• Chapter 1. Common Security Problems on the Internet
  • Problems with Securing Mobile Code
  • Writing Secure Applications
  • Summary
  • Chapter 2. Introduction to the Microsoft .NET Developer Platform
  • Tight Language Interoperability
  • Metadata
  • JIT Compilation
  • Garbage Collection
  • Object-Oriented Programming
  • Code Access Security
  • Base Class Library
  • Native Code Interoperability
  • Summary
  • Chapter 3. .NET Developer Platform Security Solutions
  • Fundamental Security Benefits from the .NET Framework
  • Mobile Code Solutions with the .NET Framework
  • Networked Computing with the .NET Framework
  • Summary
  • Chapter 4. User- and Code-Identity-Based Security: Two Complementary Security Paradigms
  • A Little Anatomy of Computer Security Systems
  • A Review of User-Identity-Based Security
  • Entering a New Paradigm: Code-Identity-Based Security
  • How User- and Code-Identity-Based Security Systems Complement Each Other
  • Summary
  • Chapter 5. Evidence: Knowing Where Code Comes From
  • Evidence Explained
  • Different Sources of Evidence
  • Evidence and the Base Class Library
  • Summary
  • Chapter 6. Permissions: The Workhorse of Code Access Security
  • Permissions Explained
  • How Permissions Are Used
  • Declarative and Imperative Security
  • Built-in Permissions
  • Permission Sets
  • Summary
  • Chapter 7. Walking the Stack
  • A Review of Stacks and Their Uses
  • The Security Stack Walk
  • Modifying a Stack Walk
  • The Interaction of App Domains with Stack Walks
  • Summary
  • Chapter 8. Membership Conditions, Code Groups, and Policy Levels: The Brick and Mortar of Security Policy
  • Membership Conditions
  • Code Groups
  • Policy Levels
  • Default Security Policy
  • Summary
  • Chapter 9. Understanding the Concepts of Strong Naming Assemblies
  • Assemblies and Identity
  • Public/Private Key Pairs
  • Signing and Verifying Assemblies
  • Delay Signing Assemblies
  • Comparison with Authenticode Signatures
  • Summary
  • Chapter 10. Hosting Managed Code
  • What Does Hosting Mean?
  • Containing Assemblies Through the Use of Appdomains
  • Controlling Trust Within the Hosted Environment
  • Dealing with Assembly-Sharing Issues
  • Using Appdomains to Secure Unmanaged Clients
  • Summary
  • Chapter 11. Verification and Validation: The Backbone of .NET Framework Security
  • Review of the Anatomy of an Assembly
  • PE File Format and Metadata Validation
  • IL Validation and Verification
  • Code Access Security's Dependence on Validation and Verification
  • Summary
  • Chapter 12. Security Through the Lifetime of a Managed Process: Fitting It All Together
  • Development-Time Security Considerations
  • Deployment-Time Security Issues
  • Execution-Time Security Issues
  • Summary
  • Chapter 13. Introduction to ASP.NET Security
  • New Security Features in ASP.NET - And How to Use Them
  • Authentication for Web Services
  • Code Access Security and ASP.NET
  • Summary
  • Chapter 14. Authentication: Know Who Is Accessing Your Site
  • ASP.NET Authentication and IIS Authentication
  • Default IIS Settings
  • Using CLR Role-Based Security in Windows
  • Using ASP.NET Forms Authentication
  • Using Impersonation and Delegation in ASP.NET
  • Summary
  • Chapter 15. Authorization: Control Who Is Accessing Your Site
  • File and Directory Access Control Lists (ACLs)
  • Using URL Authorization to Allow or Limit Access
  • Using Programmatic Authorization to Determine Who Is Attempting to Access Your Site
  • Summary
  • Chapter 16. Data Transport Integrity: Keeping Data Uncorrupted
  • Implementing SSL Encryption and HTTPS
  • Encryption of Individual Data Elements - An Overview
  • Remoting and Encryption via Sinks - An Overview
  • Summary
  • Chapter 17. Introduction: .NET Framework Security and Operating System Security
  • A Roadmap for Administering the Security Context of Managed Code
  • .NET Framework Security and Operating System Security Settings
  • Summary
  • Chapter 18. Administering Security Policy Using the .NET Framework Configuration Tool
  • Before Making Any Security Policy Change: Administration Strategies
  • The .NET Framework Configuration Tool's Self Protection Mechanism
  • Administrative Tactics: Scenarios, Solutions, Hints, and Tricks
  • Summary
  • Introduction to the .NET Framework Configuration Tool
  • Increasing Trust for an Assembly or Software Publisher Using the Trust Assembly Wizard
  • Changing Trust for a Zone Using the Adjust Security Wizard
  • Manipulating the Security Policy Tree Directly - Basic Techniques
  • Testing Security Policy Using the Evaluate Assembly Wizard
  • Modeling Policy Changes Using Open and New
  • Deploying Security Policy
  • Resetting Security Policy
  • Chapter 19. Administering .NET Framework Security Policy Using Scripts and Security APIs
  • Using Batch Scripts for Security Policy Administration
  • Changing Security Policy by Programming Directly to the Security APIs
  • Summary
  • Chapter 20. Administering an IIS Machine Using ASP.NET
  • XML-Based Configuration Files
  • Hierarchy of .NET Configuration Files
  • Attributes and Settings
  • IIS Security Settings - A Refresher
  • Summary
  • Chapter 21. Administering Clients for .NET Framework Mobile Code
  • Default Security Policy and Mobile Code
  • Limitations on Calling Strong Named Components
  • Running Mobile Code in Internet Explorer
  • Summary
  • Chapter 22. Administering Isolated Storage and Cryptography Settings in the .NET Framework
  • Administering Isolated Storage
  • Administering Cryptography Settings
  • Summary
  • Chapter 23. Creating Secure Code: What All .NET Framework Developers Need to Know
  • Security and the Developer
  • Structure of the .NET Framework Security System
  • Limitations of the .NET Framework Security System
  • Summary
  • Chapter 24. Architecting a Secure Assembly
  • Thinking Like a Security Expert: How to Improve the Security of Your Designs from Day One
  • If All Else Fails
  • Don't Throw It All Away
  • Summary
  • Chapter 25. Implementing a Secure Assembly
  • Using Existing Security Mechanisms
  • Implementing Your Own Permissions
  • Working with Strong Names
  • Summary
  • Chapter 26. Testing a Secured Assembly
  • Determining What Is Being Protected
  • Determining How Resource Protection Is Implemented
  • Testing Any Applied Custom Permissions
  • Testing the Methods and Properties That Should Be Protected
  • Summary
  • Chapter 27. Writing a Secure Web Site Using ASP.NET
  • Designing a Secure Web Site
  • Implementing a Secure Web Site
  • Summary
  • Chapter 28. Writing a Secure Web Application in the .NET Development Platform
  • ASP.NET with Remoting Versus Web Services
  • Authentication and Authorization Without IIS
  • Summary
  • Chapter 29. Writing a Semi-Trusted Application
  • Restrictions on Libraries That Can Be Called
  • Making Permission Requests
  • Protecting Data
  • Being Careful About What Code Gets Executed
  • Being Aware of Permissions at Runtime
  • Summary
  • Chapter 30. Using Cryptography with the .NET Framework: The Basics
  • Setting the Stage: Key Definitions and Scenarios in Cryptography
  • The Cryptographic Object Model of the .NET Framework
  • Operating on Streams: CryptoStreams and ICryptoTransforms
  • Using Symmetric Algorithms
  • Using Cryptographic Hash Functions
  • Using Keyed Hash Functions
  • Random Number Generation and Key Derivation
  • Using Asymmetric Algorithms
  • Summary
  • Chapter 31. Using Cryptography with the .NET Framework: Advanced Topics
  • Working with CryptoAPI 1.0
  • Working with CryptoAPI 2.0
  • Finalization Versus Explicit Destruction via IDisposable
  • Extending the .NET Framework's Cryptography Classes and the Cryptographic Configuration System
  • Summary
  • Chapter 32. Using Cryptography with the .NET Framework: Creating and Verifying XML Digital Signatures
  • XMLDSIG Design Principles and Modes of Use
  • The Structure of an XMLDSIG Signature
  • Creating XMLDSIG-Compliant Signatures Using the .NET Framework
  • Verifying an XMLDSIG Signature
  • Extending System.Security.Cryptography.Xml for Custom Processing
  • Summary
  • Demystifying .NET Framework Security
  • What Do You Need to Know Prior to Reading This Book?
  • What Software Will You Need to Complete the Examples Provided with This Book?
  • How This Book Is Organized
  • Where to Download the Associated Code for This Book
  • Conventions Used in This Book
  • Part I: Introduction to the .NET Developer Platform Security
  • Part II: Code Access Security Fundamentals
  • Part III: ASP.NET and Web Services Security Fundamentals
  • Part IV: .NET Framework Security Administration
  • Part V: .NET Framework Security for Developers
  • About the Authors
  • Acknowledgments
  • Introduction

    Introduction

    By Brian A. LaMacchia

    Welcome! The book you hold in your hands is a comprehensive guide and roadmap to the security infrastructure of the Microsoft .NET Framework. The .NET Framework is Microsoft's new cross-language development environment for building rich client applications and XML Web Services. One of the key features of the .NET Framework is a robust security infrastructure that provides developers, administrators, and users with new levels of control over code that executes on their systems. Whether you are a developer, administrator, or end user, this book will help you make the most of the .NET Framework security system and create, control, deploy, and use secure .NET applications.
