MCSD 70-310 Creating and Consuming .NET Remoting Objects Exam Question

Discussion in 'MCSD' started by Greg, Jul 13, 2004.

  1. Greg

    Greg Guest

    I have a sample question:

    You are creating a .NET remoting application for hosting on an IIS server.
    You need to restrict the resources a remote object can access on a computer.
    You implement ____ to control the resources a remote object can access on a
    computer. (Choose one correct option)


    1. Role-based security
    2. SSL security
    3. Code Access security
    4. HttpChannel Web Security

    What is the correct answer and why?
    Greg, Jul 13, 2004
    #1

  2. Greg

    Sunny Guest

    Hi Greg,


    In article <>,
    says...
    > I have a sample question:
    >
    > You are creating a .NET remoting application for hosting on an IIS server.
    > You need to restrict the resources a remote object can access on a computer.
    > You implement ____ to control the resources a remote object can access on a
    > computer. (Choose one correct option)
    >
    >
    > 1.. Role-base security
    > 2.. SSL security
    > 3.. Code Access security
    > 4.. HttpChannel Web Security
    > What is the correct answer and why?
    >
    >
    >


    I do not think that the question is very clear, but I'll bet on
    Role-based security. IIS hosted objects are running as ASPNET user by
    default, or if impersonated, with some other user's rights. And what a
    user can do with machine resources is controlled by this user's rights.
    I.e. role-based security is the most right answer in my view.

    Sunny
    Sunny, Jul 13, 2004
    #2

  3. Greg

    Eric Guest

    Sunny wrote:

    > I do not think that the question is very clear, but I'll bet on Role-
    > base security. IIS hosted objects are running as ASPNET user by
    > default, or if impersonated, with some other user's rights.


    Remoting objects don't log in.

    Since it's hosted in IIS, and uses HTTP, I would go with SSL.

    Eric
    Eric, Jul 13, 2004
    #3
  4. Greg

    Sunny Guest

    In article <#>, "Eric" <Eric>
    says...
    > Sunny wrote:
    >
    > > I do not think that the question is very clear, but I'll bet on Role-
    > > base security. IIS hosted objects are running as ASPNET user by
    > > default, or if impersonated, with some other user's rights.

    >
    > Remoting objects don't log in
    >
    > Since it's hosted in IIS, and uses HTTP, I would go with SSL.
    >
    > Eric
    >



    They are running with the rights of the process in which they are
    hosted. This is aspnet for asp.net processes.

    SSL is only encryption, it has nothing to do with the rights a process
    has over resources.

    Sunny
    Sunny, Jul 13, 2004
    #4
  5. Greg

    Ken Kolda Guest

    I agree with Sunny that this is pretty vaguely worded... it says you want to
    "restrict the resources a remote object can access" -- it doesn't say
    anything about whether that's based on the identity of the user invoking the
    object's methods. So, to me, that implies code access security (i.e.
    independent of identity). But, since the server is in control of what
    objects get remoted, it would seem silly to remote an object that could
    perform operations you don't want to allow.

    So, I'd probably go with #4, HttpChannel security, because this is what
    allows the client to pass to the server the identity info with the object's
    method calls. But, I would think you'd use this in conjunction with
    role-based security on the server side.

    Ken
    Ken Kolda, Jul 13, 2004
    #5
  6. Greg

    Eric Guest

    Sunny wrote:

    > SSL is only encryption, it does nothing to do with the rights a
    > process has over resources.


    That leaves us with CAS.

    Eric
    Eric, Jul 13, 2004
    #6
  7. Greg

    Greg Guest

    Well, this question was from the Practice Exam of the Microsoft official study guide Developing XML Web Services and Server Components with Microsoft Visual Basic .NET and Microsoft Visual C# .NET for exam 70-310.

    But apparently 3 Code Access security is the correct answer. The study guide says You can use code-access security to secure remote objects. But the study guide also mentions that If you host remote objects in IIS, you can use the security feature of IIS and SSL to secure remote objects. IIS hosting provides SSL, which allows you to secure messages sent to or received from remote objects. In addition, you can use Integrated Windows Authentication or Kerberos to secure the remote objects hosted in IIS.

    So go figure.
    Greg, Jul 14, 2004
    #7
  8. Greg

    Bob Grommes Guest

    This is exactly why I think certification exams and the whole cottage industry surrounding them are a load of cr*p.

    In the first place it's a fallacy to suppose that you can accurately gauge software development skill by asking a bunch of multiple-choice questions. I'd rather have someone working for me that would flunk an exam for lack of having memorized a bunch of sterile facts, but who has common sense, good problem-solving skills, and knows how to RTFM, STFW, or pick up the blasted reference books next to his or her desk when confronted with something new or obscure.

    Add to this sloppily worded questions with indifferent editing, like the example under consideration here, and you have yourself a real mess. Nothing infuriates me more than someone making judgments about my skills based on prose like this, that can't even clearly frame the question. Time and again you find yourself thinking, not "what is the correct answer"? But rather, "I wonder what they're fishing for?" A testee should never have to read the test author's mind!

    I am acquainted with how this stuff is developed; as a former seminar developer / instructor, I've been offered writing assignments through intermediary contractors for MSFT tests. I have three words to describe this process, at least the parts of it I've witnessed: Pa thet ic.

    --Bob
    Bob Grommes, Jul 14, 2004
    #8
  9. Greg

    Sunny Guest

    Yes, as we can see :)

    Still the question is not very clear.

    Sunny

    In article <>, "Eric" <Eric> says...
    > Sunny wrote:
    >
    > > SSL is only encryption, it does nothing to do with the rights a
    > > process has over resources.

    >
    > That leaves us with CAS.
    >
    > Eric
    >
    Sunny, Jul 14, 2004
    #9
  10. Greg

    Eric Guest

    Greg wrote:

    > Well, this question was from the Practice Exam of the Microsoft
    > official study guide


    That explains why the question is weakly-worded.

    I took the 70-320 test, and I don't remember anything worded so vaguely.

    Eric
    Eric, Jul 14, 2004
    #10
  11. My first inclination would be to use Role Based Security in this
    instance. However, it's more than likely code access security.

    On Mon, 12 Jul 2004 21:54:15 -0600, "Greg" <> wrote:

    >I have a sample question:
    >
    >You are creating a .NET remoting application for hosting on an IIS server.
    >You need to restrict the resources a remote object can access on a computer.
    >You implement ____ to control the resources a remote object can access on a
    >computer. (Choose one correct option)
    >
    >
    > 1.. Role-base security
    > 2.. SSL security
    > 3.. Code Access security
    > 4.. HttpChannel Web Security
    >What is the correct answer and why?
    >
    Allen Anderson, Jul 15, 2004
    #11
  12. Greg

    Pollux Guest

    In article <>,
    says...
    > my first inclination would be to use Role Base Security in this
    > instance. However, its more than likely code access security.
    >
    > On Mon, 12 Jul 2004 21:54:15 -0600, "Greg" <> wrote:
    >
    > >I have a sample question:
    > >
    > >You are creating a .NET remoting application for hosting on an IIS server.
    > >You need to restrict the resources a remote object can access on a computer.
    > >You implement ____ to control the resources a remote object can access on a
    > >computer. (Choose one correct option)
    > >
    > >
    > > 1.. Role-base security
    > > 2.. SSL security
    > > 3.. Code Access security
    > > 4.. HttpChannel Web Security
    > >What is the correct answer and why?
    > >

    >
    >


    Why would you choose anything else than Code Access Security? The wording
    of the question makes it pretty clear that it is the remote object
    you're trying to restrict, so role based security would be a wrong
    answer. Just curious.
    Pollux, Jul 15, 2004
    #12
  13. Greg

    Pollux Guest

    In article <>,
    says...
    > I have a sample question:
    >
    > You are creating a .NET remoting application for hosting on an IIS server.
    > You need to restrict the resources a remote object can access on a computer.
    > You implement ____ to control the resources a remote object can access on a
    > computer. (Choose one correct option)
    >
    >
    > 1.. Role-base security
    > 2.. SSL security
    > 3.. Code Access security
    > 4.. HttpChannel Web Security
    > What is the correct answer and why?
    >
    >
    >


    Oh, I see the full thread now and there are quite a few confused people
    apparently. There is absolutely nothing vague about this question.

    It cannot be 1 as the question clearly wants to restrict access to the
    object, not the user accessing it.

    It cannot be 2 as SSL is a form of encryption.

    I'm not sure what 4 is, but it looks like some form of authentication.

    The correct answer is definitely 3.

    Remoting has nothing to do with IIS as you could achieve remoting on
    Apache too if that's what you wanted to do.
    Pollux, Jul 15, 2004
    #13
  14. >Why would you chose anything else than Code Access Security? The wording
    >of the question makes it pretty clear that it is the remote object
    >you're trying to restrict, so role based security would be a wrong
    >answer. Just curious.


    You are entitled to your opinion.
    Allen Anderson, Jul 15, 2004
    #14
  15. Greg

    Ken Kolda Guest

    To me the confusion comes because it's not clear when they say "a computer"
    in the second sentence whether they're referring to the client or the
    server.

    If the remoted object is MBR, then the only resources that would be relevant
    are server resources. In this case, I usually think of this as being a
    situation for role-based security (i.e. based on the identity of the user on
    the other end of the remote object), which also involves HttpChannel
    security when used under IIS.

    If the remoted object is MBV, then the relevant resources are on the client,
    in which case I would think of code access security (so the remoted object
    can't be used maliciously by untrusted client code).

    Ken
    Ken Kolda, Jul 15, 2004
    #15
  16. Greg

    Pollux Guest

    In article <>,
    says...
    > >Why would you chose anything else than Code Access Security? The wording
    > >of the question makes it pretty clear that it is the remote object
    > >you're trying to restrict, so role based security would be a wrong
    > >answer. Just curious.

    >
    > You are entitled to your opinion.
    >
    >


    I hope you didn't feel offended or anything. I was genuinely interested
    in your reasoning.
    Pollux, Jul 15, 2004
    #16
  17. Greg

    Pollux Guest

    In article <O$>, ken.kolda@elliemae-
    nospamplease.com says...
    > To me the confusion comes because it's not clear when they say "a computer"
    > in the second sentence whether they're referring to the client or the
    > server.
    >
    > If the remoted object is MBR, then the only resources that would be relevant
    > are server resources. In this case, I usually think of this as being a
    > situation for role-based security (i.e. based on the identity of the user on
    > the other end of the remote object), which also involves HttpChannel
    > security when used under IIS.
    >
    > If the remoted object is MBV, then the relevant resources are on the client,
    > in which case I would think of code access security (so the remoted object
    > can't be used maliciously by untrusted client code).
    >
    > Ken


    I'm not sure what you mean by MBR or MBV, but doesn't the fact that it
    involves remoting imply that we're talking about the resources on the
    client?
    Pollux, Jul 15, 2004
    #17
  18. Greg

    Ken Kolda Guest

    By MBR I mean Marshal-By-Reference. Since objects that derive from
    MarshalByRefObject actually live on the server, they have no way of
    accessing client resources (unless the resource is passed to them).
    Conversely, marshal-by-value objects (MBV) will actually live in the client,
    so from the client side they have no means of accessing server resources.

    Ken
    Ken Kolda, Jul 16, 2004
    #18
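
The distinction Ken Kolda describes in post #18, together with the code access security answer Greg reports from the study guide, as an added C# example that is not part of the original thread. It assumes the .NET Framework 2.0 or later (for the sandboxing overload of `AppDomain.CreateDomain`; code access security is not available on .NET Core or .NET 5+), built as a console executable. `ReportReader`, `Demo`, the domain name, the role names and the file names are hypothetical, and the sample files are constructed.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical remote object (not from the thread). Because it derives from
// MarshalByRefObject, callers hold a proxy and its methods run in the domain
// that hosts it, under that domain's permission grant.
public class ReportReader : MarshalByRefObject
{
    public string HostDomain()
    {
        return AppDomain.CurrentDomain.FriendlyName;
    }

    // Code access security: File.ReadAllText demands FileIOPermission from the
    // code on the call stack, whatever the identity of the caller.
    public string Read(string path)
    {
        try { return "read " + File.ReadAllText(path).Length + " chars"; }
        catch (SecurityException) { return "denied by code access security"; }
    }
}

public static class Demo
{
    // Hosts a ReportReader in a new domain that holds only the given grant set.
    static ReportReader CreateIn(string name, PermissionSet grant)
    {
        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;
        AppDomain domain = AppDomain.CreateDomain(name, null, setup, grant);
        return (ReportReader)domain.CreateInstanceAndUnwrap(
            typeof(ReportReader).Assembly.FullName,
            typeof(ReportReader).FullName);
    }

    // Role-based security: the demand inspects Thread.CurrentPrincipal,
    // that is, who is calling rather than which code is running.
    static string RoleCheck(string requiredRole)
    {
        try
        {
            new PrincipalPermission(null, requiredRole).Demand();
            return "role check passed";
        }
        catch (SecurityException) { return "denied by role check"; }
    }

    public static void Main()
    {
        // Constructed sample files in the temp directory.
        string allowed = Path.Combine(Path.GetTempPath(), "cas-demo-allowed.txt");
        string other = Path.Combine(Path.GetTempPath(), "cas-demo-other.txt");
        File.WriteAllText(allowed, "constructed sample data");
        File.WriteAllText(other, "constructed sample data");

        // Grant: permission to execute, plus read access to one file only.
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, allowed));

        ReportReader reader = CreateIn("sandbox", grant);
        Console.WriteLine(reader.HostDomain());   // the object lives in "sandbox"
        Console.WriteLine(reader.Read(allowed));  // inside the grant
        Console.WriteLine(reader.Read(other));    // outside the grant

        // The role check, by contrast, changes with the caller's identity.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("alice"), new string[] { "Clerks" });
        Console.WriteLine(RoleCheck("Managers"));
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("bob"), new string[] { "Managers" });
        Console.WriteLine(RoleCheck("Managers"));
    }
}
```
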
  19. Indeed, it sounded like you were suggesting anyone that didn't choose
    Code Access Security wasn't playing with a full deck. However, if
    that wasn't your inference, then the reason that RBS might be used for
    the same thing is that roles are set up specifically to restrict
    various accesses based on a user's role. Thus, you would not let
    someone access something via this mechanism fairly easily. CAS is a
    better option, but RBS could be used for the same thing.

    On Thu, 15 Jul 2004 23:36:22 +0100, Pollux <> wrote:

    >In article <>,
    > says...
    >> >Why would you chose anything else than Code Access Security? The wording
    >> >of the question makes it pretty clear that it is the remote object
    >> >you're trying to restrict, so role based security would be a wrong
    >> >answer. Just curious.

    >>
    >> You are entitled to your opinion.
    >>
    >>

    >
    >I hope you didn't feel offended or anything. I was genuinely interested
    >in your reasoning.
    Allen Anderson, Jul 16, 2004
    #19
  20. Greg

    Pollux Guest

    In article <>,
    says...
    > indeed, it sounded like you were suggesting anyone that didn't choose
    > Code Access Security wasn't playing with a full deck. However, if
    > that wasn't your inference, then the reason that RBS might be used for
    > the same thing is that roles are setup specifically to restrict
    > various accesses based on a users role. Thus, you would not let
    > someone access something via this mechanism fairly easily. CAS is a
    > better option, but RBS could be used for the same thing.
    >
    > On Thu, 15 Jul 2004 23:36:22 +0100, Pollux <> wrote:
    >
    > >In article <>,
    > > says...
    > >> >Why would you chose anything else than Code Access Security? The wording
    > >> >of the question makes it pretty clear that it is the remote object
    > >> >you're trying to restrict, so role based security would be a wrong
    > >> >answer. Just curious.
    > >>
    > >> You are entitled to your opinion.
    > >>
    > >>

    > >
    > >I hope you didn't feel offended or anything. I was genuinely interested
    > >in your reasoning.

    >
    >


    I apologise if that's how I came across. It certainly wasn't my
    intention. It's just that I can think of a thousand trickier questions
    than this particular one so I was surprised that so many people had a
    different opinion on this one.
    Pollux, Jul 16, 2004
    #20
