Chapter 11. Security Issues

‚   ‚  

O BJECTIVES

This chapter covers the following Microsoft-specified objective for the "Creating and Managing Microsoft Windows Services, Serviced Components, .NET Remoting Objects, and XML Web Services" section of the "Developing XML Web Services and Server Components with Microsoft Visual Basic .NET and the Microsoft .NET Framework" exam:

Implement security for a Windows service, a serviced component, a .NET Remoting object, and an XML Web service.

This chapter also covers the following Microsoft-specified objectives for the Deploying Microsoft Windows Services, Serviced Components, .NET Remoting Objects, and XML Web Services section of the Developing XML Web Services and Server Components with Microsoft Visual Basic .NET and the Microsoft .NET Framework exam:

Configure security for a Windows service, a serviced component, a .NET Remoting object, and an XML Web service.

• Configure authentication type. Authentication types include Windows authentication, Microsoft .NET Passport, custom authentication, and none.

• Configure and control authorization. Authorization methods include file-based authorization and URL-based authorization.

• Configure and implement identity management.

• These days, it's not enough to write correct code. You must also write secure code if you want your applications to be widely useful. Thanks to the increasing connectivity of computers over LANs and the Internet, your applications will often be visible to thousands or millions of potential attackers . Thus, it's necessary to secure these applications so that only authorized users can work with them. These objectives test your understanding of the basic security features of the .NET Framework and the ways in which you can apply those features to particular applications.

O UTLINE

Introduction

Configuring Security

Understanding Code Access Security

Understanding Permissions

Requesting Minimum Permissions

Code Groups and Permission Sets

Granting Permission

Imperative Security

Computing Permissions

Requesting Other Types of Permissions

Using Custom Security Attributes

Configuring Authentication

No Authentication

IIS and ASP.NET Authentication

Authentication Providers

Configuring IIS Authentication

Passport Authentication

Forms Authentication

Configuring Authorization

Implementing Impersonation

Identity and Principal Objects

Verifying Role Membership

Using the PrincipalPermission Class

Security for Windows Services

Security for Web Services

Platform and Application Security

Configuring Web Services for Security

WS-Security

Remoting Security

Enterprise Services Security

Chapter Summary

Apply Your Knowledge

S TUDY S TRATEGIES

• Use code access security to specify the permissions required by an assembly. Make sure that you understand the differences between minimum and optional permission requests .

• Use the Microsoft .NET Framework Configuration Tool to specify security policies for an assembly and understand the effects of those policies on the assembly. Experiment with the interaction between multiple security policies for the same assembly.

• Use authentication to control who can access an ASP.NET application and understand what happens when a user cannot be authenticated.

• Configure a Web service for secure access and confirm that you cannot use the Web service without proper authentication and authorization.