MCSD 70-310 Creating and Consuming .NET Remoting Objects Exam Question

Discussion in 'MCSD' started by Greg, Jul 13, 2004.

  1. Greg

    Sunny Guest

    Hi,

    inline:


    There is :)
    From the question:
    No one says TO the object, but how to restrict the object itself.

    And, also, the object is hosted in IIS. So this object runs with the
    rights of the ASPNET user, or some other user (using impersonation).

    With RBS you can restrict the rights of the user, so you can restrict
    the object as well. The question is not that clear at all, and RBS is
    a possible answer.
    Maybe the best, but not "definitely".

    In general you are right, but this thread is about a specific question,
    and there IIS is a vital component :)

    Sunny
     
    Sunny, Jul 16, 2004
    #21

  2. Greg

    Pollux Guest

    I'm probably beating a dead horse, but I still don't see how there could
    have been any confusion. I know close to nothing about ASP.NET, but I'm
    aware that it runs within the context of the ASP User or whatever you
    chose. By the way, ASP was never mentioned here. The keyword here is
    remoting application which by definition I believe an ASP.Net
    application isn't. A remoting application is executed on your machine
    whereas an ASP.Net isn't unless IIS is on your machine.

    Now let's assume for a second that we were indeed talking about an
    ASP.Net application. Wouldn't it still make more sense to use Code
    Access Security than Role Based security? I have no clue how it works,
    but I would suspect that it works along the lines of loading up the said
    assembly and do whatever it needs to do. As per the requirement, you
    probably want to block access to the assembly rather than the more
    general ASP user.

    I'm starting to think that it's my lack of knowledge of ASP.Net that
    prevented me from being confused.
     
    Pollux, Jul 16, 2004
    #22

  3. Greg

    Sunny Guest

    Same feeling (the horse). They definitely say "hosted in IIS". To be
    hosted in IIS, there definitely IS running ASP.Net process. The keyword
    here is "IIS hosted".

    The remoting object is executed on the server, not on the client. That's
    why it is "remote". It runs with the rights of the hosting process on
    the server.

    Remoting is not like downloading some assembly and running code locally.
    This is the starting point. It is "remotely" run.
    You do not have to restrict the ASPNET user. You can create a special
    user just for that app, and impersonate. So the object will run with the
    rights of that specific user.
    .... and remoting.


    One way or another, I'm not arguing that RBS is the best solution, but
    it is possible one. I have never implemented CBS, so I do not know how
    much time it will take me to restrict an assembly, comparing to restrict
    a user (which I know how to do).

    The main point is that even if CBS is the better solution, the posted
    question is not clear and has more than one answer.

    Sunny
     
    Sunny, Jul 16, 2004
    #23
  4. Greg

    Pollux Guest

    I think I can see where the confusion started for me. The only remoting
    I was aware of was "URL remoting". In this case the exe runs within the
    context of ieexec.exe on your machine. Obviously in that context, the
    exe could have been hosted on Apache as well, so obviously, as far as I
    was concerned, there could be no doubt.

    You were confused by the fact that it said "hosted on IIS" so you
    automatically assumed ASP.Net. I glanced MSDN and apparently it is a
    wrong assumption. IIS is merely a "listener" that acts as a broker
    between the 2 processes.
     
    Pollux, Jul 16, 2004
    #24
  5. Greg

    UAError Guest

    Probably. Whoever phrased that question probably was too
    sloppy to use precise language while remaining obscure
    enough to be actually asking "multiple" questions.

    ***You are creating a .NET remoting application for hosting
    on an IIS server.

    What's a remoting application? An application that uses .NET
    remote objects? That resides on the client, not the server
    and has got nothing to do with IIS. However, remotable
    classes can be hosted on IIS in which case you are
    restricted to using an HttpChannel with a Soap Formatter.
    Your first clue that ASP.NET is involved on the server side
    is that you need supply a web.config file. Just to make sure
    I resurrected my Kalani 70-320 StepByStep3_19 to
    StepByStep3_21 projects and got the MBR remotable object to
    return its Process ID - sure enough it was the one for the
    ASP.NET worker process. So yes, ASP.NET is involved as soon
    as you use IIS as a remoting host.

    ***You need to restrict the resources a remote object can
    access on a computer.
    "A computer"? There are at least two computers involved here
    - the client and the server (not to speak of the ones on the
    respective networks that would like to be "safe").
    "Resources" probably means server resources or resources
    associated through the servers network. MBV objects cannot
    access server resources as they are deserialized on the
    client's end - so we must be talking about MBR objects.

    ***You implement ____ to control the resources a remote
    object can access on a computer. (Choose one correct option)

    Here we go again, "a computer"...

    ***1. Role-base security

    Which one? COM+ Role-based security, Windows Role-based
    security? COM+ wasn't mentioned but COM+ role-based security
    definitely does not transfer over a remoting channel.
    Windows Roles? Possibly, especially because
    that's how it was done before CAS. Nothing is said about IIS
    Authentication or ASP.NET Authentication or the
    configuration of the ASP.NET.
    IIS: By default anonymous access is enabled.
    ASP.NET Authentication: By default no authentication.
    ASP.NET WP: No impersonation configuration is mentioned so
    the default is the "least privilege" ASPNET account which
    belongs to the "Users" group.
    No mention is made that the client updates the credentials
    of the ChannelSinkProperties after the remote object is
    created.

    So you could create a new windows group assign it the
    appropriate privileges to access the particular resources
    and make ASPNET a member of it, with the following caveats:

    - anything else that ASPNET runs also has access to those
    resources
    - if any other group ASPNET belongs to denies access to a
    resource you need, you're hosed.
    - ultimately it's the administrator that determines the
    privileges not the developer/application.

    so windows role-based security is not ideal but you can't
    discount it either. But to use it, we still need to choose an
    authentication method.

    ***2. SSL security

    Only protects data in transit, can't protect resources with
    it.

    ***3. Code Access security

    Well, yes if the "resources" that you are trying to control
    are covered by one of the following:

    DirectoryServicesPermission: Controls access to the System.DirectoryServices namespace.
    DnsPermission: Controls access to domain name system (DNS) services.
    EnvironmentPermission: Controls access to environment variables.
    EventLogPermission: Controls access to the Windows event log.
    FileDialogPermission: Controls access to files selected from the Open dialog box.
    FileIOPermission: Controls access to reading and writing files and directories.
    IsolatedStorageFilePermission: Controls access to private virtual file systems.
    IsolatedStoragePermission: Controls access to generic isolated storage.
    MessageQueuePermission: Controls access to message queuing via MSMQ.
    OleDbPermission: Controls access to data via the System.Data.OleDb namespace.
    PerformanceCounterPermission: Controls access to performance counters.
    PrintingPermission: Controls access to printers.
    ReflectionPermission: Controls access to reflection features of .NET.
    RegistryPermission: Controls access to the Windows Registry.
    SecurityPermission: Controls access to unmanaged code.
    ServiceControllerPermission: Controls access to starting and stopping services.
    SocketPermission: Controls access to windows sockets.
    SqlClientPermission: Controls access to data via the System.Data.SqlClient namespace.
    UIPermission: Controls access to the user interface.
    WebPermission: Controls access to making Web connections.

    Now you can basically reject any permissions you don't need
    so that you are working with the least privileges. But we
    have no idea even what kind of resources we are trying to
    control now do we?
    And the default ASPNET is a low privilege account to start
    with...

    ***4. HttpChannel Web Security
    Only takes care of authentication, not authorization which
    is needed to "control resources" (that's what windows
    role-based security would do).

    So as you are restricted to "one option" (3) looks like the
    candidate - but there are a lot of assumptions you have to
    take for granted.
     
    UAError, Jul 16, 2004
    #25
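
An added example, not part of any poster's message above: one way the Code Access Security option from the exam question could look in C# for a remotable (MBR) class on the .NET Framework versions this thread discusses. The namespace, class name, method names and directory are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Permissions;
using System.Security.Principal;

// Assembly-level refusals: the runtime never grants these permissions to this
// assembly, whatever CAS policy or the hosting Windows account would allow.
[assembly: RegistryPermission(SecurityAction.RequestRefuse, Unrestricted = true)]
[assembly: EnvironmentPermission(SecurityAction.RequestRefuse, Unrestricted = true)]
[assembly: SocketPermission(SecurityAction.RequestRefuse, Unrestricted = true)]

namespace Example.Remoting                          // hypothetical namespace
{
    // Marshal-by-reference object: it executes in the host process on the
    // server (the ASP.NET worker process when IIS is the remoting host).
    public class ReportService : MarshalByRefObject // hypothetical class
    {
        // Constructed path: the only directory this object is meant to read.
        private const string DataDir = @"C:\RemotingData\";

        // Shows which Windows account the object runs as on the server,
        // e.g. the ASPNET account or an impersonated user.
        public string GetHostIdentity()
        {
            return WindowsIdentity.GetCurrent().Name;
        }

        // PermitOnly limits the stack walk for this call: a demand for any
        // permission other than read access under DataDir fails with a
        // SecurityException, even if the account's ACLs would allow it.
        [FileIOPermission(SecurityAction.PermitOnly, Read = DataDir)]
        public string ReadReport(string fileName)
        {
            // Path.GetFileName drops directory parts supplied by the caller.
            string path = Path.Combine(DataDir, Path.GetFileName(fileName));
            using (StreamReader reader = new StreamReader(path))
            {
                return reader.ReadToEnd();
            }
        }
    }
}
```

The Windows account still bounds what the object can do through ACLs; CAS narrows the assembly further. `SecurityAction.RequestRefuse` is marked obsolete from .NET Framework 4 onward, so this form applies to the 1.x/2.0-era runtime the exam covers.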
  6. Greg

    Ken Kolda Guest

    Ooohhh. Now I see where you're coming from. But I think Microsoft refers to
    this as "Smart Client Deployment" -- it's not really "remoting" (which is
    not to say that your small client app couldn't use remoting). Definitely
    code access permissions make sense for apps deployed in this way -- it's all
    running on the client and in a restrictive sandbox, so CAPs are needed to do
    things like access the disk, etc.

    Remoting, on the other hand, is about processes that run code remotely (i.e.
    client/server), not just that retrieve code from a remote source and run it
    locally. And although you're right that IIS basically acts as a listener, a
    remoting server running IIS is subject to all the ASP.NET security
    constraints as a typical UI-based ASP.NET application.

    Anyway, I think this just goes to show how poorly-worded a question this
    was -- we couldn't even all agree on what they meant by a "remoted object".

    Ken
     
    Ken Kolda, Jul 16, 2004
    #26
  7. Greg

    UAError Guest

    The MSDN quickly stopped using that term, probably because
    it caused too much confusion with .NET Remoting.
    Unfortunately the certification literature had already
    adopted it and never bothered to expunge it.


    No-Touch Deployment in the .NET Framework
    http://msdn.microsoft.com/library/d...tml/vbtchNo-TouchDeploymentInNETFramework.asp


    .NET Zero Deployment
    Security and Versioning Models in the Windows Forms Engine
    Help You Create and Deploy Smart Clients
    http://msdn.microsoft.com/msdnmag/issues/02/07/NetSmartClients/


    "Using Internet Deployment to Achieve Zero Install and Zero
    Administration for Client Computers"
    Page 52

    in

    Deploying .NET Applications: Lifecycle Guide
    http://www.microsoft.com/downloads/...18-7f17-4e0b-9e62-61d698bf0ee1&displaylang=en
     
    UAError, Jul 16, 2004
    #27
  8. Greg

    UAError Guest

    UAError, Jul 16, 2004
    #28
  9. Greg

    Pollux Guest

    Yes apparently remoting is closer to DCOM in concept than what I had in
    mind which is as you said more of a deployment technique.

    There is still one thing that isn't clear in my mind. I've read about
    how you can deploy your application on a share and have your users access
    it this way. If you then want to override the config file, you need to do
    so in your local machine.config file. This is exactly the same principle
    as URL Remoting right, ie the exe is downloaded to your download cache
    and then is executed locally right?
     
    Pollux, Jul 16, 2004
    #29
  10. Greg

    UAError Guest

    The MSDN quickly stopped using that term, probably because
    it caused too much confusion with .NET Remoting.
    Unfortunately the certification literature had already
    adopted it and never bothered to expunge it.


    No-Touch Deployment in the .NET Framework
    http://msdn.microsoft.com/library/d...tml/vbtchNo-TouchDeploymentInNETFramework.asp


    .NET Zero Deployment
    Security and Versioning Models in the Windows Forms Engine
    Help You Create and Deploy Smart Clients
    http://msdn.microsoft.com/msdnmag/issues/02/07/NetSmartClients/


    "Using Internet Deployment to Achieve Zero Install and Zero
    Administration for Client Computers"
    Page 52

    in

    Deploying .NET Applications: Lifecycle Guide
    http://www.microsoft.com/downloads/...18-7f17-4e0b-9e62-61d698bf0ee1&displaylang=en


    The MSDN does not use the term "remoting application" to
    refer to "No-Touch Deployment" or "Zero Install"

    Building a Basic .NET Remoting Application
    http://msdn.microsoft.com/library/d.../cpconbuildingbasicnetremotingapplication.asp
     
    UAError, Jul 17, 2004
    #30
  11. Greg

    Pollux Guest

    Thanks for that
     
    Pollux, Jul 17, 2004
    #31
  12. Why would you choose anything else than Code Access Security? The wording
    Totally agree.

    Kline Sphere (Chalk) MCNGP #3
     
    The Poster Formerly Known as Kline Sphere, Jul 17, 2004
    #32
  13. Because You creating .. You will implement ...
    tells me that I will do the Job that eliminates 2 and 4
    Restricting object (probably assembly) not Users eliminates 1
    so Answer is 3

    Regards,
    Daniel
     
    Daniel Joskovski, Jul 18, 2004
    #33