Re: Main advantage of .NET

From: Richard Grimes [MVP] (read)
Date: 07/16/04


Date: Fri, 16 Jul 2004 11:32:47 +0100

Rudolf Ball wrote:
> I hope I am not off-topic. My question is, what is the main advantage
> of .NET? If I want to sell my boss .NET for a Web/Desktop/Mobile
> solution, where is the main advantage? What is "new", "better" or
> "innovative" in .NET? What is now, with .NET, possible? What business
> challenges can be solved with .NET better than ever before?

Security.

1 Access to all memory is bounds checked, so there are no buffer overruns
2 String formatting checks the parameters, so there's sprintf-like exploits
[1]
3 .NET sits over NT security, so you get everything that is already
available through NT security
4 Code Access Security checks the source (ie where it was downloaded from)
of the code that's about to run and gives the code appropriate permissions.
The permissions are used to determine if the code can call other code, and
if so, what it can do.

[1] but note that SQL injection is still possible, so if you create a SQL
string from data provided by a user, you'll still have to check *all* of the
parameters to make sure they don't add extra SQL.

#4 is incredibly useful and has no equivalent at all in Win32. In Win32 if
you use an ActiveX control, the control runs under *your* access token and
can do everything that *you* can do. Under .NET a component will be given
permissions according to 'evidence', and by default this is the location
where the component was downloaded from (but you can configure this), so if
the component comes from the internet it will *not* have access to your hard
disk. It gets better: when code requests that the framework checks
permissions (which the framework library classes will do) a stack walk is
performed and *every* assembly (ie DLL) in the stack is checked to see if it
has the required permission. There's no way you can do that in Win32.

Richard

-- 
my email evpuneqt@zicf.bet is encrypted with ROT13 (www.rot13.org)
sign up for my free .NET newsletter at
http://www.wd-mag.com/newsletters/
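
The stack walk described in the post above, as an added example that is not part of the original post: a simplified Python model of the idea, not the .NET API. The zone-to-permission table, the assembly names and the `demand`/`read_file` helpers are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy: evidence (zone of origin) -> granted permissions.
# Real CAS policy is configurable; these sets are assumptions, not .NET defaults.
ZONE_GRANTS = {
    "MyComputer": {"Execution", "FileIO"},
    "Internet": {"Execution"},
}

@dataclass(frozen=True)
class Assembly:
    name: str
    zone: str  # evidence: where the code was loaded from

    @property
    def grants(self):
        return ZONE_GRANTS.get(self.zone, set())

class SecurityError(Exception):
    pass

def first_unauthorized(permission, call_stack):
    """Walk from the innermost frame outward; return the first assembly lacking the permission."""
    for asm in reversed(call_stack):
        if permission not in asm.grants:
            return asm
    return None

def demand(permission, call_stack):
    """Model of a permission demand: every assembly on the stack must hold the permission."""
    culprit = first_unauthorized(permission, call_stack)
    if culprit is not None:
        raise SecurityError(f"{culprit.name} (zone {culprit.zone}) lacks {permission}")

# Constructed assemblies; call stacks below list the outermost caller first.
FRAMEWORK = Assembly("framework_library", "MyComputer")
APP = Assembly("local_app", "MyComputer")
HELPER = Assembly("trusted_helper", "MyComputer")
CONTROL = Assembly("downloaded_control", "Internet")

def read_file(call_stack, path):
    """Stand-in for a framework class that demands FileIO before touching the disk."""
    demand("FileIO", call_stack + [FRAMEWORK])
    return f"<contents of {path}>"

if __name__ == "__main__":
    print(read_file([APP, HELPER], "notes.txt"))
    try:
        read_file([APP, CONTROL, HELPER], "notes.txt")  # helper invoked by the control
    except SecurityError as exc:
        print("denied:", exc)
```

The second call is refused even though the code that actually reaches the framework (`trusted_helper`) is fully trusted, because a less trusted assembly sits further up the same stack.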

