Tagged Content List
  • Blog Post: Disabling the FIPS Algorithm Check

    .NET 2.0 introduced a check for FIPS certified algorithms if your local security policy was configured to require them. This resulted in algorithms which are not FIPS compliant (or implementations which were not FIPS certified) throwing an InvalidOperationException from their constructors. In some cases...
  • Blog Post: Which Groups Does WindowsIdentity.Groups Return?

    WindowsIdentity exposes a Groups property which returns a collection of IdentityReferences for the groups that a particular user is a member of. However, if you look closely, you'll find that these returned groups won't necessarily include all of the groups that the user is a member of. Under the covers...
  • Blog Post: Using the MMC Snap-In to Configure 64 Bit CAS Policy

    The .NET Framework SDK ships with an MMC Snap-In which enables you to, among other things, avoid using caspol to modify your local security policy. Since each runtime installed on your machine has independent security policy, the MMC Snap-In will only modify policy for the version of the CLR it is running...
  • Blog Post: Kenny Kerr Explores UAC

    Kenny Kerr, one of our Security MVPs, has updated his Windows Vista for Developers series with Part 4 - User Account Control. Kenny takes an in-depth look at what UAC means for developers and covers areas that a lot of other sources don't touch on, such as integrity levels. This is absolutely worth a...
  • Blog Post: Adding a UAC Manifest to Managed Code

    The UAC feature of Vista is one of my favorite new features -- it really makes running as a non-admin much less painful than it has been in the past. One of the requirements that UAC puts on developers is that we must mark our applications with manifests which declare if the application would like to...
  • Blog Post: Return of the Mailbag

    Over the last week or so I've seen a few questions pop up multiple times. In no particular order: Q: Is calling a virtual method with a non-virtual call verifiable? A: It depends :-) In v1.x of the CLR this was verifiable. We made a change in v2.0 which disallows a non-virtual call to a virtual...
  • Blog Post: Impersonation and Exception Filters in v2.0

    A while back, I wrote about a potential security hole when malicious code can set up an exception filter before calling your code which does impersonation. In the final release of v2.0, we've added a feature to help mitigate this problem. The CLR records that you've begun impersonation on the stack...
  • Blog Post: UAC Policy Settings

    The new UAC blog (formerly LUA, formerly UAP) has up a good post on the six security policy settings that have been introduced to control how UAC works. As the Vista betas start coming out and people can start to play with UAC, knowing that some of these knobs are available can certainly be helpful....
  • Blog Post: PrincipalPermission and Finalizers

    Nicole Calinoiu, one of our developer security MVPs, has just posted a good description of the problems that occur when using PrincipalPermission with impersonation and finalizers. The key thing to take away from this is that impersonation occurs on a per-thread basis and finalizers run on a thread...
  • Blog Post: Mike Rousos on Registry Security

    Over the weekend, Mike Rousos (a BCL tester who's been temporarily drafted onto the security team) posted an interesting piece about the new BCL registry security support on the BCL blog. While the title mentions RegistryPermission, the post is actually about the NT security features of the registry...
  • Blog Post: Adding SignatureProperties to SignedXml

    One of the optional portions of the W3C XML digital signature specification allows for a set of SignatureProperties to be assigned to a signature. SignatureProperties allow the signer to place some metadata into the signature itself, such as the time the signature was created and the name of the person...
  • Blog Post: Enforcing FIPS Certified Cryptography

    Certain types of software, such as code written for a government contract, require adhering to a strict set of guidelines, especially when it comes to security. To better enable this type of software, v2.0 of the CLR provides the ability for you to enforce that only cryptographic algorithms that have...
  • Blog Post: Forcing Security to Stay On

    Last time we looked at how the Whidbey version of CasPol uses a mutex to indicate the state of the security system. One of the more interesting fallouts from this model is that we can actually use this information to prevent security from being turned off in the first place. As I mentioned...
  • Blog Post: Whidbey's Security Off Model

    Although the v1.0 and v1.1 versions of CasPol provided a switch to disable the CLR's security system, running without CAS enforcement on was never a scenario that we encouraged for obvious reasons. The choice to disable security was a system wide switch that affected any managed application on any version...
  • Blog Post: Happy Birthday Channel 9

    Channel 9 turns one year old today, and to celebrate they've been releasing quite a few interesting interviews. One in particular that really stands out is the four parter with Windows Kernel Architect Dave Probert. Dave gives an overview of Windows organization, design decisions, and lots of ways that...
  • Blog Post: Safe Impersonation With Whidbey

    Over the last couple of days we've talked about how to impersonate another user, and some security issues to keep in mind while impersonating. Now I'd like to take a look at some new features available in Whidbey which can make the whole process much nicer. I'm going to code this up in Visual Basic...
  • Blog Post: Safely Impersonating Another User

    Yesterday I posted a bit of code that shows how to impersonate another user in managed code. However, that code had a subtle security hole waiting to bite you if you used it directly. Both Dean and Eric found the problem. In fact Eric reminded me of a blog entry he wrote on the same subject last fall...
  • Blog Post: How to Impersonate

    Guillermo recently started blogging about some Whidbey enhancements around impersonation. However, figuring out how to impersonate in the first place can be a little less than obvious. WindowsIdentity contains an Impersonate method, but it doesn't accept any parameters. That means that we'll need to...
  • Blog Post: Running IE with SAFER

    Michael Howard recently did a two part series on MSDN about browsing the web and reading email safely as an Administrator (part 1 | part 2). Today he's got a Quick Start posted on his blog to get IE setup to run with SAFER. Personally, I prefer the run as normal user route, but if you've got to be...
  • Blog Post: Finding the Raw Strong Name Signature

    Wow ... there's been lots of interest in signatures lately :-) In response to my last post about reserving a larger section of the PE file for the signature when you create a signature with a larger key, William wants to know if you can extract the actual signature bytes from the PE file. Absolutely...
  • Blog Post: How to link to an ActiveX Control from a Strongly Named Assembly

    Windows Forms has a feature that allows you to use an ActiveX control on your managed form. All you have to do is add the control to your toolbox, and VS takes care of the rest behind the scenes. But this feature has a bit of a problem when it comes to strongly named assemblies. The root of the problem...
  • Blog Post: Why Do I Still Get an Exception Accessing a File with Full FileIOPermission?

    This issue (and its cousin: Why Do I Still Get an Exception Accessing the Registry with Full RegistryPermission?) comes up fairly frequently on the newsgroups. The reasoning is actually very simple. The exception being thrown in these cases arises from the fact that the CAS model sits on top of the security...
  • Blog Post: Another Fix for the Infamous Calc Problem

    Last month I wrote about replacing Calc with CalcPlus. If you'd really like to keep the default calculator around, I've stumbled across another fix for the problem. This involves editing the registry, so the standard disclaimers apply. Recall that the root of the Calc problem is that it stores its settings...
  • Blog Post: Replacing Calc with Calculator Plus

    On my home machine, and one of my office machines, I log in as a normal user, and only elevate to an account with admin status when installing software, or doing other maintenance. Needless to say, doing that creates problems with various programs that were written to always assume that the user has...
  • Blog Post: FormatMessage Shortcut for Win32 Error Codes

    If you ever need to P/Invoke to an API that returns extended error information via the GetLastError function, then you've also probably been through the pain of converting the error code into a usable error message via the FormatMessage API ... not exactly one of the more user-friendly APIs for managed...
Page 1 of 2 (38 items)