Microsoft .NET security for newcomers


Kamran Shakil
02.21.2003

.NET security crosses process boundaries and even machine boundaries to prevent access to sensitive data or resources in a distributed application environment. This tip draws on Inside C# by Tom Archer.

The following are some of the basic elements of the .NET security system:

  1. Evidence-based security is a new concept in the .NET Framework. An assembly carries several important pieces of information that can be used to decide what level of access to grant the component. The information used includes, among other things, the site the component was downloaded from, the zone that site is in (Internet, intranet, local machine, and so on), and the strong name of the assembly. The strong name is an encrypted identifier that uniquely identifies the assembly and confirms that it has not been tampered with.

  2. The .NET Common Language Runtime (CLR) provides security through a policy-driven trust model based on code evidence. It sounds worse than it really is. Essentially, this is a system of security policies that an administrator can set to allow certain levels of access based on the component's assembly information. The policies are set at three levels: the enterprise, the individual machine and the user.

  3. Calling .NET Framework methods from the Base Class Library gives you the benefits of the built-in security. That is, the developer doesn't have to make explicit security calls to access system resources. However, if your components expose interfaces to protected resources, you will be expected to take the appropriate security measures.

  4. Role-based security plays a part in the .NET security scheme. Many applications need to restrict access to certain functions or resources based on the user, and .NET introduces the concepts of identities and principals to incorporate these functions.

  5. Authentication and authorization functions are now accessed through a single API. These can easily be extended to incorporate application-specific logic as required. Authentication methods include basic operating system user identification, basic HTTP, ASP.NET forms, Digest and Kerberos, as well as the new .NET service, Microsoft .NET Passport.

  6. Isolated storage is a special area on disk, assigned to a specific assembly by the security system. No access to other files or data is allowed, and each assembly using isolated storage is separated from the others. Isolated storage can be used for saving a component's state or settings, and can be used by components that do not have access to read and write files on the system.

  7. A robust set of cryptographic functions that support encryption, digital signatures, hashing and random-number generation is included in the .NET Framework. These are implemented using algorithms such as RSA, DSA, Triple DES, DES and RC2, as well as the MD5, SHA1 and SHA-512 hash algorithms. Moreover, the XML Digital Signature specification, under development by the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C), is also available. The .NET Framework uses these cryptographic functions to support various internal services.
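
To make items 1 and 2 concrete, the following added example (not part of the original tip or of Inside C#) prints the evidence the runtime attached to the running assembly, then asks the policy system what it would grant to code from three different zones. It assumes .NET Framework 2.0 to 3.5 with code access security policy in effect; the class name EvidenceDemo is illustrative.

```csharp
// Added example; assumes .NET Framework 2.0-3.5 with CAS policy in effect.
using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

static class EvidenceDemo
{
    // Ask the runtime which permissions the combined enterprise, machine and
    // user policy would grant to code whose only evidence is the given zone.
    static PermissionSet ResolveForZone(SecurityZone zone)
    {
        Evidence evidence = new Evidence();
        evidence.AddHost(new Zone(zone));
        return SecurityManager.ResolvePolicy(evidence);
    }

    static void Main()
    {
        // 1. Evidence the host attached to this assembly when it was loaded.
        IEnumerator host = Assembly.GetExecutingAssembly().Evidence.GetHostEnumerator();
        while (host.MoveNext())
        {
            object item = host.Current;
            if (item is Zone) Console.WriteLine("Zone:       " + ((Zone)item).SecurityZone);
            else if (item is Url) Console.WriteLine("Url:        " + ((Url)item).Value);
            else if (item is StrongName) Console.WriteLine("StrongName: " + ((StrongName)item).Name);
            else Console.WriteLine("Other:      " + item.GetType().Name);
        }

        // 2. The same policy, evaluated for code from different zones.
        PermissionSet fileAccess = new PermissionSet(PermissionState.None);
        fileAccess.AddPermission(new FileIOPermission(PermissionState.Unrestricted));

        SecurityZone[] zones = { SecurityZone.MyComputer, SecurityZone.Intranet, SecurityZone.Internet };
        foreach (SecurityZone zone in zones)
        {
            PermissionSet granted = ResolveForZone(zone);
            Console.WriteLine("{0,-10} full trust: {1,-5} unrestricted file I/O: {2,-5} permissions: {3}",
                zone, granted.IsUnrestricted(), fileAccess.IsSubsetOf(granted), granted.Count);
        }
    }
}
```

The grant sets printed depend on the policy an administrator has configured on the machine, which is the point of item 2.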
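
For item 4, an added example (not from the original tip) of a component that restricts one operation by role using identities and principals. PayrollService, ApproveRaise, the user names and the role names are all hypothetical.

```csharp
// Added example; PayrollService and the users/roles below are hypothetical.
using System;
using System.Security;
using System.Security.Principal;
using System.Threading;

static class PayrollService
{
    // The component checks the caller itself instead of trusting the UI layer.
    public static string ApproveRaise(string employee, int percent)
    {
        IPrincipal caller = Thread.CurrentPrincipal;
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new SecurityException("Caller is not authenticated.");
        if (!caller.IsInRole("Managers"))
            throw new SecurityException(caller.Identity.Name + " is not in role Managers.");
        return caller.Identity.Name + " approved " + percent + "% for " + employee;
    }
}

static class RoleDemo
{
    // Attach an identity and its roles to the current thread, then call the component.
    static string Try(string user, params string[] roles)
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user), roles);
        try { return PayrollService.ApproveRaise("carol", 5); }
        catch (SecurityException ex) { return "DENIED: " + ex.Message; }
    }

    static void Main()
    {
        Console.WriteLine(Try("alice", "Managers", "Staff")); // in the required role
        Console.WriteLine(Try("bob", "Staff"));               // authenticated, wrong role
        Console.WriteLine(Try(""));                           // empty name: not authenticated
    }
}
```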
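
For item 6, an added example (not from the original tip) of a component saving and reloading its state through isolated storage. The code never names a directory: the runtime picks the store from the current user and the calling assembly's identity. ComponentState and the file name state.txt are hypothetical.

```csharp
// Added example; ComponentState and "state.txt" are hypothetical names.
using System;
using System.IO;
using System.IO.IsolatedStorage;

static class ComponentState
{
    const string FileName = "state.txt";

    public static void Save(string state)
    {
        // Store scoped to the current user and this assembly.
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForAssembly())
        using (IsolatedStorageFileStream stream =
                   new IsolatedStorageFileStream(FileName, FileMode.Create, FileAccess.Write, store))
        using (StreamWriter writer = new StreamWriter(stream))
        {
            writer.Write(state);
        }
    }

    public static string Load()
    {
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForAssembly())
        {
            // Nothing saved yet for this user and assembly.
            if (store.GetFileNames(FileName).Length == 0) return null;

            using (IsolatedStorageFileStream stream =
                       new IsolatedStorageFileStream(FileName, FileMode.Open, FileAccess.Read, store))
            using (StreamReader reader = new StreamReader(stream))
            {
                return reader.ReadToEnd();
            }
        }
    }

    static void Main()
    {
        Console.WriteLine("before: " + (Load() ?? "(nothing stored)"));
        Save("lastRun=" + DateTime.UtcNow.ToString("o"));
        Console.WriteLine("after:  " + Load());
    }
}
```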


Source: DotNetExtreme.com
