Visual Basic .NET and Visual C # .NET programmers need to resolve security issues
Robin Reynolds-Haertlevisual Studio January 2002 Abstract: This article focuses on the major security issues that Visual Basic .NET and Visual C # .NET developers need to resolve when starting with the .NET framework. This overview discusses Windows applications and web applications, as well as implementation, debugging, and deployment phases of the development process. This article applies to the final version of the Visual Studio .NET and .NET framework. If you are using a pre-release version, the operation of the application may be slightly different from this article. table of Contents
Introduction Code Access Security
Fully trust some trust part of the trust environment development test Other resource web applications
Dynamically discovered authentication, analog, and commissioned ASPNET process identifies the security mechanism summary of the security mechanism in the Visual Studio .NET development environment in the ASPNET ID. Visual Studio .NET provides better security control for the operation of the application. The .NET framework provides more control while you also ask you to bear more programming responsibilities. When you create a friendly and easy-to-use application for users, you need to solve some security issues. Usually, in the following three cases, the security issue is required:
Users running your application may reject the application's permissions because the location running in the application has been specified to reject the user to access certain system resources. For example, users can reject file permissions for all applications stored on the network drive by configuring the public language runtime. You should pay attention to this issue when writing code and should write code to make a proper response to this refusal. Need to prevent users from accessing web applications from your web server to run malicious code or destroy data on the server. The setting of Visual Studio will make more or less to facilitate the danger of malicious code attacks. Code Access Security Code Access Security is a system of the .NET framework, which controls access to resources by executing the execution of the code. This security function is independent of the security provided by the operating system and is a supplement to the security provided by the operating system. When the user runs your application, the application will be allocated from the .NET public language runtime one of five areas. These five areas are:
My computer - the application on the user's computer. Local intranet - the application on the intranet of the user. Internet - Applications from Internet. Trusted Site - From Internet Explorer defined as a "trusted" site. Untrusted Site - from an application that is defined by Internet Explorer as a "limited" site. Each of the above regions has set specific access rights by the system administrator. You can set the security level of each area to fully trust, intermediate trust, low level trust or distrust. The trust level defines the resources that the application can access. The area is determined together with other security credentials (such as publishers, strong names, web sites, and code) to determine the permission to grant the code at runtime. You cannot control security settings on the user's computer, but your application is still limited by instant settings at runtime. This means that applications may be denied access to certain resources. For example, an application may need to write data into a file, but the user's system will refuse to write access at runtime by trigger an exception. For more information on secure credentials, see Evidence. Your job is to develop applications to handle this situation. This does not mean that your app is written to data with another method, but your application should be expected to be able to write data and then respond to this possibility. You may need to use more exception handle (Try ... catch in Visual Basic or Try ... catch) or some objects in the System.Security.Permissions named space to make the application code more reliable . The section "Development of Partial Trust Environment" is briefly explained in this paper. The security level of the area can be set by "Management Tools" installed with the .NET framework. For more information on setting a regional security level on your computer, see Administration Tools. Fully trust developers often work in a fully trust environment. They put the source code on the hard drive and test their applications on the computer used to develop. In this fully trust environment, any code compiled by the developer can run on the local computer. Since the local computer is defined by default as a full trust environment, there is no security exception. Partial trust part trust refers to all areas other than the fully trust area. When deploying an application, the application may move to a new area, and the new area may not fully trust the application. Two most common situations running code in some trust environments are: running from the Internet. Run the code that resides in the network sharing position (Intranet). Resources examples that may be denied in some trust areas include:
File I / O, including file read, write, creation, deletion, or print. System components such as registration values and environment variables. Server components, including directory services, registry, event log, performance counters, and message queues. What are the contents of some of the trust environments? This is not easy to determine. Each class in the .NET framework and each method in each class have a security property that defines the level of trust required to run the method, and is due to these security features, which may not be accessed at runtime. This property is. The regional level is not just a simple mapping of trust levels to attributes, but a collection of specific privileges granted to specific classes and methods. Your application cannot just simply query the trust level and then you can expect which resources are not available. You can determine if the application runs in a fully trust environment. In the next section "Partial Trust Environment Development", we will introduce a method. Some trust environments Development This section briefly introduces a security issue that may have a problem about the code written. Some trust environments have no single solution. Your solution depends on the application you have written. In addition, since the trust level may change during the execution of the application, only existing trust levels cannot be tested, and then continue. The first step in the development part of the trust area is to write code that can identify the unusual unusual abnormality. Please note the following code: 'Visual Basic Public Sub Makeabitmap () DIM B AS Bitmap = New Bitmap (100, 100) This code will draw a beautiful picture in bitmap format B.Save ("C: / PrettyPicture) .bmp ") End sub // c # public void makeabitmap () {bitmap b = new bitmap (100, 100); // The code here will draw a beautiful picture in the bitmap format B.Save (" C: //Prettypicture.bmp ");} If the project and project assembly is stored on your computer's hard drive, and you are a member of the computer administrators group, this method does not cause an exception at runtime. If you deploy this application to your intranet, you will trigger System.Security.securityException when the application tries to save bitmap objects (see SecurityException Class [English]). If there is no try ... catch (in Visual Basic) or Try ... catch (in the CAT) block, the application will terminate due to exceptions. This will make users feel dissatisfied. If you add an exception handling code, the application can:
WARNING User Application Unable to complete all the tasks you need to complete. Clear all existing objects so that the code behind the Catch block can run successfully. You can modify the code for saving the bitmap as shown below. The added code will warn the user that the file is not saved due to security, thereby distinguishing security failure with file I / O failure (eg, incorrect file name). This method does not produce any security vulnerabilities. Users should modify the security settings to trust your application, otherwise the application will not run. 'Visual Basic Public Sub Makeabitmap () DIM B AS Bitmap Try B = New Bitmap (100, 100) B.Save ("c: /prettypicture.bmp") Catch ex as system.security.securityException' Inform User Save Failed. MessageBox.show ("Refused to grant the permission to save the file," & _ "does not save this bitmap.") Catch ex as system.exception 'The other exceptions will be reacted. Messagebox.show (ex.Message) End and sub // c # public void makeabitmap () {Bitmap b = null; try {b = new bitmap (100, 100); b.save ("c: //prettypicture.bmp ");} catch (system.security.securityException ex) {// Inform the user to save failed. MessageBox.show ("Refused to awarded the permissions for saving the file," "Not saved this bitmap.");} Catch (System.exception EX) {// React to other exceptions here. Messagebox.show (ex.Message);}} You can use the class, attributes, enumerations in the System.Security.Permissions (English) namespace, you can more control over the security task in your application. If you are writing libraries that you can call from other applications, you can verify the permissions of the calling code. For example, you only need to add the following assembly level attribute at the top of the code file. When loading this assembly, the permission will be verified. If the requested permissions are rejected, the assembly will not be loaded and will trigger a safe exception. If you add this property to a stand-alone application, the application may not run. If this property occurs in the class library, the library may not be loaded at runtime. You need to add a TRY / CATCH block in the code called this class library. 'Visual Basic // C # [assembly: system.security.permissions.fileiopermissionattribute (securityAction.Requestminimum, Write = "c: //prettypicture.bmp")]
You can also request permissions to runtime, and the Demand method is used in the example below. The request may be allowed or rejected when runtime. Refusal requests are implemented by triggering security exceptions. You can rewrite the code as shown below to express the permissions of writing bitmap files: 'Visual Basic Public Sub Makeabitmap () DIM FileName As String = "C: /PrettyPicture.bmp" Dim Permission as fileiopermission = _ new fileiopermission (FileiOpermissionAccess.write, _ filename) DIM B AS bitmap = Nothing try b = new bitmap (100, 100) Permission.demand () B.SAVE (filename) catch ex as system.security.securityException 'Inform User Save Failed. MessageBox.show ("Refused to grant the permission to save the file," & _ "does not save this bitmap.") Catch ex as system.exception 'The other exceptions will be reacted. MessageBox.Show (ex.Message) End Try End Sub // C # using System.Security.Permissions; public void MakeABitmap () {string filename = "c: //PrettyPicture.bmp"; FileIOPermission permission = new FileIOPermission (FileIOPermissionAccess.Write , filename); Bitmap b = null; try {b = new bitmap (100, 100); permission.demand (); b.save (filename);} catch (system.security.securityException ex) {// Inform users to save failure. MessageBox.show ("Refused to awarded the permissions for saving the file," "Not saved this bitmap.");} Catch (System.exception EX) {// React to other exceptions here. MessageBox.Show (ex.Message);} The second step in the trust area of the test development is to test in multiple environments, especially on your intranet, and Internet. This will force a safe abnormality. Other resources In addition to the content described above, there are many other content available. The following topics discusses the code access security in more detail: Introduction to Code Acurity (English) Code Access Security (English) SECURITY NAMESPACES IN VISUAL Studio (English) Web application Solve the security of web applications, protect your server Free attacks from malicious code and protect data is not damaged. You can use a variety of ways to protect the server.
Use the user to find and run your XML Web Services by disabling the dynamic discovery feature of XML Web Services. The user's identity is verified by authentication before allowing the user to access the server. By using the ASPNET process identifier, you can better adjust the resources you can use. Each method will be discussed in detail below. Dynamic discovery dynamic discovery is a feature of the .NET framework that allows the web browser to find XML Web Services running on the server. After finding the XML Web Service, the user can call the XML Web Services method. Dynamic Discovery Although the user provides a powerful feature, it also brings potential security hazards to the server. In most cases, you don't need to enable dynamic discovery. Dynamic discovery when installing the .NET framework, is discovered by default. This does not mean that XML Web Services is not available, but only the server will not provide a directory for available services. Clients can still use XML Web Services, but you need to provide the exact location of the service. Warning: After disabling dynamic discovery, you need to send the location of XML Web Services to the client.
On the deployment server, there are two items to control the discovery features of XML Web Services. The first (Machine.config file) controls the overall discovery function of the server. The Machine.config file is an XML file containing the settings of the web application on the web application, which is located on the /%Windows% / Microsoft.Net/framework/Version/config folder. This file contains an element that is annotated by default. To enable the discovery feature, you need to delete these comment characters. You also need to use the ASPNET account to run the application, as described in the "ASPNET Process Identity" as described in the following section.
The second item is a discovery file. Discovery files can be the default discovery file (Default.vsdisco), or the XML Web Services specific discovery file. It is an XML file that contains information about the location of the XML Web Services file. To find a specific XML Web Services, you need to enable discovery features in the Machine.config file and create and deploy the application's discovery file. Discovery file is an XML file that lists only paths that do not contain XML Web Services. One example is provided below. For a complete description of this file, see Deploying XML Web Services In Managed Code.
If your deployment server is installed with Visual Studio .NET, the web root folder will contain default.vsdisco, which is created during the installation of Visual Studio .NET. If this file is included in the server and the discovery function is enabled in the Machine.config file, you can find all the XML Web Services on the server. If you want to discover XML Web Services, you need to delete this file.
Warning: If the deployment server is installed Visual Studio .NET, you should delete the default.vsdisco file before the server is put into use.
It is recommended that you deploy XML Web Services on the server where Visual Studio .NET is installed. The Visual Studio .NET installer will add files and users you can use to your system. You can protect the security of the system that is installed in Visual Studio. However, if you don't need to install Visual Studio .NET on the deployment server, it is recommended that you do not install it.
For more information on enabling dynamic discovery, see Enabling Discovery for An XML Web Services (English) and Fine-Tuning Discovery Mechanisms. Authentication, simulation, and delegate By default, the web application will run in anonymous mode, that is, the application does not require any information about the user ID. This is very applicable for sites that contain public information. If you want to control users accessing an application or other resource, you need to add authentication to your application. Authentication is the process of identifying applications and verifying if the user has access to this application. ASP.NET supports a variety of authentication methods. The most common methods are:
Anonymous does not require users to provide any identification information. This method applies to a Web site that contains public content. If you need a personalization site, you can use the cookie. For more information on using cookies in the ASP.NET application, see Introduction to Web Forms State Management. The form application provides a login form to the user requesting the user to provide login information (such as name and password). The form will be sent back to the server, and the server compares the information with the data warehouse. Basic Basic Authentication is configured using Internet Information Services (IIS), most browsers support basic authentication. If enabled, the browser prompts the user to enter the name and password, then use Base64 encoding (this encoding is easy to decrypt) transfer the information back to the ASP.NET application. This method requires the user to have a Windows account. If you use a secure socket layer (SSL) outside of basic authentication, you can make sure this authentication method is secure. For information on SSL support in ASP.NET, see Using Secure Sockets Layer. Brief Summary Authentication is configured with IIS, which can be used to run Microsoft Windows 2000 or Windows XP. Brief authentication provides a higher password encryption level than the basic authentication. This method requires the user to have a Windows account stored in Microsoft Active Directory? Integrated Windows Integration Windows Authentication Similar to basic authentication and brief authentication, the only difference is that the user's name and password do not return to the web application. This method is especially suitable for intranet environment. It requires the user to have a Windows account and only the Internet Explorer browser supports this method. The certificate certificate is a digital key installed in the computer. This key is required when the user tries to access the server. The server is then verified in the domain or Active Directory. This method applies to applications that require high security and pay management certificates. Passport Microsoft provides this set of authentication services. Passport authentication applies to the following: When your Web site is used with other Passport sites, users can access all sites with just a time; or you don't want to maintain user databases. Authentication allows you to authorize your application, but this is not enough to enable users to access resources, such as files and databases. You can configure resource to make it available for specific users (not the web application itself). In this case, you can use analog to allow users to access these resources. When using analog, the server process runs through the authenticated user ID. When the application uses analog and query the database, the database application will consider query from the user when processing the query, not the server. As shown in the following example, the simulation can be enabled by setting the Identity element in the application's web.config file. Web.config files are created as part of each web application project. Further, it is further delegate, entrusting to use the user ID when accessing the remote resource (other computers). As shown in the table below, not all authentication methods support delegate.
Support for entrusting Basic Anonymous Integration Windows Profile Passport Forms For detailed discussion on selecting and implementing authentication methods, see Authentication In ASP.NET: Net Security Guidance (English). For more information on Web Application Security, see Web Application Security At Run Time. ASPNET Process Logo When the web application starts running on the server, it is not logged in as you (author of the web application). Instead, log in to a Windows user account defined on the server. This account (also known as identification) can be one of the following three accounts: ASPNET ID, SYSTEM ID, or custom ID. This identity is specified in the Machine.config XML file (located in the server /%Windows% / Microsoft.Net/framework/Version/config folder). The following is a simplified example of the three configuration methods of this element. The elements in the file have several properties, and this example is not shown. The ASPNET is the default identity selected when installing a Machine.config file with the .NET framework. The ASPNET account is a member of the UserS group. By default, the UserS group only has the smallest permission. The ASPNET account also has several other permissions, including all permissions to the ASP.NET and Windows temporary directory. If the ID is changed to System, the application will run under the System ID, which has the permissions of the Administrators group. The System account can almost access all resources on the server.
Warning: If the server runs under the System ID, the danger of being damaged by malicious code attacks and data is very large.
To use a custom ID, you must create an account and configure its permissions as a specific manner. For more information on creating custom ID, see Authentication in ASP.NET: Net Security Guidelines. By default, several system resources are not available to the ASPNET account. The following summary describes common restrictions and solutions. It is recommended that you use the ASPNET account and the solution described without running the application under the System ID.
File resources can access the file and folder permissions granted to the ASPNET account via the Windows Explorer access to the Access Control List (ACL) of each file and folder. Changes to ASPNET's ACL will not automatically spread through deployment. For example, you may allow an ASPNET account to have write permissions on the C: /Picture.bmp file on the development computer. When the application is deployed, the application will run on another computer, which also has an ASPNET account. You need to add a write permission to add a C: /Picture.Bmp file on the deployment computer for the ASPNET account on the deployment. Fortunately, you can make changes to the ACL using custom operations in deployment projects, but you must track the changes you want. Event Log ASPNET accounts can add an entry to existing logs, but cannot create new event log categories. At this point you can enable simulation when using an ASPNET account to create a new event log class. The analog identity must have sufficient permissions to create an event log class. If the event log required by the application can be specified before being put into use, these logs can be created by deploying items. Directory services and Active Directory are accessible to them, requiring analog and delegate, or passing specific secure credentials to the DirectoryEntry object. If you choose to pass a particular secure credential to the DirectoryEntry object, you need to make sure this information is stored correctly. Performance Counter ASPNET accounts can only be written without reading performance counters and cannot create new performance counters categories. At this point you can enable simulation when using an ASPNET account to create a new performance counter category. The analog identity must have sufficient permissions to create a performance counter category. If the performance counter required by the application can be specified before being put into use, these performance counters can be created by deploying items. Safety Note on the ASPNET ID Running File Resources: This section is for systems that run the NTFS file system. If your server is running a FAT32 file system, see File System Description Files to learn about the security of the file security.
By default, the ASPNET account has only read and execute permissions of the UserS group. If the web application needs to be written or created, you can authorize the specific file and folder by modifying the Access Control List (ACL). To access the ACL of a file, you can right-click the file in the Windows Explorer, then select the Properties and Security tabs. It is best to modify the ACL of a particular file instead of adding general purpose rights to the ASPNET account. The most common permissions include:
Read-data files and executables require read permissions. Writing - Data file updated by the application requires write permissions. Execute - In the web application, .asmx files are executable. Create-To create a file, you need to add a creation permission to add a folder to create a file. These permissions apply to:
File folder
WARNING: Avoid allowing the same file or directory to have execute permissions and write or create permissions. In this case, the user may try to write malicious code in the file and then execute.
The following is some techniques for simplifying the authorization process:
According to the permissions required in the application, put files separately in different directories. For example, if you only store read / execution files in a directory, you only need to set these permissions for a directory without having to set permissions per file. Consider creating a directory for reading / execution, reading / writing, and reading / creating permissions in your application. The application can include a data file that is empty when deploying, and can also include the code required to create a file when running an application. This requires adding permissions to add creating permissions, which is a high security setting. To avoid adding code to create new empty files, consider providing an empty file to the application when deploying. This way, you only need to add write permissions to this file without having to add creating permissions to the directory. When developing an application, you will add permissions to files and directories on your computer to accurately adjust the security level of the application. Unfortunately, ACLs will not be passed to the corresponding files on the deployment computer. To plan to pass these ACLs, remember the following points:
Custom operations can be used to change the ACL using custom operations in the deployment package. For more information, see Custom Actions. You can use a third-party tool to track and find what changes. You may need to confirm each setting with the system administrator. You need to record the reasons for making changes, and why you must achieve the purpose by changing settings. When using the ASPNET ID to debug debugging XML Web Services, if the ASPNET ID is defined in the machine.config file, this identity will be used to call this XML Web Services. By default, the ASPNET ID is not a member of the debugger user group (see the security mechanism in the "Visual Studio .NET development environment), so you cannot access the XML Web Services code during the debugging process. To debug XML Web Services, open the XML Web Services code and set a breakpoint. It is recommended that you debug on the test computer (not deployed). This will be discussed in the "security mechanism in the Visual Studio .NET development environment". For more information on configuring your process ID, see ASP.NET Process Identity (English) and ASP.NET Impersonation. Security Mechanism in the Visual Studio .NET development environment In addition to the security of the server, it is necessary to protect the development of computers from malicious code attacks and data destruction. You can use multiple mechanisms in the development environment to protect the security of development servers: Vs Developers and Debuggers will add these two account groups when installing Visual Studio .NET. The VS Developers group has the necessary files, sharing, and IIS privileges that create and develop web applications on the server. The DEBUGGERS group can debug the process on a specific computer (local or remote). Both groups are users with great permissions on the server, and most resources can be accessed. For more information, see Web Application Security At Design Time in Visual Studio. Debug recommends that you debug on the test computer (not deployed). If you must debug on the deployment server, just install remote debug components and uninstall the component after completing debugging. Please debug the server in the offline state. For more information, see Introduction To Web Application Debugging. Deployment For most applications, you only need to install the .NET framework on the server. If you have a Visual Studio .NET or Visual Studio .Net server component installed on your deployment, the VS developers group and the Debuggers group will appear on the deployment computer. You need to limit the members and Debugger users of VS Developers. In addition, you may need to disable dynamic discovery. Warning: It is highly recommended that you do not install Visual Studio on the deployment server.
