Application Security 

This topic briefly discusses aspects of application security in ADO.NET and provides links to in-depth topics for more information.

Securing Applications

The .NET Framework provides many useful classes and services that support developers in securing applications, enabling the developer to combine Code Access Security (CAS) with role-based security.

Topic	Description
Securing Applications	Discusses the advisability of designing for security and contains additional links to topics for securing distributed, mobile, Web, and desktop applications.
Recommendations for Data Access Strategies	Discusses techniques for accessing data efficiently and securely from client applications.
Code Access Security	Discusses the basics of CAS and provides links to additional topics.
Key Security Concepts	Introduces fundamental concepts for understanding security in the .NET Framework.

Securing Assemblies

The links in this section discuss securing your code and your assemblies. Strong-naming gives an application or component a unique identity that other software can use to refer explicitly to it. Strong-naming your assemblies guards them against being spoofed by an assembly that contains hostile code. It also ensures versioning consistency among different versions of a component. You must strong-name assemblies that will be deployed to the Global Assembly Cache (GAC).

Topic	Description
Guidelines for Writing Secure Code	Emphasizes the importance of designing security in your applications from the start.
Creating and Using Strong-Named Assemblies	Discusses how to sign an assembly and reference it in an application.
Delay Signing an Assembly	Discusses strong-naming assemblies where the key is protected.
Strong Name Tool (Sn.exe)	Discusses using the command-line tool Sn.exe to strong-name assemblies.
Building Secure Assembl	Contains comprehensive information on writing and deploying secure code. This white paper is part of the Patterns and Practices series on MSDN.

Role-Based Security

Applications are often required to provide access to data or resources based on credentials supplied by the user. Typically, such applications check the role of a user and provide access to resources based on those roles. The Common Language Runtime (CLR) provides support for role-based authorization based on a Windows account or a custom identity. Another option is to use COM+ security with serviced components.

• Role-Based Security
  Discusses role-based security and provides links to additional topics.

• Setting Role-Based Security Policy and Principals
  Discusses how to implement role-based security policy.

• COM+ Role-Based Security and the .NET Framework
  Discusses how to integrated managed code with COM+ security services.

• Writing Serviced Components
  Discusses how to use the classes in the EnterpriseServices namespace to create serviced components.

Windows Applications

In the past, Windows applications generally ran with full permissions. The .NET Framework provides the infrastructure to restrict code executing in a Windows application by using Code Access Security (CAS).

• Windows Forms Security
  Discusses how to secure Windows Forms applications and provides links to related topics.

• More Secure File and Data Access in Windows Forms
  Discusses how to access files and data from a Windows Forms application in a partially trusted environment.

• Validating User Input
  Discusses techniques for validating user input.

ASP.NET Applications

ASP.NET applications generally need to restrict access to some portions of the Web site and provide other mechanisms for data protection and site security.

• ASP.NET Web Site Security
  Discusses how to secure ASP.NET applications. It contains links to the following topics.

• ASP.NET Web Application Security
  Discusses how ASP.NET security works and covers secure design as well as security in a hosted environment.

• Basic Security Practices for Web Applications
  Discusses minimum-security guidelines that apply to all Web applications.

• Securing XML Web Services Created Using ASP.NET
  Discusses how to implement security for an ASP.NET Web Service.

• Validating User Input
  Discusses techniques for validating user input.

• Improving Web Ap
  MSDN content discussing many different aspects of Web application security. This content can be downloaded or read online.

• Building Secure ASP.NET Applications
  MSDN content discussing many different aspects of Web application security. This content can be downloaded or read online.

Interoperability with Unmanaged Code

Code that runs outside the Common Language Runtime (CLR) is called unmanaged code. COM components, ActiveX interfaces, and Win32 API functions are examples of unmanaged code. Special security considerations apply when executing unmanaged code.

• Interoperating with Unmanaged Code
  Provides links to additional topics discussing interoperability with unmanaged code.

• Primary Interop Assemblies
  Discusses how to work with primary interop assemblies in a .NET application.

• How to: Request Permission to Access Unmanaged Code
  Discusses how to request permission to access unmanaged code using a SecurityPermissionAttribute.

Enterprise Services

The System.EnterpriseServices namespace provides wrappers that allow .NET applications to integrate managed code with COM+ security services through the ServicedComponent class.

• COM+ Role-Based Security and the .NET Framework
  Discusses how to integrated managed code with COM+ security services.

• Writing Serviced Components
  Discusses how to use the classes in the EnterpriseServices namespace to create serviced components.

See Also

Other Resources

Securing ADO.NET Applications