Checklist: Securing Remoting

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

Improving Web Application Security: Threats and Countermeasures

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Microsoft Corporation

Published: June 2003

Applies to:

  • Remoting (.NET Framework version 1.1)

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

Contents

How to Use This Checklist Design Considerations Input Validation Authentication Authorization Configuration Management Sensitive Data Exception Management Auditing and Logging

How to Use This Checklist

This checklist is a companion to Chapter 13, "Building Secure Remoted Components." Use it to help you build secure components that use the Microsoft ® .NET remoting technology and as a snapshot of the corresponding chapter.

Design Considerations

Check Description
Ff648326.z02bthcm01(en-us,PandP.10).gif Remote components are not exposed to the Internet.
Ff648326.z02bthcm01(en-us,PandP.10).gif The ASP.NET host and HttpChannel are used to take advantage of Internet Information Services (IIS) and ASP.NET security features.
Ff648326.z02bthcm01(en-us,PandP.10).gif TcpChannel (if used) is only used in trusted server scenarios.
Ff648326.z02bthcm01(en-us,PandP.10).gif TcpChannel (if used) is used in conjunction with custom authentication and authorization solutions.

Input Validation

Check Description
Ff648326.z02bthcm01(en-us,PandP.10).gif MarshalByRefObj objects from clients are not accepted without validating the source of the object.
Ff648326.z02bthcm01(en-us,PandP.10).gif The risk of serialization attacks are mitigated by setting the typeFilterLevel attribute programmatically or in the application's Web.config file.
Ff648326.z02bthcm01(en-us,PandP.10).gif All field items that are retrieved from serialized data streams are validated as they are created on the server side.

Authentication

Check Description
Ff648326.z02bthcm01(en-us,PandP.10).gif Anonymous authentication is disabled in IIS.
Ff648326.z02bthcm01(en-us,PandP.10).gif ASP.NET is configured for Windows authentication.
Ff648326.z02bthcm01(en-us,PandP.10).gif Client credentials are configured at the client through the proxy object.
Ff648326.z02bthcm01(en-us,PandP.10).gif Authentication connection sharing is used to improve performance.
Ff648326.z02bthcm01(en-us,PandP.10).gif Clients are forced to authenticate on each call (unsafeAuthenticatedConnectionSharing is set to "false").
Ff648326.z02bthcm01(en-us,PandP.10).gif connectionGroupName is specified to prevent unwanted reuse of authentication connections.
Ff648326.z02bthcm01(en-us,PandP.10).gif Plain text credentials are not passed over the network.
Ff648326.z02bthcm01(en-us,PandP.10).gif IPrincipal objects passed from the client are not trusted.

Authorization

Check Description
Ff648326.z02bthcm01(en-us,PandP.10).gif IPSec is used for machine-level access control.
Ff648326.z02bthcm01(en-us,PandP.10).gif File authorization is enabled for user access control.
Ff648326.z02bthcm01(en-us,PandP.10).gif Users are authorized with principal-based role checks.
Ff648326.z02bthcm01(en-us,PandP.10).gif Where appropriate, access to remote resources is restricted by setting rejectRemoteRequest attribute to "true".

Configuration Management

Check Description
Ff648326.z02bthcm01(en-us,PandP.10).gif Configuration files are locked down and secured for both the client and the server.
Ff648326.z02bthcm01(en-us,PandP.10).gif Generic error messages are sent to the client by setting the mode attribute of the <customErrors> element to "On".

Sensitive Data

Check Description
Ff648326.z02bthcm01(en-us,PandP.10).gif Exchange of sensitive application data is secured by using SSL, IPSec, or a custom encryption sink.

Exception Management

Check Description
Ff648326.z02bthcm01(en-us,PandP.10).gif Structured exception handling is used.
Ff648326.z02bthcm01(en-us,PandP.10).gif Exception details are logged (not including private data, such as passwords).
Ff648326.z02bthcm01(en-us,PandP.10).gif Generic error pages with standard, user friendly messages are returned to the client.

Auditing and Logging

Check Description
Ff648326.z02bthcm01(en-us,PandP.10).gif If ASP.NET is used as the host, IIS auditing features are enabled.
Ff648326.z02bthcm01(en-us,PandP.10).gif If required, a custom channel sink is used to perform logging on the client and the server.

patterns & practices Developer Center

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

© Microsoft Corporation. All rights reserved.