Welcome to MCAD/MCSD Self-Paced Training Kit: Implementing Security for Applications with Microsoft Visual Basic .NET and Microsoft Visual C# .NET.
Developers have learned an important lesson in the last few years: they cannot rely on networks and operating systems to protect applications from attack. Any application, including both Web applications and Microsoft Windows Forms applications, is susceptible to several different types of attacks that might reveal a user’s private information or allow an attacker to gain elevated privileges. If you create an application that has a security vulnerability, your users will almost certainly hold you responsible. Reducing the risk of an attacker exploiting your application requires specialized skills—the skills that are taught in this book. Developing these skills will not only help you secure your system, but will also help prepare you to take Microsoft Certified Professional (MCP) exam 70-330, “Implementing Security for Applications with Microsoft Visual Basic .NET,” and exam 70-340, “Implementing Security for Applications with Microsoft Visual C# .NET.”
Each chapter addresses an important aspect of development security and a range of exam objectives. The goal of both the objectives and the chapter orientation is to provide a complete guide to Visual C# .NET and Visual Basic .NET development security. The book focuses primarily on the skills necessary to implement security when developing applications and only briefly covers concepts related to network security design and implementing security infrastructure.
Note
For more information about becoming a Microsoft Certified Professional, see the section titled “The Microsoft Certified Professional Program” later in this introduction.
This book was created for developers who design, develop, and implement software solutions for Microsoft Windows–based environments using Microsoft tools and technologies. It was also created for developers who plan to take the related MCP exam 70-330, “Implementing Security for Applications with Microsoft Visual Basic .NET,” and exam 70-340, “Implementing Security for Applications with Microsoft Visual C# .NET.”
Note
Exam skills are subject to change without prior notice and at the sole discretion of Microsoft.
This training kit requires that students meet the following prerequisites:
Must be full-time application developers with at least 1 year of experience using Visual Studio .NET.
Must be developers creating the following types of applications:
Web applications
Windows Forms applications
Server components
XML Web services
Must understand security across application tiers and across the phases of the development life cycle.
Must understand best security practices for accessing and modifying data stored in databases using ADO.NET.
For your use, this book includes a companion CD-ROM that contains a variety of informational aids to complement the book content:
The Microsoft Press Readiness Review Suite Powered by MeasureUp. This suite of practice tests and objective reviews contains questions of varying degrees of complexity and offers multiple testing modes. You can assess your understanding of the concepts presented in this book and use the results to develop a learning plan that meets your needs.
An electronic version of this book (eBook). For information about using the eBook, see the “The eBook” section later in this introduction.
C# and Visual Basic .NET projects for use with certain practices.
A second CD-ROM contains a 180-day evaluation edition of Microsoft Windows Server 2003, Standard Edition, and a DVD includes a 60-day evaluation edition of Microsoft Visual Studio .NET 2003, Professional Edition, which includes the Microsoft SQL Server Desktop Engine (MSDE).
Caution
The evaluation software provided with this training kit is not the full retail product and is provided only for the purposes of training and evaluation. Microsoft Technical Support does not support this evaluation edition.
For additional support information regarding this book and the CD-ROM (including answers to commonly asked questions about installation and use), visit the Microsoft Learning Technical Support Web site at http://www.microsoft.com/learning/support/. You can also e-mail tkinput@microsoft.com or send a letter to Microsoft Learning, Attention: Microsoft Learning Technical Support, One Microsoft Way, Redmond, WA 98052-6399.
Each chapter in this book identifies the exam objectives that are covered within the chapter, provides an overview of why the topics matter by identifying how the information is applied in the real world, and lists any prerequisites that must be met to complete the lessons presented in the chapter.
The chapters are divided into lessons. Lessons contain practices that include hands-on exercises. These exercises give you an opportunity to use the skills being presented or explore the part of the application being described. Most of the practices include fictitious scenarios that require you to apply what you learned in the lesson to a realistic work situation—responding to the needs and requirements of various organizations, bosses, stakeholders, and co-workers.
After the lessons, you are given an opportunity to apply what you’ve learned in a chapter-ending lab. In this lab, you work through a multi-step solution for a realistic case scenario—this time applying what you learned in all the lessons in the chapter to the scenario.
Each chapter ends with a short summary of key concepts and a short section listing key terms and summarizing topics you need to know before taking the exam, with a focus on demonstrating that knowledge on the exam.
Several types of reader aids appear throughout the training kit.
Tip Contains methods of performing a task more quickly or in a not-so-obvious way.
Important Contains information that is essential to completing a task.
Caution Contains valuable information about possible loss of data; be sure to read this information carefully.
Warning Contains critical information about possible physical injury; be sure to read this information carefully.
See also Contains references to other sources of information.
Design Reminds the reader that something needs to be considered during design, not during implementation.
On the CD Points you to supplementary information or files you need that are on the companion CD.
Security Alert Highlights information you need to know to maximize security in your work environment.
Exam Tip Flags information you should know before taking the certification exam.
Off the Record Contains practical advice about the real-world implications of information presented in the lesson.
The following conventions are used throughout this book:
Characters or commands that you type appear in bold type.
The names of screen elements appear in Title caps, regardless of how they appear on the screen.
Italic in syntax statements indicates placeholders for variable information. Italic is also used for book titles, for new terms when they are being defined, and for URLs.
Names of files and folders appear in Title caps. Unless otherwise indicated, you can use all lowercase letters when you type a filename in a dialog box or at a command prompt.
Filename extensions appear in all lowercase letters and are preceded by a period (.)—for example, .exe.
Acronyms appear in all uppercase.
Monospace type represents code samples, or entries that you might type at a command prompt or in initialization files.
Square brackets [ ] are used in syntax statements to enclose optional items. For example, [filename] in command syntax indicates that you can choose to type a filename with the command. Type only the information within the brackets, not the brackets themselves.
Braces { } are used in syntax statements to enclose required items. Type only the information within the braces, not the braces themselves.
A plus sign (+) between two key names means that you must press those keys at the same time. For example, “Press ALT+TAB” means that you hold down ALT while you press TAB.
A comma ( , ) between two or more key names means that you must press each of the keys consecutively, not together. For example, “Press ALT, F, X” means that you press and release each key in sequence. “Press ALT+W, L” means that you first press ALT and W at the same time, and then release them and press L.
This training kit contains hands-on practices and labs to help you learn about implementing application security. Use this section to prepare your self-paced training environment.
Each computer must have the following minimum configuration. All hardware should be on the Microsoft Windows Server 2003 Hardware Compatibility List.
Minimum CPU speed of 450 MHz
160 MB RAM
6 GB free disk space
CD-ROM drive or DVD drive for installing software
Super VGA (1024 x 768) or higher-resolution display with 256 colors
Microsoft Mouse or compatible pointing device
Some Internet functionality might require Internet access, a Microsoft Passport account, and payment of a separate fee to a service provider. Local and/or long-distance telephone toll charges might apply. A high-speed modem or broadband Internet connection is recommended.
For networking, you must have a network adapter appropriate for the type of local-area, wide-area, wireless, or home network to which you want to connect and access to an appropriate network infrastructure. Access to third-party networks might require additional charges.
The following software is required to complete the procedures in this training kit. (A 180-day evaluation edition of Windows Server 2003, Standard Edition is included on a CD-ROM included with this book. A 60-day evaluation version of Microsoft Visual Studio .NET 2003, which includes the SQL Server Desktop Engine [MSDE], is included on a DVD included with this book.)
Windows Server 2003, Standard Edition, or Windows Server 2003, Enterprise Edition
Microsoft Visual Studio .NET 2003
Microsoft SQL Server 2000
Caution
The evaluation software provided with this training kit is not the full retail product and is provided only for the purposes of training and evaluation. Microsoft Technical Support does not support these evaluation editions. For additional support information regarding this book and the CD-ROMs and DVD (including answers to commonly asked questions about installation and use), visit the Microsoft Press Technical Support Web site at http://mspress.microsoft.com/mspress/support/. You can also e-mail tkinput@microsoft.com or send a letter to Microsoft Press, Attn: Microsoft Press Technical Support, One Microsoft Way, Redmond, WA 98052-6399.
To complete the practices and labs in this chapter, you must have one computer running Microsoft Windows Server 2003. Set up your computer according to the manufacturer’s instructions.
During the course of performing the practices and labs in this chapter, the computer’s security can be reduced (for example, by lowering code access security settings or running code under privileged accounts). Therefore, the computer should not be a production computer and should not be connected to any network, especially the Internet, even if a firewall is present. Install Microsoft Visual Studio .NET 2003 by using the default settings. In particular, install Visual Studio .NET so that it is accessible to all users on the computer.
The companion CD-ROM includes two practice tests with a total of 600 sample exam questions (300 C#-related questions and 300 Visual Basic–related questions). Use these tools to reinforce your learning and to identify any areas in which you need to gain more experience before taking the exam.
▸ To install the practice tests
1.
2. Click Readiness Review Suite 70-330 or Readiness Review Suite 70-340 on the user interface menu.
The companion CD-ROM includes an electronic version of the training kit. The eBook is in portable document format (PDF) and can be viewed using Adobe Acrobat Reader.
▸ To use the eBook
1.
2. Click Training Kit eBook on the user interface menu.
The Microsoft Certified Professional (MCP) program provides the best method to prove your command of current Microsoft products and technologies. The exams and corresponding certifications are developed to validate your mastery of critical competencies as you design and develop, or implement and support, solutions with Microsoft products and technologies. Computer professionals who become Microsoft certified are recognized as experts and are sought after industry-wide. Certification brings a variety of benefits to the individual and to employers and organizations.
See Also
For a detailed list of available training, certification, and reference resources, see http://www.microsoft.com/learning/developer/default.asp.
The Microsoft Certified Professional program offers multiple certifications, based on specific areas of technical expertise:
Microsoft Certified Professional (MCP). Demonstrated in-depth knowledge of at least one Microsoft Windows operating system or architecturally significant platform. An MCP is qualified to implement a Microsoft product or technology as part of a business solution for an organization.
Microsoft Certified Solution Developer (MCSD). Professional developers qualified to analyze, design, and develop enterprise business solutions with Microsoft development tools and technologies including the Microsoft .NET Framework.
Microsoft Certified Application Developer (MCAD). Professional developers qualified to develop, test, deploy, and maintain powerful applications using Microsoft tools and technologies including Microsoft Visual Studio .NET and XML Web services.
Microsoft Certified Systems Engineer (MCSE). Qualified to effectively analyze the business requirements and design and implement the infrastructure for business solutions based on the Microsoft Windows and Microsoft Windows Server 2003 operating systems.
Microsoft Certified Systems Administrator (MCSA). Individuals with the skills to manage and troubleshoot existing network and system environments based on the Microsoft Windows and Microsoft Windows Server 2003 operating systems.
Microsoft Certified Desktop Support Technician (MCDST). Individuals who support end users and troubleshoot desktop environments running on the Windows operating system.
Microsoft Certified Database Administrator (MCDBA). Individuals who design, implement, and administer Microsoft SQL Server databases.
Microsoft Certified Trainer (MCT). Instructionally and technically qualified to deliver Microsoft Official Curriculum through a Certified Partner for Learning Solutions (CPLS).
The certification requirements differ for each certification and are specific to the products and job functions addressed by the certification.
To become a Microsoft Certified Professional, you must pass rigorous certification exams that provide a valid and reliable measure of technical proficiency and expertise. These exams are designed to test your expertise and ability to perform a role or task with a product and are developed with the input of professionals in the industry. Questions in the exams reflect how Microsoft products are used in actual organizations, giving them “real-world” relevance. Requirements for certifications are as follows:
Microsoft Certified Professional (MCP) candidates are required to pass one current Microsoft certification exam. Candidates can pass additional Microsoft certification exams to further qualify their skills with other Microsoft products, development tools, or desktop applications.
Microsoft Certified Solution Developers (MCSDs) are required to pass three core exams and one elective exam. (MCSD for Microsoft .NET candidates are required to pass four core exams and one elective.)
Microsoft Certified Application Developers (MCADs) are required to pass two core exams and one elective exam in an area of specialization.
Microsoft Certified Systems Engineers (MCSEs) are required to pass five core exams and two elective exams.
Microsoft Certified Systems Administrators (MCSAs) are required to pass three core exams and one elective exam that provide a valid and reliable measure of technical proficiency and expertise.
Microsoft Certified Database Administrators (MCDBAs) are required to pass three core exams and one elective exam that provide a valid and reliable measure of technical proficiency and expertise.
Microsoft Certified Trainers (MCTs) are required to meet instructional and technical requirements specific to each Microsoft Official Curriculum course they are certified to deliver. The MCT program requires on-going training to meet the requirements for the annual renewal of certification. For more information about becoming a Microsoft Certified Trainer, visit http://www.microsoft.com/learning/mcp/mct/ or contact a regional service center near you.
Every effort has been made to ensure the accuracy of this book and the contents of the companion disc. If you have comments, questions, or ideas regarding this book or the companion disc, please send them to Microsoft Press using either of the following methods:
E-mail: tkinput@microsoft.com
Postal mail: Microsoft Press, Attn: MCAD/MCSD Self-Paced Training Kit (Exams 70-330/70-340): Implementing Security for Applications with Microsoft Visual Basic .NET and Microsoft Visual C# .NET Editor, One Microsoft Way, Redmond, WA 98052-6399
For additional support information regarding this book and the CD-ROMs and DVD (including answers to commonly asked questions about installation and use), visit the Microsoft Learning Technical Support Web site at http://www.microsoft.com/learning/support/. To connect directly to the Microsoft Press Knowledge Base and enter a query, visit http://www.microsoft.com/mspress/support/search.asp. For support information regarding Microsoft software, please visit http://support.microsoft.com/.
The 180-day evaluation edition of Microsoft Windows Server 2003 and the 60-day evaluation edition of Microsoft Visual Studio .NET 2003 (and Microsoft SQL Server 2000) that are provided with this training kit are not the full retail products and are provided only for the purposes of training and evaluation. Microsoft and Microsoft Technical Support do not support these evaluation editions.
Caution
The evaluation editions of the software included with this book should not be used on a primary work computer. The evaluation editions are unsupported. For online support information relating to the full version of these products that might also apply to the evaluation editions, please visit http://support.microsoft.com/.
Information about any issues relating to the use of these evaluation editions with this training kit is posted to the Support section of the Microsoft Learning Web site (http://www.microsoft.com/learning/support/). For information about ordering the full version of any Microsoft software, please call Microsoft Sales at (800) 426-9400 or visit http://www.microsoft.com.