Resource Access Considerations
File I/O
| Check | Description |
|---|---|
|
| No security decisions are made based on filenames. |
|
| Input file paths and file names are well formed . |
|
| Environment variables are not used to construct file paths. |
|
| File access is constrained to the context of the application (by using a restricted FileIOPermission ). |
|
| Assembly file I/O requirements are specified using declarative security attributes (with SecurityAction.RequestMinimum ). |
Event Log
| Check | Description |
|---|---|
|
| Event log access code is constrained using EventLogPermission . This particularly applies if your event logging code could be called by untrusted callers . |
|
| Event sources are created at installation time (or the account used to run the code that writes to the event log must be allowed to create event sources by configuring an appropriate ACL in the registry). |
|
| Security-sensitive data, such as passwords, is not written to the event log. |
Registry
| Check | Description |
|---|---|
|
| Sensitive data, such as database connection strings or credentials, is encrypted prior to storage in the registry. |
|
| Keys are restricted. If a key beneath HKEY_CURRENT_MACHINE is used, the key is configured with a restricted ACL. Alternatively, HKEY_CURRENT_USER is used. |
|
| Registry access is constrained by using RegistryPermission . This applies especially if your registry access code could be called by untrusted callers. |
Environment Variables
| Check | Description |
|---|---|
|
| Code that accesses environment variables is restricted with EnvironmentPermission . This applies especially if your code can be called by untrusted code. |
|
| Environment permission requirements are declared by using declarative security attributes with SecurityAction.RequestMinimum . |
EAN: 2147483647
Pages: 613