Watching the Bear Dance! Building Secure and Scalable .NET Solutions for the Networked World, June 20-21, 2002
version 0.10 last updated 2002-08-10-14:02 -0700 (pdt)
Arrival
The Microsoft Campus is very nice, and the route I was given for finding the conference center took me along a wooded road, with paths, people jogging, and a sense of the sheltered quiet that is provided throughout the campus.
The conference center is also pleasant and well outfitted, and the staff know how to provide hospitality and a commodious setting, from the Internet access stations in the foyer to the power outlets and touch controls at the individual seats.
It was also impressive to see a meeting that had to ask some of its guests to leave because the room was overfilled. Attention to safety and capacity is not something I often see that plainly.
Setup
Nice discussion, see my notes pages on the slides. Good setup for the overview.
Surprising that it is not all about down-and-dirty code but includes a lot of situated discussion. Good anecdotal material to motivate the setup and overview of the
Freebies
Two books
Trial version of VS.NET
Full-up XP Professional 2002, complimentary VIP edition. Not an upgrade.
Other materials, plus what was in the initial summit folder.
STRIDE model. Need to use that. I should try it and test it with the MISER COM Implementation.
Various illustrations about blinders and trust points. For example, a user can POST from anything, not just the form that was delivered to the client, so any material the server expects to get back unchanged (e.g., prices placed in hidden form fields) can be altered before it is sent back. It is important not to trust anything that round-trips through the client: either keep the value server-side and look it up again when the form comes back, or make alteration and replay of the material detectable.
Trust points are used in the discussion, but tacitly, such as trusting DNS and trusting a URL to take us to the expected place.
Get to learn that .cs means c# code. Now I feel like an insider and I belong here.
SHA-1 or MD5: SHA-1 is currently preferred, because the known weaknesses of MD5 are concerning people.
Cool tip: on Windows 2000 and later, use Run As... (or the runas command, e.g. runas /user:MACHINE\Administrator cmd) when you need to start something with administrative rights, and never do your everyday work logged on as Administrator on your own machine. Run As... also saves logging off and logging back on as someone else.
Uses command shell a lot. Surprise!
Comment about what happens to your encrypted files when the password changes. If you change the password properly (supplying the old one), the keys that protect your encrypted files are re-encrypted under the new password. If the password is reset some other way, for example by an administrator who does not know the old password, the new credential cannot decrypt the keys that were encrypted under the old password, and you lose access to your OS-encrypted files (unless a recovery agent was set up beforehand).
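An added toy model of the mechanism behind that comment (example code, not Windows code and not from the summit). Windows really has several layers (EFS file keys, the user's private key, the DPAPI master key); here one random master key stands in for all of them, it is wrapped under a key derived from the logon password, and the two ways of changing the password are played out. The account layout, the PBKDF2 work factor and the XOR-plus-HMAC wrapping are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Toy model (added example, not Windows code): one random MASTER key stands in
# for the whole chain of keys that protect a user's encrypted files.
ITERATIONS = 50_000  # PBKDF2 work factor; arbitrary for the toy


def _derive(password, salt, purpose):
    """Derive a 32-byte key from the password for one purpose (logon check or key wrap)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt + purpose, ITERATIONS)


def _wrap(kek, master_key):
    """Encrypt-then-MAC the 32-byte master key under the key-encryption key (toy construction)."""
    pad = hmac.new(kek, b"pad", hashlib.sha256).digest()
    blob = bytes(a ^ b for a, b in zip(master_key, pad))
    tag = hmac.new(kek, b"tag" + blob, hashlib.sha256).digest()
    return blob, tag


def _unwrap(kek, blob, tag):
    """Recover the master key, or fail if the KEK is not the one it was wrapped under."""
    expected = hmac.new(kek, b"tag" + blob, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("master key is not decryptable with this credential")
    pad = hmac.new(kek, b"pad", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob, pad))


def create_account(password):
    """A fresh account: a logon verifier plus the master key wrapped under the same password."""
    salt = os.urandom(16)
    master_key = os.urandom(32)
    blob, tag = _wrap(_derive(password, salt, b"wrap"), master_key)
    return {"salt": salt, "verifier": _derive(password, salt, b"logon"), "blob": blob, "tag": tag}


def logon(account, password):
    """Does the password open the account? (Says nothing about the encrypted files.)"""
    return hmac.compare_digest(_derive(password, account["salt"], b"logon"), account["verifier"])


def master_key_for(account, password):
    """What reading an encrypted file really needs: the master key, unwrapped with this password."""
    return _unwrap(_derive(password, account["salt"], b"wrap"), account["blob"], account["tag"])


def change_password(account, old_password, new_password):
    """Proper change: the old password unlocks the master key, which is re-wrapped under the new one."""
    master_key = master_key_for(account, old_password)
    salt = os.urandom(16)
    blob, tag = _wrap(_derive(new_password, salt, b"wrap"), master_key)
    account.update(salt=salt, verifier=_derive(new_password, salt, b"logon"), blob=blob, tag=tag)


def admin_reset(account, new_password):
    """Reset without the old password: only the logon verifier changes; the wrapped key stays as it was."""
    account["verifier"] = _derive(new_password, account["salt"], b"logon")


def files_readable(account, password):
    """True if this password still unlocks the master key."""
    try:
        master_key_for(account, password)
        return True
    except PermissionError:
        return False


def scenario():
    """Walk through both kinds of password change and report what still works."""
    acct = create_account("winter-2002")
    original_key = master_key_for(acct, "winter-2002")

    change_password(acct, "winter-2002", "spring-2003")
    after_change = {
        "logon": logon(acct, "spring-2003"),
        "files": files_readable(acct, "spring-2003"),
        "same_key": master_key_for(acct, "spring-2003") == original_key,
    }

    admin_reset(acct, "temp-1234")
    after_reset = {"logon": logon(acct, "temp-1234"), "files": files_readable(acct, "temp-1234")}
    return after_change, after_reset


if __name__ == "__main__":
    print(scenario())
```

After the proper change the new password both logs on and unwraps the unchanged master key; after the administrative reset the new password logs on but the wrapped key, still under the old password, cannot be opened, which is exactly the "files gone" situation the speaker described. A recovery agent is, in this picture, a second wrapping of the same master key under someone else's key.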
Discussion of message authentication codes (under mitigating tampering threats): a MAC computed with a key only the server knows lets the server detect whether data it handed out came back altered.
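An added example (not code from the summit or its slides) that ties the MAC discussion to the earlier replayed-price illustration: a checkout handler that trusts a posted price, beside one that returns only what it can verify. The catalogue, the handlers and the expiry window are constructed for the illustration; the point is independent of ASP.NET, so it is written in plain Python.

```python
import hashlib
import hmac
import secrets

# Server-side price list: constructed sample data, prices in cents.
CATALOGUE = {"sku-100": 4999, "sku-200": 12500}

# Key known only to the server (assumption: generated once per deployment and
# never sent to the client).
SERVER_KEY = secrets.token_bytes(32)


def render_form_trusting(sku):
    """Vulnerable pattern: the price is sent to the browser as a hidden field."""
    return {"sku": sku, "price": str(CATALOGUE[sku])}


def checkout_trusting(post):
    """Vulnerable handler: charges whatever came back. Nothing ties the posted
    price to the form that was served, so a client can POST price=1 from curl."""
    return int(post["price"])


def _mac(sku, price, expires):
    """HMAC over every field the server wants returned unchanged, plus an expiry."""
    message = "{}|{}|{}".format(sku, price, expires).encode("utf-8")
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def render_form_mac(sku, now, ttl=900):
    """Hardened form: the fields travel with a MAC and a short validity window."""
    price = CATALOGUE[sku]
    expires = now + ttl
    return {"sku": sku, "price": str(price), "expires": str(expires),
            "mac": _mac(sku, price, expires)}


def checkout_mac(post, now):
    """Hardened handler: rejects altered fields (bad MAC) and stale replays (expired)."""
    sku, price, expires = post["sku"], post["price"], post["expires"]
    if not hmac.compare_digest(_mac(sku, price, expires), post.get("mac", "")):
        raise ValueError("form fields were altered by the client")
    if int(expires) < now:
        raise ValueError("form is stale; possible replay")
    return int(price)


def checkout_lookup(post):
    """Simplest fix when the data is the server's own: do not round-trip it at all."""
    return CATALOGUE[post["sku"]]


def demo():
    """Run the three handlers against an honest client, a tampering one and a replay."""
    honest = render_form_mac("sku-100", now=1_000_000)
    tampered = dict(honest, price="1")
    results = {
        "trusting_accepts_tampered": checkout_trusting(dict(render_form_trusting("sku-100"), price="1")),
        "mac_honest": checkout_mac(honest, now=1_000_100),
        "lookup_ignores_posted_price": checkout_lookup(tampered),
    }
    for label, post, now in (("mac_tampered", tampered, 1_000_100), ("mac_replayed", honest, 1_001_000)):
        try:
            checkout_mac(post, now)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome)
```

The MAC covers the SKU, the price and the expiry together, so changing any one of them invalidates it, and the expiry bounds how long a captured valid form can be replayed. When the value is the server's own data, as a price is, the lookup handler is the better fix: there is nothing for the client to alter.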
p.9 slides tips. If you are denied access, the first thing to find out is whether you were authenticated properly; there are ways to check that. Audit logon events and see whether a successful authentication was recorded for you. Only then look at whether the authorization structures (ACLs, group membership) need to be adjusted.
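An added example of that diagnostic order, run over a constructed sample of audit events rather than a real Security log (example code, not from the summit). The events use the shape of the pre-Vista Security log: 528 and 540 are successful logons, 529 is a logon failure for a bad user name or password, and 560 is an object open that carries a success or failure audit result. The users and file names are made up.

```python
# Pre-Vista Security log event IDs used by this example.
LOGON_SUCCESS = {528, 540}
LOGON_FAILURE = {529}   # other 53x logon-failure codes exist; 529 is the common one
OBJECT_OPEN = 560

# Constructed sample, oldest first.
SAMPLE_EVENTS = [
    {"id": 529, "user": "alice", "result": "failure"},
    {"id": 528, "user": "alice", "result": "success"},
    {"id": 560, "user": "alice", "result": "failure", "object": r"C:\payroll\q2.xls"},
    {"id": 529, "user": "bob", "result": "failure"},
    {"id": 529, "user": "bob", "result": "failure"},
    {"id": 540, "user": "carol", "result": "success"},
    {"id": 560, "user": "carol", "result": "success", "object": r"C:\payroll\q2.xls"},
]


def _events_for(events, user):
    return [e for e in events if e["user"] == user]


def _last_logon_index(mine):
    """Index of the most recent logon attempt (success or failure), or None."""
    last = None
    for index, event in enumerate(mine):
        if event["id"] in LOGON_SUCCESS or event["id"] in LOGON_FAILURE:
            last = index
    return last


def triage_access_denied(events, user):
    """Explain a user's 'access denied' from the audit trail.

    'not-authenticated'   the most recent logon attempt failed, or none was recorded;
    'not-authorized'      the logon succeeded but an object-access audit failed after it;
    'no-denial-recorded'  neither; check that object-access auditing is switched on at all.
    """
    mine = _events_for(events, user)
    last = _last_logon_index(mine)
    if last is None or mine[last]["id"] in LOGON_FAILURE:
        return "not-authenticated"
    if denied_objects(events, user):
        return "not-authorized"
    return "no-denial-recorded"


def denied_objects(events, user):
    """Objects refused to this user's authenticated session, for the ACL review."""
    mine = _events_for(events, user)
    last = _last_logon_index(mine)
    if last is None or mine[last]["id"] in LOGON_FAILURE:
        return []
    return [e["object"] for e in mine[last + 1:]
            if e["id"] == OBJECT_OPEN and e["result"] == "failure"]


if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        print(who, triage_access_denied(SAMPLE_EVENTS, who), denied_objects(SAMPLE_EVENTS, who))
```

Alice authenticated and was then refused the file, so her problem is authorization and the ACL on the object is the place to look; Bob never authenticated, so adjusting ACLs would not help him; Carol has no denial recorded at all.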
p.10 slide 31 - back up logs; they are good things to put on a CD-R, since write-once media cannot be rewritten by an intruder who later gains administrative rights.
Code Access Security, Module 3. Without it, running code lets that code do anything that you (the account running it) can do.
In a process-centric security model every component in a process runs with the full rights of that process, so any component defect is a full exposure. Authenticode does not help with that: it says who signed the code, not what the code is allowed to do.
I get sleepy after lunch, but this is all good material. The way that applications and code can be boxed in, and the amount of security
There are deployment wizards that create MSI files, so MSI is a big deal too. Group Policy is applied every time you boot (and refreshed periodically after that), which is how policy changes reach the machines.
A security exception does not tell you which policy (level or code group) the denial came from.
The Evaluate an Assembly wizard (caspol.exe -resolveperm does the same from the command line) runs the evidence/policy evaluation for an assembly and reports the permissions that are granted.
Unrestricted means the CAS policy adds no further restrictions. CAS is a new speed bump in front of managed code, but it does not override the unmanaged (Windows) security context: code can never gain rights that the account running the process does not have.
Forms Authentication
aspnet_isapi.dll runs inside the web server (IIS) and hands requests to the ASP.NET pipeline.
More notes on the slide pages. I am busy making more Miser notes while this is all going on.
I am not so attentive on Day 2. I lapse back and forth between being excited about what I am doing in the Miser sketch and my fatigue, because I didn't rest enough.
There are exciting things about what ASP.NET provides, and the support for authenticated operation. Also, I am more interested in what the DevelopMentor folk provide. It is a cool organization.
1.x Code
Suggested topics for discussion include:
- http://staff.develop.com/jasonm
- For the resources from this Summit: the slides and the sample code are all available for download.
version 0.10 2002-06-20 Adapt a boilerplate and start capturing notes other than on the printed slide notes pages.
created 2002-06-20-09:10 -0700 (pdt) by orcmid
$$Author: Orcmid $
$$Date: 02-11-18 16:29 $
$$Revision: 3 $