A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright 2003 by Ed Robinson and Michael Bond
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.
Library of Congress Cataloging-in-Publication Data
Robinson, Ed, 1967-
Security for Microsoft Visual Basic .NET / Ed Robinson, Michael James Bond.
1. Computer security. 2. Microsoft Visual Basic. 3. Basic (Computer program language). 4. Microsoft .NET I. Bond, Michael, 1965- II. Title.
Printed and bound in the United States of America.
Distributed in Canada by H.B. Fenn and Company Ltd.
Microsoft Press books are available through booksellers and
Microsoft, Microsoft Press, the .NET logo, Visual Basic, Visual Studio, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain
Danielle Voeller Bird
Project Editor: Denise Bankaitis
Technical Editor: Christoph Wille
Body Part No. X09-39065
To my wife, Catherine, and to my mum, Dorothy
To my wife, Jane, for her love and support; to my daughters Sarah and Katie, for their encouragement; and to my
About the Authors
Ed Robinson, a lead program manager for Microsoft, helped drive the development of security features for Visual Basic .NET and other Microsoft products. He has 13
Michael Bond is a development lead on the Visual Basic .NET team. He has supported, developed, and helped secure many features of Visual Basic over the past 13 years. You can find Mike in the Visual Basic chat rooms on MSDN, Microsoft Developer Network, as well as at industry events.
This book is an introduction to security for Visual Basic programmers. You’ll find it useful both as a prescriptive guide for writing secure applications and as a technical reference for how to actually implement security techniques in your own code. For example, in Chapter 1, “Encryption,” we explain what encryption is and when to use the different types of encryption, and we provide examples that show you how to actually encrypt and decrypt information.
Although there is already a wealth of information available about security, very little has been written that targets the Visual Basic programmer. In writing this book, we set out to change this. We have followed three principles that make this book better for the Visual Basic programmer than any other publication you will find on security:
Make it simple
Clear guidance: Some security books explain security techniques without telling you where or where not to use them. This book is different: we offer clear guidance on how, when, and where you should use each security technique.
Although this is an introductory-level book, it covers everything from coding techniques to designing a secure architecture to performing a security audit. Our
The authors of this book, like you, are Visual Basic programmers. We use straight, no-
Section 2 is about identifying threats to your Visual Basic .NET application and
Section 3 discusses how to lock down the environments that your application runs in or depends upon, such as the Microsoft Windows operating system, Internet Information Services, the .NET runtime, Microsoft SQL Server, and Microsoft Access databases. In addition, this section discusses how to lock down your application for deployment.
Section 4 focuses on architecture: how to design secure systems, perform a security audit of your application, come up with a contingency plan, and execute the contingency plan if an intruder does make his or her way past the security measures you have put into place.
Microsoft Visual Basic .NET is built on a number of technologies, including the .NET platform, Microsoft Visual Studio .NET, and of course the Microsoft Visual Basic .NET compiler. For the sake of simplicity and brevity, unless the distinction is important, we refer to all of these technologies collectively as Microsoft Visual Basic .NET. As a Microsoft Visual Basic .NET developer, you don’t need to think about these composite technologies to get your job done.