Secure ClickOnce applications

ClickOnce applications are subject to code access security constraints in the .NET Framework to help limit the access that code has to protected resources and operations. For that reason, it is important that you understand the implications of code access security so that you can write your ClickOnce applications accordingly. Your applications can use Full Trust or use partial zones, such as the Internet and Intranet zones, to limit access.

Additionally, ClickOnce uses certificates to verify the authenticity of the application's publisher, and to sign the application and deployment manifests to prove that the files have not been tampered with. Signing is an optional step, which makes it easier to change the application files after the manifests are generated. However, without signed manifests, it is difficult to ensure that the application installer is not tampered with in man-in-the-middle attacks. For this reason, we recommend that you sign your application and deployment manifests to help secure your applications.

Zones

Applications that are deployed using ClickOnce technology are restricted to a set of permissions and actions that are defined by the security zone. Security zones are defined in Internet Explorer, and are based on the location of the application. The following table lists the default permissions based on the deployment location:

Deployment Location                Security Zone
Run from Web                       Internet Zone
Install from Web                   Internet Zone
Install from network file share    Local Intranet Zone
Install from CD-ROM                Full Trust

The default permissions are based on the location from which the original version of the application was deployed; updates to the application will inherit those permissions. If the application is configured to check for updates from a Web or network location and a newer version is available, the original installation can receive permissions for the Internet or Intranet zone instead of full-trust permissions. To prevent users from being prompted, a system administrator can specify a ClickOnce deployment policy that defines a specific application publisher as a trusted source. For computers on which this policy is deployed, permissions will be granted automatically and the user will not be prompted. For more information, see Trusted Application Deployment Overview. To configure trusted application deployment, the certificate can be installed to the machine or enterprise level. For more information, see How to: Add a Trusted Publisher to a Client Computer for ClickOnce Applications.

Code access security policies

Permissions for an application are determined by the settings in the <trustInfo> element of the application manifest. Visual Studio automatically generates this information based on the settings on the project's Security property page. A ClickOnce application is granted only the specific permissions that it requests. For example, where file access requires full-trust permissions, if the application requests file-access permission, it will only be granted file-access permission, not full-trust permissions. When developing your ClickOnce application, you should make sure that you request only the specific permissions that the application needs. In most cases, you can use the Internet or Local Intranet zones to limit your application to partial trust. For more information, see How to: Set a security zone for a ClickOnce application. If your application requires custom permissions, you can create a custom zone. For more information, see How to: Set custom permissions for a ClickOnce application.
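One way to check that a manifest requests only specific permissions rather than full trust, for example as a build step. This is an added example, not code from the original page; the sample manifest is constructed, and the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

static class TrustInfoAudit
{
    // Constructed sample manifest fragment (not from a real application).
    const string SampleManifest = @"
<assembly xmlns='urn:schemas-microsoft-com:asm.v2'>
  <trustInfo>
    <security>
      <applicationRequestMinimum>
        <PermissionSet class='System.Security.PermissionSet' version='1' ID='Custom' SameSite='site'>
          <IPermission class='System.Security.Permissions.FileDialogPermission, mscorlib' version='1' Access='Open' />
        </PermissionSet>
        <defaultAssemblyRequest permissionSetReference='Custom' />
      </applicationRequestMinimum>
    </security>
  </trustInfo>
</assembly>";

    // Returns true if any PermissionSet under <trustInfo> is unrestricted (full trust);
    // 'requested' receives the class names of the individual permissions requested.
    public static bool RequestsFullTrust(XDocument manifest, out List<string> requested)
    {
        // Match on local names so the check works regardless of namespace prefixes.
        var sets = manifest.Descendants()
            .Where(e => e.Name.LocalName == "trustInfo")
            .SelectMany(t => t.Descendants())
            .Where(e => e.Name.LocalName == "PermissionSet")
            .ToList();
        requested = sets.SelectMany(s => s.Elements())
            .Where(e => e.Name.LocalName == "IPermission")
            .Select(e => ((string)e.Attribute("class") ?? "(no class)").Split(',')[0].Trim())
            .ToList();
        return sets.Any(s => string.Equals((string)s.Attribute("Unrestricted"),
                                           "true", StringComparison.OrdinalIgnoreCase));
    }

    static void Main()
    {
        List<string> perms;
        bool full = RequestsFullTrust(XDocument.Parse(SampleManifest), out perms);
        Console.WriteLine(full ? "FAIL: full trust requested" : "OK: partial trust");
        perms.ForEach(p => Console.WriteLine("  requests " + p));
    }
}
```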

Including a permission that is not part of the default permission set for the zone from which the application is deployed will cause the end user to be prompted to grant permission at install or update time. To prevent users from being prompted, a system administrator can specify a ClickOnce deployment policy that defines a specific application publisher as a trusted source. On computers where this policy is deployed, permissions will automatically be granted and the user will not be prompted.

As a developer, it is your responsibility to make sure that your application will run with the appropriate permissions. If the application requests permissions outside of a zone during run time, a security exception may appear. Visual Studio enables you to debug your application in the target security zone and provides help in developing secure applications. For more information, see Debug ClickOnce apps that use System.Deployment.Application.

For more information about code access security and ClickOnce, see Code access security for ClickOnce applications.

Code-signing certificates

To publish an application by using ClickOnce deployment, you can sign the application and deployment manifests for the application by using a public/private key pair. The tools for signing a manifest are available on the Signing page of the Project Designer. For more information, see Signing Page, Project Designer.

After the manifests are signed, the publisher information based on the Authenticode signature will be displayed to the user in the permissions dialog box during installation, to show the user that the application originated from a trusted source.

For more information about ClickOnce and certificates, see ClickOnce and Authenticode.

ASP.NET form-based authentication

If you want to control which deployments each user can access, you should not enable anonymous access to ClickOnce applications deployed on a Web server. Rather, you would give users access to the deployments you have installed based on each user's identity, using Windows authentication.

ClickOnce does not support ASP.NET forms-based authentication because that scheme uses persistent cookies; these present a security risk because they reside in the Internet Explorer cache and can be hacked. Therefore, if you are deploying ClickOnce applications, any authentication scenario besides Windows authentication is unsupported.

Pass arguments

An additional security consideration arises if you have to pass arguments into a ClickOnce application. ClickOnce enables developers to supply a query string to applications deployed over the Web. The query string takes the form of a series of name-value pairs at the end of the URL used to start the application:

http://servername.adatum.com/WindowsApp1.application?username=joeuser

By default, query-string arguments are disabled. To enable them, the attribute trustUrlParameters must be set in the application's deployment manifest. This value can be set from Visual Studio and from MageUI.exe. For detailed steps on how to enable passing query strings, see How to: Retrieve query string information in an online ClickOnce application.

You should never pass arguments retrieved through a query string to a database or to the command line without checking the arguments to make sure that they are safe. Unsafe arguments are ones that include database or command-line escape characters that could allow a malicious user to manipulate your application into executing arbitrary commands.
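A sketch of the check described above, applied to the `username` parameter from the sample URL. This is an added example, not code from the original page; the allow-list pattern, the `Orders` table and the `CountOrders` helper are hypothetical.

```csharp
using System;
using System.Collections.Specialized;
using System.Data;
using System.Data.SqlClient;
using System.Deployment.Application;
using System.Text.RegularExpressions;
using System.Web; // HttpUtility; requires a reference to System.Web

static class StartupArguments
{
    // Assumed allow-list for "username": 1-32 letters, digits, '.', '_' or '-'.
    static readonly Regex UserNamePattern =
        new Regex(@"\A[A-Za-z0-9._-]{1,32}\z", RegexOptions.CultureInvariant);

    // Returns the validated username from the activation URL, or null if absent or unsafe.
    public static string GetValidatedUserName()
    {
        // ActivationUri is only available for network-deployed applications
        // whose deployment manifest enables query-string arguments.
        if (!ApplicationDeployment.IsNetworkDeployed) return null;
        Uri activation = ApplicationDeployment.CurrentDeployment.ActivationUri;
        if (activation == null) return null;

        NameValueCollection query = HttpUtility.ParseQueryString(activation.Query);
        string[] values = query.GetValues("username");
        // Reject missing or repeated parameters rather than guessing which one to use.
        if (values == null || values.Length != 1) return null;
        return UserNamePattern.IsMatch(values[0]) ? values[0] : null;
    }

    // Hypothetical lookup: the value is bound as a parameter, never concatenated into SQL.
    public static int CountOrders(string connectionString, string userName)
    {
        if (userName == null) throw new ArgumentNullException(nameof(userName));
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Orders WHERE UserName = @user", conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 32).Value = userName;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

Callers should treat a null result from `GetValidatedUserName` as "no argument supplied" and fall back to a default rather than using the raw query string.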

Note

Query-string arguments are the only way to pass arguments to a ClickOnce application at startup. You cannot pass arguments to a ClickOnce application from the command line.

Deploying obfuscated assemblies

Visual Studio includes the free PreEmptive Protection - Dotfuscator Community, which you can use to protect your ClickOnce applications through code obfuscation and active protection measures. For details, see the ClickOnce section of the Dotfuscator Community User Guide.

See also