
Security Frame: Authorization | Mitigations

Product/Service (each links to its article below)

  • Machine Trust Boundary
  • Web Application
  • Database
  • IoT Cloud Gateway
  • Azure Event Hub
  • Azure Document DB
  • Azure Trust Boundary
  • Service Fabric Trust Boundary
  • Dynamics CRM
  • Dynamics CRM Portal
  • Azure Storage
  • Mobile Client
  • WCF
  • Web API
  • IoT Device
  • IoT Field Gateway

Ensure that proper ACLs are configured to restrict unauthorized access to data on the device

Component: Machine Trust Boundary
SDL Phase: Deployment
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps: Ensure that proper ACLs are configured to restrict unauthorized access to data on the device.

Ensure that sensitive user-specific application content is stored in the user-profile directory

Component: Machine Trust Boundary
SDL Phase: Deployment
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps: Ensure that sensitive user-specific application content is stored in the user-profile directory. This prevents multiple users of the machine from accessing each other's data.

Ensure that the deployed applications are run with least privileges

Component: Machine Trust Boundary
SDL Phase: Deployment
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps: Ensure that the deployed application is run with least privileges.

Enforce sequential step order when processing business logic flows

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps: To verify that a stage was run through by a genuine user, enforce that the application processes business logic flows only in sequential step order, with all steps completed in realistic human time. It should not process steps out of order, skipped steps, steps submitted by another user, or transactions submitted too quickly.
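The flow guard below is an added example, not code from the article: it tracks each flow's position and rejects every submission that is out of order, skipped, from a different user, too fast, or after completion. The step names, the two-second pacing threshold and the scripted scenario are constructed.

```python
"""Enforce sequential, human-paced processing of a multi-step business flow."""
import time
from dataclasses import dataclass

FLOW_STEPS = ["cart", "address", "payment", "confirm"]   # constructed flow, in required order
MIN_SECONDS_PER_STEP = 2.0   # constructed threshold: faster than this is not a human filling a form


class FlowError(Exception):
    """Raised for any submission that is not the next expected step for this user."""


@dataclass
class FlowState:
    owner: str           # user ID the flow belongs to
    next_index: int      # index into FLOW_STEPS of the step expected next
    last_step_at: float  # clock reading when the previous step was accepted


class FlowGuard:
    """Tracks each flow's position and accepts only the next step, by its owner, at human pace."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._flows: dict[str, FlowState] = {}

    def start(self, flow_id: str, user_id: str) -> None:
        self._flows[flow_id] = FlowState(owner=user_id, next_index=0, last_step_at=self._clock())

    def submit(self, flow_id: str, user_id: str, step: str) -> str:
        """Returns the next expected step, or 'complete'; raises FlowError otherwise.
        A rejected submission leaves the flow state untouched."""
        state = self._flows.get(flow_id)
        if state is None:
            raise FlowError("unknown flow")
        if state.owner != user_id:
            raise FlowError("step submitted by a different user")
        if state.next_index >= len(FLOW_STEPS):
            raise FlowError("flow already completed")
        expected = FLOW_STEPS[state.next_index]
        if step != expected:
            # covers skipped steps and replays of earlier steps alike
            raise FlowError(f"expected step {expected!r}, got {step!r}")
        now = self._clock()
        if now - state.last_step_at < MIN_SECONDS_PER_STEP:
            raise FlowError("step submitted too quickly")
        state.next_index += 1
        state.last_step_at = now
        return "complete" if state.next_index == len(FLOW_STEPS) else FLOW_STEPS[state.next_index]


def demo() -> list[str]:
    """Replays a constructed sequence of submissions against a scripted clock and
    returns one outcome string per attempt."""
    clock = [1000.0]
    guard = FlowGuard(clock=lambda: clock[0])
    guard.start("order-42", "alice")
    attempts = [  # (seconds elapsed since the previous attempt, user, step)
        (5.0, "alice", "cart"),
        (0.5, "alice", "address"),    # right step, but far too fast for a human
        (4.5, "alice", "payment"),    # skips 'address'
        (0.0, "mallory", "address"),  # someone else's flow
        (0.0, "alice", "address"),
        (5.0, "alice", "payment"),
        (5.0, "alice", "confirm"),
        (5.0, "alice", "confirm"),    # replay after completion
    ]
    outcomes = []
    for elapsed, user, step in attempts:
        clock[0] += elapsed
        try:
            outcomes.append(guard.submit("order-42", user, step))
        except FlowError as err:
            outcomes.append(f"rejected: {err}")
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```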

Implement rate limiting mechanism to prevent enumeration

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps: Ensure that sensitive identifiers are random. Implement a CAPTCHA control on anonymous pages. Ensure that errors and exceptions do not reveal specific data.

Ensure that proper authorization is in place and the principle of least privilege is followed

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps:

The principle means giving a user account only those privileges that are essential to that user's work. For example, a backup user does not need to install software; hence, the backup user has rights only to run backup and backup-related applications. Any other privileges, such as installing new software, are blocked. The principle also applies to a personal computer user who usually works in a normal user account and opens a privileged, password-protected account (that is, a superuser) only when the situation absolutely demands it.

This principle can also be applied to your web applications. Instead of depending solely on role-based authentication methods using sessions, assign privileges to users by means of a database-based authentication system. Sessions are still used to identify whether the user logged in correctly; but instead of assigning that user a specific role, the user is assigned privileges, which are checked to verify which actions the user is allowed to perform on the system. A big advantage of this method is that whenever a user has to be assigned fewer privileges, the change is applied on the fly, because the assignment does not depend on the session, which would otherwise have to expire first.

Business logic and resource access authorization decisions should not be based on incoming request parameters

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps: Whenever you check whether a user is allowed to view certain data, the access restriction should be processed server-side. The userID should be stored in a session variable on login and should be used to retrieve the user's data from the database.

Example

SELECT data
FROM personaldata
WHERE userID = :id   -- :id is bound from the session variable, not from the request

An attacker now cannot tamper with or change the application's operation, since the identifier used to retrieve the data is handled server-side.
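The following added example (not the article's code) puts the two preceding points together: privileges are looked up in a database table on every request, so a revocation applies immediately without waiting for the session to expire, and the identifier in the personal-data query comes from the server-side session, never from request parameters. The schema, users and rows are constructed.

```python
"""Privileges read from the database per request, and identifiers taken from the session."""
import sqlite3


class PermissionDenied(Exception):
    pass


def build_demo_db() -> sqlite3.Connection:
    """Constructed schema and rows: two users, a privilege table, and personal data."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (userID INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE privileges (userID INTEGER, privilege TEXT, PRIMARY KEY (userID, privilege));
        CREATE TABLE personaldata (userID INTEGER, data TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO privileges VALUES (1, 'view_own_data'), (1, 'run_backup'), (2, 'view_own_data');
        INSERT INTO personaldata VALUES (1, 'alice-secret'), (2, 'bob-secret');
    """)
    return con


def has_privilege(con: sqlite3.Connection, user_id: int, privilege: str) -> bool:
    """Looked up in the database on every call rather than cached in the session,
    so a revocation applies to the user's very next request."""
    row = con.execute(
        "SELECT 1 FROM privileges WHERE userID = ? AND privilege = ?", (user_id, privilege)
    ).fetchone()
    return row is not None


def get_personal_data(con: sqlite3.Connection, session: dict, request_params: dict) -> list[str]:
    """The identifier comes from the server-side session; request_params is accepted
    only to show that a tampered userID in the request has no effect on the lookup."""
    user_id = session["userID"]
    if not has_privilege(con, user_id, "view_own_data"):
        raise PermissionDenied("view_own_data")
    rows = con.execute(
        "SELECT data FROM personaldata WHERE userID = :id", {"id": user_id}
    ).fetchall()
    return [data for (data,) in rows]


def get_personal_data_from_request(con: sqlite3.Connection, request_params: dict) -> list[str]:
    """The anti-pattern the text warns against: trusting a userID supplied by the client.
    Kept here only for contrast with get_personal_data."""
    rows = con.execute(
        "SELECT data FROM personaldata WHERE userID = :id", {"id": int(request_params["userID"])}
    ).fetchall()
    return [data for (data,) in rows]


def revoke(con: sqlite3.Connection, user_id: int, privilege: str) -> None:
    """Takes effect immediately; no session has to expire first."""
    con.execute("DELETE FROM privileges WHERE userID = ? AND privilege = ?", (user_id, privilege))
    con.commit()
```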

Ensure that content and resources are not enumerable or accessible via forceful browsing

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps:

Sensitive static and configuration files should not be kept in the web root. For content that does not need to be public, either apply proper access controls or remove the content itself.

Forceful browsing is usually combined with brute-force techniques to gather information by attempting to access as many URLs as possible in order to enumerate directories and files on a server. Attackers may check for all variations of commonly existing files. For example, a search for a password file would cover files such as psswd.txt, password.htm, password.dat, and other variations.

To mitigate this, include capabilities for detecting brute-force attempts.
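One form such detection can take, as an added example rather than the article's own code: a log analyser that flags a client after it has requested a threshold number of distinct not-found paths inside a sliding window, plus a second check for the password-file name variants mentioned above. The sample log lines, the window and the threshold are constructed.

```python
"""Flag clients that enumerate paths (forceful browsing / brute force) from web server logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Common Log Format: one client probes password-file variants
# and other guesses in quick succession, the other has a single ordinary 404.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /psswd.txt HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /password.htm HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /password.dat HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "GET /backup.zip HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "GET /admin/ HTTP/1.1" 404 210
198.51.100.4 - - [10/Oct/2023:13:55:07 +0000] "GET /about.html HTTP/1.1" 200 2048
198.51.100.4 - - [10/Oct/2023:13:58:09 +0000] "GET /missing.png HTTP/1.1" 404 210
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Last path segment that looks like a guess at a password, secret, config or backup file
SENSITIVE_NAME_RE = re.compile(r"(?:^|/)(?:ps?ss?wd|passw(?:or)?d|secret|config|backup)[^/]*$", re.I)


def parse_line(line: str):
    """Returns a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_enumeration(lines, window=timedelta(seconds=60), threshold=5):
    """Returns {client_ip: timestamp at which it first reached `threshold` distinct
    404 paths within `window`}. Distinct paths, not raw count, so a page that
    merely reloads one broken link is not flagged."""
    recent = defaultdict(deque)   # ip -> (ts, path) of 404s still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["path"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


def sensitive_name_probes(lines):
    """(ip, path) for requests whose file name looks like a sensitive-file guess,
    regardless of status: a 200 here means the file really is in the web root."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and SENSITIVE_NAME_RE.search(rec["path"]):
            hits.append((rec["ip"], rec["path"]))
    return hits
```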

Ensure that least-privileged accounts are used to connect to the database server

Component: Database
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: SQL Database permissions hierarchy, SQL Database securables
Steps: Least-privileged accounts should be used to connect to the database. The application login should be restricted in the database and should only be able to execute selected stored procedures. The application's login should have no direct table access.

Implement Row Level Security (RLS) to prevent tenants from accessing each other's data

Component: Database
SDL Phase: Build
Applicable Technologies: SQL Azure, OnPrem
Attributes: SQL Version - V12, SQL Version - MsSQL2016
References: SQL Server Row-Level Security (RLS)
Steps:

Row-Level Security enables customers to control access to rows in a database table based on the characteristics of the user executing a query (for example, group membership or execution context).

Row-Level Security (RLS) simplifies the design and coding of security in your application. RLS enables you to implement restrictions on data row access, for example ensuring that workers can access only those data rows that are pertinent to their department, or restricting a customer's data access to only the data relevant to their company.

The access restriction logic is located in the database tier rather than away from the data in another application tier. The database system applies the access restrictions every time data access is attempted from any tier. This makes the security system more reliable and robust by reducing its surface area.

Note that RLS as an out-of-the-box database feature is available only in SQL Server 2016 and later and in Azure SQL Database. If the out-of-the-box RLS feature is not used, ensure that data access is restricted using views and procedures.
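As an added example (not from the article), the view-and-procedure fallback is emulated below with SQLite so it runs offline; SQL Server's native RLS would use a security policy instead, which SQLite lacks. The tenant predicate lives in a view that reads the caller's tenant from a session-context table, so every access from any tier is filtered, and a SQLite authorizer denies the application login direct reads of the base table, mirroring a login that may only use views and procedures. The schema, tenants and rows are constructed.

```python
"""Tenant isolation enforced in the database tier when native RLS is not available."""
import sqlite3

BASE_TABLE = "orders"
TENANT_VIEW = "orders_for_tenant"


def setup_database() -> sqlite3.Connection:
    """Acts as the schema owner: creates the table, rows, context table and filtered view."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE {BASE_TABLE} (id INTEGER PRIMARY KEY, tenant_id TEXT, amount INTEGER);
        INSERT INTO {BASE_TABLE} (tenant_id, amount) VALUES
            ('contoso', 10), ('contoso', 20), ('fabrikam', 99);
        -- one row holding the caller's tenant; set by the 'procedure' set_tenant below
        CREATE TABLE session_context (tenant_id TEXT);
        INSERT INTO session_context VALUES (NULL);
        -- the RLS predicate: a row is visible only when its tenant matches the context
        CREATE VIEW {TENANT_VIEW} AS
            SELECT id, tenant_id, amount FROM {BASE_TABLE}
            WHERE tenant_id = (SELECT tenant_id FROM session_context);
    """)
    return con


def _app_login_authorizer(action, arg1, arg2, dbname, source):
    """Deny the application login direct reads of the base table. Reads that occur
    inside the tenant view arrive with source == view name and carry the predicate."""
    if action == sqlite3.SQLITE_READ and arg1 == BASE_TABLE and source != TENANT_VIEW:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def restrict_to_application_login(con: sqlite3.Connection) -> None:
    """Switch the connection from schema-owner to application-login rights."""
    con.set_authorizer(_app_login_authorizer)


def set_tenant(con: sqlite3.Connection, tenant_id: str) -> None:
    """The 'procedure' that binds the caller's tenant; the data query itself never
    takes the tenant as a parameter, so it cannot be tampered with per request."""
    con.execute("UPDATE session_context SET tenant_id = ?", (tenant_id,))


def visible_amounts(con: sqlite3.Connection) -> list[int]:
    """Whichever tier issues this query, only the current tenant's rows come back."""
    return [amount for (amount,) in con.execute(f"SELECT amount FROM {TENANT_VIEW} ORDER BY id")]


def direct_table_read_allowed(con: sqlite3.Connection) -> bool:
    """True if the connection can still bypass the view; False for the application login."""
    try:
        con.execute(f"SELECT amount FROM {BASE_TABLE}").fetchall()
        return True
    except sqlite3.DatabaseError:
        return False
```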

Sysadmin role should only have valid necessary users

Component: Database
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: SQL Database permissions hierarchy, SQL Database securables
Steps: Membership of the sysadmin fixed server role should be very limited and should never include accounts used by applications. Review the list of users in the role and remove any unnecessary accounts.

Connect to Cloud Gateway using least-privileged tokens

Component: IoT Cloud Gateway
SDL Phase: Deployment
Applicable Technologies: Generic
Attributes: Gateway choice - Azure IoT Hub
References: IoT Hub Access Control
Steps: Provide least-privilege permissions to the various components that connect to the Cloud Gateway (IoT Hub). A typical example: the device management/provisioning component uses registry read/write, the event processor (ASA) uses Service Connect, and individual devices connect using their own device credentials.

Use a send-only permissions SAS key for generating device tokens

Component: Azure Event Hub
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: Event Hubs authentication and security model overview
Steps: A SAS key is used to generate individual device tokens. Use a SAS key with send-only permissions when generating the device token for a given publisher.

Do not use access tokens that provide direct access to the Event Hub

Component: Azure Event Hub
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: Event Hubs authentication and security model overview
Steps: A token that grants direct access to the event hub should not be given to the device. Using a least-privileged token for the device that gives access only to a publisher helps identify the device and block it if it is found to be rogue or compromised.

Connect to Event Hub using SAS keys that have the minimum permissions required

Component: Azure Event Hub
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: Event Hubs authentication and security model overview
Steps: Provide least-privilege permissions to the various back-end applications that connect to the Event Hub. Generate a separate SAS key for each back-end application and grant it only the permissions it requires: Send, Receive, or Manage.
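The three Event Hub items above (send-only key, publisher-scoped device tokens, no direct hub access) come together in this added example, which is not code from the article or from the Event Hubs SDK. It follows the documented Shared Access Signature scheme (HMAC-SHA256 over the URL-encoded resource URI and the expiry); the namespace, hub, key name and key value are constructed placeholders, and a "send-only" key means one whose policy grants only the Send claim.

```python
"""Per-publisher device tokens minted from a send-only Event Hubs SAS key."""
import base64
import hashlib
import hmac
import time
import urllib.parse

# Constructed placeholders. A real key value comes from a shared access policy
# on the event hub that grants only the Send claim, never Listen or Manage.
NAMESPACE = "example-ns"
EVENT_HUB = "telemetry"
SEND_ONLY_KEY_NAME = "device-send"
SEND_ONLY_KEY = b"placeholder-send-only-key-value"


def publisher_uri(namespace: str, hub: str, publisher_id: str) -> str:
    """Scopes the token to one publisher endpoint, so a device can write only there."""
    return f"https://{namespace}.servicebus.windows.net/{hub}/publishers/{publisher_id}"


def _signature(uri: str, key: bytes, expiry_epoch: int) -> str:
    # Documented SAS scheme: base64(HMAC-SHA256(key, urlencode(uri) + "\n" + expiry))
    string_to_sign = f"{urllib.parse.quote_plus(uri)}\n{expiry_epoch}".encode("utf-8")
    return base64.b64encode(hmac.new(key, string_to_sign, hashlib.sha256).digest()).decode("ascii")


def make_sas_token(uri: str, key_name: str, key: bytes, expiry_epoch: int) -> str:
    return (
        f"SharedAccessSignature sr={urllib.parse.quote_plus(uri)}"
        f"&sig={urllib.parse.quote_plus(_signature(uri, key, expiry_epoch))}"
        f"&se={expiry_epoch}&skn={key_name}"
    )


def token_for_device(publisher_id: str, ttl_seconds: int = 3600) -> str:
    """What a token service hands to a device: short-lived, send-only, one publisher.
    The key itself never leaves the back end."""
    uri = publisher_uri(NAMESPACE, EVENT_HUB, publisher_id)
    return make_sas_token(uri, SEND_ONLY_KEY_NAME, SEND_ONLY_KEY, int(time.time()) + ttl_seconds)


def parse_sas_token(token: str) -> dict:
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SAS token")
    return dict(urllib.parse.parse_qsl(token[len(prefix):], keep_blank_values=True))


def verify_sas_token(token: str, key_name: str, key: bytes, now_epoch: int) -> tuple:
    """Service-side check of a presented token. Returns (ok, reason, resource_uri);
    the resource is the only thing the bearer may touch. A device that rewrites
    the publisher segment invalidates the signature, since it has no key."""
    try:
        fields = parse_sas_token(token)
    except ValueError as err:
        return False, str(err), None
    if fields.get("skn") != key_name:
        return False, "unknown key name", None
    try:
        expiry = int(fields["se"])
    except (KeyError, ValueError):
        return False, "bad expiry", None
    if expiry <= now_epoch:
        return False, "expired", None
    resource = fields.get("sr", "")
    if not hmac.compare_digest(_signature(resource, key, expiry), fields.get("sig", "")):
        return False, "bad signature", None
    return True, "ok", resource
```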

Use resource tokens to connect to Cosmos DB whenever possible

Component: Azure Document DB
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps: A resource token is associated with an Azure Cosmos DB permission resource and captures the relationship between the user of a database and the permission that user has for a specific Azure Cosmos DB application resource (for example, a collection or a document). Always use a resource token to access Azure Cosmos DB if the client cannot be trusted with handling master or read-only keys, such as an end-user application like a mobile or desktop client. Use master keys or read-only keys only from back-end applications that can store these keys securely.

Enable fine-grained access management to Azure Subscription using RBAC

Component: Azure Trust Boundary
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: Use role assignments to manage access to your Azure subscription resources
Steps: Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can grant only the amount of access that users need to perform their jobs.

Restrict client's access to cluster operations using RBAC

Component: Service Fabric Trust Boundary
SDL Phase: Deployment
Applicable Technologies: Generic
Attributes: Environment - Azure
References: Role-based access control for Service Fabric clients
Steps:

Azure Service Fabric supports two different access control types for clients that are connected to a Service Fabric cluster: administrator and user. Access control allows the cluster administrator to limit access to certain cluster operations for different groups of users, making the cluster more secure.

Administrators have full access to management capabilities (including read/write capabilities). Users, by default, have only read access to management capabilities (for example, query capabilities), and the ability to resolve applications and services.

You specify the two client roles (administrator and client) at the time of cluster creation by providing separate certificates for each.

Perform security modeling and use Field Level Security where required

Component: Dynamics CRM
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps: Perform security modeling and use Field Level Security where required.

Perform security modeling of portal accounts, keeping in mind that the security model for the portal differs from the rest of CRM

Component: Dynamics CRM Portal
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps: Perform security modeling of portal accounts, keeping in mind that the security model for the portal differs from the rest of CRM.

Grant fine-grained permission on a range of entities in Azure Table Storage

Component: Azure Storage
SDL Phase: Build
Applicable Technologies: Generic
Attributes: StorageType - Table
References: How to delegate access to objects in your Azure storage account using SAS
Steps: In certain business scenarios, Azure Table Storage may be required to store sensitive data that caters to different parties, for example sensitive data pertaining to different countries/regions. In such cases, SAS signatures can be constructed by specifying the partition and row key ranges, such that a user can access only the data specific to a particular country/region.

Enable Role-Based Access Control (RBAC) to Azure storage account using Azure Resource Manager

Component: Azure Storage
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: How to secure your storage account with Role-Based Access Control (RBAC)
Steps:

When you create a new storage account, you select a deployment model of Classic or Azure Resource Manager. The Classic model of creating resources in Azure only allows all-or-nothing access to the subscription, and in turn to the storage account.

With the Azure Resource Manager model, you put the storage account in a resource group and control access to the management plane of that specific storage account using Azure Active Directory. For example, you can give specific users the ability to access the storage account keys, while other users can view information about the storage account but cannot access the storage account keys.

Implement implicit jailbreak or rooting detection

Component: Mobile Client
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps:

The application should safeguard its own configuration and user data in case the phone is rooted or jailbroken. Rooting/jailbreaking implies unauthorized access, which normal users won't do on their own phones. Therefore the application should have implicit detection logic on startup to detect whether the phone has been rooted.

The detection logic can simply check for files that normally only the root user can access, for example:

  • /system/app/Superuser.apk
  • /sbin/su
  • /system/bin/su
  • /system/xbin/su
  • /data/local/xbin/su
  • /data/local/bin/su
  • /system/sd/xbin/su
  • /system/bin/failsafe/su
  • /data/local/su

If the application can access any of these files, it denotes that the application is running as the root user.

Weak Class Reference in WCF

Component: WCF
SDL Phase: Build
Applicable Technologies: Generic, .NET Framework 3
Attributes: N/A
References: MSDN, Fortify Kingdom
Steps:

The system uses a weak class reference, which might allow an attacker to execute unauthorized code. The program references a user-defined class that is not uniquely identified. When .NET loads this weakly identified class, the CLR type loader searches for the class in the following locations, in the specified order:

  1. If the assembly of the type is known, the loader searches the configuration file's redirect locations, the GAC, the current assembly using configuration information, and the application base directory
  2. If the assembly is unknown, the loader searches the current assembly, mscorlib, and the location returned by the TypeResolve event handler
  3. This CLR search order can be modified with hooks such as the Type Forwarding mechanism and the AppDomain.TypeResolve event

If an attacker exploits the CLR search order by creating an alternative class with the same name and placing it in an alternative location that the CLR will load first, the CLR will unintentionally execute the attacker-supplied code.

Example

The <behaviorExtensions/> element of the WCF configuration file below instructs WCF to add a custom behavior class to a particular WCF extension.

<system.serviceModel>
    <extensions>
        <behaviorExtensions>
            <add name="myBehavior" type="MyBehavior" />
        </behaviorExtensions>
    </extensions>
</system.serviceModel>

Using fully qualified (strong) names uniquely identifies a type and further increases the security of your system. Use fully qualified assembly names when registering types in the machine.config and app.config files.

Example

The <behaviorExtensions/> element of the WCF configuration file below instructs WCF to add a strongly referenced custom behavior class to a particular WCF extension.

<system.serviceModel>
    <extensions>
        <behaviorExtensions>
            <add name="myBehavior" type="Microsoft.ServiceModel.Samples.MyBehaviorSection, MyBehavior,
            Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        </behaviorExtensions>
    </extensions>
</system.serviceModel>

WCF - Implement Authorization control

Component: WCF
SDL Phase: Build
Applicable Technologies: Generic, .NET Framework 3
Attributes: N/A
References: MSDN, Fortify Kingdom
Steps:

This service does not use an authorization control. When a client calls a particular WCF service, WCF provides various authorization schemes that verify that the caller has permission to execute the service method on the server. If authorization controls are not enabled for WCF services, an authenticated user can achieve privilege escalation.

Example

The following configuration instructs WCF to not check the authorization level of the client when executing the service:

<behaviors>
    <serviceBehaviors>
        <behavior>
            ...
            <serviceAuthorization principalPermissionMode="None" />
        </behavior>
    </serviceBehaviors>
</behaviors>

Use a service authorization scheme to verify that the caller of the service method is authorized to do so. WCF provides two modes and also allows the definition of a custom authorization scheme. The UseWindowsGroups mode uses Windows roles and users, and the UseAspNetRoles mode uses an ASP.NET role provider, such as SQL Server, to authenticate.

Example

The following configuration instructs WCF to make sure that the client is part of the Administrators group before executing the Add service:

<behaviors>
    <serviceBehaviors>
        <behavior>
            ...
            <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
        </behavior>
    </serviceBehaviors>
</behaviors>

The service is then declared as follows:

[PrincipalPermission(SecurityAction.Demand,
    Role = "Builtin\\Administrators")]
public double Add(double n1, double n2)
{
    double result = n1 + n2;
    return result;
}
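A review-time check for both WCF findings above (the weak class reference and the disabled authorization control), as an added example that is not the article's code nor any Microsoft tool: it parses a WCF configuration and flags behaviorExtensions type attributes that are not fully qualified assembly names, and serviceAuthorization elements set to principalPermissionMode="None". The two configs are constructed from the fragments shown above; what counts as "fully qualified" (assembly name plus Version, Culture and PublicKeyToken) is this checker's assumption.

```python
"""Lint a WCF configuration for weak class references and disabled authorization."""
import xml.etree.ElementTree as ET

# Constructed from the fragments in the text: the weak reference plus disabled authorization...
WEAK_CONFIG = """<configuration>
  <system.serviceModel>
    <extensions>
      <behaviorExtensions>
        <add name="myBehavior" type="MyBehavior" />
      </behaviorExtensions>
    </extensions>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceAuthorization principalPermissionMode="None" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>"""

# ...and the strongly referenced, Windows-group-authorized form.
STRONG_CONFIG = """<configuration>
  <system.serviceModel>
    <extensions>
      <behaviorExtensions>
        <add name="myBehavior" type="Microsoft.ServiceModel.Samples.MyBehaviorSection, MyBehavior,
             Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      </behaviorExtensions>
    </extensions>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>"""

REQUIRED_ASSEMBLY_PARTS = ("Version=", "Culture=", "PublicKeyToken=")


def is_fully_qualified(type_name: str) -> bool:
    """True for 'Namespace.Type, Assembly, Version=..., Culture=..., PublicKeyToken=...'."""
    parts = [p.strip() for p in type_name.split(",")]
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return False   # no assembly name: the CLR falls back to its search order
    rest = " ".join(parts[2:])
    return all(key in rest for key in REQUIRED_ASSEMBLY_PARTS)


def lint_wcf_config(xml_text: str) -> list[str]:
    """Returns one finding per problem; an empty list means both checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    for add in root.findall(".//behaviorExtensions/add"):
        type_name = add.get("type", "")
        if not is_fully_qualified(type_name):
            findings.append(f"weak class reference: {add.get('name')} -> {type_name!r}")
    for auth in root.findall(".//serviceAuthorization"):
        if auth.get("principalPermissionMode") == "None":
            findings.append('authorization disabled: serviceAuthorization principalPermissionMode="None"')
    return findings


if __name__ == "__main__":
    for finding in lint_wcf_config(WEAK_CONFIG):
        print(finding)
```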

Implement proper authorization mechanism in ASP.NET Web API

Component: Web API
SDL Phase: Build
Applicable Technologies: Generic, MVC5
Attributes: N/A, Identity Provider - ADFS, Identity Provider - Azure AD
References: Authentication and Authorization in ASP.NET Web API
Steps:

Role information for the application's users can be derived from Azure AD or ADFS claims, if the application relies on them as its identity provider, or the application itself may provide it. In either case, the custom authorization implementation should validate the user's role information.

Example

using System;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Controllers;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class ApiAuthorizeAttribute : System.Web.Http.AuthorizeAttribute
{
    public override async Task OnAuthorizationAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
    {
        if (actionContext == null)
        {
            throw new ArgumentNullException("actionContext");
        }

        if (!string.IsNullOrEmpty(base.Roles))
        {
            bool isAuthorized = ValidateRoles(actionContext);
            if (!isAuthorized)
            {
                // Reject here and stop; do not fall through to the base pipeline
                HandleUnauthorizedRequest(actionContext);
                return;
            }
        }

        await base.OnAuthorizationAsync(actionContext, cancellationToken);
    }

    public bool ValidateRoles(HttpActionContext actionContext)
    {
        // Authorization logic here; returns true or false.
        // This implementation checks the authenticated principal against the
        // comma-separated Roles configured on the attribute.
        IPrincipal principal = actionContext.RequestContext.Principal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            return false;
        }

        return Roles.Split(',').Select(r => r.Trim()).Any(principal.IsInRole);
    }
}

All controllers and action methods that need to be protected should be decorated with the above attribute.

[ApiAuthorize]
public class CustomController : ApiController
{
    // Application code goes here
}

Perform authorization checks in the device if it supports various actions that require different permission levels

Component: IoT Device
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps:

The device should authorize the caller, checking whether the caller has the required permissions to perform the requested action. For example, say the device is a smart door lock that can be monitored from the cloud and also provides functionality such as remotely locking the door.

The smart door lock provides unlocking functionality only when someone physically comes near the door with a card. In this case, the remote command and control should be implemented in such a way that it does not provide any functionality to unlock the door, since the cloud gateway is not authorized to send a command to unlock the door.

Perform authorization checks in the Field Gateway if it supports various actions that require different permission levels

Component: IoT Field Gateway
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps: The Field Gateway should authorize the caller, checking whether the caller has the required permissions to perform the requested action. For example, the admin user interface/API used to configure a field gateway should have different permissions from the devices that connect to it.
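The smart door lock from the IoT Device item and the admin-versus-device split from the Field G�ateway item above, as one added example (not code from the article): the lock grants unlock only to a caller that has proven physical presence with a card, so the authenticated cloud gateway may lock and read status but is denied unlock; the field gateway keeps its configuration API and its device telemetry API on separate permission sets. Caller names, channels, attributes and the permission tables are constructed.

```python
"""Authorization checks inside an IoT device and a field gateway."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    identity: str                          # established by the device's authentication layer
    channel: str                           # "local" (reader at the door) or "remote" (cloud gateway)
    attributes: frozenset = frozenset()    # proofs the caller presented, e.g. {"card_present"}


class Denied(Exception):
    pass


class SmartDoorLock:
    # Constructed policy: which channels may request each action.
    POLICY = {
        "read_status": {"local", "remote"},
        "lock":        {"local", "remote"},
        "unlock":      {"local"},          # never via remote command and control
    }
    UNLOCK_REQUIRES = frozenset({"card_present"})   # local alone is not enough

    def __init__(self):
        self.locked = True
        self.audit: list[str] = []

    def authorize(self, caller: Caller, action: str) -> bool:
        """Pure decision, evaluated on the device itself for every request."""
        if caller.channel not in self.POLICY.get(action, set()):
            return False
        if action == "unlock" and not self.UNLOCK_REQUIRES <= caller.attributes:
            return False
        return True

    def handle(self, caller: Caller, action: str) -> str:
        """Applies the decision, records it, and returns the resulting lock state."""
        if not self.authorize(caller, action):
            self.audit.append(f"DENY {caller.identity} {action}")
            raise Denied(action)
        self.audit.append(f"ALLOW {caller.identity} {action}")
        if action == "lock":
            self.locked = True
        elif action == "unlock":
            self.locked = False
        return "locked" if self.locked else "unlocked"


class FieldGateway:
    """The configuration API (admin) and the device API (telemetry) use different permissions."""
    ROLE_PERMISSIONS = {
        "admin":  {"configure", "read_config"},
        "device": {"send_telemetry"},
    }

    def __init__(self):
        # Constructed identity-to-role table; in practice this comes from the gateway's identity store.
        self.roles: dict[str, str] = {"ops-admin": "admin", "sensor-17": "device"}

    def authorize(self, identity: str, action: str) -> bool:
        role = self.roles.get(identity)
        return role is not None and action in self.ROLE_PERMISSIONS[role]


if __name__ == "__main__":
    lock = SmartDoorLock()
    print(lock.authorize(Caller("cloud-gateway", "remote"), "unlock"))   # False
```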