Creating Secure Applications

Microsoft Australia Security Summit

Posted 08-May-2015

TRANSCRIPT

Page 1: Creating Secure Applications

Microsoft Australia Security Summit

Page 2: Creating Secure Applications

Creating Reliable And Robust Applications With Visual Studio 2005 And SQL Server 2005

Andrew Coates
Developer Evangelist
Microsoft Australia
http://blogs.msdn.com/acoat

Page 3: Creating Secure Applications

Agenda

Introduction

Enhancements for secure application development with Visual Studio 2005

Security enhancements in SQL Server 2005

Page 4: Creating Secure Applications

Introduction: Security Today

More mission-critical systems

More IT assets exposed via the Internet

More ways to connect (more threat paths)

Everything is becoming connected

Increased complexity and functionality lead to increased vulnerabilities

Software must do more to protect on the security front

Major effort to enhance security capability and features in Visual Studio 2005 and SQL Server 2005

Page 5: Creating Secure Applications

Visual Studio 2005 and .NET 2.0 Enhancements

Page 6: Creating Secure Applications

Managed Code

Designed to run under less privileged accounts

Improved Code Access Security

Permissions Calculator

Debug in Zone

IntelliSense in Zone (Visual Basic .NET)

FxCop

Page 7: Creating Secure Applications

Develop Under a Less Privileged Account

Developing under a least-privileged account is good practice

Your users will not run your application as an administrator

When developing as an administrator you may be unaware that non-admin accounts do not have access to resources that you can access

Visual Studio 2005 runs much better under a non-administrative account than previous versions

Page 8: Creating Secure Applications

Security Principles to Live By: Practical Least Privilege

Elevate as necessary:
RunAs
MakeMeAdmin (http://blogs.msdn.com/aaron_margosis)
Fast User Switching
Terminal Services / Remote Desktop

Vista/Longhorn LUA:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/leastprivlh.asp

Add granular permissions (SQL Server 2005):
Granular permissions
Security execution context
DDL triggers

Code Access Security is easier with Visual Studio 2005:
Permission Calculator
IntelliSense in Zone, Debugging in Zone

Page 9: Creating Secure Applications

Code Access Security

Applies security to assembly identity

Allows restriction on the actions an assembly can perform

Predefined permission sets are available to sandbox low-trust code

Visual Studio 2005 allows the developer to select a target permission set

Page 10: Creating Secure Applications

Code Access Security (CAS)

Code access security is a mechanism that helps limit the access code has to protected resources and operations. It has the following functions:

Defines permissions and permission sets that represent the right to access various system resources

Enables administrators to configure security policy

Enables code to request the permissions it requires in order to run, and to specify which permissions the code must never have

Grants permissions to each assembly that is loaded, based on the permissions requested and on the operations permitted by security policy

Enables code to demand that its callers have specific permissions

Enables code to demand that its callers possess a digital signature, thus allowing only callers from a particular organisation or site to call the protected code

Enforces restrictions on code at run time by comparing the granted permissions of every caller on the call stack to the permissions that callers must have

Page 11: Creating Secure Applications

Code Access Security

(Diagram: Evidence + Policy = Permissions)

Page 12: Creating Secure Applications

Stack Walk

An essential part of the security system: it protects against unauthorised access to protected resources

Before allowing an assembly access, the protected resource may demand a stack walk to verify that all functions in the call chain have permission to access the system resource

Functions can choose to modify the stack walk, and there are a few mechanisms to do this:

LinkDemand

Assert

Deny

PermitOnly

Page 13: Creating Secure Applications

Stack Walk (diagram)

Page 14: Creating Secure Applications

Sandboxing

Application Domains can be created to sandbox assemblies

The process for creating a sandbox has been simplified under the 2.0 framework

The API is exposed as a new overload of AppDomain.CreateDomain:

    AppDomain.CreateDomain(
        string friendlyName,
        Evidence securityInfo,
        AppDomainSetup info,
        PermissionSet grantSet,
        params StrongName[] fullTrustAssemblies);
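The sandbox overload and the stack walk from the preceding slides put together, as an added example that is not code from the deck: a host builds an execute-only AppDomain with the .NET 2.0 overload above, loads a worker class into it, and the worker's attempt to read a file fails the FileIOPermission stack walk even though the fully trusted host is further down the same call chain; an Assert inside the sandbox does not rescue it. The class names Worker and SandboxHost and the temp-file path are assumptions, and the code requires the .NET Framework (CAS and AppDomain sandboxes are not present in .NET Core).

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Added example, not from the deck. Requires the .NET Framework (2.0 or later);
// CAS and AppDomain sandboxes do not exist in .NET Core. Names are made up.
public class Worker : MarshalByRefObject
{
    // Called across the AppDomain boundary by the host.
    public string TryReadFile(string path)
    {
        try
        {
            // File.ReadAllText demands FileIOPermission(Read) for 'path'. The
            // demand walks the stack; in the sandbox this frame's assembly was
            // granted Execution only, so the walk fails here, before the fully
            // trusted host frames further down are even reached.
            return "read " + File.ReadAllText(path).Length + " chars";
        }
        catch (SecurityException ex)
        {
            return "denied: " + ex.GetType().Name;
        }
    }

    // Assert stops the walk at this frame and vouches for everything above it.
    // The runtime only honours an Assert when the asserting assembly itself
    // holds the asserted permission plus SecurityPermission(Assertion). In the
    // sandbox it holds neither, so this still ends in a SecurityException.
    [FileIOPermission(SecurityAction.Assert, Unrestricted = true)]
    public string TryReadFileWithAssert(string path)
    {
        return TryReadFile(path);
    }
}

public static class SandboxHost
{
    public static AppDomain CreateSandbox(string name)
    {
        // Grant set for everything loaded from ApplicationBase: execute only.
        // Any other protected operation must pass a stack walk, and will not.
        PermissionSet grantSet = new PermissionSet(PermissionState.None);
        grantSet.AddPermission(
            new SecurityPermission(SecurityPermissionFlag.Execution));

        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;

        // The .NET 2.0 overload from the slide. Evidence is null (inherit the
        // host's); no assemblies are listed for FullTrust inside the sandbox.
        return AppDomain.CreateDomain(name, null, setup, grantSet, new StrongName[0]);
    }

    public static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "sandbox-demo.txt"); // assumed
        File.WriteAllText(path, "secret");

        // Same code, run with the host's full trust: the read succeeds.
        Console.WriteLine("host:    " + new Worker().TryReadFile(path));

        AppDomain sandbox = CreateSandbox("Sandbox");
        Worker remote = (Worker)sandbox.CreateInstanceAndUnwrap(
            typeof(Worker).Assembly.FullName, typeof(Worker).FullName);

        // Same code, run in the partial-trust domain: the demand fails.
        Console.WriteLine("sandbox: " + remote.TryReadFile(path));
        try
        {
            Console.WriteLine("assert:  " + remote.TryReadFileWithAssert(path));
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("assert:  refused, " + ex.GetType().Name);
        }

        AppDomain.Unload(sandbox);
        File.Delete(path);
    }
}
```

The worker is loaded from ApplicationBase rather than the GAC and is not in the fullTrustAssemblies list, which is exactly why it receives the sandbox grant set; put the same assembly in the GAC and it would be fully trusted regardless (see the next slide). Anything the sandboxed code really needs, such as a specific directory, should be added to grantSet as a narrowly scoped permission rather than by asserting from inside the sandbox.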

Page 15: Creating Secure Applications

Global Assembly Cache (GAC) Is Full-Trust

.NET 2.0 assemblies in the GAC get FullTrust no matter what the security policy says

The new GacMembershipCondition class determines whether an assembly belongs to a code group by testing its global assembly cache membership

Rather than having to know about both the full-trust list and the GAC, a framework developer now only has to install their framework in the GAC

Because everything in the GAC is fully trusted, a library installed there becomes a trust boundary the moment it is marked AllowPartiallyTrustedCallers: sandboxed code can then call it, so its public surface must be reviewed as if called by an attacker

Page 16: Creating Secure Applications

Permissions Calculator

PermCalc replaces the PermView utility

Looks into the assemblies on which the target has dependencies

Available both as a command-line tool and integrated into Visual Studio

Page 17: Creating Secure Applications

PermCalc (screenshot)

Page 18: Creating Secure Applications

Debugging Enhancements

Debug in Zone: Visual Studio can create an environment that matches the permissions of a restricted environment

IntelliSense in Zone (Visual Basic)

Page 19: Creating Secure Applications

Debug In Zone (screenshot)

Page 20: Creating Secure Applications

FxCop

Integrated into Visual Studio

Identifies design issues and supplies information on how to fix them

Enforces the Microsoft .NET Design Guidelines

Can be used as part of the code check-in policy

Page 21: Creating Secure Applications

FxCop (screenshot)

Page 22: Creating Secure Applications

Other Managed Code Security Enhancements

Security cannot be turned off permanently

New classes:

SecureString
Contents are kept encrypted
Can be modified until set to read-only (MakeReadOnly)
Deleted from memory on demand (Dispose)

ProtectedMemory
Used to encrypt data in memory, in place, in a byte array
Uses the Data Protection API (DPAPI), available in Windows XP and later
The buffer length must be a multiple of 16 bytes
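Both classes in use, as an added example rather than code from the deck: a password is collected into a SecureString and only ever decrypted into a clearable buffer for the moment it is needed, and a key is sealed in memory with ProtectedMemory, including the 16-byte length requirement. The class name InMemorySecrets, the delegate type, and the demo values are assumptions; the code needs a reference to System.Security.dll and runs on Windows, where DPAPI exists.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the deck. Windows only (DPAPI); needs a reference to
// System.Security.dll for ProtectedMemory. Names and demo values are made up.
public static class InMemorySecrets
{
    public delegate T SecretUser<T>(char[] plaintext);

    // Collects a password without ever creating an immutable managed string,
    // which would sit in the heap (and in any crash dump) until collected.
    public static SecureString ReadSecretFromConsole()
    {
        SecureString s = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace)
            {
                if (s.Length > 0) s.RemoveAt(s.Length - 1);
            }
            else
            {
                s.AppendChar(key.KeyChar);
            }
        }
        s.MakeReadOnly();   // AppendChar/RemoveAt now throw InvalidOperationException
        return s;
    }

    // The only way to use the value: decrypt into unmanaged memory, copy to a
    // clearable char[], run the consumer, then wipe both copies in 'finally'.
    public static T WithPlaintext<T>(SecureString s, SecretUser<T> user)
    {
        IntPtr bstr = IntPtr.Zero;
        char[] chars = new char[s.Length];
        try
        {
            bstr = Marshal.SecureStringToBSTR(s);
            Marshal.Copy(bstr, chars, 0, chars.Length);
            return user(chars);
        }
        finally
        {
            Array.Clear(chars, 0, chars.Length);
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr);
        }
    }

    // ProtectedMemory encrypts a byte[] in place with DPAPI. The buffer length
    // must be a multiple of 16 bytes (otherwise Protect throws), so the secret
    // is copied into a padded buffer and the caller's copy is wiped.
    public static byte[] Seal(byte[] secret, out int length)
    {
        length = secret.Length;
        byte[] buf = new byte[(secret.Length + 15) / 16 * 16];
        Buffer.BlockCopy(secret, 0, buf, 0, secret.Length);
        Array.Clear(secret, 0, secret.Length);
        ProtectedMemory.Protect(buf, MemoryProtectionScope.SameProcess);
        return buf;
    }

    // Unseals just long enough to take a copy of the original bytes, then
    // re-seals the buffer so it is never left decrypted in memory.
    public static byte[] Unseal(byte[] sealedBuf, int length)
    {
        ProtectedMemory.Unprotect(sealedBuf, MemoryProtectionScope.SameProcess);
        try
        {
            byte[] plain = new byte[length];
            Buffer.BlockCopy(sealedBuf, 0, plain, 0, length);
            return plain;
        }
        finally
        {
            ProtectedMemory.Protect(sealedBuf, MemoryProtectionScope.SameProcess);
        }
    }

    public static void Main()
    {
        // Constructed demo value; a real program would call ReadSecretFromConsole().
        SecureString pw = new SecureString();
        foreach (char c in "correct horse") pw.AppendChar(c);
        pw.MakeReadOnly();

        int len = WithPlaintext<int>(pw, delegate(char[] p) { return p.Length; });
        Console.WriteLine("password length: " + len + " (plaintext already wiped)");

        int n;
        byte[] key = Encoding.UTF8.GetBytes("0123456789abcdefXYZ");   // 19 bytes, not a multiple of 16
        byte[] sealedKey = Seal(key, out n);
        Console.WriteLine("sealed in memory: " + BitConverter.ToString(sealedKey));
        Console.WriteLine("recovered:        " + Encoding.UTF8.GetString(Unseal(sealedKey, n)));

        pw.Dispose();   // "deleted from memory on demand": zeroes and frees the encrypted buffer
    }
}
```

Two limits worth knowing: neither class protects the value while it is decrypted for use, so keep that window as short as WithPlaintext does and never convert the contents to a System.String; and SameProcess scope means the sealed buffer is useless to another process, which is the intent, so use CrossProcess or SameLogon only when the memory is genuinely shared.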

Page 23: Creating Secure Applications

What Else Is New In .NET 2.0 Security

Enhanced SecurityException

Increased strong-name (SN) key size

Transparent code

Managed ACLs

PKCS#7 support

FIPS enforcement

RFC 2898 PBKDF2

Test key signing

Enhanced X.509 support (via X509Certificate2)

XML Encryption

AppDomainManager / HostSecurityManager

Page 24: Creating Secure Applications

Team Foundation Server Check-In Policies

Code Analysis

Testing

Peer Review

Page 25: Creating Secure Applications

Unmanaged Code

Application Verifier

Integrated code analysis tools

Buffer check switch (/GS)

Safe C Runtime Library

Page 26: Creating Secure Applications

SQL Server 2005 Enhancements

Page 27: Creating Secure Applications

SQL Server 2005 Enhancements

Secure by Default

Password Policy

Strengthened Authentication

User-Schema Separation

Granular Permissions

Execution Context

Encryption

Catalog Security

Page 28: Creating Secure Applications

Secure By Default

If SQL Server 2005 is installed and no options are changed, it is installed in a secure state

Access to many resources must now be explicitly granted or enabled before being used

Surface Area Configuration Tool

Page 29: Creating Secure Applications

Surface Area Configuration Tool (screenshot)

Page 30: Creating Secure Applications

Password Policy And Authentication

SQL Server 2005 can inherit the Windows password policy when hosted on Windows Server 2003

Policy checking can be enabled or disabled on a per-login basis (CHECK_POLICY, CHECK_EXPIRATION)

Logins can be enabled and disabled

The login protocol uses a stronger channel: the credentials in the login packet are encrypted with a SQL Server-generated certificate

No SSL certificate loading is required for this

The self-generated certificate protects only the login exchange. Encrypting the whole session still has to be configured explicitly, and clients cannot verify a self-generated certificate against a trusted CA, so on its own it offers no protection against an active man-in-the-middle

Page 31: Creating Secure Applications

User-Schema Separation

Objects are associated with a schema instead of a user

The object naming scheme and name resolution have been changed: server.database.schema.object

Users can be assigned a default schema

Dropping a user therefore no longer requires reassigning every object it owned, and code no longer needs to know which user created an object

Page 32: Creating Secure Applications

User-Schema Separation (screenshot)

Page 33: Creating Secure Applications

Granular Permissions

Permissions can be applied at three scopes: server, database, and schema

A permission can be in one of three states: granted, denied, or revoked (neither granted nor denied); a DENY always overrides a GRANT, including one inherited through role membership

New permissions added

Securable: an entity to be secured (tables, views, assemblies, servers, and others)

Grantee: the principal (login, user, or role) that receives the permission

Catalog security: metadata is visible only for securables on which the principal holds some permission

Page 34: Creating Secure Applications

Execution Context

A module (procedure, function, or trigger) can declare the security context it runs under:

EXECUTE AS CALLER (default): permissions are checked against the caller

EXECUTE AS 'user_name': runs as the named database user; whoever creates or alters the module needs IMPERSONATE on that user

EXECUTE AS SELF: runs as the user who created or last altered the module

EXECUTE AS OWNER: runs as the module's current owner
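Password policy, schemas, granular permissions and EXECUTE AS (the preceding slides) combine into one least-privilege data path. The following is an added example, not code from the deck: a one-off deployment script creates an application login subject to the Windows password policy, puts the data and the application's procedures in separate schemas, gives the application nothing but EXECUTE on one procedure, and lets that procedure read the table as its owner; the C# data-access side then calls only that procedure, with a typed parameter. The database name Orders, the logins, users, schemas, object names, the password, and the connection strings are all assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the deck. Assumes SQL Server 2005 or later in Mixed
// Mode authentication, an existing database 'Orders', and a deployment account
// that is db_owner. Logins, users, schemas, object names and the password are
// all made up for the example.
public static class LeastPrivilegeDataAccess
{
    // Run once by the deployment account, one batch per string because
    // CREATE SCHEMA and CREATE PROCEDURE must each start their own batch.
    public static readonly string[] DeploymentBatches = {
        // SQL login that inherits the Windows password policy.
        @"CREATE LOGIN app_orders WITH PASSWORD = 'Str0ng!Passphrase#2005',
              CHECK_POLICY = ON, CHECK_EXPIRATION = ON;",

        // Objects live in schemas, not under users. 'app' is owned by a
        // login-less service user, so nothing chains to dbo-owned data.
        @"CREATE USER orders_api WITHOUT LOGIN;",
        @"CREATE SCHEMA data AUTHORIZATION dbo;",
        @"CREATE SCHEMA app AUTHORIZATION orders_api;",
        @"CREATE USER app_orders FOR LOGIN app_orders WITH DEFAULT_SCHEMA = app;",
        @"CREATE TABLE data.Orders
              (OrderId int PRIMARY KEY, CustomerId int NOT NULL, Amount money NOT NULL);",

        // The procedure runs as its owner (orders_api, the schema owner), so the
        // caller needs no rights on data.Orders; only orders_api has SELECT.
        @"GRANT SELECT ON OBJECT::data.Orders TO orders_api;",
        @"CREATE PROCEDURE app.GetOrdersForCustomer @CustomerId int
          WITH EXECUTE AS OWNER
          AS
          BEGIN
              SET NOCOUNT ON;
              SELECT OrderId, Amount FROM data.Orders WHERE CustomerId = @CustomerId;
          END;",

        // Granular permissions at object and schema scope: the application can
        // execute one procedure and is explicitly denied the data schema.
        @"GRANT EXECUTE ON OBJECT::app.GetOrdersForCustomer TO app_orders;",
        @"DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::data TO app_orders;",
    };

    public static void Deploy(string adminConnectionString)
    {
        using (SqlConnection cn = new SqlConnection(adminConnectionString))
        {
            cn.Open();
            foreach (string batch in DeploymentBatches)
                using (SqlCommand cmd = new SqlCommand(batch, cn))
                    cmd.ExecuteNonQuery();
        }
    }

    // Application side: stored-procedure call with a typed parameter. No SQL
    // text is built from input, and the login could not read the table anyway.
    public static decimal TotalForCustomer(string appConnectionString, int customerId)
    {
        decimal total = 0;
        using (SqlConnection cn = new SqlConnection(appConnectionString))
        using (SqlCommand cmd = cn.CreateCommand())
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.CommandText = "app.GetOrdersForCustomer";
            cmd.Parameters.Add("@CustomerId", SqlDbType.Int).Value = customerId;
            cn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
                while (r.Read()) total += r.GetDecimal(1);
        }
        return total;
    }

    // Check that the granular permissions hold: a direct SELECT as the
    // application login must fail with error 229 (permission denied).
    public static bool DirectSelectIsDenied(string appConnectionString)
    {
        using (SqlConnection cn = new SqlConnection(appConnectionString))
        using (SqlCommand cmd = new SqlCommand("SELECT COUNT(*) FROM data.Orders;", cn))
        {
            cn.Open();
            try { cmd.ExecuteScalar(); return false; }
            catch (SqlException ex) { return ex.Number == 229; }
        }
    }

    public static void Main()
    {
        const string admin = "Data Source=.;Initial Catalog=Orders;Integrated Security=SSPI;";
        const string app = "Data Source=.;Initial Catalog=Orders;User ID=app_orders;Password=Str0ng!Passphrase#2005;";
        Deploy(admin);
        Console.WriteLine("direct SELECT denied: " + DirectSelectIsDenied(app));
        Console.WriteLine("total for customer 42: " + TotalForCustomer(app, 42));
    }
}
```

The SQL login and literal password are there to show CHECK_POLICY; a production application should connect with Windows authentication (Integrated Security=SSPI) so no password is stored at all. The schema split is what makes EXECUTE AS OWNER do real work here: because app and data have different owners there is no ownership chain, so without the clause the caller's own (denied) SELECT right would be checked inside the procedure and the call would fail.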

Page 35: Creating Secure Applications

Execute AS (screenshot)

Page 36: Creating Secure Applications

Endpoint Security

An endpoint is a point of entry into SQL Server. Endpoint transports include:

Shared Memory
Named Pipes
TCP
Virtual Interface Adapter
HTTP (Windows Server 2003 and XP SP2 only)

The HTTP transport is not created by default

HTTP endpoints support 4 authentication types for web methods

Anonymous access is not allowed

Communications can be secured with SSL

Page 37: Creating Secure Applications

Encryption

SQL Server now has built-in support for encryption and decryption

Keys can be secured within or external to SQL Server

Supports symmetric encryption, asymmetric encryption, encryption by passphrase, and certificates

Keys form a hierarchy: the service master key protects each database master key, which protects the certificates and asymmetric keys that in turn protect the symmetric keys used for bulk data; back up each level, because losing a key above makes everything below it unrecoverable

Page 38: Creating Secure Applications

Some More Microsoft Resources

Security eForum site
http://www.microsoft.com/australia/eforum

MSDN Security Development Centre
http://msdn.microsoft.com/security/

Security Development Centre – Writing Secure Code
http://msdn.microsoft.com/security/securecode/default.aspx

Patterns and Practices: Security Guidelines
http://msdn.microsoft.com/library/en-us/dnpag2/html/pagguidelines0003.asp

What’s new in Security for v2.0
http://blogs.msdn.com/shawnfa/archive/2005/08/24/455581.aspx

What’s new with Code Access Security in the .NET Framework 2.0
http://msdn.microsoft.com/msdnmag/issues/05/11/CodeAccessSecurity/default.aspx

Security Enhancements in Visual Studio 2005
http://msdn.microsoft.com/library/en-us/dnvs05/html/vs05security.asp

Repel Attacks on Your Code with Visual Studio 2005 Safe C and C++ Libraries
http://msdn.microsoft.com/msdnmag/issues/05/05/SafeCandC/

SQL Server 2005 Security
http://msdn.microsoft.com/sql/learning/security/default.aspx

Visual Studio 2005 and SQL Server 2005 Webcast
http://www.microsoft.com/events


Page 40: Creating Secure Applications

© 2006 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.