Improving Web Application Security: Threats and Countermeasures
J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan
Microsoft Corporation
Published: June 2003
Applies to:
- Remoting (.NET Framework version 1.1)
See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.
See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.
Contents
How to Use This Checklist
Design Considerations
Input Validation
Authentication
Authorization
Configuration Management
Sensitive Data
Exception Management
Auditing and Logging
How to Use This Checklist
This checklist is a companion to Chapter 13, "Building Secure Remoted Components." Use it to help you build secure components that use Microsoft® .NET remoting and as a snapshot of the corresponding chapter.
Design Considerations
| Check | Description |
|---|---|
| [ ] | Remote components are not exposed to the Internet. |
| [ ] | The ASP.NET host and HttpChannel are used to take advantage of Internet Information Services (IIS) and ASP.NET security features. |
| [ ] | TcpChannel (if used) is only used in trusted server scenarios. |
| [ ] | TcpChannel (if used) is used in conjunction with custom authentication and authorization solutions. |
Input Validation
| Check | Description |
|---|---|
| [ ] | MarshalByRefObject objects from clients are not accepted without validating the source of the object. |
| [ ] | The risk of serialization attacks is mitigated by setting the typeFilterLevel attribute to "Low" (the .NET Framework 1.1 default), either programmatically on the formatter sink provider or on the <formatter> element in the application's Web.config file; "Full" is used only where the scenario requires it. |
| [ ] | All field items retrieved from serialized data streams are validated as they are created on the server side, before they are used. |
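The following C# example is added to this checklist; it is not code from the guide or from the .NET Framework documentation. It shows the three Input Validation checks in a self-hosted .NET Framework 1.1 remoting server: the formatter is restricted to typeFilterLevel Low, a MarshalByRefObject argument is rejected when it is really a proxy to an object living elsewhere, and every field of a by-value argument is validated before use. OrderService, OrderRequest, the port and the customer-id rule are hypothetical; a component hosted in ASP.NET would set the same typeFilterLevel on the <formatter> element in Web.config instead of in Main.

```csharp
// Added example, not from the guide. Self-hosted .NET Framework 1.1 remoting server
// that applies the three Input Validation checks. OrderService, OrderRequest, the
// port and the customer-id rule are hypothetical.
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Http;
using System.Runtime.Serialization.Formatters;
using System.Text.RegularExpressions;

// Passed by value: its fields arrive from an untrusted stream and are checked on use.
[Serializable]
public class OrderRequest
{
    public string CustomerId;
    public int Quantity;
}

public class OrderService : MarshalByRefObject
{
    public string PlaceOrder(OrderRequest request, MarshalByRefObject callback)
    {
        // Check: a MarshalByRefObject argument that is a transparent proxy refers to an
        // object living elsewhere (typically on the client). Calling it turns the server
        // into a client of code it does not control, so reject it rather than use it.
        // typeFilterLevel Low already rejects ObjRef parameters; this guards a host that
        // had to run at Full.
        if (callback != null && RemotingServices.IsTransparentProxy(callback))
            throw new ArgumentException("Remote object references are not accepted.");

        // Check: validate every deserialized field before it is used.
        if (request == null)
            throw new ArgumentNullException("request");
        if (!IsValidCustomerId(request.CustomerId))
            throw new ArgumentException("Invalid customer id.");
        if (request.Quantity < 1 || request.Quantity > 1000)
            throw new ArgumentOutOfRangeException("Quantity", "Quantity must be 1..1000.");

        return "accepted:" + request.CustomerId + ":" + request.Quantity;
    }

    // Hypothetical allow-list rule for the example: exactly 8 alphanumeric characters.
    static bool IsValidCustomerId(string id)
    {
        return id != null && Regex.IsMatch(id, @"^[A-Za-z0-9]{8}$");
    }
}

class ServerHost
{
    static void Main()
    {
        // Check: restrict what the formatter will deserialize. Low is the 1.1 default and
        // blocks the dangerous cases (ObjRef parameters, call-context objects and the
        // like); Full is only for fully trusted callers. When the component is hosted in
        // ASP.NET, the same setting is typeFilterLevel="Low" on the <formatter> element
        // in Web.config.
        BinaryServerFormatterSinkProvider formatter = new BinaryServerFormatterSinkProvider();
        formatter.TypeFilterLevel = TypeFilterLevel.Low;

        IDictionary props = new Hashtable();
        props["port"] = 8085;                       // hypothetical port
        HttpChannel channel = new HttpChannel(props, null, formatter);
        ChannelServices.RegisterChannel(channel);   // .NET Framework 1.1 overload

        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(OrderService), "OrderService.rem", WellKnownObjectMode.SingleCall);

        Console.WriteLine("Listening on port 8085; press Enter to stop.");
        Console.ReadLine();
    }
}
```

The proxy check is cheap and belongs in the component itself rather than in channel configuration, because the component may later be hosted behind a channel whose typeFilterLevel somebody raised to Full.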
Authentication
| Check | Description |
|---|---|
| [ ] | Anonymous authentication is disabled in IIS. |
| [ ] | ASP.NET is configured for Windows authentication. |
| [ ] | Client credentials are configured at the client through the proxy object. |
| [ ] | Authentication connection sharing is used to improve performance. |
| [ ] | Clients are forced to authenticate on each call (unsafeAuthenticatedConnectionSharing is set to "false"). |
| [ ] | connectionGroupName is specified to prevent unwanted reuse of authentication connections. |
| [ ] | Plain text credentials are not passed over the network. |
| [ ] | IPrincipal objects passed from the client are not trusted. |
Authorization
| Check | Description |
|---|---|
| [ ] | IPSec is used for machine-level access control. |
| [ ] | File authorization is enabled for user access control (a physical .rem or .soap file must exist for ASP.NET to apply its ACL). |
| [ ] | Users are authorized with principal-based role checks. |
| [ ] | Where appropriate, access to remote resources is restricted by setting the channel's rejectRemoteRequests attribute to "true". |
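The following C# example is added to this checklist; it is not code from the guide. It covers the Authentication and Authorization checks above together: the client sets its credentials on the proxy through the channel sink properties, forces authentication on each call and names a connection group, while the server (hosted in ASP.NET with anonymous access off and Windows authentication on) performs declarative and imperative role checks against the principal the host attached to the thread and never against anything the client sent. IOrderService, the URL, and the CONTOSO role names are hypothetical; client and server are shown in one file only so the example is complete.

```csharp
// Added example, not from the guide. Client-side credential configuration and a
// server-side role check for a remoted component hosted in ASP.NET with Windows
// authentication. IOrderService, the URL and the role names are hypothetical.
using System;
using System.Collections;
using System.Net;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Http;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Shared interface so the client needs no reference to the server assembly.
public interface IOrderService
{
    string PlaceOrder(string customerId, int quantity);
}

// ----- Client -----
class OrderClient
{
    static void Main()
    {
        ChannelServices.RegisterChannel(new HttpChannel());   // .NET Framework 1.1 overload
        IOrderService proxy = (IOrderService)Activator.GetObject(
            typeof(IOrderService), "https://appserver.example/Orders/OrderService.rem");

        // Credentials are attached per proxy through the channel sink properties.
        // Windows authentication over HTTPS keeps credentials off the wire in plain text.
        IDictionary props = ChannelServices.GetChannelSinkProperties(proxy);
        props["credentials"] = CredentialCache.DefaultCredentials;   // caller's Windows identity
        props["preauthenticate"] = true;                             // send the auth header up front

        // Each call authenticates: no reuse of a connection that another identity
        // authenticated, and a group name so only calls under this identity share.
        props["unsafeauthenticatedconnectionsharing"] = false;
        props["connectiongroupname"] = WindowsIdentity.GetCurrent().Name;

        Console.WriteLine(proxy.PlaceOrder("CUST0001", 5));
    }
}

// ----- Server: hosted in ASP.NET with IIS anonymous access disabled and
// <authentication mode="Windows"/>, so ASP.NET sets Thread.CurrentPrincipal to the
// authenticated WindowsPrincipal before the method runs. -----
public class OrderService : MarshalByRefObject, IOrderService
{
    // Declarative role check against the host-supplied principal (hypothetical role).
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\OrderClerks")]
    public string PlaceOrder(string customerId, int quantity)
    {
        // Only the principal the host authenticated is trusted. A principal the client
        // serialized into the call context is never read or assigned to the thread.
        IPrincipal caller = Thread.CurrentPrincipal;
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new SecurityException("Caller is not authenticated.");

        // Imperative check for a finer-grained rule that depends on the arguments.
        if (quantity > 100 && !caller.IsInRole(@"CONTOSO\OrderSupervisors"))
            throw new SecurityException("Orders above 100 units require a supervisor.");

        return caller.Identity.Name + " placed " + quantity + " of " + customerId;
    }
}
```

If the client is itself a middle tier that impersonates several users, the connectionGroupName must vary per identity as it does here; a fixed name would let a connection authenticated by one user serve a call made on behalf of another.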
Configuration Management
| Check | Description |
|---|---|
| [ ] | Configuration files are locked down and secured for both the client and the server. |
| [ ] | Generic error messages are sent to the client by setting the mode attribute of the <customErrors> element under <system.runtime.remoting> to "on" (this is a separate element from the ASP.NET <customErrors>). |
Sensitive Data
| Check | Description |
|---|---|
| [ ] | Exchange of sensitive application data is secured by using SSL, IPSec, or a custom encryption sink. |
Exception Management
| Check | Description |
|---|---|
| [ ] | Structured exception handling is used. |
| [ ] | Exception details are logged (not including private data, such as passwords). |
| [ ] | Generic error pages with standard, user friendly messages are returned to the client. |
Auditing and Logging
| Check | Description |
|---|---|
| [ ] | If ASP.NET is used as the host, IIS auditing features are enabled. |
| [ ] | If required, a custom channel sink is used to perform logging on the client and the server. |