New NTAccount("Users")

Dim ar1 As FileSystemAccessRule = New FileSystemAccessRule(a, FileSystemRights.FullControl, AccessControlType.Allow)

Dim ar2 As FileSystemAccessRule = New FileSystemAccessRule(u, FileSystemRights.Read, AccessControlType.Allow)

Dim ar3 As FileSystemAuditRule = New FileSystemAuditRule(a, FileSystemRights.Modify, AuditFlags.Success)

Dim fs As FileSecurity = New FileSecurity

fs.AddAccessRule(ar1)

fs.AddAccessRule(ar2)

fs.AddAuditRule(ar3)

Explanation: Ch 12 Lesson 2

You need to create two instances of FileSystemAccessRule to create the Discrectionary Access Control Lists (DACLs) for Administrators and Users, and one instance of FileSystemAuditRule to create the System Access Control List (SACL) for Administrators.

You cannot create an instance of FileSystemAccessRule to enable auditing. You must use FileSystemAuditRule.

You must call FileSecurity.AddAccessRule to add instances of type FileSystemAccessRule, and FileSecurity.AddAuditRule to add instances of type FileSystemAuditRule.

  1. You are writing an internal application. Your IT department is responsible for defining permissions that different groups have to the registry keys your application uses. IT has requested only a single change to the default registry permissions: they want the Guests local group to be explicitly denied all access.

Which of the following code samples properly sets the permissions to the HKEY_CURRENT_USER\Software\MyApp key?

' VB

Dim g As NTAccount = New NTAccount("Guests")

Dim rar As RegistryAccessRule = New RegistryAccessRule(g, RegistryRights.FullControl, AccessControlType.Deny)

Dim rs As RegistrySecurity = New RegistrySecurity()

rs.AddAccessRule(rar)

Dim rk As RegistryKey = Registry.CurrentUser.OpenSubKey("Software\MyApp", True)

rk.SetAccessControl(rs)

rk.Close()

Explanation: Ch 12 Lesson 2

To modify registry permissions, first create a RegistryAccessRule instance with the correct permissions. Then create a RegistrySecurity instance, and add the access rule. Finally, create an instance of RegistryKey and call the RegistryKey.SetAccessControl method.

Setting the hive using Registry.Users is incorrect; the requirements specify that you should use Registry.CurrentUser for the HKEY_CURRENT_USER hive.

You cannot create an instance of RegistryKey using a RegistryHive because the runtime cannot automatically perform the conversion.

You cannot create an instance of RegistryKey using a RegistryHive because the runtime cannot automatically perform the conversion. Additionally, you need to specify AccessControlType.Deny.

  • You are creating an assembly that needs to store private data to the disk. To protect the private data, you are encrypting it using asymmetric encryption. Below are the tasks you should perform to create & store a private encryption key.

1. Create a CSParameters object

2. Specify the CspParameters KeycontainerName properly

3. Create an RSACryptoServiceProvider object using the overloaded constructor the

4. Set the RSACryptoServiceProvider.PersistKeyInCsp property to true

    • Explanation Ch12 Lesson 3:
    • To store private keys persistently, you must create a CspParameters object, specify the CspParameters.KeyContainerName property, use that CspParameters object to create an RSACryptoServiceProvider object, and then set the RSACryptoServiceProvider.PersistKeyInCsp property to true.
    • You cannot use the blank RSACryptoServiceProvider constructor and then later define the CspParameters object. You must specify the CspParameters object during the RSACryptoServiceProvider construction.
    • You do not need to set the RSACryptoServiceProvider.ExportParameters property to true. chapter 5 stuff
  • You need to modify MS Windos access control security for a namesd mutex. Below are the selected tasks that you’d perform to modify Windows access control security for a named mustex:
    1. Create an instance of the Mutex class
    2. Create an instance of the MutexSecurity class using Mutex.GetAccessControl()
    3. Add access rules to the MutexSecurity class
    4. Call Mutex.SslAccessControl()
    • Explanation Ch 12 Lesson 2:
    • To modify Windows access control security for a named mutex, use the Mutex.GetAccessControl method to get the MutexSecurity object. Modify the security object by adding and removing rules, and then use the Mutex.SetAccessControl method to reattach it.
  • The following is the order the security policies are applied to your assembly:
    • Enterprise
    • Machine
    • User
    • Application Domain
    • Explanation: Ch 11 Lesson 1
      • The Enterprise level is the highest security policy level, describing security policy for an entire enterprise. Enterprise security policy can be configured by using the Active Directory directory ser
      • Machine policy, the second security policy level, applies to all code run on a particular computer. User policy is the third level, and it defines permissions on a per-user basis. The runtime evaluate
      • Enterprise, Machine, and User levels separately, and it grants an assembly the minimum set of permissions granted by any of the levels (known as the intersection of the permission sets). Finally, the runtime evaluates the Application Domain security policy.
  • Tls – Tls is the SslProtocol enumeration will you specify when you are creating a service that accepts incoming SSL connections. All valid clients will be based on the .NET Framework 2.0 You want to ensure that only the most secure communications will be allowed, however, all clients must be able to connect to your service.
    • SslProtocols.Tls is the most secure conection protocol supported by .NET Framework 2.0 & clients.
    • SslProtocols.Ssl3 & SslProtocols. Ssl2 have been superseded by SslProtocols.Tls
    • SslProtocols.Default allows both SSL 3.0 & TLS 1.0 communications . In the case it is not necessary to allow SSL 3.0 communications.
  • The internet permission set is in effect because the runtime applies the most restrictive set of permissions. The internet permission set is more restrictive than the Everything or the FullTrust permission.
  • DSACryptoServiceProvider – class is the class you can use to sign a message with a digital signature & prove that the message originated from an office.
    • DSACryptoServiceProvider provides asymmetric digital signatures, which is the best way to prove that a message is genuine.
    • MD5 & SHA256 are hashing algorithms, which you can use to generate a unique key based on the contents of a file.
    • RijndaeManaged, DES, RC2 & TripleDes are all symmetric encryption classes.
    • RSACryptoServiceProvider provides asymmetric encryption it cannot be used to sign messages.
  • RijndaeManaged symmetric cryptography class valid key lengths:
    • 256 bits
    • 128 bits
      • The RijndaeManaged class can use key lengths of 128 through 256 bits in 32-bit increments
  • You have written an app that specifies SACLs on a registry key so that events will be added to the Security event log if a user modifies a value. What else do you need to do to enable auditing?
    • 1 Open the Local Security Policy console
    • 2. Expand Local Policies & select Audit Policy
    • 3 Set Audit Object Access to Success
      • Object auditing is disabled by default because it negatively affects system performance, However, you must enable it uing the Local Security Policy or a domain Group Policy object for file oor registry auditing to occur. The requirements state that you want an event logged if a user successfully modifies a key so you should set the Audit Object Acess policy to Success.
      • Setting the Audit Object access to Failure would only log unsuccessful attemplss to modify the registry key which would not meet the requirements.
  • Caspol-machine –addfulltrust App.exe – is the command that adds the App.exe assembly to the full trust list for the machine policy.
    • use the machine & addfulltrust arguments with the Caspol.exe command-line tool to add an assembly to the full trust list for the machine policy.
    • The user argument adds the assembly to the user full trust list, not the machine full trust list
    • You cannot use the addgroup argument to add an assembly to the full trust list.
  • Caspol.exe – is the tool that you would use to examine and modify code access security policies from a batch file.
    • You can use the Code Access Security Policy tool (Caspol.exe) to examine & modify Machine User & Enterprise level code access security policies. Although the .NET Framework Configuration tool is the most convenient tool to use for manual configuration, Caspol provides similar functionality at the command line or within a batch file.
    • Use StoreAdm.exe to manage isolated storage
    • Use Sn.exe to manage strong names
    • Use GacUtil.exe to manage the global assembly cache
  • The following classes provide symmetric encryption:
    • TripleDes
    • RC2
    • RijndaeManaged
    • DES
      • RijndaeManaged, DES, RC2 & TripleDes are all semmetric encryption classes.
      • DSACryptoServiceProvider provides asymmetric digital signatures
      • RSACryptoServiceProvider provides asymmetric encryption
  • The following classes you could use to create a unique identifier for a file:
    • MD5
    • SHA256
      • MD5 & SHA256 are hashing algorithms, which you can use to generate a unique key based on the contents of a file.
      • RijndaeManaged, Des, RC2 & TripleDes are all symmetric encryption classes
      • DSACryptoServiceProvider provides asymmetric digital signatures
      • RSACryptoServiceProvider provides asymmetric encryption
  • AES – You are creating an SslStream object to transfer data encrypted access a network. You want to use the most secure encryption protocol available. Of the types available in the CipherAlgorithmType enumeration which should you choosse? AES
    • Of the options fiven, AES is the most secure encryption algorithm.
    • MD5 is a hashing algorithm and is not part of the CipherAlgorithmType enumeration
  • DES – is the System Security Cryptography class that would indicate that the dev was using weak encryption that could potentially be cracked in a short amount of time
    • The Data Encryption Standard (DES) is a symmetric encryption algorithm that uses relatively short key lengths that are vulnerable to creacking attacks. For that reason it should be avoided.
    • RijndaeManaged an implementation of Advanced Encryption Standard (AES) is a strong government encryption standard & is the only .NET Framework symmetric encryption class that is fully managed. All other encryption classes call unmanaged code. Decause of this RijndaeManaged is the preferred choice when your app will be running in a partially trusted environment.
    • RC2 is an ecryption standard designed to replace DES that uses variable key sizes. It is more secure than DES
    • Triple=DES is the .NET Framework implementation of the Triple Des (3DES) symmetric encryption algorithm it essentially applies the DES algoritym three times. It is approximately twice s strong as standard DES
  • ZoneMembershipCondition class - would be used to test whether an assembly was located on the intranet.
    • The ZoneMembershipCondition class determines whether an assembly belongs to a code group by testing its zone. To test for the intranet zone, create an instance of ZoneMembershipConditoin using the SecureZone.Intranet enumeration.
    • The GacMembershipCondition class determines whether an assembly belongs to a code group by testing its global assembly cache membership
    • The SiteMembershipCondition class determines whether an assembly belongs to a code group by testing the site from which it originated.
    • The Url MembershipConditio class determines whether an assembly =belongs to a code griop by testing its URL. While the function is very similar , use UrlMembershipcondition for assemblies rretrieved using HTTP.
  • Execution – is the permission set that provides the fewest privileges while still allowing an assembly to run.
    • The Executio permission set enables an assembly to run while granting no additional permissions.
    • The mInternet permission set grants a restricted set of permissions to an assembly. Generally you can run an assembly with this permission set with very little risk. Even malicious assemblies should not be able to cause any seriouse damage when run with this permission set. Howeever, the internet permission set does grant privileges beyond those provided by the Executios permission set.
    • Local Intranet permission set grants a generous set of permissions to assemblies, including the ability to print & access the event log.
    • The Nothing permission set grants no permission to an assembly. thie assembly will not even be allowed to run.
    • The FullTrust permission set exempts an assembly from CAS permission checks.
  • What classes or interfaces would you use to implement most efficiently the custom user management system?
    • GenericPrincipal
    • GnericIdentity
      • Using WindowsIdentity and WindowsPrincipal would require an Active Directory domain
      • You could implement Identity & IpPrincipal, but that would require writing more code than it would if you used GenericIdentity & CenericPrincipal
  • FullTrust – is the permission set that provides the best performance
    • The FullTrust permission set examples an assembly from CAS permission checks, which improves performance.
    • All other permission sets require the runtime to perform security checks, which has a performance impact.
  • CodeAccessPermissionPermitOnly – you would use to limit the permissions available to a portion of a method by declaring only the permission the code segment should have.
    • Use CodeAccessPermission.PermitOnly to imperatively reduce permissions when a section of a method requires fewer permissions than the rest of the method. This is particularly important when calling objects created by third parties.
    • SecurityActionPermitOnly declarations limit the permissions available to a method by specifying only the permissions the method should have SecurityAction.PermistOnly is similar to CodeAccessPermissions.PermitOnly, except it is declarative rather than imperative.
    • SecurityAction.Deny declarations refine the permissions available to a method by eliminating specific named permissions. It cannot be used imperatively
    • Use CodeAccesspermission.Assert when you want to allow partially trusted code to call a method that requires permission the caller might lack.
  • The following asymmetric encryption scenarios you woulud need to store a key pair:
    • Signing documents to prove authenticity
    • Storing an encrypted file for later retrieval
    • Storing encrypted data in a database
      • You must store a key pair any time a file is going to be decrypted at a later date. Without the key pair decryption cannot occur. When signing documents, you must store the key pair so that the key pair can be used to validate the signature later.
      • You do not need to store a key pair when transferring encrypted data across a network. In the circumstance, you can destroy the keys after the network communication has completed.
  • The following identifies the username of the security context in which the current assembly is running:
    • System.Environment.UserName
    • System.Environment.GetEnvironmentVariable(username”)
      • You can retrieve the current username w/ System.Environment.UserNmae or Systme.Environment.GetEnvironmentVariable(“username”). Of those two, you should choose the System.Environment.UserName whenever possible.
      • System.Environment.UserDomainName retrieves the domain name
      • WindowsIdentity.GetCurrent() retrieves both the domain & login name
      • System.Environment.GetEnvironmentVariable(userdomain) retrieves the domain name
  • ApplicationDirectoryMembershipCondition – class you would use to test whether an assembly was located in a specific folder.
    • The pplicationDirectoryMembershipCondition class determines whether an assembly belongs to a code group by testing its application directory
    • The GacMembershipCondition class determines whether an assembly belongs to a code group by testing its globacl assembly cache membershiop
    • The SiteMembershipCondition class determines whether an assembly belongs to a code group by testing the site from which it originated.
    • The UrlMembershipCondition class determines whether an assembly belongs to a code group by testing its URL> while the function is very similar use UrlMembershipCondition for assemblies retrieved using HTTP
  • IApplicationTrustManager is the interface you would implement if you need to create a custom trust manager to enable your organi9zation to use custom logic when determining whether a .NET app should be executed & which permissions should be granted to the application.
    • Trust managers musth implement the IApplicatinTrustManager interface. The host calls the DetermineApplicationTrust method in the trust manager to determine whether an app should be executed & which permissions should be granted to the app.
    • IMembershipCondition defines the teest to determine whether a code assembly is a member of a code group. wheile
  • DSACryptoServiceProvider – class provides asymmetric digital signatures.
    • DSACryptoServiceProvider provides asymmetric digital signatures
    • RSACryptoServiceProvider provides asymmetric encryption, it does not provide digital signatures
    • RijndaeManaged, DeES, RC2 & TripleDES asre all symmetric encryption classes.
  • The following permissions are available with the Internet permission set:
    • Open the File dialog box
    • Store a file in isolated storage
      • Assemblies running with the Internet permission set do have the right to open the File dialog box or store a file in isolated storage
      • Assemblies running with the Internet permission set do not have the right to examine environment variables, analyze performance counters or send requests to Web sites.
  • SslStream.IsMutuallyAuthenticated method – can be used to checkm when you need to establish a Secure Sockets Layer (SSL) session with a remote server. The security policy at your organization requires both the client & the sever to provide a valid certificate for authentication before communication begin.
    • SslStream.IsMutallyAuthenticated gets a Boolean value that indicates whether both the server & client have been authenticated.
    • SslStream.IsSigned gets a Boolean value that indicates whether the data sent using the stream is signed. It does not indicate whether both the client & server were authenticated.
    • SslStream.IsServer gets a Boolean value that indicates whether the local side of the connection used by the SslStream was authenticated as the server. It does not indicate whether both the client & server were authenticated.
    • SslStream.IsAuthenticated gets a Boolean value that indicates whether authentication was successful. It does not indicate whether both the client & server were authenticated.
    • SslStream.IsEncrypted gets a Boolean value that indicates whether the SslStream uses data encryption. It does not indicate whether both the client & server were authenticated.
  • IMembershipCondition interface is what you would want to implement when you need to override the standard logic used to determine whether an assembly is a member of a code group.
    • IMembershipCondition defines the test to determine whether a code assembly is a member of a code group.
    • Trust mangers must implement the IAppicationTrustManager interface. The host calls the DetermineApplicationTrust method in the trust manager to determine whether an app should be executed & which permissions should be granted to the app. You cannot use IApplicationTrustManager to alter the logic used to determine whether an assembly is a member of a code group.
    • IIdentifyPermissionFactory is used to provide custom identity permission logic. You cannot use IIdentityPermissionFactory to alter the logic used to determine whether an assembly is a member of a code group
    • IIDentity is an identity object that represents the user. It might be uses as evidence, however you cannot use IIdentity to alter the logic used to determine whether an assembly is a member of a code groiup.
  • RijndaeManaged symmetric cryptography class should be used when you are creating an assembly & need to encrypt data.

No comments: