March, 2004

  • Craig McMurtry's WebLog

    Application Security, Part 28

    • 0 Comments
    Now, the Windows Server 2003 Authorization Manager exposes a COM API, which has the unfortunate name, AzMan, that can be used to query the authorization store at run-time to identify the operations that a current user is permitted to perform. Specifically...
  • Craig McMurtry's WebLog

    Application Security, Part 27

    • 0 Comments
    So, let us follow these four steps to populate the authorization store for our application. We begin by creating operations that map to menu options and buttons on the main form of the application. An additional operation, called Miscellaneous, is created...
  • Craig McMurtry's WebLog

    Application Security, Part 26

    • 0 Comments
    Once one has created an authorization store, one can proceed to use the Management Console snap-in to populate that store for that application. There are four steps to complete. One begins by defining operations. Those are atomic actions that a...
  • Craig McMurtry's WebLog

    Application Security, Part 25

    • 2 Comments
    So much for the user authentication requirements of application security; what about user authorization? Most applications have user interfaces with menus, button bars and buttons and we often want to restrict users' access to those operations based on...
  • Craig McMurtry's WebLog

    Application Security, Part 24

    • 2 Comments
    Here is the code for the main form of our Smart Client that handles the event of the user changing his or her language preference. private bool fLanguage_Switch(string sLanguage, System.Windows.Forms.MenuItem rMenuItem) { try { if(!...
  • Craig McMurtry's WebLog

    Application Security, Part 23

    • 2 Comments
    Back in the code for the start-up of the primary form of the Smart Client, static void Main (string[] asArguments) { Hashtable rArguments = null; try { rArguments = CUtility.rParseCommandLineArguments(asArguments,frmMain.c_sArgumentSeparator_Prefix...
  • Craig McMurtry's WebLog

    Application Security, Part 22

    • 2 Comments
    The Authentication Web Service is configured for Windows Authentication, so the credentials are automatically encrypted and validated against the Active Directory for the domain. As we know already, though, not all of the users identified in Active Directory...
  • Craig McMurtry's WebLog

    Notes on Compact Framework Development

    • 4 Comments
    I've been working on a Compact Framework application this week. My most-excellent colleague, Rockin' Ryan Storgaard (go read his blog instead of mine) referred me to SOTI's (www.soti.net) terrific Pocket Controller tool. It displays the screen of your...
  • Craig McMurtry's WebLog

    Application Security, Part 21

    • 3 Comments
    Alright: at this point we have the foundation of our user authentication strategy set up. Let's see how our application actually authenticates its users. We’ll begin at the entry point of the application, the static Main method of the primary form...
  • Craig McMurtry's WebLog

    Application Security, Part 20

    • 1 Comments
    Everything is now in place for the users in the YourApplicationUsers group within Active Directory to be provisioned in ADAM. So, we go to the MIIS Identity Manager and clear out the connector spaces for the ADAM and Active Directory management agents...
  • Craig McMurtry's WebLog

    Application Security, Part 19

    • 3 Comments
    Remember, however, that we don’t want all of the users in Active Directory provisioned in ADAM, but only those that belong to the YourApplicationUsers group within Active Directory, yet nothing in the code for our meta-verse rule extension checked...
  • Craig McMurtry's WebLog

    Application Security, Part 18

    • 1 Comments
    Now, our MIIS management agents can be configured to do either imports or exports when they execute. Importing means, as one might expect, moving objects into the connector space and potentially projecting them into the meta-verse. Exporting means moving...
  • Craig McMurtry's WebLog

    Application Security, Part 17

    • 3 Comments
    Let’s start with the basic problem of how to provision users in ADAM that exist in Active Directory. The solution lies in MIIS rule extensions. Rule extensions are .NET DLLs with classes that implement either one of two interfaces defined in the...
  • Craig McMurtry's WebLog

    Application Security, Part 16

    • 3 Comments
    At this point, let’s return to our scenario. Remember that our client organization has Active Directory as its directory service, while our application uses ADAM as its user data repository. Everyone in the organization is catalogued in the Active...
  • Craig McMurtry's WebLog

    Thanks to Ted Neward for kind words about the Application Security Series

    • 0 Comments
    Terrific Ted Neward was kind enough to post a link to my ongoing Application Security series on the ServerSide.NET. Thanks, Ted: I've read your stuff too, and I'm a huge fan. Anyone who is reading my blog should be reading his instead!
  • Craig McMurtry's WebLog

    Application Security, Part 15

    • 2 Comments
    Okay: so now we have our ADAM directory service configured for TaskVision II, thereby completing the first step in our deployment of that application. The next step, you will recall, was that of setting up a channel of communication to ADAM from...
  • Craig McMurtry's WebLog

    Application Security, Part 14

    • 6 Comments
    I would like to mention to you that a tool that I find invaluable for working with both Active Directory and ADAM is the simple Active Directory Service Viewer, ADSVW.EXE, that shipped with the Windows 2000 Resource Kit. When you absolutely, positively...
  • Craig McMurtry's WebLog

    Application Security, Part 13

    • 9 Comments
    Manipulating ADAM programmatically can be a little challenging. First, the documentation that is installed with ADAM does not cover its programming interfaces. However, that documentation can be found within MSDN, under Networking and Directory Services...
  • Craig McMurtry's WebLog

    Application Security, Part 12

    • 4 Comments
    So, that is the theory of how ADAM, MIIS, and Authorization Manager can facilitate application security. Let's see how they work together in practice. For that purpose, let us assume that we are a software vendor selling an application to an organization...
  • Craig McMurtry's WebLog

    Response to Darrell's question about ADAM and AD

    • 2 Comments
    Darrell wrote: If the organization you are developing for does have a directory service, but you need to modify the schema. In those cases, I have relied on AD for authentication, and then additional attributes linking userIDs to permissions for...
  • Craig McMurtry's WebLog

    Application Security, Part 9

    • 4 Comments
    COM+ provided an infrastructure for role-based security. With role-based security, users are grouped according to their function, and are assigned permissions to perform abstract operations, each of which may involve a number of actions performed on a...
  • Craig McMurtry's WebLog

    Application Security, Part 11

    • 4 Comments
    So, what we would really like to be able to do in administering permissions for an application is the following: · we would like to be able to define abstract operations for which we would want to control authorization, abstract operations...
  • Craig McMurtry's WebLog

    Application Security, Part 10

    • 3 Comments
    The .NET Framework Class Library provides authorization facilities in its System.Security.Principal namespace. It defines an interface, IPrincipal, that incorporates a method, IsInRole, that one can use for manual authorization checks. For example,...
  • Craig McMurtry's WebLog

    Application Security, Part 7

    • 3 Comments
    Now, we said that application security was about authentication—controlling who accessed your application—as well as about authorization—controlling what folk who were permitted access would be allowed to do. ADAM and MIIS are the tools...
  • Craig McMurtry's WebLog

    Application Security, Part 8

    • 3 Comments
    Access control lists are available in Windows NT, Windows 2000, Windows XP and Windows Server 2003. They provide for what may be described as object-centric authorization, in which permissions are associated with objects, such as files and folders. Object...