Watching the Bear Dance!

Building Secure and Scalable .NET Solutions for the Networked World

 June 20-21, 2002

version 0.10 last updated 2002-08-10-14:02 -0700 (pdt)


 


Arrival

The Microsoft Campus is very nice, and the route I was given for finding the conference center took me along a wooded road, with paths, people jogging, and a sense of the sheltered quiet that is provided throughout the campus.

The Conference center is also pleasant, well-outfitted, and the people know how to provide hospitality and a comodious setting, from the Internet access stations in the foyer to the outlets and touch controls at the individual stations.

It was also impressive to see a meeting that had to ask some of its guests leave because the room was overfilled.  The attention to safety and capacity is not something I see that plainly.

Setup

Nice discussion, see my notes pages on the slides.  Good setup for the overview.

Surprising that it is not all about down and dirty code but lots of situated discussion.  Good anecdotal material to motivate the setup and overview of the

Freebies

Two books

Trial version of VS.NET

Full-Up XP Professional 2002 complementary VIP edition.  Not an upgrade.

Other materials, plus what was in the initial summit folder.

1. Presentation

1.1 Module 1 - Security Concepts

STRIDE model.  Need to use that.  I should try it and test it with the MISER COM Implementation.

Various illustrations about blinders and trust points.  For example, an user can do a POST from anything instead of the form that was delivered to the client.  So if there is stuff that is expected to be replayed (e.g., prices sent to a form), they can be altered.  So it is important to not allow replay/alteration of material by the client.

Trust points are used in the discussion, but tacitly, such as trusting DNS and trusting a URL to take us to the expected place.

Get to learn that .cs means c# code.  Now I feel like an insider and I belong here.

SHA1 or MD5 - SHA is currently preferred, because the weaknesses of MD5 are concerning people.

Cool tip about using Win2k and beyond to Run As ... when starting something, and never being logged on as administrator on your own machine!  Also you can run as ... rather than logging off and logging on as someone else.

Uses command shell a lot.  Surprise!

Comment about how if you do a correct password change, your encrypted keys will be re-encrypted.  But if it gets changed some other way, you won't be able to access your OS-encrypted files anymore, because your new credential doesn't work to decrypt the encrypted keys done with the old password.

Discussion of message authentication codes.  (Under mitigation tampering threats.)

p.9 slides tips.  If you are denied access, the first thing you want to know is if you are authenticated properly.  There are ways to check that.  You can audit logon events and find out whether or not there is a successful authentication.  Then you can look to see if you have authorization structures that need to be adjusted.

p.10 slide 31 - back up logs -- good things to put on a CD-R.

Code Access Security, Module 3.  Running code lets the code do anything that you can do.

Components in a process-centric security model created a big exposure for component defects, even with authenticode.

I get sleepy after lunch, but this is all good material.  The way that applications and code can be boxed in, and the amount of security 

There are deployment wizards that create MSI files.  So MSI is a big deal too.  Group policies get synchronized every time you boot. 

Exceptions do not provide the means to discover the policy that it came from.

The Evaluate an Assembly function gives you the result of the evidence/policy evaluation and tells you the permissions that are granted.

Unrestricted means no additional restrictions.  This is a new speedbump, but it doesn't over-ride the unmanaged security context.

1.x Day 2, Module 5 - Forms Authentication (middle of module we left off with yesterday)

Forms Authentication

aspnet-isapi.dll runs inside of the Web Server and provides the .NET pipeline

More notes on the slide pages.  I am busy making more Miser notes while this is all going on.

I am not so attentive on Day 2.  I lapse back and forth about being excited about what I am doing in the Miser sketch, and then also with my fatigue level because I didn't rest enough.

There are exciting things about what ASP.NET provides, and the support for authenticated operation.  Also, I am more interested in what the DevelopMentor folk provide.  It is a cool organization.

1.x Code 

 

2. Discussion

Suggested topics for discussion include:

3. Resources and References

http://staff.develop.com/jasonm
For the resources from this Summit.  The slides and the sample code are all available for download.

History

version 0.10 2002-06-20 Adapt a boilerplate and start capturing notes other than on the printed slide notes pages.

created 2002-06-20-09:10 -0700 (pdt) by orcmid
$$Author: Orcmid $
$$Date: 02-11-18 16:29 $
$$Revision: 3 $