What's New in Security for v2.0

There's a ton of new and enhanced security features coming with the v2.0 release of the CLR.  However, finding a definitive list of them all can be a somewhat challenging task.  Dominick Baier has an excellent slide deck detailing some of the changes and some demo code as well.  You can find both linked from his blog entry here.  Keith Brown also highlighted Security Enhancements in the .NET Framework 2.0 in his Security Briefs column for January's MSDN magazine.

Although there's no official list of new security features anywhere, here's some of the highlights of what we've added.  I've covered most of these in this blog before, but some of the big ones (like transparency) have yet to show up.  You can look for those over the next few weeks.  In no particular order:

• Transparency
• Simple Sandboxing API
• ClickOnce
• AppDomainManager / HostSecurityManager
• Permission Evaporation
• PermCalc
• FullTrust means FullTrust
• XML Encryption
• Enhanced X509 support (via X509Certificate2)
• Support for larger SN keys
• Enhanced SecurityException
• Managed ACLs
• PKCS7 support
• FIPS enforcement
• RFC 2898 PBKDF 2  
• Full trust GAC
• CasPol -s off changes
• Visual Studio enhancements, such as debug in zone, and enhanced support for debugging security exceptions.
• Test key signing

Performance work was also one of the security team's main focuses during the v2.0 release.  And of course there were numerous bug fixes, and other odds and ends.  From the number of entries with no links above, it looks like I've got quite a few more blog posts to get writing :-)  When I write something on each topic, I'll try to come back and update this post with the link ... there's a lot of great stuff up there -- I can't wait to finally ship this product so that everyone can start using it!

Comments

• Anonymous
  August 24, 2005
  Permission Evaporation?
• Anonymous
  August 24, 2005
  AKA HostProtection -- basically allows hosts to disallow certain classes of actions. It's an upcoming blog entry :-)
  
  -Shawn
• Anonymous
  August 24, 2005
  You can also download the "Security Enhancements in the .NET 2.0 Framework" Slides presented at the .NET Community Conference at Vienna this month:
  
  http://blogs.dotnetgerman.com/alexonasp.net/PermaLink,guid,1e0b559e-391e-4430-b9fc-bc3ec1ea3681.aspx
• Anonymous
  September 01, 2005
  I just posted a Secure Remote Password (SRP) c# implementation at:
  http://channel9.msdn.com/ShowPost.aspx?PostID=107763
  Implemented using fx 2.0 Beta1.
• Anonymous
  September 05, 2005
  And what about the old new features ?
  
  I'm working with Beta 2 and I'm using PrincipalPermissionAttribute. As I wished to use more than 1 attribute on a single method, I tried the new SecurityAction.DemandeChoice flag. To my surprise, the compiler said this flag is obsolete ! There is nothing about that on MSDN2.
  
  As this new feature been removed ?
  Is there other removed features ?
  
  Thx
• Anonymous
  September 07, 2005
  Yep -- we removed disjunctive LinkDemands from Whidbey. See my comment here: http://forums.microsoft.com/msdn/ShowPost.aspx?PostID=83571
  
  -Shawn
• Anonymous
  February 22, 2006
  Ya... That's Good . I work in .net Framework 2.0 It is More Robust.
• Anonymous
  March 14, 2006
  The comment has been removed
• Anonymous
  March 20, 2006
  Muitas novidades no CAS, vejam nos seguintes links :
  http://blogs.msdn.com/shawnfa/archive/2005/08/24/455581.aspx...