• .NET Security Blog

    My application works from my local machine, but throws a SecurityException when I move it to a network share

    • 100 Comments
    How to modify your security policy to make your application work from the LocalIntranet zone...

    Using CasPol to Fully Trust a Share

    • 73 Comments
    Since network shares by default only get LocalIntranet permissions, it's relatively common to want to use CasPol to fully trust some shares that you control and know are safe. However, CasPol syntax being what it is, the command to do this isn't immediately...

    How to provide extra trust for an Internet Explorer hosted assembly

    • 49 Comments
    Avoiding security exceptions that occur when you try to provide extra trust based upon strong name or X509 certificates...

    Making Strings More Secure

    • 40 Comments
    The standard System.String has never been a very secure solution for storing sensitive strings such as passwords or credit card numbers. Using a string for this purpose has numerous problems, including: It's not pinned, so the garbage collector can move...

    Don't Roundtrip Ciphertext Via a String Encoding

    • 37 Comments
    One common mistake that people make when using managed encryption classes is that they attempt to store the result of an encryption operation in a string by using one of the Encoding classes. That seems to make sense, right? After all, Encoding.ToString...

    Enforcing FIPS Certified Cryptography

    • 35 Comments
    Certain types of software, such as code written for a government contract, require adhering to a strict set of guidelines, especially when it comes to security. To better enable this type of software, v2.0 of the CLR provides the ability for you to enforce...

    Sharing a Strong Name Key File Across Projects

    • 33 Comments
    v2.0 of the .NET Framework deprecated the use of the AssemblyKeyFileAttribute and AssemblyKeyContainerAttribute. Oftentimes, these attributes were used to share a common key file across several projects. If you try to share key files using the Visual...

    Allowing Partially Trusted Callers

    • 31 Comments
    The AllowPartiallyTrustedCallersAttribute (affectionately referred to as APTCA from here on out) is one of the aspects of the security system that most frequently trips people up when they run into it. Let's look at a typical scenario where I might run...

    Generating a Key from a Password

    • 31 Comments
    If you're trying to encrypt data using a password, how do you convert the password into a key for symmetric encryption? The easiest way might be to simply convert the password to a byte array, and use this array as your key. However, this is a very bad...

    Delay Signing

    • 28 Comments
    Most people know about the delay signing feature of the CLR. (For those who don't, check out MSDN's Delay Signing an Assembly for more details.) Basically, delay signing allows a developer to add the public key token to an assembly, without having access...

    .NET 1.0 SP 3 and .NET 1.1 SP 1 Released

    • 23 Comments
    Today we pushed .NET 1.0 SP3 and .NET 1.1 SP1 onto Windows Update as a Critical Update. You can also download the service packs from the MSDN download center. Here's a brief review of what's new for security in each service pack: .NET 1.0 SP3 (v1.0.3705...

    Assembly Level Declarative Security

    • 20 Comments
    Assembly level declarative security comes in three forms, RequestMinimum, RequestOptional, and RequestRefuse. The three can be briefly defined as: RequestMinimum -- the set of permissions that are absolutely required for this assembly to run RequestOptional...

    Does Being in the GAC Grant FullTrust?

    • 20 Comments
    What does being in the GAC imply about the permission set that will be assigned to an assembly? Well, it depends ... In v1.0 and 1.1, the fact that assemblies in the GAC seem to always get a FullTrust grant is actually a side effect of the fact that the...

    More on the FullTrust GAC

    • 19 Comments
    Last week I mentioned that although currently assemblies in the GAC receive FullTrust as a side effect of the GAC being on the local machine, from Whidbey beta 2 and beyond, being in the GAC will imply FullTrust on its own. A lot of the feedback wondered...

    Please do not use the .NET 2.0 HMACSHA512 and HMACSHA384 Classes

    • 19 Comments
    We’ve recently discovered a bug in the HMACSHA512 and HMACSHA384 classes which shipped in the .NET Framework 2.0. This bug will cause these algorithms to produce incorrect results which are not consistent with other implementations of HMAC-SHA-512 and...

    FullTrust on the LocalIntranet

    • 18 Comments
    We released the first beta of .NET 3.5 SP 1 this morning, and it includes a change to the default grant set for applications launched from the LocalIntranet zone. The quick summary is that as of .NET 3.5 SP1, applications run from a network share will...

    How to Impersonate

    • 18 Comments
    Guillermo recently started blogging about some Whidbey enhancements around impersonation. However, figuring out how to impersonate in the first place can be a little less than obvious. WindowsIdentity contains an Impersonate method, but it doesn't accept...

    Safely Impersonating Another User

    • 17 Comments
    Yesterday I posted a bit of code that shows how to impersonate another user in managed code. However, that code had a subtle security hole waiting to bite you if you used it directly. Both Dean and Eric found the problem. In fact Eric reminded me of a...

    Whidbey's Security Off Model

    • 17 Comments
    Although the v1.0 and v1.1 versions of CasPol provided a switch to disable the CLR's security system, running without CAS enforcement on was never a scenario that we encouraged for obvious reasons. The choice to disable security was a system-wide switch...

    5 Reasons to Choose Simple Sandboxing

    • 17 Comments
    When it comes time to host some partially trusted code in your application, perhaps as a part of an Add-In model, you’ve got a few options to choose from. How do you decide which is the best way to go? Thankfully the answer to this one is relatively...

    Enveloped PKCS #7 Signatures

    • 16 Comments
    One of the new cryptography features in the v2.0 framework is the ability to work with PKCS #7 formatted messages. The PKCS features live in the new System.Security.Cryptography.Pkcs namespace in System.Security.dll, and are thin wrappers around the...

    Receiving Session Lock and Unlock Notifications

    • 16 Comments
    Some programs, such as MSN Messenger, change their behavior when the current session is locked and unlocked. Messenger, for instance, will change your status to Away while your machine is locked, and then back to Online when your machine is unlocked....

    Blogging around the CLR

    • 16 Comments
    As of today, there are 40 members of the extended CLR team with blogs on and off of MSDN. Some are more active than others, but if you're looking for a blog that might cover a specific area, here are some places to check out. Note these are categorized...

    Searching for Custom ID Tags With Signed XML

    • 16 Comments
    Last week, I blogged about using references to sign only specific parts of an XML document. The biggest limitation with doing this is that you must refer to the nodes that are being signed by ID, which for v1.1 and 1.0 of the framework was given by an...

    Signing Assemblies With C# in Whidbey

    • 16 Comments
    You may be in for a surprise when you try to rebuild your strongly named assemblies written in C# under Whidbey for the first time. If you're using the AssemblyKeyFile attribute, you'll get a warning similar to this: signed.cs(4,11): warning CS1699...