1. DEV396 Windows Forms: No Touch Deployment Tips and Tricks Jamie Cool Program Manager.NET Client Microsoft Corporation

2. Introduction Deploying the Framework Debugging Deployments Performance Tips Designing for Security How to be safe and functional? Safely modifying security policy

3. No Touch Deployment Run managed apps without install Zero-impact Deploy via network (HTTP) URL to EXE Controls in a web page UNC/File Share Requires the.NET FX on the client box

4. Deploying the Framework All deployments require Framework redistributable Detect Framework on web page Built into IE’s User-Agent String Dim clrV as String = Request.Browser.ClrVersion window.navigator.userAgent ASP.NET makes this simple on the server

5. Framework Bootstrapper Versions for RTM, Everett Launches MSI install of Framework Use if Framework not detected Use for local EXE deploys CAVEAT: User must have install rights

6. Debugging URL-Launched Apps URL-launched EXEs run in IEExec System sees IEExec, not “MyApp.exe” How to debug on launch? Launch IEExec from debugger RTM: IEExec url flags [securityZone] [domainID] 1.1: IEExec url

7. Debugging in Browser IEHost – equivalent of IEExec Provides CLR hosting, security Startup errors usually show blank page How to debug? FUSLOGVW.EXE IEHost Debug Log – Q313892

8. Debugging Network Deployments demo demo

9. No-Touch Performance “Probing”: Searching appBase for assemblies Happens for updates, resources Can hammer performance Use.config file to eliminate probing Q814668 OR: Set Language=Neutral in Forms

10. Using.config Files Used by EXEs, Browser controls App-specific data, customization RTM: ASP.NET blocks.config Resolved in 1.1 BUT: Only anonymous access allowed Alternative: Custom XML config via HTTP

11. Code Access Security Evidence-based security model Partial trust: Runs with reduced rights Granular - no more “all-or-none” Extensible (add new permissions)

12. Evidence-Based Security Evidence Strong name, site, Authenticode signature, etc. Permissions Control access to a resource Policy Evidence + Permissions Determines what code can do

13. Demands Make It Work Demand causes stack walk MYAPP (INTRANET).... myComponent.ReadSetting(key); MYCOMPONENT (LOCALMACHINE).... Stream fileStream = FileStream.Open(“settings.xml”);.... Calls Got Permission? Exception CallsFRAMEWORK public FileStream (string name) { FileIOPermission fp = new FileIOPermission(name) FileIOPermission fp = new FileIOPermission(name) fp.Demand() fp.Demand()........} 

14. Security In Action demo demo

15. Local Machine - Defaults FullTrust PermissionSet Full access to all machine capabilities UnmanagedCode permission granted But: Requires installation (xcopy) FullTrust double-edged sword

16. Intranet/Internet - Defaults Best End-User Experience No installation No registry touch No admin/user action required But: More limited permissions

17. Comparing Defaults LocalIntranetInternet UI Full Limited Network FullSame site Printing FullVia print dialog File System FullVia file dialog Environment FullSome Unmanaged Full Registry Full Database Full Security Full

18. Working In Partial Trust File system access Use FileDialogs, Isolated Storage Database access XML Web Services Remote XML Web Services Create same-site proxy

19. Working In Partial Trust demo demo

20. Changing Policy Done by Administrators Not designed for end users Also deployable via MSI Limit what you trust Design for “Least Permissions” Trust a particular server, strong name

21. Changing Policy demo demo

22. AllowPartiallyTrustedCallers Required when elevating permissions Signals developer thought about trust using System.Security; … [assembly:AllowPartiallyTrustedCallers()] Imports System.Security …

23. Summary No touch deployment Great model Takes some effort to get right Design security in! Set policies up-front Run in Partial Trust when possible Use trusted core for extended functionality

24. Community Resources Windows Form.Net http://www.windowsforms.net Windows Forms Forums http://www.windowsforms.net/Forums/ MSDN Support Database http://msdn.microsoft.com/support/

25. Community Resources http://www.microsoft.com/communities/default.mspx Most Valuable Professional (MVP) http://www.mvp.support.microsoft.com/ Newsgroups Converse online with Microsoft Newsgroups, including Worldwide http://www.microsoft.com/communities/newsgroups/default.mspx User Groups Meet and learn with your peers http://www.microsoft.com/communities/usergroups/default.mspx

26. Appendix Use Bootstrapper for Framework installs http://msdn.microsoft.com/library/ default.asp?url=/library/en- us/dnnetdep/html/dotnetframedepguid1_1. asp

27. evaluations evaluations

28. © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.