IDesign C# Coding Standard (x.)

Source: Internet
Author: User
4.6 Security
1. Always demand your own strong name on assemblies and components that are private to the application but are public (so that only you can use them).

    // Placeholder public key token; substitute the real public key of your signing key.
    public class PublicKeys
    {
        public const string MyCompany = "55555555588888888DDDDDDDDD";
    }

    // The link demand is evaluated once, at JIT time, against the immediate caller.
    [StrongNameIdentityPermission(SecurityAction.LinkDemand, PublicKey = PublicKeys.MyCompany)]
    public class MyClass
    {
    }
2. Apply encryption and security protection to the application configuration files.
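One way to put rule 2 into practice, as an added example that is not part of the IDesign standard: encrypt the sensitive sections of the application's .config file with the DPAPI-backed protected-configuration provider that ships with .NET. The section names and the "MainDb" connection string name are assumptions.

```csharp
using System;
using System.Configuration;

// Added example (not from the IDesign standard). Encrypts named sections of
// this application's .config in place; reads afterwards need no extra code.
public static class ConfigProtector
{
    // DPAPI provider shipped with .NET: keys are bound to this machine (or
    // user), so the encrypted file decrypts only where it was written.
    const string Provider = "DataProtectionConfigurationProvider";

    public static void Protect(params string[] sectionNames)
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);

        foreach (string name in sectionNames)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null)
                continue; // section absent from this config file

            if (section.SectionInformation.IsProtected)
                continue; // already encrypted; leave it alone

            section.SectionInformation.ProtectSection(Provider);
            section.SectionInformation.ForceSave = true; // write even if unchanged
        }

        // Writes the encrypted sections back to the file beside the executable.
        config.Save(ConfigurationSaveMode.Modified);
    }

    // The runtime decrypts a protected section transparently for callers
    // whose account has access to the DPAPI key.
    public static string ConnectionString(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        return settings == null ? null : settings.ConnectionString;
    }

    static void Main()
    {
        // Section names and "MainDb" are assumed; adjust to your own config.
        Protect("connectionStrings", "appSettings");
        Console.WriteLine(ConnectionString("MainDb") ?? "(not configured)");
    }
}
```

Run it once from an account that has write access to the .config file; afterwards the plain-text secrets are gone from disk and only processes on the same machine (or user profile, depending on the provider's key store) can read them back.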
3. When importing an interop method, assert unmanaged code permission and demand an appropriate permission in its place.

    // Raw P/Invoke entry point; kept private so only the wrapper below can reach it.
    [DllImport("user32", EntryPoint = "MessageBoxA")]
    private static extern int Show(IntPtr handle, string text, string caption, int msgType);

    // Assert UnmanagedCode so callers do not need it, but demand a UI
    // permission so the assert is not a free pass into native code.
    [SecurityPermission(SecurityAction.Assert, UnmanagedCode = true)]
    [UIPermission(SecurityAction.Demand, Window = UIPermissionWindow.SafeTopLevelWindows)]
    public static void Show(string text, string caption)
    {
        Show(IntPtr.Zero, text, caption, 0);
    }
4. Do not suppress unmanaged code access checks with the SuppressUnmanagedCodeSecurity attribute.
5. Do not use the /unsafe switch of TlbImp.exe. Wrap the CCW in managed code so that you can assert and demand permissions declaratively on the wrapper.
6. On server machines, deploy a code access security policy that grants only Microsoft, ECMA and self (identified by strong name) Full Trust.
    A) All other code is implicitly granted nothing.
7. On client machines, deploy a security policy that grants the client application only the permissions to call back the server and to potentially display a user interface.
    A) The client application is identified by its strong name.
8. Always refuse at the assembly level all permissions not required to perform the task at hand.
    A) This counters a luring attack.

    // Assembly-level refusal: the assembly can never use these permissions, even if granted.
    [assembly: UIPermission(SecurityAction.RequestRefuse, Window = UIPermissionWindow.AllWindows)]
9. Always set the principal policy to Windows in every Main() method.

    public class MyClass
    {
        static void Main()
        {
            // Make Thread.CurrentPrincipal a WindowsPrincipal for this app domain,
            // so role-based checks are backed by the Windows identity.
            AppDomain currentDomain = Thread.GetDomain();
            currentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
        }

        // Other methods
    }
10. Never assert a permission without demanding a different permission in its place. See the relevant chapter in Programming .NET Components.