.NET Security Training
(FW255)
4 Day Course
Security is a feature. But not every security feature is also a secure feature. Essential .NET Security gives you the necessary background and from-the-ground-up knowledge to design security into applications. Learn about symmetric and public-key cryptography and operating system security concepts important for developers. Discover the CLR's native security infrastructure (Code Access Security) and the security architecture behind web applications (ASP.NET), web services (Windows Communication Foundation (WCF)), and Windows CardSpace. You'll get answers to these questions:
- How do I protect data?
- How can I write applications that integrate with Windows security?
- What's the best way to secure ASP.NET applications?
- How do I secure WCF web services?
- How do I write secure extensible applications?
Come and learn to secure your applications!
- Identify and prioritize risks and vulnerabilities in applications
- Protect data using encryption and signatures
- Impersonate and delegate Windows credentials
- Integrate with Windows domains and network authentication
- Write sandboxed applications
- Avoid common security threats like cross-site scripting or SQL
injection
- Use CardSpace to authenticate users
- Secure communication with WCF
- Authenticate and authorize users in ASP.NET
Day 1
Threats and Mitigation
This first module identifies and categorizes the general threats posed to applications running on the .NET platform and discusses how to prioritize and mitigate them. Also included are general tips on security issues you should be thinking about when designing and implementing software, as well as ideas on how to make security a more integral part of the software development process. You can't just bolt security on at the end, as so many have discovered the hard way!
Conventional Cryptography
Many security techniques revolve around cryptography and strong authentication. This module introduces symmetric (secret) key cryptography and the .NET Framework classes that expose it. This module will teach you how to convert a password or passphrase into a conventional key, and how to measure the strength of that key. It provides guidelines on choosing cryptographic algorithms and key lengths, as well as the coding techniques you'll need to implement cryptography in your .NET application.
Public Key Cryptography and SSL
This module introduces asymmetric (public) key cryptography and certificates. We explain the design consideration behind asymmetric cryptography, and how X509 and PKCS based applications can be implemented on Windows and .NET. We wrap up with a look at how SSL works.
Day 2
Windows Security 101
This is a whirlwind tour of features in the operating system that are important for developers to know. This is the first of two modules on the topic, and it discusses the Trusted Computing Base, principals, authorities, groups, privileges, tokens, logon sessions, window stations, and the secondary logon service. The student will also learn how role and object-based security works in the .NET Framework and how to facilitate the Windows security features in .NET applications. This module concludes with the security changes that come with Vista like User Account Control (UAC), virtualization, and service hardening. Incorporating these features is a Vista logo requirement.
Windows Security 102
This second module on operating system security focuses on client identity management in distributed systems and the Kerberos authentication protocol. This includes impersonation and delegation, and discusses the difference in the delegation model between Windows 2000 and Windows Server 2003, where constrained delegation and protocol transition give you much more flexibility in building authentication systems. The module ends by describing how to "Kerberize" your own applications and the design implications you have to take into account.
CLR Security - Part 1: Verification, Strong Names, and CAS
The CLR is an execution engine on top of Windows kernel security. It provides its own security services like code verification and signing and a technology called, Code Access Security. We discuss how these services can result in more secure software, and have a in-depth look at CAS evidence, policy, and permissions. This module concludes with techniques to implement extensible applications that potentially load third party code and how the CLR can provide sandboxing services to control the security context of that code.
Day 3
CLR Security - Part 2: Programming for Partial Trust and ClickOnce
While the preceding module covered the basics and mechanics of CLR security and CAS, this module gives practical advice on how to write partially trusted code from an application and framework developer perspective. We provide guidance on how to keep your required permissions as low as possible, and how to provide libraries that can temporarily elevate permissions to accomplish specialized tasks. This is followed by a discussion that clears up the oft misunderstood attribute AllowPartiallyTrustedCallers, explaining why it's there and how to use it. Also covered is the ClickOnce deployment technology that is supposed to make deployment of partially trusted applications easier. This has some security implications everyone using ClickOnce should be aware of. We wrap up with a discussion of how to implement custom permissions, which is really a great way to learn how CAS works.
Web Application Security
When developing a Web application, it's critical to understand the authentication options that are available so that you can make an informed decision when choosing one. For instance, Kerberos is a great choice for closed Intranet applications, but for public Web applications, SSL coupled with basic authentication or some sort of forms authentication is much more reliable. This module will describe the HTTP pipeline that ASP.NET uses, and the security services provided at each point in the pipeline, including Integrated Windows authentication, Forms authentication, and Role-based authorization. Based on that security infrastructure, the provider model provides libraries that can streamline the development security services, their usage, benefits, and limitations are discussed.
Web Services Security (using WCF)
The never-ending question - How do I secure my Web service? With the Windows Communication Foundation, we finally have a toolkit that supports most of the available security options. This module will discuss the current practical thoughts on authentication models for Web services, like transport vs. message-based security, and direct vs. brokered authentication. Included are guidelines and best practices on how to secure services built with WCF.
Day 4
Federation, Claims, and CardSpace
The WS-* protocols allow us to build complex security infrastructures that were not possible before (at least in an interoperable way). How can we bridge the gap between (incompatible) authentication types and credential shapes? How do organizations share services without having to duplicate accounts across trust domains? How can these new standards streamline identity transactions and thus make them more secure? The answers to all these questions lie in WCF’s new native authorization, SAML tokens, and WS-Trust Security Token Services which are covered in this module.
Dumb Code
This module teaches how to write robust code by showing examples of bad code and the security holes it opens. This is followed with a discussion of how to avoid the problem. There are many common attacks that developers need to be aware of: buffer overflows, SQL injection attacks, cross site scripting, format string vulnerabilities, elevation of privilege attacks, etc.
|
|
|
Pre-Class
- Verify your learning Objectives
During-Class
- Capture Tools, Q&A, demos and white boards
- Screen Sharing
|
- Feedback on Lab work
- On-the-fly Adjustments to meet your needs
After-Class
|
| Onsite Setup Instructions
|  |
Course Set-up Requirements
FW255 Essential .NET Security | The hardware and software needed to successfully deliver this
course is listed below. PC configurations, including processor, RAM, and hard
drive, are recommended minimums. Courses can be run on lower performing
machine, but with slower performance. Please call for confirmation if your PC
configuration is significantly less than what is recommended.
In addition to PC equipment, each instructor will require projection equipment
that is capable of projecting the instructor's monitor onto a screen clearly
visible by all students participating.
| | Student Machines |
Instructor Machines |
| Hardware Requirements |
Hardware Requirements | COMPUTER:
Pentium Processor (>=700MHz recommended)
>= 128 MB RAM
>= 500 MB free hard disk space (after recommended software is installed)
17" color monitor (required)
Network connectivity (required)
Internet connection (optional)
PRINTER: please make sure the student (and instructor) machines are connected to a printer in the room (or VERY close by). The students will occassionally need to print out labs or other materials.
| Pentium Processor (>=700MHz recommended)
>= 128 MB RAM
>= 500 MB free hard disk space (after recommended software is installed)
17" color monitor (required)
XGA Projector with a minimum resolution of
1024 x 768 for displaying PowerPoint slides
Network connectivity (required)
Internet connection
| | Software Requirements |
Software Requirements | For the domain controller, do the following:
1) Install Windows Server 2003, retail build (either version, standard or enterprise are fine, but please do NOT install the debug/checked build).
2) Once you get the operating system installed and you've logged in for the first time, use the window that pops up to add a role to the machine, making it a domain controller. Choose a simple, short name for the domain, like "ESEC.LOCAL". The wizard will also install DNS for you, which is an important part of the setup.
3) Once the machine has successfully been promoted to be a domain
controller, add a total of T unique student accounts to the new domain (where T is the total number of students), naming each of them
"studentN" (where N is a number from 1 to T). These should all be normal domain user accounts, which is what you'll get by default. Set the password to whatever you like, just let the instructor know how the students can figure out what their passwords are. Please also check the box to force students to change their passwords at first login.
Be sure you've set up the domain controller first (see above), only
then, for each student machine, do the following in the order listed
here:
1) Install Windows Server 2003 (either standard or enterprise; doesn't matter which) and
then, while running as Administrator, continue following these
instructions. NOTE: Please choose the NTFS file system, not FAT.
2) Make sure the machine is on the same subnet as the domain controller (if you can use DHCP to do this, great, otherwise, please give each student machine a unique IP address on that subnet).
3) Make sure the client machine uses the domain controller's IP address for its DNS server setting. Once again, you can set this up via DHCP if you like, or set it up statically on each student box. This is an important step to allow the machine to be joined to the domain.
4) Name each machine macN (where N is a number from 1 to T, T being the total number of student machines). This naming convention is important to the class, as it helps students understand the difference between machine names and user principal names.
5) Although students won't normally be running with administrative
privileges, they will occasionally need to elevate privileges to perform administrative tasks. So set the local administrator password on each student machine to some value that we can tell the students during class.
6) Join the machine into the domain.
7) While running as the local administrator, install
the following products in this order:
* Internet Information Server (IIS 6), and DO enable ASP.NET if asked
* Microsoft Office 2003, with a typical installation
* SQL Server 2005 (Developer of Professional Edition - not Express)
* Visual Studio .NET 2005 (Professional or Team Suite)
| Machine #1: Same as student machines. Note: Visual Studio .NET 2005 required.
Machine #2: Windows Server 2003 (Domain Controller)
Instructor requires administrative privileges on all machines in classroom (i.e., instructor must know the password for the domain administrator account on the classroom domain).
|
|
|
|
|
| Remote Access Available
| |
.NET Security Training is now available as a remote access course.
You can now take open enrollment courses in our Los Angeles and Boston facilities without traveling. Remote Access to our ongoing schedule of instructor-led courses will allow you to fully participate real-time in expert-level lectures, demos and labs that have made DevelopMentor a leader in software development training. We've added new collaboration tools and prepared our instructors for remote students in class so you will be fully engaged in the learning process.
|
|
|
| Mentoring
| |
Quickly assimilate what you learn in .NET Security Training and apply it to your project by taking advantage of our Mentoring services.
Our dedicated mentors facilitate your team's development. We add value to your business by enhancing the talent of your employees and maximizing their productivity. Mentors integrate the methodologies, technologies and practical experiences of the classroom through an on-the-job and on-the-project experience that produces real-world results.
|
|
|
| Onsite
| |
.NET Security Training is also available as an onsite course.
If you have a group of people to train, an on-site course, delivered at your facility may be the most cost-effective solution for you. Our staff will work with your team to plan and produce the best possible result based on your team's size, experience levels, project needs and longer-term goals. We can structure a training course, or broader program, tailored to meet the specific needs of your organization. We'll make sure that any lab exercises run on the platform you use and we can tailor the lab exercises to be appropriate to your business. If you prefer to focus on just the pure technological principles, we can also deliver courses at your facility following the same format as our public curriculum.
|
|
|
| About the Author
| |
|
|
Course price includeds course materials provided on an eco friendly USB memory stick. Use of a PC for lab exercises.
Onsite Setup
|
|
