Microsoft .NET Security


by Lynn Greiner

Docid: 00011392

Publication Date: 1807

Report Type: TUTORIAL


Designed primarily as a methodology for developers to integrate both applications and users across the Microsoft platform, .NET has evolved into a standard that is operating system- and application-agnostic, using Extensible Markup Language (XML) as a common thread across disparate platforms. Connecting information and people to a distributed computing platform with universal access, however, poses many security challenges. .NET has answered these with a set of specifications that provide the measure of security required in a Web services and Web application environment.

Executive Summary

Microsoft's Web services strategy to
connect information, people, systems, and devices through software was
released in 2002 under the name of .NET.

Building on an XML Web services model – .NET’s Global
XML Web Services Architecture (GXA) – Microsoft, IBM, and VeriSign together published a set of guidelines called WS-Security
that addresses not only connectivity to the .NET platform but also contains
a set of
standard Web protocols to define interoperability to non-.NET XML Web services
platforms and applications. These guidelines are now standards
overseen by OASIS.

Released in 2002, Microsoft .NET and
the higher order .NET Framework are add-in software components to the Microsoft Windows
operating system that provide a large body of pre-coded multi-language
solutions to common program requirements, and manage the execution of programs
written specifically for the framework. Conceived as a web services strategy
built on Extensible Markup Language (XML), the .NET intent is to
connect information, people, systems, and devices through software. Utilizing
the Microsoft platform, .NET technology provides the tools and processes to
quickly build, deploy, manage, and use connected, security-enhanced solutions
with Web services. .NET-connected solutions enable businesses to integrate their
systems more rapidly and in a more agile manner and help them realize the
promise of information anytime, anywhere, on any device.

For example, siloed applications such as point-of-sale
(POS) systems may need to be tracked and reported only for accounting or cash
receipts. In order to track inventory, ordering, and shipping, separate
applications or duplicate data entry may be required to meet all enterprise
application requirements. .NET was one of the first architectures to provide a method by
which the POS data could transcend siloed accounting and cash-receipt
applications to allow real-time inventory updating. Orders for restock could automatically be placed
and shipments tracked, reducing the costs of over- and under-stocking and
minimizing or eliminating manual processes. Using Web services, the
once-siloed applications can share information over the Internet, through systems that
are operating system and back-end software agnostic because of XML.

With the advent of universal Windows apps (aka Modern
apps) in Windows 8, Microsoft created a subset of .NET known as .NET Core, which
shares many of the platform components and interoperates with the original .NET
Framework. However, .NET Core is recommended when developers have cross-platform
needs, are targeting microservices, are using Docker containers, need high
performance and scalable systems, or need side by side versions of .NET within
an application.

.NET Security

All systems should be
designed to address security needs at both the application and network
layers. The key goal of
Microsoft .NET is to enable everyone – from developers to IT professionals to
end users – to securely manage who, and what, accesses their data. In the
aforementioned POS example, by their very nature the legacy siloed applications that
required manual and duplicate input did have more than a
modicum of security: the silos of data were protected from cross-functional and
universal access by their separation. However, as markets went virtual with
ubiquitous access, the challenge became providing the same level of security that
silos afforded to connected applications accessible from intranets and the Internet.

Application Security.
At the application layer, .NET and the .NET Framework were
designed to include a broad and flexible range of security options that can
be implemented by developers, administrators, and users. At a high level, the
core security components of the .NET Framework include:

  • Role-based security, which provides a unified model for
    authenticating and authorizing users based on identity and roles.
  • Evidence-based and code access security, by which
    administrators can dictate what resources may be accessed by certain types of
    code. Typically the evidence is the source of the assembly (whether it is
    installed on the local machine or has been downloaded from the intranet or
  • Cryptography, which includes functions for encryption, digital signatures, hashing, and random number generation.

However, as of .NET Framework 4, Microsoft made major changes to the code
access security system. Security policy is no longer applied to applications.
All applications that can be run from the desktop are now executed as full-trust
applications. This includes both applications on the computer and applications
that can be run from a network share. Partially trusted applications must be run
in a sandbox, which determines their grant set. The permission system continues
to be used, but it is transcended by security transparency rules.

These off-the-shelf security components
of the .NET Framework address the levels of security needed to meet criteria
based on how users and applications will be handling data within their
organizations. But as universal access to data and distributed applications has
evolved, application layer security can only be one part of the whole.

Network Security.
According to a 2005 Gartner survey, eight of the top 10 security threats
identified by IT professionals involved threats from outside their
organizations, and the statistics have changed little since then. As most outside intrusions enter at the network
layer, usually via the Internet, security
must also be addressed at the point of network connectivity.

Fundamental to distributed application
computing and interoperability across intranets and the Internet are XML Web
services. XML Web
services address interoperability requirements through the use of
standard Web protocols such as XML, the Simple Object Access Protocol (SOAP),
and Universal Description, Discovery, and Integration (UDDI). XML represents a
standard way to present data, while SOAP allows different types of systems to
“talk” with each other and directs how to use data within each system. In
addition, standards such as the Web Services Description Language (WSDL) give XML
Web services a way to describe their interfaces in enough detail for
applications to “talk” to them. UDDI enables the registration of XML Web
services, allowing users to find the services quickly on the Internet.

Global XML Web Services Architecture (GXA) was developed, in partnership with IBM and VeriSign, as the basis of interoperability of .NET with other
distributed applications. Built on XML Web services specifications and
protocols, including SOAP and UDDI, GXA evolved through industry
partnerships to become a
specification called WS-Security (now renamed WSS, and overseen by
OASIS). WS-Security defines a set of SOAP extensions, or message headers, which can be used to implement
integrity and confidentiality in Web services applications by providing standard
mechanisms to exchange secure, signed messages in a Web services environment.

WS-Security components have been placed in the realm of the OASIS Web Services
Secure Exchange (WS-SX) technical committee. Its purpose is to deliver
extensions to WSS that enable trusted SOAP message exchanges involving
multiple messages and to define the security policies that govern the
formats and tokens of such messages.
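The WS-Security header mechanism described above, seen from the receiving service's side. This is an added example, not code from the report or from Microsoft: it uses the OASIS UsernameToken profile's PasswordDigest form (Python is used as a language-neutral illustration of the XML on the wire), with a hypothetical credential store, a constructed sample envelope and an in-memory nonce cache, to show the checks a service must make (digest match, Created freshness, nonce replay) before trusting the token.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
PASSWORDS = {"alice": "correct horse battery staple"}  # hypothetical credential store
SEEN_NONCES = set()                                    # replay cache; expire entries older than MAX_SKEW in practice
MAX_SKEW = timedelta(minutes=5)                        # tolerated clock difference for wsu:Created

def password_digest(nonce_b64, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password)), nonce as raw bytes."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_envelope(user, password, nonce_b64, created):
    """Constructed client message: a wsse:Security header carrying a digest UsernameToken."""
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" soap:mustUnderstand="1">'
            f'<wsse:UsernameToken><wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{password_digest(nonce_b64, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>')

def verify_username_token(envelope, now):
    """Return 'ok' or the rejection reason a defender would log. `now` is an aware UTC datetime."""
    token = ET.fromstring(envelope).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return "no UsernameToken"
    user, pw = token.findtext(f"{{{WSSE}}}Username", ""), token.find(f"{{{WSSE}}}Password")
    nonce, created = token.findtext(f"{{{WSSE}}}Nonce"), token.findtext(f"{{{WSU}}}Created")
    if pw is None or pw.get("Type") != DIGEST or not nonce or not created:
        return "digest, nonce and Created required"  # refuse cleartext PasswordText and partial tokens
    created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(now - created_dt) > MAX_SKEW:
        return "stale Created"                        # outside the freshness window
    if nonce in SEEN_NONCES:
        return "replayed nonce"                       # same token presented twice
    # Always compute the digest (unknown user -> empty password) so timing does not leak usernames.
    expected = password_digest(nonce, created, PASSWORDS.get(user, ""))
    if user not in PASSWORDS or not hmac.compare_digest(expected, pw.text or ""):
        return "bad credentials"
    SEEN_NONCES.add(nonce)
    return "ok"

def demo():
    """The four cases a service must get right: accept, replay, wrong password, stale timestamp."""
    now, created = datetime(2018, 7, 1, 12, 0, 30, tzinfo=timezone.utc), "2018-07-01T12:00:00Z"
    n1, n2 = base64.b64encode(b"0123456789abcdef").decode(), base64.b64encode(b"fedcba9876543210").decode()
    good = build_envelope("alice", PASSWORDS["alice"], n1, created)
    return [verify_username_token(good, now), verify_username_token(good, now),
            verify_username_token(build_envelope("alice", "wrong", n2, created), now),
            verify_username_token(build_envelope("alice", PASSWORDS["alice"], n2, "2018-07-01T11:00:00Z"), now)]
```

A digest token only authenticates the sender; integrity and confidentiality of the body still need the WS-Security signature and encryption headers (or TLS) on top of it.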

Parts of
the WS-Security standard addressing connectivity that have been either approved or
proposed include:

  • WS-SecurityPolicy – defines how to express the
    capabilities and constraints of security policies.
  • WS-Trust – describes the model for
    establishing both direct and brokered trust relationships (including third
    parties and intermediaries).
  • WS-Privacy – defines how Web services
    state and implement privacy practices. It has been implemented as the Platform
    for Privacy Preferences (P3P) 1.0. Work on P3P 1.1 was suspended due to lack
    of support from browser implementers.
  • WS-SecureConversation – describes how to
    manage and authenticate message exchanges between parties, including security
    context exchange and establishing and deriving session keys.
    It has not yet been submitted as a standard.
  • WS-Federation – describes how to
    manage and broker trust relationships in a heterogeneous federated
    environment, including support for federated identities. It
    was managed by the WSFED
    technical committee of OASIS, which was closed in November
    2016 and its work archived.
  • WS-Authorization – defines how Web
    services manage authorization data and policies. This specification has not
    yet been published.
  • Windows Identity Foundation (WIF) – an extension
    released in November 2009 to enable developers to create secure
    applications with interoperable identity-based access. Formerly codenamed
    Geneva, it provides developers with a standard approach to building
    identity-based access to both on-premises and cloud-based applications using
    claims-based architecture. It is integrated into .NET 4.5 and higher.


There are also user needs within the realm
of Web services and security that must be addressed. As applications cross both functional and organizational boundaries, the need for universal user access
presents a set of challenges of its own. The specter of having a siloed process
for authentication and authorization to applications and services does not fit
into the model of ubiquitous and distributed computing. Users need a consistent
yet secure method to gain the authorizations needed to perform and
integrate within the enterprise application domains while protecting sensitive
user information.

After the .NET Passport debacle, Microsoft had to rethink its
strategy around user identity. Users made it clear that they did not
want any one vendor holding their universal authentication
credentials. The company responded with two identity services: Windows
Live (now known as the Microsoft ID), a Passport-like central sign-on for Microsoft sites and
services, and Windows CardSpace. CardSpace let any Windows
application give users a common way to work with digital identities,
without any vendor holding their personal information, allowing Web sites and services to provide an
experience that was related to a consistent user identity. Users determined what, and how much, of their personal information
was shared with member sites on the Internet, while giving Web sites and XML Web
service providers a means to identify users across multiple services with a
consistent set of credentials. CardSpace 2.0 had been scheduled for release in
2011, but instead Microsoft announced in February 2011 that it had cancelled the

Instead, the company has added support for other claims-based identity
concepts such as SAML 2.0, OpenID 2.0, OAuth WRAP, and OAuth 2.0 protocols.
In December 2013 it released version 1.1, revision 3 of the U-Prove
Cryptographic Specification, published under the Open Specification Promise,
which allows anyone to use or implement the technology. It includes Windows
Identity Foundation extensions. In July and September of 2014, it released
new extensions to the spec, as well as updated software development kits
(SDKs) to add revocation mechanisms for developers, collaborative issuance,
and bit decomposition. There has been no activity since

Windows Identity Foundation (WIF) provides developers with prebuilt .NET
security logic for use in building claims-aware applications. It is one part of
Microsoft Identity software, which is part of Active Directory Services and Azure
Active Directory Services (for cloud-based services). It uses industry
standard protocols to identify users and their rights. As of .NET Framework 4.5,
WIF was fully integrated into the .NET Framework.

Current View

Since its introduction in 2002, and as an integral part of the Microsoft
Office suite of applications and Microsoft Visual Studio development
tools, .NET technologies, Web services
and security have become the cornerstone on which many enterprise applications
have been built. Some of the well-known names now utilizing .NET
include Honeywell, GlaxoSmithKline, Sony, Dollar Rent A Car, Farmers Insurance,
and the United States Postal Service.

With millions of users worldwide of various Microsoft products, .NET has
become a well accepted platform on which to base and launch the enterprise
distributed computing model. Enhancements to the .NET Framework and
collaborative support from IBM and Symantec have helped the
.NET Framework and .NET WS-Security to keep pace with developer
demands. The .NET Framework is now an integral part of all of
Microsoft’s development tools.

In November of 2006, Microsoft and Novell announced an agreement
that created
a joint research facility at which technical experts
from both companies architect and test new software solutions and work with customers and the
community to build and support these technologies. At this center, developers
focus on several major technical areas. Specific to Web services and .NET is a
project known as Mono. Mono was designed to enable Windows to run
on top of Linux, and Linux to run on top of Windows; it has now been expanded to
support both 32 and 64 bit, and Mac OS X, iOS, tvOS, watchOS, Solaris, BSD, IBM AIX and i, and
Sony Playstation 4. Mono currently supports
virtually all features of .NET 4.7 except WPF and WWF, with limited support for WCF and the ASP.NET async stack. Web services and in
particular WS-Security are involved in making it easy to manage
mixed Windows and Linux environments. Now that Microsoft has open sourced .NET,
the Mono Project is replacing large portions of its own code with the Microsoft

After Novell’s acquisition by Attachmate, the Mono Project was in an uncertain
position. However, it received sponsorship
from Xamarin, a company founded in May 2011
by members of the team that built Mono, which secured its
future. After its acquisition of Xamarin in 2016,
Microsoft took over the sponsorship of Mono. Xamarin’s functionality has been integrated into Visual Studio, and
allows development of native Android, iOS, and Windows apps with a single shared .NET code base.

.NET technologies are baked into virtually all Microsoft products.
Part of the download for the now defunct Windows Live applications (Mail,
Messenger, and so forth), for example, was the .NET Framework, and
updates for the Framework are still routinely provided through Microsoft Update. .NET
remains a critical part of a Microsoft-based infrastructure’s
security profile.

Since .NET is an integral part of Microsoft’s Visual Studio
development suite, which is by far the most pervasive development
suite in enterprises, corporate programmers are making increasing use
of the technologies, and this will continue. Microsoft has, over the
past few years, finally come to grips with security and provides
solid guidance for users of its tools to help them build secure

Standardization of the WSS components is now
under the purview of OASIS. WS-Security 1.1 is an approved standard,
and in February 2009 WS-Trust 1.4, WS-SecurityPolicy 1.3, and WS-SecureConversation
1.4 were approved.

In order for enterprises to compete in the world of e-business, having a
strategy that embraces the concepts of applications and data from anywhere,
inside or outside of the organization, is a building block of success.
In today’s hyper-connected world, we must assume that any exposed
application is open to, and will be attacked by, criminals, and build
with that in mind.

To do this, those applications must be secure, and for developers
using Microsoft tools, programming for Microsoft platforms,
or, now that .NET is cross-platform and open source, any other platform, that
means a thorough understanding of .NET and the function and
application of standards such as WSS. But security is not just a
matter of authentication and designation of trust. It encompasses
every line of code that could be exploited through programming errors
or other methods.

.NET is not going away; version 3.5 of the Framework is
included in Visual Studio 2008, version 4.0 is in Visual Studio 2010, Visual Studio 2013 includes version 4.5.1,
Visual Studio 2015 uses version 4.6, and Visual Studio 2017
requires .NET 4.6.1.
Windows 8 contains support for the .NET Framework 4.5 (which drops support
for Windows XP and Vista). A subset, .NET Core, is
available to allow developers to build apps using the Windows 8/10 user interface
(so-called Modern apps).
Windows 10 contains .NET 4.6 until v1604, when it moved to .NET 4.7. .NET 4.8 is under development, and is expected to arrive in Visual Studio 2019.
Thus, knowledge of sound
programming practices within the Framework, as well as knowledge of
security concepts, is still mandatory for developers. 

About the Author

Lynn Greiner is Vice President, Technical
Services for a division of a multi-national corporation, and is also an
award-winning computer industry journalist. Ms. Greiner is a regular contributor
to Faulkner Information Services and a member of the Advisory Panel.