Microsoft Dynamics Ax Writing Secure X++ Code
Páginas: 36 (8908 palabras)
Publicado: 27 de enero de 2013
Microsoft Dynamics AX 4.0
Writing Secure X++ Code
White Paper
[Security and Trustworthy Computing]
Date: June 12, 2006
Michael Fruergaard Pontoppidan
Mukkul Dasgupta
This is a preliminary document and may be changed substantially prior to finalcommercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of anyinformation presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in orintroduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. \Except as expresslyprovided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any realcompany, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.
© (2006) Microsoft Corporation. All rights reserved.
Microsoft, Microsoft Dynamics, Axapta, Dynamics AX, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companiesand products mentioned herein may be the trademarks of their respective owners.
Table of Contents
Introduction 5
Kernel APIs 5
Dangerous Code Patterns in X++ 5
Recommended Approach for Updating Legacy Code 5
Credentials and Cryptography 7
Dynamics AX Code Access Security 8
Implementing Code Access Security 8
API Owner 8
API Consumer 8
UserImpersonation API 9
Mitigation 9
New Best Practice Rules 10
Direct SQL 10
Mitigation 11
New Best Practice Rules 11
Run-time Compilation and Execution of X++ 11
Mitigation 11
New Best Practice Rules 12
Data-controlled Execution of X++ 12
Mitigation 12
New Best Practice Rules 13
Files 13
Mitigation 14
New Best Practice Rules 14
Win32 Interop 15Mitigation 15
New Best Practice Rules 15
Using Managed Assemblies 16
WinAPI 16
Mitigation 17
New Best Practice Rules 17
Server-bound Batch Processing 18
Provisioning Legacy Batch-enabled X++ Classes 18
Checking for Unsupported AX Client Interactions 19
Enabling a Class to Run as a Server-bound Batch Job 19
Classes in Batch Journals 19
Tighter Privileges on APIs20
Modifying X++ and Metadata 20
Mitigation 20
APIs with Enforced Authorization Checks 20
APIs that are Turned Off by Default 20
Data Authorization 21
Access to System Tables (Table Permission Framework) 21
AOSAuthorization Property 21
AOSValidate Functions 22
Record-level Security 22
Using Display and Edit methods 22
Using a ListView, TreeView, or Table to...
Writing Secure X++ Code
White Paper
[Security and Trustworthy Computing]
Date: June 12, 2006
Michael Fruergaard Pontoppidan
Mukkul Dasgupta
This is a preliminary document and may be changed substantially prior to finalcommercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of anyinformation presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in orintroduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. \Except as expresslyprovided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any realcompany, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.
© (2006) Microsoft Corporation. All rights reserved.
Microsoft, Microsoft Dynamics, Axapta, Dynamics AX, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companiesand products mentioned herein may be the trademarks of their respective owners.
Table of Contents
Introduction 5
Kernel APIs 5
Dangerous Code Patterns in X++ 5
Recommended Approach for Updating Legacy Code 5
Credentials and Cryptography 7
Dynamics AX Code Access Security 8
Implementing Code Access Security 8
API Owner 8
API Consumer 8
UserImpersonation API 9
Mitigation 9
New Best Practice Rules 10
Direct SQL 10
Mitigation 11
New Best Practice Rules 11
Run-time Compilation and Execution of X++ 11
Mitigation 11
New Best Practice Rules 12
Data-controlled Execution of X++ 12
Mitigation 12
New Best Practice Rules 13
Files 13
Mitigation 14
New Best Practice Rules 14
Win32 Interop 15Mitigation 15
New Best Practice Rules 15
Using Managed Assemblies 16
WinAPI 16
Mitigation 17
New Best Practice Rules 17
Server-bound Batch Processing 18
Provisioning Legacy Batch-enabled X++ Classes 18
Checking for Unsupported AX Client Interactions 19
Enabling a Class to Run as a Server-bound Batch Job 19
Classes in Batch Journals 19
Tighter Privileges on APIs20
Modifying X++ and Metadata 20
Mitigation 20
APIs with Enforced Authorization Checks 20
APIs that are Turned Off by Default 20
Data Authorization 21
Access to System Tables (Table Permission Framework) 21
AOSAuthorization Property 21
AOSValidate Functions 22
Record-level Security 22
Using Display and Edit methods 22
Using a ListView, TreeView, or Table to...
Leer documento completo
Regístrate para leer el documento completo.