Remoting (.NET 1.1) Security Checklist

From Guidance Share
Jump to navigationJump to search

- J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan


Design Considerations

  • Remote components are not exposed to the Internet.
  • The ASP.NET host and HttpChannel are used to take advantage of Internet Information Services (IIS) and ASP.NET security features.
  • TcpChannel (if used) is only used in trusted server scenarios.
  • TcpChannel (if used) is used in conjunction with custom authentication and authorization solutions.


Input Validation

  • MarshalByRefObj objects from clients are not accepted without validating the source of the object.
  • The risk of serialization attacks are mitigated by setting the typeFilterLevel attribute programmatically or in the application's Web.config file.
  • All field items that are retrieved from serialized data streams are validated as they are created on the server side.


Authentication

  • Anonymous authentication is disabled in IIS.
  • ASP.NET is configured for Windows authentication.
  • Client credentials are configured at the client through the proxy object.
  • Authentication connection sharing is used to improve performance.
  • Clients are forced to authenticate on each call (unsafeAuthenticatedConnectionSharing is set to "false").
  • connectionGroupName is specified to prevent unwanted reuse of authentication connections.
  • Plain text credentials are not passed over the network.
  • IPrincipal objects passed from the client are not trusted.


Authorization

  • IPSec is used for machine-level access control.
  • File authorization is enabled for user access control.
  • Users are authorized with principal-based role checks.
  • Where appropriate, access to remote resources is restricted by setting rejectRemoteRequest attribute to "true".


Configuration Management

  • Configuration files are locked down and secured for both the client and the server.
  • Generic error messages are sent to the client by setting the mode attribute of the <customErrors> element to "On".


Sensitive Data

  • Exchange of sensitive application data is secured by using SSL, IPSec, or a custom encryption sink.


Exception Management

  • Structured exception handling is used.
  • Exception details are logged (not including private data, such as passwords).
  • Generic error pages with standard, user friendly messages are returned to the client.


Auditing and Logging

  • If ASP.NET is used as the host, IIS auditing features are enabled.
  • If required, a custom channel sink is used to perform logging on the client and the server.