Chapter 5 Understanding .NET Security


Consider the paradox implicit in this chapter: You are about to read details about security measures in Windows and .NET, but if you can read about them, how can they remain secure? Shouldn't security rest on secrecy and depend on the fact that people can't buy books describing precisely how it works?

Well, yes and no. Somebody has to have the keys to Fort Knox. It may as well be you, the trusted programmer, or trusted IT administrator.

In fact, there are multiple layers of security within today's computer systems, and they generally work on an all-or-nothing premise: all the layers must grant permission to the agency (consuming caller or user) attempting anything potentially dangerous. By dangerous we usually mean any kind of file access (whether to read private data, to write and maybe add viruses to files, or to have the ability to reformat drives and so on) or access to the Registry, to peripherals such as printers, or to the security system itself (where callers can fiddle around and make themselves administrators and fling the doors open).

Security features in .NET are extensive, comprehensive, and powerful. You should familiarize yourself with them because, as we all know, security is Topic A in many IT departments these days. Few programmers, though, have much experience with encryption and other security measures.

In this chapter, you'll learn about the various levels of Windows (generally role-based) and .NET (generally code-based) security, including aspects of "trust," the various kinds of permission management, and the interactions between role-based and code-based permissions. This subject is quite large, but this chapter is intended to provide you with an overview of the major tools at your disposal as you attempt to ensure the integrity of your .NET applications: to prevent them from being breached, or from being misused to breach other resources.

NOTE This chapter gets you well on your way down the long road to ensuring system security. For deeper coverage of the topic, see .NET Development Security Solutions by John Mueller (Sybex, 2003).

Chapter 6 covers a different aspect of .NET security: encryption and hashing, highly effective tools for ensuring the integrity of transmitted messages and for protecting privacy.

Visual Basic .NET Power Tools
ISBN: 0782142427
EAN: 2147483647
Year: 2003
Pages: 178
