You are an application developer for your company. You are reviewing the security for a console application
that was written by another developer. The application uses impersonation to run as a member of the
Administrators group. The following code segment is the only code that deals with security in the application.
RegistryKey key = Registry.CurrentUser.CreateSubKey("Name");
key.SetValue("Name", "Tester");
You need to improve the security of the application.
What should you do?
You are an application developer for your company. You are developing a client application that queries a
Microsoft SQL Server database. The application uses an unmanaged component to retrieve data from another
application, and your application uses that data as part of a SQL query.
In the application code, you use a variable named externalobject to refer to the unmanaged component. A
variable named calcval contains an integer value that is calculated by your application. A SqlCommand object
named sqlcmd is already defined and associated with an open ADO.NET connection to the SQL Server
database.
The application contains the following code segment.
string myquery;
myquery = "INSERT INTO DataStore (ExternalID, CalcValue)";
myquery += " VALUES(" + externalobject.LegacyData + ",";
myquery += calcval.ToString() + ")";
sqlcmd.CommandText = myquery;
sqlcmd.ExecuteNonQuery();
You need to improve the security of this code segment.
What should you do?
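The concatenation above lets whatever externalobject.LegacyData contains become part of the SQL statement. The segment below is an added example, not code from the exam item; it assumes ExternalID is an nvarchar column, that LegacyData has been read into a string, and that sqlcmd is the open SqlCommand from the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class DataStoreWriter
{
    // Rewrites the INSERT with SqlParameter objects so the external value and
    // the calculated integer are sent as typed values, never as SQL text.
    // Assumptions (not stated in the question): ExternalID is nvarchar(50),
    // legacyData is the string taken from externalobject.LegacyData.
    public static int InsertRecord(SqlCommand sqlcmd, string legacyData, int calcval)
    {
        sqlcmd.CommandText =
            "INSERT INTO DataStore (ExternalID, CalcValue) VALUES (@ExternalID, @CalcValue)";
        sqlcmd.CommandType = CommandType.Text;
        sqlcmd.Parameters.Clear();

        // A quote, semicolon or comment marker inside legacyData is stored as
        // part of the column value; it cannot change the statement that runs.
        sqlcmd.Parameters.Add("@ExternalID", SqlDbType.NVarChar, 50).Value = legacyData;
        sqlcmd.Parameters.Add("@CalcValue", SqlDbType.Int).Value = calcval;

        return sqlcmd.ExecuteNonQuery();
    }
}
```

If ExternalID is a numeric column, convert legacyData with int.TryParse and use SqlDbType.Int instead, rejecting the value when the parse fails.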
You are an application developer for your company. You are developing a Windows Forms client application
that will be used within the company to access data in a Microsoft SQL Server database. The application
defines a SqlConnection object named sqlconn and a SqlCommand object named sqlcmd. The application
also includes the following code segment.
SqlDataReader sqlreader = sqlcmd.ExecuteReader();
You need to improve the security of this code segment. You decide to replace the existing code segment.
Which code segment should you use?
You are an application developer for your company. Your development computer is named Dev1, and the
computer has IIS 5.0 installed. You log on to Dev1 by using an account named User1. On Dev1, you develop
an ASP.NET Web application for testing user authentication. Your project uses the default settings from
Microsoft Visual Studio .NET 2003. Your Web application contains a form that includes a label control named
Label1.
The Machine.config file contains the following code segment.
The Web.config file contains the following code segment.
The application contains the following code segment.
Label1.Text = WindowsIdentity.GetCurrent().Name.ToString();
When you run the application, you discover that the text property of Label1 is set to Dev1\ASPNET.
You need to ensure that the application sets the text property of Label1 to Dev1\User1.
What should you do?
You are an application developer for your company. You are developing a three-tier Windows Forms application
that will be used to manage confidential records. The business layer includes a remote object that is installed
on an application server. The remote object is hosted in ASP.NET on the application server. IIS is configured to
use Integrated Windows authentication, and ASP.NET is configured to use Windows authentication. All client
computers and servers on the network support Kerberos authentication. The Windows Forms application
communicates with the remote object by using a remoting proxy named myProxy.
The remote object accesses a Microsoft SQL Server database. Permissions to database objects are granted
based on the identity of the user. The remote object needs to run under the security context of the user.
You need to write the code in the Windows Forms application that will configure the remoting proxy to have the
credentials to use for authentication.
Which code segment should you use?
You are an application developer for your company, which is named Humongous Insurance. You are
developing an application to manage medical insurance claims. The application includes a serviced component
named ClaimRecord. The business rules implemented by the application allow only those users who are
members of the HumongousInsurance\ClaimsProcessor domain group to access the ClaimRecord component.
You apply attributes to the ClaimRecord component to enable role-based security. You use the following
assembly-level attribute to add a role named ClaimsProcessor to the COM+ application that hosts the
ClaimRecord component.
[assembly: SecurityRole("ClaimsProcessor")]
You deploy the ClaimRecord component to your staging server. You log on to the application by using a user
account that is a member of the HumongousInsurance\ClaimsProcessor domain group. When your application
attempts to access the ClaimRecord component, an UnauthorizedAccessException exception is thrown.
You need to modify the ClaimRecord component or reconfigure the COM+ application so that access is
granted. You need to achieve this goal without compromising the security requirement of the ClaimRecord
component.
What should you do?
You are an application developer for your company. You are developing a multithreaded application. Some of
the application's threads perform maintenance tasks in the application's database. These maintenance tasks
are performed by dedicated assemblies, and the assemblies need to run under different security permissions.
The other assemblies of the application must not have the different permissions.
You need to ensure that the application's threads have the correct security permissions. You want to achieve
this goal without negatively affecting response times for the application.
What should you do?
You are an application developer for your company. You develop an ASP.NET Web application for the
company's intranet. The application accesses data that is stored in a Microsoft SQL Server database. The
application authenticates users by using Windows authentication, and it has impersonation enabled. You
configure database object permissions based on the identity of the user of the application.
You need to provide the user's identity to the SQL Server database.
What should you do?
You are an application developer for your company, which is named Proseware, Inc. You are developing an
ASP.NET Web application that users in the accounting
department will use to process payroll reports and view payroll reports. The application will use Integrated
Windows authentication to authenticate all users.
Because payroll data is confidential, only users in the accounting department will be granted access to the
application. All employees in the accounting department belong to a specific Active Directory group. However,
users in the IT department can add themselves to various Active Directory groups in order to troubleshoot
resource access problems. These IT department users must not be granted access to the ASP.NET Web
application.
The following rules can be used to distinguish between users in the accounting department and users in the IT
department:
All users in the accounting department are members of a group named Proseware\Accounting.
Some users in the IT department are members of the Proseware\Accounting group.
All users in the IT department are members of a group named Proseware\Domain Admin.
No users in the accounting department are members of the Proseware\Domain Admin group.
You need to configure URL authorization for the application by adding an element to the Web.config file in the
application root.
Which element should you use?