@CyberForge
 Live Well. Laugh Often. Love Much.

Last Updated: 2/22/2004; 5:54:08 PM.


 Friday, June 20, 2003


To get it programmatically, from managed code, use Assembly.ImageRuntimeVersion. From unmanaged, use mscoree.dll’s GetFileVersion(). (From the command line, starting in v1.2, ildasm.exe will show it if you double-click on "MANIFEST" and look for "Metadata version".) Those will give you the CLR version that the image claims it wants. However, that’s not necessarily what it was actually built against (compilers can be configured to put any string there).

Also, the CLR version that will be run by an exe is not necessarily the same as what’s in its image runtime version. The chosen version can also depend on its hosting application’s choice, a config file, environment variables, and registry settings. If you need to override those, you can set the supportedRuntime/requiredRuntime in the app.config for the process exe.
[Suzanne Cook's .NET CLR Loader Notes]

Not strictly security related, BUT the security capabilities of the .NET CLR are tied to which version you are running. For example, Code Access Security (CAS) is available for ASP.NET applications starting in version 1.1 but is pretty much turned off (runs with FullTrust) in version 1.0. So it would be nice to programmatically find out which version of the CLR your server is running :-)
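An added example (not from this post or from Suzanne Cook's notes): Python code that reads the "Metadata version" string directly from an assembly file, without loading it, by following the PE and ECMA-335 metadata layout. The function names and the constructed sample image are assumptions made for illustration; as the quoted note says, the string is only what the image claims, not necessarily the CLR that will run it.

```python
import struct
from typing import Optional

def clr_metadata_version(pe: bytes) -> Optional[str]:
    """Return the metadata version string a PE image claims, or None if it is not a managed image."""
    try:
        if pe[:2] != b"MZ":
            return None
        (nt,) = struct.unpack_from("<I", pe, 0x3C)                 # e_lfanew
        if pe[nt:nt + 4] != b"PE\0\0":
            return None
        nsect, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)  # COFF header fields
        opt = nt + 24
        (magic,) = struct.unpack_from("<H", pe, opt)
        dirs = opt + (96 if magic == 0x10B else 112)               # PE32 vs PE32+
        (clr_rva,) = struct.unpack_from("<I", pe, dirs + 14 * 8)   # directory 14: CLI header
        if clr_rva == 0:
            return None                                            # native image, no CLI header
        def to_offset(rva: int) -> int:
            for i in range(nsect):
                vsize, vaddr, rsize, raw = struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
                if vaddr <= rva < vaddr + max(vsize, rsize):
                    return raw + rva - vaddr
            raise ValueError("RVA outside every section")
        (md_rva,) = struct.unpack_from("<I", pe, to_offset(clr_rva) + 8)
        md = to_offset(md_rva)
        if pe[md:md + 4] != b"BSJB":                               # metadata root signature
            return None
        (length,) = struct.unpack_from("<I", pe, md + 12)
        return pe[md + 16:md + 16 + length].split(b"\0")[0].decode("ascii")
    except (struct.error, ValueError):                             # truncated or malformed file
        return None

def build_sample(version: bytes) -> bytes:
    """Constructed test input: a minimal PE32 with one section holding a CLI header and metadata root."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                        # e_lfanew -> 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)                   # i386, one section
    struct.pack_into("<H2xH", img, 0x94, 224, 0x10B)               # SizeOfOptionalHeader, PE32 magic
    struct.pack_into("<II", img, 0x98 + 96 + 14 * 8, 0x2000, 72)   # CLI header directory
    img[0x178:0x17D] = b".text"
    struct.pack_into("<4I", img, 0x180, 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<IHHI", img, 0x200, 72, 2, 0, 0x2048)        # CLI header, metadata RVA
    padded = version + b"\0" * (4 - len(version) % 4)
    struct.pack_into("<4sHHII", img, 0x248, b"BSJB", 1, 1, 0, len(padded))
    img[0x258:0x258 + len(padded)] = padded
    return bytes(img)
```

Run over the binaries deployed on a server, this separates assemblies that declare v1.0 from those that declare v1.1; the version actually chosen at run time still depends on the host, config file, environment variables and registry settings described above.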

7:33:31 PM
  


I came across these again on TechNet. They've been around for some time, but we can all use a reminder now and then. 

The Ten Immutable Laws of Security by Microsoft Security Response Center

  1. If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
  2. If a bad guy can alter the operating system on your computer, it's not your computer anymore.
  3. If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
  4. If you allow a bad guy to upload programs to your web site, it's not your web site any more.
  5. Weak passwords trump strong security.
  6. A machine is only as secure as the administrator is trustworthy.
  7. Encrypted data is only as secure as the decryption key.
  8. An out of date virus scanner is only marginally better than no virus scanner at all.
  9. Absolute anonymity isn't practical, in real life or on the web.
  10. Technology is not a panacea.

The Ten Immutable Laws of Security Administration by Scott Culp (MS Security Response Center)

  1. Nobody believes anything bad can happen to them, until it does.
  2. Security only works if the secure way also happens to be the easy way.
  3. If you don't keep up with security fixes, your network won't be yours for long.
  4. It doesn't do much good to install security fixes on a computer that was never secured to begin with.
  5. Eternal vigilance is the price of security.
  6. There really is someone out there trying to guess your passwords.
  7. The most secure network is a well-administered one.
  8. The difficulty of defending a network is directly proportional to its complexity.
  9. Security isn't about risk avoidance; it's about risk management.
  10. Technology is not a panacea.

5:48:09 PM
  


 

© Copyright 2004 Anil John. All rights reserved.
The above are solely my opinions and do not represent the thoughts, intentions, plans or strategies of anyone else, including my employer.