
Security Frame: Communication Security | Mitigations

Product/Service
  • Azure Event Hub
  • Dynamics CRM
  • Azure Data Factory
  • Identity Server
  • Web Application
  • Database
  • Azure Storage
  • Mobile Client
  • WCF
  • Web API
  • Azure Cache for Redis
  • IoT Field Gateway
  • IoT Cloud Gateway

Secure communication to Event Hub using SSL/TLS

Title | Details
Component | Azure Event Hub
SDL Phase | Build
Applicable Technologies | Generic
Attributes | N/A
References | Event Hubs authentication and security model overview
Steps | Secure AMQP or HTTP connections to Event Hub using SSL/TLS

Check service account privileges and check that the custom Services or ASP.NET Pages respect CRM's security

Title | Details
Component | Dynamics CRM
SDL Phase | Build
Applicable Technologies | Generic
Attributes | N/A
References | N/A
Steps | Check service account privileges and check that the custom Services or ASP.NET Pages respect CRM's security

Use Data Management Gateway while connecting on-premises SQL Server to Azure Data Factory

Title | Details
Component | Azure Data Factory
SDL Phase | Deployment
Applicable Technologies | Generic
Attributes | Linked Service Types - Azure and On-premises
References | Moving data between On-premises and Azure Data Factory, Data management gateway
Steps |

The Data Management Gateway (DMG) tool is required to connect to data sources that are protected behind the corporate network or a firewall.

  1. Locking down the machine isolates the DMG tool and prevents malfunctioning programs from damaging or snooping on the data source machine (for example: install the latest updates, enable only the minimum required ports, provision controlled accounts, enable auditing, enable disk encryption, and so on).
  2. The Data Gateway key must be rotated at frequent intervals or whenever the DMG service account password is renewed.
  3. Data in transit through the Linked Service must be encrypted.

Ensure that all traffic to Identity Server is over an HTTPS connection

Title | Details
Component | Identity Server
SDL Phase | Deployment
Applicable Technologies | Generic
Attributes | N/A
References | IdentityServer3 - Keys, Signatures and Cryptography; IdentityServer3 - Deployment
Steps | By default, IdentityServer requires all incoming connections to come over HTTPS. It is absolutely mandatory that communication with IdentityServer is done over secured transports only. There are certain deployment scenarios, such as SSL offloading, where this requirement can be relaxed. See the Identity Server deployment page in the references for more information.

Verify X.509 certificates used to authenticate SSL, TLS, and DTLS connections

Title | Details
Component | Web Application
SDL Phase | Build
Applicable Technologies | Generic
Attributes | N/A
References | N/A
Steps |

Applications that use SSL, TLS, or DTLS must fully verify the X.509 certificates of the entities they connect to. This includes verification of the certificates for:

  • Domain name
  • Validity dates (both the beginning and the expiration date)
  • Revocation status
  • Usage (for example, Server Authentication for servers, Client Authentication for clients)
  • Trust chain. Certificates must chain to a root certification authority (CA) that is trusted by the platform or explicitly configured by the administrator
  • Key length of the certificate's public key must be >2048 bits
  • Hashing algorithm must be SHA256 or above
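As an added example (not part of the original page), the checklist above applied in Python to a simplified certificate model: `Cert`, the trust store, the revocation set and every certificate value are constructed stand-ins for what a TLS library exposes after parsing, and the ">2048 bits" item is implemented as a 2048-bit minimum.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


@dataclass
class Cert:
    """Constructed stand-in for the fields a TLS library exposes on a parsed certificate."""
    subject: str              # subject common name
    issuer: str               # issuer common name (subject of the next certificate up the chain)
    sans: List[str]           # dNSName Subject Alternative Names
    not_before: datetime
    not_after: datetime
    ekus: Tuple[str, ...]     # Extended Key Usage OIDs present
    key_bits: int             # public key size in bits
    sig_hash: str             # hash used in the signature algorithm
    serial: int = 0


SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
OK_HASHES = {"sha256", "sha384", "sha512"}


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: exact, or a wildcard that covers only the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    labels = host.split(".")
    # the wildcard stands for exactly one label and must not reach the registrable domain
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def verify(leaf: Cert, intermediates: Dict[str, Cert], trusted_roots: Set[str],
           revoked: Set[Tuple[str, int]], host: str, required_eku: str,
           now: datetime) -> List[str]:
    """Apply the checklist to leaf and its chain; an empty list means every check passed."""
    failures = []
    names = leaf.sans or [leaf.subject]
    if not any(hostname_matches(n, host) for n in names):
        failures.append(f"domain name: {host} does not match {names}")
    if required_eku not in leaf.ekus:
        failures.append(f"usage: leaf lacks required EKU {required_eku}")
    cert, depth = leaf, 0
    while True:                                    # walk leaf -> intermediates -> trusted root
        if not (cert.not_before <= now <= cert.not_after):
            failures.append(f"validity: {cert.subject} is not valid at {now.date()}")
        if (cert.issuer, cert.serial) in revoked:  # revocation is keyed by issuer + serial
            failures.append(f"revocation: {cert.subject} is revoked")
        if cert.key_bits < 2048:   # assumption: the checklist's '>2048' read as 'at least 2048'
            failures.append(f"key length: {cert.subject} has a {cert.key_bits}-bit key")
        if cert.sig_hash.lower() not in OK_HASHES:
            failures.append(f"hash: {cert.subject} is signed with {cert.sig_hash}")
        if cert.issuer in trusted_roots:
            break
        cert, depth = intermediates.get(cert.issuer), depth + 1
        if cert is None or depth > 5:
            failures.append(f"trust chain: {leaf.subject} does not chain to a trusted root")
            break
    return failures


# Constructed sample chain: a trusted root name, one issuing CA, a good leaf and a weak one.
def day(year: int) -> datetime:
    return datetime(year, 1, 1, tzinfo=timezone.utc)


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ROOT = "Constructed Root CA"
ISSUING = Cert("Constructed Issuing CA", ROOT, [], day(2020), day(2030), (), 4096, "sha256", 1)
GOOD = Cert("www.example.test", ISSUING.subject, ["www.example.test", "*.api.example.test"],
            day(2024), day(2025), (SERVER_AUTH,), 2048, "sha256", 42)
WEAK = Cert("legacy.example.test", ISSUING.subject, ["legacy.example.test"],
            day(2024), day(2025), (SERVER_AUTH,), 1024, "sha1", 7)
INTERMEDIATES = {ISSUING.subject: ISSUING}
REVOKED = {(ISSUING.subject, 7)}                   # the weak leaf has also been revoked


def check_server(cert: Cert, host: str, now: datetime = NOW) -> List[str]:
    """Verify cert as a TLS server certificate for host against the constructed trust store."""
    return verify(cert, INTERMEDIATES, {ROOT}, REVOKED, host, SERVER_AUTH, now)


if __name__ == "__main__":
    for c, h in ((GOOD, "www.example.test"), (WEAK, "legacy.example.test")):
        print(h, "->", check_server(c, h) or "OK")
```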

Configure SSL certificate for custom domain in Azure App Service

Title | Details
Component | Web Application
SDL Phase | Build
Applicable Technologies | Generic
Attributes | EnvironmentType - Azure
References | Enable HTTPS for an app in Azure App Service
Steps | By default, Azure already enables HTTPS for every app with a wildcard certificate for the *.azurewebsites.net domain. However, like all wildcard domains, it is not as secure as using a custom domain with your own certificate. It is recommended to enable SSL for the custom domain through which the deployed app will be accessed.

Force all traffic to Azure App Service over an HTTPS connection

Title | Details
Component | Web Application
SDL Phase | Build
Applicable Technologies | Generic
Attributes | EnvironmentType - Azure
References | Enforce HTTPS on Azure App Service
Steps |

Though Azure already enables HTTPS for Azure App Service with a wildcard certificate for the domain *.azurewebsites.net, it does not enforce HTTPS. Visitors may still access the app using HTTP, which may compromise the app's security, so HTTPS has to be enforced explicitly. ASP.NET MVC applications should use the RequireHttps filter, which forces an unsecured HTTP request to be re-sent over HTTPS.

Alternatively, the URL Rewrite module, which is included with Azure App Service, can be used to enforce HTTPS. The URL Rewrite module enables developers to define rules that are applied to incoming requests before the requests are handed to the application. URL Rewrite rules are defined in a web.config file stored in the root of the application.

Example

The following example contains a basic URL Rewrite rule that forces all incoming traffic to use HTTPS:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Force HTTPS" enabled="true">
          <match url="(.*)" ignoreCase="false" />
          <conditions>
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

This rule works by returning an HTTP status code of 301 (permanent redirect) when the user requests a page using HTTP. The 301 redirects the request to the same URL the visitor requested, but with the HTTP portion of the request replaced by HTTPS. For example, HTTP://contoso.com would be redirected to HTTPS://contoso.com.

Enable HTTP Strict Transport Security (HSTS)

Title | Details
Component | Web Application
SDL Phase | Build
Applicable Technologies | Generic
Attributes | N/A
References | OWASP HTTP Strict Transport Security Cheat Sheet
Steps |

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that a web application specifies through a special response header. Once a supporting browser receives this header, it will prevent any communication from being sent over HTTP to the specified domain and will instead send all communication over HTTPS. It also prevents HTTPS click-through prompts in browsers.

To implement HSTS, the following response header has to be configured for the website globally, either in code or in configuration:

Strict-Transport-Security: max-age=300; includeSubDomains

HSTS addresses the following threats:

  • A user bookmarks or manually types https://example.com and is subject to a man-in-the-middle attacker: HSTS automatically redirects HTTP requests to HTTPS for the target domain
  • A web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP: HSTS automatically redirects HTTP requests to HTTPS for the target domain
  • A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate: HSTS does not allow a user to override the invalid certificate message
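An added example (not from the original page) that parses the Strict-Transport-Security header described above and audits a response against it; the sample response headers are constructed, and the 300-second minimum is taken from the header shown on this page.

```python
import re
from typing import Dict, List, Optional

# Constructed sample response headers (not from the page), one per scenario.
SAMPLES: Dict[str, Dict[str, str]] = {
    "no-hsts": {"Content-Type": "text/html"},
    "page-minimum": {"Strict-Transport-Security": "max-age=300; includeSubDomains"},
    "strong": {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"},
    "disabled": {"Strict-Transport-Security": "max-age=0"},
    "malformed": {"Strict-Transport-Security": "max-age=abc; includeSubDomains"},
}


def parse_hsts(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Directive names are case-insensitive and ';'-separated; max-age is required
    and must be a non-negative integer; a repeated directive or a bad max-age
    makes the header invalid, which browsers treat as no policy at all (None).
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unrecognised directives are ignored, as the RFC requires
    return policy if policy["max_age"] is not None else None


def audit_hsts(headers: Dict[str, str], min_age: int = 300) -> List[str]:
    """Findings for one response; an empty list means the policy is acceptable.

    min_age defaults to the 300 seconds in the header shown on this page.
    """
    raw = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if raw is None:
        return ["no Strict-Transport-Security header: browsers keep accepting HTTP for this host"]
    policy = parse_hsts(raw)
    if policy is None:
        return [f"malformed header, ignored by browsers: {raw!r}"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 deletes any stored policy instead of enforcing HTTPS")
    elif policy["max_age"] < min_age:
        findings.append(f"max-age {policy['max_age']} is below the minimum of {min_age}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains remain reachable over HTTP")
    return findings


def audit_all(samples: Dict[str, Dict[str, str]] = SAMPLES) -> Dict[str, List[str]]:
    """Audit every constructed sample; useful as a quick regression over server configs."""
    return {name: audit_hsts(h) for name, h in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {findings or 'OK'}")
```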

Ensure SQL Server connection encryption and certificate validation

Title | Details
Component | Database
SDL Phase | Build
Applicable Technologies | SQL Azure
Attributes | SQL Version - V12
References | Best Practices on Writing Secure Connection Strings for SQL Database
Steps |

All communications between SQL Database and a client application are encrypted using Secure Sockets Layer (SSL) at all times. SQL Database doesn't support unencrypted connections. To validate certificates with application code or tools, explicitly request an encrypted connection and do not trust the server certificates. If your application code or tools do not request an encrypted connection, they will still receive encrypted connections.

However, they may not validate the server certificates and thus will be susceptible to "man in the middle" attacks. To validate certificates with ADO.NET application code, set Encrypt=True and TrustServerCertificate=False in the database connection string. To validate certificates via SQL Server Management Studio, open the Connect to Server dialog box and click Encrypt connection on the Connection Properties tab.
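An added example, not from the original page or the referenced best-practices article: a small Python audit that parses ADO.NET connection strings, flags the weak Encrypt/TrustServerCertificate settings described above, and emits the corrected string; the connection strings are constructed, and the set of "enabled" spellings is an assumption about SqlClient.

```python
from typing import Dict, List, Tuple

# Constructed sample connection strings (not from the page); the password deliberately
# contains ';' and '=' to show that quoted values must be parsed, not split naively.
WEAK = ("Server=tcp:example-server.database.windows.net,1433;Database=app;User ID=appuser;"
        "Password='p;w=d';Encrypt=False;TrustServerCertificate=True")
GOOD = ("Server=tcp:example-server.database.windows.net,1433;Database=app;User ID=appuser;"
        "Password='p;w=d';Encrypt=True;TrustServerCertificate=False")

# Assumption: spellings SqlClient treats as an enabled flag (true/yes, plus newer Encrypt modes).
ON = {"true", "yes", "mandatory", "strict"}


def parse_pairs(cs: str) -> List[Tuple[str, str]]:
    """Split an ADO.NET connection string into (key, value) pairs, in order.

    Values wrapped in '...' or "..." may contain ';' and '='; the quotes are removed.
    """
    items, buf, quote = [], [], None
    for ch in cs:
        if quote:                          # inside a quoted value
            if ch == quote:
                quote = None
            else:
                buf.append(ch)
        elif ch in "'\"":
            quote = ch
        elif ch == ";":
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    pairs = []
    for item in items:
        if "=" in item:
            key, _, value = item.partition("=")
            pairs.append((key.strip(), value.strip()))
    return pairs


def norm(key: str) -> str:
    """Keywords compare case-insensitively; spaces are dropped as a normalisation (assumption)."""
    return key.replace(" ", "").lower()


def audit(cs: str) -> List[str]:
    """Findings for one connection string; an empty list means both settings are as required."""
    kv: Dict[str, str] = {norm(k): v.lower() for k, v in parse_pairs(cs)}
    findings = []
    if kv.get("encrypt", "") not in ON:
        findings.append("Encrypt is not True: encryption is not requested, so the certificate may go unvalidated")
    if kv.get("trustservercertificate", "") in ON:
        findings.append("TrustServerCertificate=True: server certificate is not validated (MITM exposure)")
    return findings


def harden(cs: str) -> str:
    """Re-emit cs with Encrypt=True and TrustServerCertificate=False; every other pair is kept."""
    pairs = [(k, v) for k, v in parse_pairs(cs)
             if norm(k) not in ("encrypt", "trustservercertificate")]
    pairs += [("Encrypt", "True"), ("TrustServerCertificate", "False")]

    def quote(v: str) -> str:              # re-quote values the parser would otherwise split
        if any(c in v for c in ";='\""):
            return f'"{v}"' if "'" in v else f"'{v}'"
        return v

    return ";".join(f"{k}={quote(v)}" for k, v in pairs)


if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", harden(WEAK), audit(harden(WEAK)))
```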

Force encrypted communication to SQL Server

Title | Details
Component | Database
SDL Phase | Build
Applicable Technologies | OnPrem
Attributes | SQL Version - MsSQL2016, SQL Version - MsSQL2012, SQL Version - MsSQL2014
References | Enable Encrypted Connections to the Database Engine
Steps | Enabling SSL encryption increases the security of data transmitted across networks between instances of SQL Server and applications.

Ensure that communication to Azure Storage is over HTTPS

Title | Details
Component | Azure Storage
SDL Phase | Deployment
Applicable Technologies | Generic
Attributes | N/A
References | Azure Storage Transport-Level Encryption - Using HTTPS
Steps | To ensure the security of Azure Storage data in transit, always use the HTTPS protocol when calling the REST APIs or accessing objects in storage. Also, Shared Access Signatures, which can be used to delegate access to Azure Storage objects, include an option to specify that only the HTTPS protocol can be used with them, ensuring that anybody sending out links with SAS tokens will use the proper protocol.

Validate MD5 hash after downloading blob if HTTPS cannot be enabled

Title | Details
Component | Azure Storage
SDL Phase | Build
Applicable Technologies | Generic
Attributes | StorageType - Blob
References | Windows Azure Blob MD5 Overview
Steps |

The Windows Azure Blob service provides mechanisms to ensure data integrity at both the application and transport layers. If for any reason you need to use HTTP instead of HTTPS and you are working with block blobs, you can use MD5 checking to help verify the integrity of the blobs being transferred.

This will help with protection from network/transport layer errors, but not necessarily from intermediary attacks. If you can use HTTPS, which provides transport-level security, then MD5 checking is redundant and unnecessary.

Use an SMB 3.0 compatible client to ensure in-transit data encryption to Azure File shares

Title | Details
Component | Mobile Client
SDL Phase | Build
Applicable Technologies | Generic
Attributes | StorageType - File
References | Azure File Storage, Azure File Storage SMB Support for Windows Clients
Steps | Azure File Storage supports HTTPS when using the REST API, but it is more commonly used as an SMB file share attached to a VM. SMB 2.1 does not support encryption, so connections are only allowed within the same region in Azure. However, SMB 3.0 supports encryption and can be used with Windows Server 2012 R2, Windows 8, Windows 8.1, and Windows 10, allowing cross-region access and even access from the desktop.

Implement Certificate Pinning

Title | Details
Component | Azure Storage
SDL Phase | Build
Applicable Technologies | Generic, Windows Phone
Attributes | N/A
References | Certificate and Public Key Pinning
Steps |

Certificate pinning defends against Man-In-The-Middle (MITM) attacks. Pinning is the process of associating a host with its expected X509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or 'pinned' to the host.

Thus, when an adversary attempts an SSL MITM attack, during the SSL handshake the key from the attacker's server will differ from the pinned certificate's key, and the request will be discarded, preventing the MITM. Certificate pinning can be achieved by implementing ServicePointManager's ServerCertificateValidationCallback delegate.

Example

using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;

namespace CertificatePinningExample
{
    class CertificatePinningExample
    {
        /* Note: In this example, the certificate's public key and algorithm are hardcoded for
           demonstration purposes. In a real-world application, they should be stored in a secure
           configuration area that can be updated as needed. */

        private static readonly string PINNED_ALGORITHM = "RSA";

        private static readonly string PINNED_PUBLIC_KEY = "3082010A0282010100B0E75B7CBE56D31658EF79B3A1" +
            "294D506A88DFCDD603F6EF15E7F5BCBDF32291EC50B2B82BA158E905FE6A83EE044A48258B07FAC3D6356AF09B2" +
            "3EDAB15D00507B70DB08DB9A20C7D1201417B3071A346D663A241061C151B6EC5B5B4ECCCDCDBEA24F051962809" +
            "FEC499BF2D093C06E3BDA7D0BB83CDC1C2C6660B8ECB2EA30A685ADE2DC83C88314010FFC7F4F0F895EDDBE5C02" +
            "ABF78E50B708E0A0EB984A9AA536BCE61A0C31DB95425C6FEE5A564B158EE7C4F0693C439AE010EF83CA8155750" +
            "09B17537C29F86071E5DD8CA50EBD8A409494F479B07574D83EDCE6F68A8F7D40447471D05BC3F5EAD7862FA748" +
            "EA3C92A60A128344B1CEF7A0B0D94E50203010001";


        public static void Main(string[] args)
        {
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://azure.microsoft.com");
            request.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
            {
                if (certificate == null || sslPolicyErrors != SslPolicyErrors.None)
                {
                    // Error getting certificate or the certificate failed basic validation
                    return false;
                }

                var targetKeyAlgorithm = new Oid(certificate.GetKeyAlgorithm()).FriendlyName;
                var targetPublicKey = certificate.GetPublicKeyString();
                
                if (targetKeyAlgorithm == PINNED_ALGORITHM &&
                    targetPublicKey == PINNED_PUBLIC_KEY)
                {
                    // Success, the certificate matches the pinned value.
                    return true;
                }
                // Reject, either the key or the algorithm does not match the expected value.
                return false;
            };

            try
            {
                var response = (HttpWebResponse)request.GetResponse();
                Console.WriteLine($"Success, HTTP status code: {response.StatusCode}");
            }
            catch (Exception ex)
            {
                Console.WriteLine($"Failure, {ex.Message}");
            }
            Console.WriteLine("Press any key to end.");
            Console.ReadKey();
        }
    }
}

Enable HTTPS - Secure Transport channel

Title | Details
Component | WCF
SDL Phase | Build
Applicable Technologies | .NET Framework 3
Attributes | N/A
References | MSDN, Fortify Kingdom
Steps | The application configuration should ensure that HTTPS is used for all access to sensitive information.
  • EXPLANATION: If an application handles sensitive information and does not use message-level encryption, then it should only be allowed to communicate over an encrypted transport channel.
  • RECOMMENDATIONS: Ensure that HTTP transport is disabled and enable HTTPS transport instead. For example, replace the <httpTransport/> tag with <httpsTransport/>. Do not rely on a network configuration (firewall) to guarantee that the application can only be accessed over a secure channel. From a philosophical point of view, the application should not depend on the network for its security.

From a practical point of view, the people responsible for securing the network do not always track the security requirements of the application as they evolve.

WCF: Set Message security Protection level to EncryptAndSign

Title | Details
Component | WCF
SDL Phase | Build
Applicable Technologies | .NET Framework 3
Attributes | N/A
References | MSDN
Steps |
  • EXPLANATION: When the protection level is set to "none", message protection is disabled. Confidentiality and integrity are achieved with the appropriate level setting.
  • RECOMMENDATIONS:
    • Mode=None - Disables message protection
    • Mode=Sign - Signs but does not encrypt the message; should be used when data integrity is important
    • Mode=EncryptAndSign - Signs and encrypts the message

Consider turning off encryption and only signing your message when you just need to validate the integrity of the information without concerns of confidentiality. This may be useful for operations or service contracts in which you need to validate the original sender but no sensitive data is transmitted. When reducing the protection level, be careful that the message does not contain any personal data.

Example

Configuring the service and the operation to only sign the message is shown in the following examples. Service contract example of ProtectionLevel.Sign: the following uses ProtectionLevel.Sign at the service contract level:

using System.Net.Security;   // ProtectionLevel
using System.ServiceModel;   // ServiceContract, OperationContract

[ServiceContract(ProtectionLevel = ProtectionLevel.Sign)]
public interface IService
{
    // The operation must be marked for WCF to expose it; it inherits the contract's Sign level.
    [OperationContract]
    string GetData(int value);
}

Example

Operation contract example of ProtectionLevel.Sign (for granular control): the following uses ProtectionLevel.Sign at the OperationContract level:

[OperationContract(ProtectionLevel = ProtectionLevel.Sign)]
string GetData(int value);

WCF: Use a least-privileged account to run your WCF service

Title | Details
Component | WCF
SDL Phase | Build
Applicable Technologies | .NET Framework 3
Attributes | N/A
References | MSDN
Steps |
  • EXPLANATION: Do not run WCF services under an admin or high-privilege account; if the service is compromised, the impact will be high.
  • RECOMMENDATIONS: Use a least-privileged account to host your WCF service, because it will reduce your application's attack surface and reduce the potential damage if you are attacked. If the service account requires additional access rights on infrastructure resources such as MSMQ, the event log, performance counters, and the file system, appropriate permissions should be granted on those resources so that the WCF service can run successfully.

If your service needs to access specific resources on behalf of the original caller, use impersonation and delegation to flow the caller's identity for a downstream authorization check. In a development scenario, use the local network service account, which is a special built-in account with reduced privileges. In a production scenario, create a least-privileged custom domain service account.

Force all traffic to Web APIs over an HTTPS connection

Title | Details
Component | Web API
SDL Phase | Build
Applicable Technologies | MVC5, MVC6
Attributes | N/A
References | Enforcing SSL in a Web API Controller
Steps | If an application has both an HTTPS and an HTTP binding, clients can still use HTTP to access the site. To prevent this, use an action filter to ensure that requests to protected APIs are always made over HTTPS.

Example

The following code shows a Web API authorization filter that checks for SSL:

using System;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Rejects any request whose URI scheme is not https before the action runs.
public class RequireHttpsAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
            {
                ReasonPhrase = "HTTPS Required"
            };
        }
        else
        {
            base.OnAuthorization(actionContext);
        }
    }
}

Add this filter to any Web API actions that require SSL:

public class ValuesController : ApiController
{
    [RequireHttps]
    public HttpResponseMessage Get() { ... }
}

Ensure that communication to Azure Cache for Redis is over SSL

Title | Details
Component | Azure Cache for Redis
SDL Phase | Build
Applicable Technologies | Generic
Attributes | N/A
References | Azure Redis SSL support
Steps | Redis server does not support SSL out of the box, but Azure Cache for Redis does. If you are connecting to Azure Cache for Redis and your client supports SSL, like StackExchange.Redis, then you should use SSL. By default, the non-SSL port is disabled for new Azure Cache for Redis instances. Ensure that the secure defaults are not changed unless there is a dependency on SSL support for Redis clients.

Please note that Redis is designed to be accessed by trusted clients inside trusted environments. This means that it is usually not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.

Secure Device to Field Gateway communication

Title | Details
Component | IoT Field Gateway
SDL Phase | Build
Applicable Technologies | Generic
Attributes | N/A
References | N/A
Steps | For IP-based devices, the communication protocol can typically be encapsulated in an SSL/TLS channel to protect data in transit. For other protocols that do not support SSL/TLS, investigate whether there are secure versions of the protocol that provide security at the transport or message layer.

Secure Device to Cloud Gateway communication using SSL/TLS

Title | Details
Component | IoT Cloud Gateway
SDL Phase | Build
Applicable Technologies | Generic
Attributes | N/A
References | Choose your Communication Protocol
Steps | Secure HTTP/AMQP or MQTT protocols using SSL/TLS.