Welcome! The book you hold in your hands is a comprehensive guide and roadmap to the security infrastructure of the Microsoft .NET Framework. The .NET Framework is Microsoft's new cross-language development environment for building rich client applications and XML Web Services. One of the key features of the .NET Framework is a robust security infrastructure that provides developers, administrators, and users with new levels of control over code that executes on their systems.
Whether you are a developer, administrator, or end user, this book will help you make the most of the .NET Framework security system and create, control, deploy, and use secure .NET applications.
Demystifying .NET Framework Security
Our primary goal in writing this book is to explain the .NET Framework security system in detail and make it easy to understand. As a group, the authors have over 10 years of combined experience as members of the .NET Framework security product team at Microsoft. We have gathered together in this book our combined advice, experience, and wisdom to help you make the .NET Framework security system best serve your needs. We hope that you will find this book useful not only as an introduction to the fundamental security features of the .NET Framework but also as a frequent desktop reference as you author or administer applications.
This book is designed to serve the security needs of .NET developers, administrators, and end users. Developers who are currently writing code in one or more .NET languages (or planning to start a coding project) will find detailed instructions on how to perform security checks, how to write code conforming to the "principle of least privilege," and how to include security in your software architectures from the outset. For example, we will teach you how to use cryptographic strong names to protect your programs from outside modification and guarantee that they run with the same shared libraries with which you intended for them to run. We will also demonstrate how to create "semipublic" application programming interfaces (APIs) that can only be called by identities you specify. Debugging security exceptions and interpreting the data returned by the Common Language Runtime when your code is denied access to some protected operation are also covered in this book. Everything you need to know to develop secure components and applications is contained herein.
If you are an administrator, you will find in the following chapters detailed examples showing how to modify security policy to tighten or loosen it as needed for your particular environment. We will walk you through all the common policy modification scenarios and show you how you can configure an entire enterprise from one location through the use of the .NET Framework's security configuration tool and the Windows Active Directory. We will also explain ASP.NET configuration for deploying secure Web Services with authentication and authorization customized to fit your needs.
For end users, our primary task in this book is to demonstrate how you can control the security behavior of .NET Framework applications running on your machine. Depending on your particular situation, you may need to administer portions of your security configuration to allow or refuse rights to particular applications. You may have encountered a security exception while executing an application and want to know why that exception occurred. You might also be trying to use a Web Service and need to understand its security requirements. All of these topics are covered in this book.
What Do You Need to Know Prior to Reading This Book?
We assume that if you are reading .NET Framework Security, you are already familiar with the .NET Framework, the Common Language Runtime, and one or more .NET programming languages (C++, C#, Visual Basic .NET, and so on). Nearly all of the examples in this book are written in the C# programming language, so some basic familiarity with C# will help you learn the most from the sample code. Every sample in this book could just as easily have been written in Visual Basic .NET, or any of the other languages that compile to MSIL and run on top of the Common Language Runtime, so what you learn from the samples will be immediately applicable in your particular programming environment.
Some specific chapters in this book assume additional topic-specific knowledge. For example, the two chapters that discuss the cryptography classes in the .NET Framework (Chapter 30, "Using Cryptography with the .NET Framework: The Basics," and Chapter 31, "Using Cryptography with the .NET Framework: Advanced Topics") assume that you already have a basic understanding of cryptography. The chapters describing the security features of ASP.NET (Chapters 13 through 16) assume that the reader has previous exposure to the core features of ASP and/or ASP.NET. Chapter 18 ("Administering Security Policy Using the .NET Framework Configuration Tool") assumes basic familiarity with the Microsoft Management Console (MMC), because the .NET Framework Configuration tool is an MMC "snap-in" that works alongside other MMC-based configuration tools, such as the Device Manager.
What Software Will You Need to Complete the Examples Provided with This Book?
At a minimum, you will need to have the .NET Framework Software Development Kit (SDK) installed on your computer to compile and run the samples shown throughout this book. The .NET Framework SDK includes the Common Language Runtime, the .NET Framework class libraries, command-line compilers, and administration tools. You can install the .NET Framework SDK on any of the following versions of the Windows operating system: Windows NT 4.0 (with Service Pack 6a), Windows 2000 (at least Service Pack 2 recommended) or Windows XP Professional. The .NET Framework SDK can be downloaded for free from the Microsoft Developer Network Web site at http://msdn.microsoft.com/net/.
Some of the examples in this book demonstrate solutions using Visual Studio .NET. Visual Studio .NET is Microsoft's premier integrated development environment (IDE) for writing programs on top of the .NET Framework. Visual Studio .NET includes the Visual Basic .NET, Visual C# .NET, and Visual C++ .NET compilers, an integrated editor, graphical debugger, design-time wizards, and other supporting tools. Visual Studio .NET is available in three product flavors--Professional, Enterprise Developer, and Enterprise Architect. (Note that if you are a member of the Microsoft Developer Network (MSDN), your subscription may already include Visual Studio .NET.) Complete product information for Visual Studio .NET may be found on the Web at http://msdn.microsoft.com/vstudio/.
NOTE
Although the .NET Framework SDK is only available for Windows NT 4.0, Windows 2000, and Windows XP Professional, the .NET Framework Redistributable is available for Windows 98, Windows Millennium Edition, and Windows XP Home Edition in addition to the platforms supported by the SDK. Programs written on top of the .NET Framework require only that the Redistributable be present to run. Thus, while you need to run Windows NT 4.0, Windows 2000, or Windows XP Professional to develop .NET Framework programs, those programs can run on any of the platforms supported by the Redistributable.
Visual Studio .NET is currently available on the same platforms as the .NET Framework SDK--Windows NT 4.0 (Workstation and Server), Windows 2000 (Professional and Server), and Windows XP Professional.
How This Book Is Organized
We have arranged the content of this book into five broad sections. Each section is aimed at answering questions and providing examples for one or more of our core constituencies--developers, administrators, and end users. Because this book is intend