• .NET Security Blog

    My application works from my local machine, but throws a SecurityException when I move it to a network share

    • 100 Comments
    How to modify your security policy to make your application work from the LocalIntranet zone...
  • .NET Security Blog

    Using CasPol to Fully Trust a Share

    • 73 Comments
    Since network shares by default only get LocalIntranet permissions, it's relatively common to want to use CasPol to fully trust some shares that you control and know are safe. However, CasPol syntax being what it is, the command to do this isn't immediately...
  • .NET Security Blog

    Allowing Partially Trusted Callers

    • 31 Comments
    The AllowPartiallyTrustedCallersAttribute (affectionately referred to as APTCA from here on out) is one of the aspects of the security system that most frequently trips people up when they run into it. Let's look at a typical scenario where I might run...
  • .NET Security Blog

    Generating a Key from a Password

    • 31 Comments
    If you're trying to encrypt data using a password, how do you convert the password into a key for symmetric encryption? The easiest way might be to simply convert the password to a byte array, and use this array as your key. However, this is a very bad...
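    As an added illustration (not code from the post), the following C# contrasts the naive "password bytes as key" approach with PBKDF2 via Rfc2898DeriveBytes. It assumes the .NET Framework 4.x; the `PasswordKeyDerivation` class, the 16-byte salt, the 100,000 iterations and the sample password are all illustrative choices, not values the post prescribes.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original post: deriving an AES key from a
// password with PBKDF2 (Rfc2898DeriveBytes) instead of using the password's bytes.
// Salt length and iteration count are illustrative, not values the post prescribes.
static class PasswordKeyDerivation
{
    // The approach the post warns against. The "key" is the password's UTF-8 bytes:
    // its length is whatever the password's length happens to be (AES needs exactly
    // 16, 24 or 32 bytes), it carries only the password's own entropy, and every
    // user who picks the same password ends up with the same key.
    public static byte[] NaiveKey(string password)
    {
        return Encoding.UTF8.GetBytes(password);
    }

    public static byte[] NewSalt(int length)
    {
        byte[] salt = new byte[length];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        return salt;
    }

    // PBKDF2 (HMAC-SHA1 in this .NET Framework overload). A random per-secret salt
    // makes identical passwords derive different keys, and the iteration count makes
    // each guess cost the attacker as much work as it costs you. Store the salt and
    // iteration count next to the ciphertext; only the password stays secret.
    public static byte[] DeriveKey(string password, byte[] salt, int iterations, int keyBytes)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
        {
            return kdf.GetBytes(keyBytes);
        }
    }

    static bool SameBytes(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++) if (a[i] != b[i]) return false;
        return true;
    }

    static void Main()
    {
        const string password = "correct horse";   // constructed sample input
        const int iterations = 100000;             // assumption: tune to your hardware

        byte[] naive = NaiveKey(password);
        Console.WriteLine("naive key: {0} bytes, which is not a legal AES key size", naive.Length);

        byte[] salt = NewSalt(16);
        byte[] key = DeriveKey(password, salt, iterations, 32);            // 256-bit AES key
        byte[] again = DeriveKey(password, salt, iterations, 32);          // same inputs, same key
        byte[] other = DeriveKey(password, NewSalt(16), iterations, 32);   // fresh salt, new key

        Console.WriteLine("derived key: {0} bytes", key.Length);
        Console.WriteLine("re-derived with the stored salt matches: " + SameBytes(key, again)); // True
        Console.WriteLine("derived with a fresh salt matches:       " + SameBytes(key, other)); // False

        // The derived key drops straight into any SymmetricAlgorithm.
        using (var aes = new AesCryptoServiceProvider())
        {
            aes.Key = key;   // assigning `naive` here would throw CryptographicException
            Console.WriteLine("AES accepted the derived key (KeySize {0})", aes.KeySize);
        }
    }
}
```

    Whatever you store alongside the ciphertext (salt, iteration count) is not secret, but it must be present at decryption time, so serialize it with the message rather than hard-coding it.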
  • .NET Security Blog

    How to Impersonate

    • 18 Comments
    Guillermo recently started blogging about some Whidbey enhancements around impersonation. However, figuring out how to impersonate in the first place can be a little less than obvious. WindowsIdentity contains an Impersonate method, but it doesn't accept...
  • .NET Security Blog

    Adding a UAC Manifest to Managed Code

    • 12 Comments
    The UAC feature of Vista is one of my favorite new features -- it really makes running as a non-admin much less painful than it has been in the past. One of the requirements that UAC puts on developers is that we must mark our applications with manifests...
  • .NET Security Blog

    The Differences Between Rijndael and AES

    • 9 Comments
    When writing managed code that encrypts or decrypts data according to the AES standard, most people just plug in the RijndaelManaged class and go on their way. After all, Rijndael was the winner of the NIST competition to select the algorithm...
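    The practical consequence, shown as an added C# example rather than code from the post: AES is Rijndael with the block size fixed at 128 bits, so RijndaelManaged output only interoperates with an AES implementation when its BlockSize is 128. The example targets the .NET Framework, where RijndaelManaged accepts 192- and 256-bit blocks (the .NET Core RijndaelManaged rejects them); the `RijndaelVersusAes` class, the all-zero key and IV, and the sample plaintext are constructed for illustration only.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original post: RijndaelManaged is only AES when
// its block size is 128 bits. Key/IV values are constructed for illustration.
static class RijndaelVersusAes
{
    static bool SameBytes(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++) if (a[i] != b[i]) return false;
        return true;
    }

    // True when ciphertext produced by `producer` decrypts correctly under the
    // CAPI AES implementation using the same key and IV.
    public static bool InteroperatesWithAes(SymmetricAlgorithm producer, byte[] plaintext)
    {
        byte[] ciphertext;
        using (ICryptoTransform enc = producer.CreateEncryptor())
            ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

        try
        {
            using (var aes = new AesCryptoServiceProvider())
            {
                aes.Key = producer.Key;
                aes.IV = producer.IV;   // throws CryptographicException unless the IV is 16 bytes
                using (ICryptoTransform dec = aes.CreateDecryptor())
                {
                    byte[] back = dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
                    return SameBytes(back, plaintext);
                }
            }
        }
        catch (CryptographicException)
        {
            return false;
        }
    }

    static void Main()
    {
        byte[] plaintext = Encoding.UTF8.GetBytes("block size matters");   // constructed input
        byte[] key = new byte[32];   // 256-bit all-zero key: constructed, never do this for real

        // BlockSize must be set before the IV, because changing it discards the IV.
        using (var r128 = new RijndaelManaged { BlockSize = 128, Key = key, IV = new byte[16] })
            Console.WriteLine("Rijndael/128-bit block == AES-256: " + InteroperatesWithAes(r128, plaintext)); // True

        using (var r256 = new RijndaelManaged { BlockSize = 256, Key = key, IV = new byte[32] })
            Console.WriteLine("Rijndael/256-bit block == AES-256: " + InteroperatesWithAes(r256, plaintext)); // False
    }
}
```

    If the other end of the wire is an AES library (OpenSSL, Java's `AES/CBC/PKCS5Padding`, hardware), leave BlockSize at 128 or use the Aes classes directly, so the mismatch cannot happen.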
  • .NET Security Blog

    Blogging around the CLR

    • 16 Comments
    As of today, there are 40 members of the extended CLR team with blogs on and off of MSDN. Some are more active than others, but if you're looking for a blog that might cover a specific area, here's some places to check out. Note these are categorized...
  • .NET Security Blog

    Don't Roundtrip Ciphertext Via a String Encoding

    • 37 Comments
    One common mistake that people make when using managed encryption classes is that they attempt to store the result of an encryption operation in a string by using one of the Encoding classes. That seems to make sense right? After all, Encoding.ToString...
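    To make the failure concrete, here is an added C# example (not code from the post) that pushes the same bytes through a UTF-8 decode/encode round trip and through Base64. The `CiphertextRoundtrip` class, the hand-built invalid-UTF-8 byte string and the sample plaintext are constructed for this illustration; it assumes the .NET Framework 4.x.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original post: why ciphertext must not be stored
// as a string via an Encoding, and the Base64 alternative. Sample inputs are constructed.
static class CiphertextRoundtrip
{
    // Wrong: ciphertext is arbitrary bytes, not text. Any sequence that is not valid
    // UTF-8 (most of them, for random-looking data) is replaced with U+FFFD on decode,
    // so the bytes that come back are not the bytes that went in.
    public static byte[] ViaUtf8(byte[] data)
    {
        string s = Encoding.UTF8.GetString(data);
        return Encoding.UTF8.GetBytes(s);
    }

    // Right: Base64 is a bytes-to-text encoding that is defined to be lossless.
    public static byte[] ViaBase64(byte[] data)
    {
        string s = Convert.ToBase64String(data);
        return Convert.FromBase64String(s);
    }

    static bool SameBytes(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++) if (a[i] != b[i]) return false;
        return true;
    }

    static void Main()
    {
        // Constructed byte string containing sequences that are not valid UTF-8.
        byte[] sample = { 0xC3, 0x28, 0xFF, 0xFE, 0x80, 0x00 };
        Console.WriteLine("UTF-8 round trip preserved bytes:  " + SameBytes(sample, ViaUtf8(sample)));   // False
        Console.WriteLine("Base64 round trip preserved bytes: " + SameBytes(sample, ViaBase64(sample))); // True

        // The same mistake with real ciphertext: decryption of the mangled bytes fails
        // (a CryptographicException on length or padding) or, rarely, yields garbage.
        using (var aes = new AesCryptoServiceProvider())
        {
            byte[] plaintext = Encoding.UTF8.GetBytes("attack at dawn");   // constructed input
            byte[] ciphertext;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            string stored = Encoding.UTF8.GetString(ciphertext);   // the bug
            byte[] reloaded = Encoding.UTF8.GetBytes(stored);
            try
            {
                using (ICryptoTransform dec = aes.CreateDecryptor())
                {
                    byte[] p = dec.TransformFinalBlock(reloaded, 0, reloaded.Length);
                    Console.WriteLine("decrypted (via UTF-8): " + Encoding.UTF8.GetString(p));
                }
            }
            catch (CryptographicException e)
            {
                Console.WriteLine("decrypting UTF-8 round-tripped ciphertext failed: " + e.Message);
            }

            string storedOk = Convert.ToBase64String(ciphertext);   // the fix
            byte[] reloadedOk = Convert.FromBase64String(storedOk);
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] p = dec.TransformFinalBlock(reloadedOk, 0, reloadedOk.Length);
                Console.WriteLine("decrypted (via Base64): " + Encoding.UTF8.GetString(p));   // attack at dawn
            }
        }
    }
}
```

    The same rule applies to keys, IVs, salts and hashes: anything that is "just bytes" goes through Base64 (or hex) on its way into a string, never through an Encoding.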
  • .NET Security Blog

    Enforcing FIPS Certified Cryptography

    • 35 Comments
    Certain types of software, such as code written for a government contract, require adhering to a strict set of guidelines, especially when it comes to security. To better enable this type of software, v2.0 of the CLR provides the ability for you to enforce...
  • .NET Security Blog

    How to provide extra trust for an Internet Explorer hosted assembly

    • 49 Comments
    Avoiding security exceptions that occur when you try to provide extra trust based upon strong name or X509 certificates...
  • .NET Security Blog

    Whidbey's New SecurityException

    • 14 Comments
    One of the more difficult things to debug with .NET 1.0 and 1.1 is the security exception. With these frameworks generally the only information that you got was the state of the failed permission. Due to the complexity of debugging security problems,...
  • .NET Security Blog

    Making Strings More Secure

    • 40 Comments
    The standard System.String has never been a very secure solution for storing sensitive strings such as passwords or credit card numbers. Using a string for this purpose has numerous problems, including: It's not pinned, so the garbage collector can move...
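    The alternative the title points at is SecureString. As an added C# example (not code from the post, and assuming Windows, where SecureString keeps its contents encrypted in memory), the `SecretHandling` class below builds one without ever holding the whole secret in a System.String, uses it briefly through unmanaged memory, and zeroes that copy afterwards; the sample secret in `Main` is constructed so the example runs non-interactively.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Added example, not code from the original post: keeping a secret in a SecureString,
// handing it to unmanaged code only briefly, and zeroing that copy afterwards.
static class SecretHandling
{
    // Build the SecureString one character at a time, so the complete secret never
    // exists as an immutable, movable System.String on the way in.
    public static SecureString ReadSecretFromConsole()
    {
        var secret = new SecureString();
        ConsoleKeyInfo k;
        while ((k = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (k.Key == ConsoleKey.Backspace)
            {
                if (secret.Length > 0) secret.RemoveAt(secret.Length - 1);
            }
            else
            {
                secret.AppendChar(k.KeyChar);
            }
        }
        secret.MakeReadOnly();
        return secret;
    }

    // Use the secret: decrypt it into unmanaged memory, act on it, then zero and free
    // that buffer in a finally block. The plaintext never becomes a managed string,
    // so there is no copy left behind for the GC to move or for a heap dump to find.
    public static int CountChars(SecureString secret)
    {
        IntPtr ptr = IntPtr.Zero;
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secret);
            // This is where you would hand `ptr` to an unmanaged API expecting LPCWSTR.
            // Here we just walk the NUL-terminated UTF-16 buffer to count characters.
            int n = 0;
            while (Marshal.ReadInt16(ptr, n * 2) != 0) n++;
            return n;
        }
        finally
        {
            if (ptr != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(ptr);
        }
    }

    static void Main()
    {
        // Constructed sample: built from a literal only so the example runs without a
        // console prompt. In real code the literal itself would defeat the purpose;
        // use ReadSecretFromConsole() or an equivalent char-at-a-time source.
        using (var s = new SecureString())
        {
            foreach (char c in "hunter2") s.AppendChar(c);
            s.MakeReadOnly();
            Console.WriteLine("secret length: " + CountChars(s));   // 7
        }
    }
}
```

    Dispose() on the SecureString zeroes its buffer, which is the other half of the story: the value is not only harder to find while alive, it also has a definite end of life.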
  • .NET Security Blog

    Sharing a Strong Name Key File Across Projects

    • 34 Comments
    v2.0 of the .NET Framework deprecated the use of the AssemblyKeyFileAttribute and AssemblyKeyContainerAttribute . Often, these attributes were used to share a common key file across several projects. If you try to share key files using the Visual...
  • .NET Security Blog

    Safely Impersonating Another User

    • 17 Comments
    Yesterday I posted a bit of code that shows how to impersonate another user in managed code. However, that code had a subtle security hole waiting to bite you if you used it directly. Both Dean and Eric found the problem. In fact Eric reminded me of a...
  • .NET Security Blog

    Receiving Session Lock and Unlock Notifications

    • 16 Comments
    Some programs, such as MSN Messenger, change their behavior when the current session is locked and unlocked. Messenger, for instance, will change your status to Away while your machine is locked, and then back to Online when your machine is unlocked....
  • .NET Security Blog

    Enveloped PKCS #7 Signatures

    • 16 Comments
    One of the new cryptography features in the v2.0 framework is the ability to work with PKCS #7 formatted messages . The PKCS features live in the new System.Security.Cryptography.Pkcs namespace in System.Security.dll, and are thin wrappers around the...
  • .NET Security Blog

    The Silverlight Security Model

    • 12 Comments
    You may have heard a thing or two last week about a little project we like to call Silverlight , including a small version of the CLR that will run in the browser on both Windows and the Mac. (If you haven't grabbed the Silverlight v1.1 alpha bits yet...
  • .NET Security Blog

    The Simple Sandboxing API

    • 10 Comments
    A while back I gave some sample code to show how to set up a sandboxed AppDomain . This technique has worked since v1.0, and will continue to work with Whidbey. However, Whidbey also introduces a simple sandboxing API which eliminates the need for this...
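    The simple sandboxing API is the AppDomain.CreateDomain overload that takes a grant set and an optional list of full-trust assemblies. As an added C# example (not code from the post; .NET Framework only, since AppDomains cannot be created on .NET Core), the `SimpleSandbox` and `SandboxedWorker` classes below create a domain whose only permission is execution and show a file read from inside it being refused; the probe file path is constructed for the illustration.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Added example, not code from the original post: the simple sandboxing overload of
// AppDomain.CreateDomain. .NET Framework only.

// Runs inside the sandbox. Execution is permitted; file I/O is not.
public class SandboxedWorker : MarshalByRefObject
{
    public string TryReadFile(string path)
    {
        try
        {
            return "read " + File.ReadAllText(path).Length + " chars";
        }
        catch (SecurityException e)
        {
            return "denied: " + e.Message;
        }
    }
}

static class SimpleSandbox
{
    public static AppDomain CreateSandbox()
    {
        // Minimal grant set: only the right to run code. Everything else
        // (file, registry, network, reflection) is denied by omission.
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        var setup = new AppDomainSetup { ApplicationBase = AppDomain.CurrentDomain.BaseDirectory };

        // Evidence is null and no full-trust assemblies are listed, so every assembly
        // loaded into the domain, including this one, gets exactly `grant`.
        return AppDomain.CreateDomain("Sandbox", null, setup, grant);
    }

    static void Main()
    {
        // Constructed probe file, written from the full-trust default domain.
        string probe = Path.Combine(Path.GetTempPath(), "sandbox-probe.txt");
        File.WriteAllText(probe, "hello");

        AppDomain sandbox = CreateSandbox();
        try
        {
            var worker = (SandboxedWorker)sandbox.CreateInstanceAndUnwrap(
                typeof(SandboxedWorker).Assembly.FullName,
                typeof(SandboxedWorker).FullName);

            // The call crosses into the sandbox; the read is demanded against `grant`.
            Console.WriteLine(worker.TryReadFile(probe));   // denied: ...
        }
        finally
        {
            AppDomain.Unload(sandbox);
            File.Delete(probe);
        }
    }
}
```

    If you do need a trusted helper inside the sandbox (for example, a host-provided API that does controlled file access), pass its StrongName in the params argument of CreateDomain rather than widening the grant set for everything.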
  • .NET Security Blog

    What's New in Security for v2.0

    • 10 Comments
    There's a ton of new and enhanced security features coming with the v2.0 release of the CLR. However, finding a definitive list of them all can be a somewhat challenging task. Dominick Baier has an excellent slide deck detailing some of the changes and...
  • .NET Security Blog

    New ClickOnce Article on MSDN

    • 2 Comments
    MSDN is hosting a sample chapter from Duncan Mackenzie's upcoming book Essential ClickOnce .  Although the chapter doesn't go into the security aspects, such as Permission Elevation or TrustManagers, it's still an interesting read. http://msdn...
  • .NET Security Blog

    Managed DPAPI Part I: ProtectedData

    • 13 Comments
    Overview of DPAPI Although APIs such as CAPI and the .NET System.Security.Cryptography classes make using cryptography relatively easy, one of the hardest things to do when implementing a secure cryptographic system is key management. In order to help...
  • .NET Security Blog

    .NET 1.0 SP 3 and .NET 1.1 SP 1 Released

    • 23 Comments
    Today we pushed .NET 1.0 SP3 and .NET 1.1 SP1 onto Windows Update as a Critical Update. You can also download the service packs from the MSDN download center. Here's a brief review of what's new for security in each service pack: .NET 1.0 SP3 (v1.0.3705...
  • .NET Security Blog

    Signing Assemblies With C# in Whidbey

    • 16 Comments
    You may be in for a surprise when you try to rebuild your strongly named assemblies written in C# under Whidbey for the first time. If you're using the AssemblyKeyFile attribute, you'll get a warning similar to this: signed.cs(4,11): warning CS1699...
  • .NET Security Blog

    More Implicit Uses of CAS Policy: loadFromRemoteSources

    • 6 Comments
    In my last post about changes to the CLR v4 security policy model, I looked at APIs which implicitly use CAS policy in their operation (such as Assembly.Load overloads that take an Evidence parameter), and how to migrate code that was using those APIs...
Page 1 of 15 (368 items)